The use of Public Key Infrastructure (PKI) and digital certificates is on the rise, making certification authorities (CAs) a more likely target for sophisticated cyber attacks, potentially compromising their customer networks.
A few years back, the massive breach of the now-defunct Dutch CA DigiNotar served as a cautionary tale for any agency or company. Although the fraudulent certificates issued in that attack were used against Iranian internet users, there was also fallout for the Dutch government, which was the biggest user of DigiNotar certificates. The breach forced the Dutch government to warn that its sites could not be trusted until every certificate on the front-end and back-end systems relying on DigiNotar had been identified and replaced.
While the DigiNotar case was treated as the worst-case scenario, the lessons learned did not go far enough for people to consider that something even worse could occur. Take the recent Heartbleed bug in OpenSSL: a memory over-read in the TLS heartbeat extension that let anyone pull private keys and session data out of unpatched servers, with no CA involved at all, and which many regarded as the worst security flaw in the history of the internet. The practical lesson is the same one DigiNotar taught: an organization must be able to find and replace every affected key and certificate quickly.
How to prevent cyber attacks
The damage from OpenSSL-class vulnerabilities, PKI corruption and CA breaches can still be contained, but only if the appropriate steps are taken in advance. Protecting your business from those attacks is no easy task, and a breach at a CA you depend on is a situation over which you have little or no control. Nevertheless, you need to be prepared for an incident that can disrupt your operations, and you can at least equip yourself with the knowledge of how to respond to and recover from a PKI or CA compromise.
Simply put, ignorance is often the biggest contributor to a breach. In the rush to newer and more sophisticated security technologies, the basics are overlooked, and in many cases the skills needed to use those technologies effectively are underdeveloped.
The increase in PKI and CA compromises has spurred the federal government's National Institute of Standards and Technology (NIST) to act. NIST has issued its first guidance for government agencies and private-sector businesses on protecting themselves when a certificate authority they rely on is breached.
The increase in attacks was highlighted by the Flame malware, which signed its components with a fraudulent certificate that chained up to a Microsoft certification authority (obtained by abusing Microsoft's Terminal Server licensing certificates together with an MD5 collision), demonstrating how much every organization depends on the integrity of each CA in its trust chains. NIST's bulletin, "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance", which was co-authored by Venafi, is a direct response to concerns about how a CA breach could affect agencies and businesses.
NIST's bulletin lays out specific tasks that IT managers should perform to reduce the impact of a compromise and to prepare for a breach, which past attacks suggest should be treated as a matter of when rather than if.
One of the first recommendations from NIST is to make sure that IT managers fully inventory and track all of the certificates in use, including which authority issued each certificate, which systems use it, and its issuance and expiration dates.
For many businesses, that simple advice could prevent a tsunami of certificate-related failures. Today, most businesses have very poor inventory control over certificates, often tracking them in a spreadsheet or some other generic tool. What's more, most businesses do not protect their private keys and certificate-issuance credentials appropriately, keeping key passphrases and other issuance details in unprotected spreadsheets and databases. That is akin to leaving the keys to the house in the mailbox for anyone looking to grab them and walk in.
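As an added example (not code from the article, from NIST or from Venafi), here is a standard-library-only Python inventory that pulls the fields NIST asks for straight out of DER-encoded certificates: serial number, issuer, subject and validity dates. The host names, CA names, serial numbers and the "today" date are constructed for illustration, and the `make_cert` helper exists only to build those sample certificates (their keys and signatures are dummies); in a real deployment the DER bytes would come from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` or from certificate files on each host. The two queries at the end are the ones a responder needs: which systems hold certificates chained to a named issuer, so that a CA compromise can be answered with "these are the ones we replace", and which certificates expire soon.

```python
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoder, used only to build the constructed sample certificates ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_int(n):                      # non-negative INTEGER, padded so the sign bit stays clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"          # 2.5.4.3, 2.5.4.10
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1

def name(cn, o):                     # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    rdn = lambda oid, s: tlv(0x31, seq(tlv(0x06, oid), tlv(0x0c, s.encode())))
    return seq(rdn(OID_O, o), rdn(OID_CN, cn))

def utc_time(dt):                    # UTCTime YYMMDDHHMMSSZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(serial, issuer, subject, not_before, not_after):
    """Constructed sample: structurally valid X.509 v3, but the key and signature are dummies."""
    alg = seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))
    spki = seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" * 17))
    tbs = seq(tlv(0xA0, der_int(2)), der_int(serial), alg, name(*issuer),
              seq(utc_time(not_before), utc_time(not_after)), name(*subject), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 33))

# ---- DER parser: the part a real inventory tool needs ----
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split the content of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out

ATTR_NAMES = {OID_CN: "CN", OID_O: "O"}

def name_to_str(name_der):
    parts = []
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{ATTR_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:                  # UTCTime two-digit year: 00-49 -> 20xx, 50-99 -> 19xx (RFC 5280)
        yy = int(s[:2])
        s = str(yy + (2000 if yy < 50 else 1900)) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Extract serial, issuer, subject and validity from a DER-encoded X.509 certificate."""
    (_, cert), = der_children(der)
    (_, tbs), _sig_alg, _sig_value = der_children(cert)
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0  # the explicit [0] version field is absent in v1 certificates
    (nb_tag, nb), (na_tag, na) = der_children(f[i + 3][1])
    return {"serial": int.from_bytes(f[i][1], "big"),
            "issuer": name_to_str(f[i + 2][1]),
            "not_before": parse_time(nb_tag, nb),
            "not_after": parse_time(na_tag, na),
            "subject": name_to_str(f[i + 4][1])}

# ---- the inventory and the two queries a responder needs ----
def build_inventory(certs_by_system):
    """certs_by_system: list of (system name, DER bytes) -> one record per certificate."""
    return [dict(system=system, **parse_certificate(der)) for system, der in certs_by_system]

def issued_by(inventory, issuer_cn):
    """Certificates whose issuer CN matches: the set to replace when that CA is compromised."""
    return [r for r in inventory if f"CN={issuer_cn}" in r["issuer"].split(",")]

def expiring_within(inventory, now, days):
    return [r for r in inventory if r["not_after"] <= now + timedelta(days=days)]

NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)      # constructed "today"
INTERNAL, PUBLIC = ("Acme Internal CA", "Acme Corp"), ("Example Public CA", "Example CA Ltd")
SAMPLE = [  # constructed fleet: (system, certificate)
    ("web01.example.com", make_cert(4097, INTERNAL, ("web01.example.com", "Acme Corp"),
                                    NOW - timedelta(days=200), NOW + timedelta(days=165))),
    ("vpn01.example.com", make_cert(88, PUBLIC, ("vpn01.example.com", "Acme Corp"),
                                    NOW - timedelta(days=30), NOW + timedelta(days=400))),
    ("mail01.example.com", make_cert(4098, INTERNAL, ("mail01.example.com", "Acme Corp"),
                                     NOW - timedelta(days=345), NOW + timedelta(days=20))),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for r in inv:
        print(f"{r['system']:20} serial={r['serial']:<6} expires={r['not_after']:%Y-%m-%d} issuer={r['issuer']}")
    print("replace after Acme Internal CA compromise:", [r["system"] for r in issued_by(inv, "Acme Internal CA")])
    print("expiring within 30 days:", [r["system"] for r in expiring_within(inv, NOW, 30)])
```

Matching on the issuer's CN is enough for the sample, but a production inventory should key on the full issuer DN and, better, on the Authority Key Identifier extension, since a CN alone is not unique across CAs; it should also record the key type and signature algorithm, which is what lets you answer the Flame-style question of whether anything you run still trusts MD5-signed certificates.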
Know your certificate authorities
Another recommendation is to know your CAs: make sure the certificate authorities you use are themselves secure and adhere to security best practices. Even so, a trust-but-verify approach is needed, which means requiring regular third-party audits of the CA and implementing the same best practices across your own infrastructure.
Arguably, the most important element here is the response plan. If a CA suffers an impersonation attack or one of its Registration Authorities is compromised, it should have a clear-cut emergency revocation procedure in place, immediately revoking the affected certificates and preventing fraudulent activity. Your side of that plan matters just as much: know how the CA will notify you, how quickly your own systems and clients will pick up the revocation through CRLs or OCSP, and how you will replace the certificates you hold from that CA. As DigiNotar showed, revocation alone may not be enough; browser and operating-system vendors removed the CA's roots outright, and every certificate it had issued had to be replaced.
While guidelines are a good start, agencies and organizations should not rely solely on a CA's security team and procedures to ensure their safety. IT managers need to be part of the security equation as well, and that takes proactive management. However, managing PKI, certificates and everything that goes along with them takes more than perseverance; it takes the appropriate tools and technologies to handle the volume of minutiae associated with CAs, certificates and keys.
Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MCNE, MCSE, A+, N+, L+, and Security+.