Plugging the trust gap

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

Every business and government is dependent upon cryptographic keys and certificates to provide trust for critical communications. These trust technologies underpin the modern world of business, establishing secure transactions and protecting access to confidential corporate data.

Unlike before, when trust could be measured in terms of locks, safes and video cameras, trust today is established in such security technologies within the enterprise network that can’t be seen, only managed. As organizations adopt cloud computing and employee-owned devices have increased access to the corporate networks and sensitive information, the challenge of securing company data everywhere increases exponentially. Cryptographic keys and digital certificates establish trust in the enterprise, ensuring that corporate data remains secure whether accessed by the employee in the cube on the second floor or by an executive in a hotel room in Singapore.

The attack vehicle
When it comes to Advanced Persistent Threats (APTs), bad actors will take advantage of the trust gap – using any and every exploit that they can leverage to steal your organization’s data. They will look for the weakest link in your security systems and find the path of least resistance. Over the past several years, criminal organizations and individual bad actors have found that by taking advantage of poor key and certificate management practices that they can breach trust to infect systems with information-siphoning malware and in some cases even implant weaponized code that can inflict physical damage on facilities.

All you have to do is look back at the past few years to realize the impact trust-based attacks have had on organizations. Organized groups have been using encryption keys and digital certificates to steal information for years, as they serve as perfect vehicles for sliding past defensive systems. Case in point: Stuxnet and Flame. These two well-known examples of malware took advantage of stolen and weak certificates. Why did the actors choose this method? Compromised certificates authenticated the malware on the network making it appear as if it was legitimate code. As a result, the infected operating systems allowed the installation of the malware without any warning.

The certificate-based attack problem is ongoing and growing. In April, the Common Computing Security Standards (CCSS) forum has logged sixteen legitimate digital certificates associated with malware. In the grand scheme of things, this doesn’t sound too bad, but when you take into account that an average of 200,000 new malicious programs are found every day, the use of legitimate certificates becomes a very real problem that organizations aren’t ready to face. Cybercriminals have gone as far as setting up fake companies to deceive a public Certificate Authority (CA) into issuing legitimate certificates that could be used to distribute malware, as was the case with the Brazilian banking malware signed with a valid DigiCert certificate.

Does this mean that trust-based technology is broken? Not quite.

The root of the problem
While each of the above exploits demonstrates the misuse of a digital certificate, it is not the technology that is the root of the failure but the proper controls over the technology. The cybercriminals behind these exploits understand that each unmanaged and unaccounted for cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation.

The problem is systemic, and the exposure is significant. Over half of all enterprises don’t know how many keys and certificates are in use, for instance. More than 60 percent of the organizations surveyed by Venafi at RSA 2013 would take a day or more to correct a CA trust compromise if they were attacked by digitally signed malware; it would take at least that long to respond to a compromised SSH key. Combine the inability to understand how trust is established with the incapacity to quickly respond when it breaks down, and you have the perfect environment for APTs and for sophisticated attackers to launch their exploits. The financial impact of these exploits can hardly be exaggerated.

The average global 2000 organization must manage in excess of 17,000 encryption keys – and most of the time the keys are managed manually. The first step in self-defense is to know thyself. Your organization is fully exposed to trust exploits and the consequences of targeted and persistent attacks on intellectual property if it does not have a clear understanding of its key and certificate inventory. Cybercriminals can easily collect unencrypted data within the network, so internal data should be protected in the same manner as external data—by encryption.

The lifecycle of all cryptographic keys should be securely managed with an enterprise key and certificate management solution. It’s no surprise that every organization surveyed by the Ponemon Institute for the 2013 Annual Cost of Failed Trust Report has had to respond to at least one attack on keys and certificates over the last two years.

Nearly 60 percent of survey respondents at RSA 2013 stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not necessarily security experts, were responsible for encryption keys and certificates. This situation can result in security breaches, unplanned outages, or audit and compliance failures. By enforcing longer key lengths, strong algorithms, frequent rotation of keys and short validity periods for certificates, you can increase your ability to reduce the threat surface.

The fix
Only through automated management can you respond fast enough to a compromise and limit significant reputational and financial damage. With APTs leveraging trust technology weaknesses, it’s critical to have visibility into and control of enterprise key and certificate inventories. Cybercriminals understand that the easy targets are those organizations that have little visibility into their threat surface and cannot respond quickly. As an industry, we need to gain control over trust and plug the gap related to key and certificate-based exploits.