The Hidden Threats of Security Certificates
By Frank J. Ohlhorst
System intrusions and data theft are on the rise, and many organizations are suffering the consequences in lost revenue, exposed intellectual property, outraged customers or damaged brands. A key problem is that as protection technologies grow more sophisticated, attacks grow more sophisticated to match.
Attackers are actively seeking new vulnerabilities and creating new techniques to compromise systems. Digital certificates have become one of the latest targets, especially with enterprises relying on certificates more than ever to keep system connections secure.
Among the many concerns surrounding certificates is the security of the certificate authorities (CAs) themselves, such as VeriSign, Network Solutions, GeoTrust and dozens of others. Because a browser or operating system trusts every CA in its root store to issue a certificate for any domain, the sheer number of CAs, and the risk that any one of them is compromised, is a troubling concern for IT leaders.
The problem is that CAs can be compromised, as the incidents at DigiNotar, Comodo and DigiCert Sdn. Bhd. (a Malaysian CA unrelated to DigiCert Inc.) showed. Those compromises may represent the tip of the iceberg, and the increase in attacks can mean only one thing: Attackers are going after CAs as an industry.
Microsoft acknowledged this year that the Flame malware had spread using a forged code-signing certificate that chained up to a Microsoft root. The attackers targeted a Microsoft Terminal Server Licensing certificate authority that still signed with MD5, used a collision attack against that weak algorithm to obtain a certificate usable for code signing, and then signed a fake Windows Update package that was delivered to victims through a man-in-the-middle attack on the local network. That let them install Flame on targeted computers and siphon off information undetected and at will. In this case, poor management meant Microsoft missed that it was still operating a CA that issued certificates signed with a weak algorithm.
Last year, at least five separate CAs suffered breaches. A fraudulently issued certificate lets an attacker positioned between users and a Website impersonate that site and intercept all of its traffic, even though the site's own certificate and private key were never touched. As reliance on certificates increases, so does the possibility of unexpected downtime and system failures, both of which can be almost as devastating as a security compromise. Many of these problems can be quickly mitigated with some proactive management techniques, something that seems to be on the back burner for many organizations.
Shortsighted Management Practices
Research firm Gartner recommends that organizations be aware of the potential for significant impact on their operations should one of their certificate issuers suffer such an incident. The obvious response, revoking and replacing every certificate issued by the compromised CA, may not be as easy as it sounds: Many organizations have lost track of which certificates they have and who issued them, thanks to spotty management practices.
Eric Ouellet and Vic Wheatman, vice presidents at Gartner, note that companies that have an unplanned certificate expiry typically focus on other IT issues first—such as hardware or software crashes—long before they begin to consider an expired X.509 certificate as the source of trouble. This typically results in significant delays in identifying and resolving the root cause of a system outage.
When certificates are compromised, there's plenty of blame to go around, and some of that blame can be placed on the individuals in charge of securing systems, as well as software vendors, and even end users who fail to effectively protect their access to certificate stores. But the problem may lie mostly with shortsighted management practices.
The primary vulnerability behind security certificates involves the management of those certificates, not the certificates themselves or the underlying technology. After all, the encryption techniques and protections in place have proven to be extremely secure when deployed with current algorithms and adequate key sizes; the weak-algorithm failure in the Flame case was a management lapse, not a flaw in public-key cryptography.
However, if an attacker can steal a certificate's private key, forge a certificate or otherwise compromise one, all the benefits offered are made moot. Additional problems occur when certificates expire: If they are not tracked and renewed, the systems that depend on them fail, often with an error that does not point at the certificate. Resolving these issues requires a proactive approach, and understanding the root causes of certificate problems is the first step.
These issues can be categorized in the following ways:
· Businesses do not know how many certificates they have or where they are located, which makes it impossible to manage them, renew them on time or replace them after an issuer compromise.
· A number of organizations specify encryption standards that define the required key strength and algorithm, but too often IT security professionals cannot tell, for a given deployed certificate, whether its key is 1024 or 2048 bits long or which signature algorithm it carries.
· SSH (Secure Shell) keys grant remote logins to Unix and Linux systems. Unlike certificates, they typically have no expiry date and no central issuer, so they accumulate unnoticed, and a number of internal auditing organizations are now looking at the risks of unmanaged SSH keys.
Encryption Keys a Threat
Over the last 16 years, certificate use has exploded, and certificates are now used both externally and internally, on routers, in software and between back-end systems. That amplifies the management problem, especially since certificates and their associated keys are still, in most organizations, tracked by hand. What's more, poorly managed private keys pose as much of a threat to security as ill-managed certificates.
With public-key cryptography, each party holds a key pair. Data encrypted with the recipient's public key can be decrypted only with that recipient's private key, and a signature produced with a private key is verified with the matching public key. A certificate simply binds a public key to an identity; it is the private key that must be kept secret, because whoever holds it can decrypt traffic meant for the owner or impersonate the owner outright.
In a survey of 471 senior managers by certificate management vendor Venafi, 54 percent of respondents admitted that their organizations had experienced stolen or unaccounted-for encryption keys. IT managers, CTOs and CIOs have gone to great lengths to better secure their systems and protect data, with mixed results: Intrusions still occur and seem to be on the upswing.
Gartner, in its "X.509 Certificate Management: Avoiding Downtime and Brand Damage" research report, offers advice about certificates. "Organizations with roughly 200 or more documented X.509 certificates in use are high risk candidates for unplanned expiry and having certificates that have been purchased but not deployed. They must begin a formalized discovery process immediately."
· “Automated certificate discovery and renewal/management work to minimize the risk of unplanned expiry. Manual or automatic certificate management should be leveraged to attribute accountability and ownership of X.509 certificates within organizations.”
· “Organizations need to create an inventory of X.509 certificates and certificate issuers to minimize the impact and downtime in the event of a certificate issuer compromise, suspected compromise or attack as seen over the past 18 months involving several certificate authorities. Furthermore, organizations need to plan for and practice what they will do in the event of a certificate authority compromise in the context of a security incident.”
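The discovery and inventory step that both the problem list above and Gartner's recommendations call for can be started with nothing more than the openssl command-line tool. The following POSIX shell script is an added example, not code from the article, from Gartner or from any vendor: it walks a directory of PEM certificates and records each one's subject, key algorithm and length, signature algorithm and expiry date, flagging RSA keys shorter than 2048 bits, MD5 or SHA-1 signatures, and anything expiring within 30 days. The directory layout, the 30-day window and the two sample certificates it generates for offline testing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a minimal X.509 inventory pass over a directory of PEM
# certificates, built on the openssl CLI. The file layout, the 30-day
# warning window and the sample certificates are assumptions for this example.

WARN_DAYS=30

# make_sample_certs DIR: create two constructed self-signed certificates so the
# script can be exercised offline. These are NOT real enterprise certificates.
make_sample_certs() {
    mkdir -p "$1"
    # Weak: 1024-bit RSA key, expires in 5 days (what discovery should surface)
    openssl req -x509 -newkey rsa:1024 -sha256 -nodes -days 5 \
        -subj "/CN=legacy.example.internal" \
        -keyout "$1/legacy.key" -out "$1/legacy.pem" 2>/dev/null
    # Acceptable: 2048-bit RSA key, SHA-256 signature, long validity
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 825 \
        -subj "/CN=www.example.com" \
        -keyout "$1/www.key" -out "$1/www.pem" 2>/dev/null
}

# cert_report FILE: print one tab-separated line:
#   file  subject  key_alg  key_bits  signature_algorithm  notAfter  flags
cert_report() {
    f=$1
    text=$(openssl x509 -in "$f" -noout -text)
    subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    # "Public Key Algorithm: rsaEncryption" and "Public-Key: (2048 bit)" lines
    key_alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig_alg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)

    flags=""
    # The 2048-bit floor applies to RSA; EC keys are legitimately shorter.
    if [ "$key_alg" = "rsaEncryption" ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        flags="$flags WEAK_KEY"
    fi
    case "$sig_alg" in
        *md5*|*MD5*|*sha1*|*SHA1*) flags="$flags WEAK_SIGALG" ;;
    esac
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$f" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        flags="$flags EXPIRES_SOON"
    fi
    [ -n "$flags" ] || flags=" OK"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$f" "$subject" "$key_alg" "$bits" "$sig_alg" "$not_after" "${flags# }"
}

# cert_inventory DIR: header line plus one report line per *.pem file in DIR
cert_inventory() {
    printf 'file\tsubject\tkey_alg\tkey_bits\tsig_alg\tnot_after\tflags\n'
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        cert_report "$f"
    done
}

# Usage: sh cert_inventory.sh DIR      inventory an existing directory of PEM files
#        sh cert_inventory.sh --demo   generate the constructed samples and inventory them
case "${1:-}" in
    --demo) d=$(mktemp -d); make_sample_certs "$d"; cert_inventory "$d" ;;
    "") ;;
    *) cert_inventory "$1" ;;
esac
```

Run with `--demo` to see the legacy certificate flagged `WEAK_KEY EXPIRES_SOON` while the second one reports `OK`. The same report, fed into a ticketing system or spreadsheet with an owner column added, is the accountability record Gartner describes; run against a directory of certificates pulled from load balancers, appliances and application servers, it also tells you at a glance which issuers you depend on, which is exactly what you need to know when one of them is compromised.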
Protecting enterprises from security breaches and downtime related to security issues comes down to proactive management, peppered with common sense and situational awareness. Organizations that choose to effectively manage security technologies will be better equipped to deal with the next generation of attacks and threats.