In this podcast recorded at RSA Conference 2018, Asif Karel, Director of Product Management at Qualys, illustrates why certificate visibility and security should not just be bolted on but part of the solution, and he showcases how Qualys CertView can help with that.
Here’s a transcript of the podcast for your convenience.
Hello. My name is Asif Karel. I am the Director of Product Management at Qualys for certificate management. In this Help Net Security podcast, I’ll be talking about the importance of having visibility into both certificates and the underlying TLS configurations and vulnerabilities as part of your overall security program.
Back in the day the SSL protocol was adopted by Netscape in about 1994 as a response to the growing concern over Internet security. Netscape’s goal was to create an encrypted data path between the client and the server that was platform and OS agnostic, and from the very beginning the main role of SSL was to provide security for the traffic that included confidentiality, authentication, message integrity and non-repudiation.
Confidentiality to make sure that only the sender and the intended recipient can read the message. Authentication to make sure that the sender is who they say they are. Message integrity to make sure that the message wasn’t altered or tampered with in transit, and using digital signatures to ensure non-repudiation. SSL, and in more recent times TLS, achieved these elements of security through the use of cryptography and properly authenticated digital certificates.
Certificates and SSL are everywhere. When you connect to your bank you’re using SSL, when you connect to a VPN you’re using SSL, when you connect to Facebook and LinkedIn, you’re using SSL, when you connect to AWS or Azure you’re using SSL. Most significantly, when applications talk to each other over the Internet or the Intranet, they are using SSL to communicate, to authenticate, and to encrypt data between the channels.
Recently SSL Labs surveyed about 140,000 certificates. They do this every month. The last report from April 3rd shows an astonishing number of expired and expiring certificates. There were about 6000 expired certificates, and 10,000 expiring certificates expiring in the next 15 days. In total about 59,000 sites, which amounts to about 43 percent of the sites surveyed, had inadequate security. Some of the sites were not only had expired certificates they were also using older protocols like SSL v3 and TLS 1.0. Almost 17 percent had RC4 enabled.
This is a concern because there’s many bad things hiding in encrypted traffic. Encrypted traffic not only hides the payload that is delivered things like ransomware and Trojans, it also hides the call back to the command and control centers as well as any data that is being exfiltrated.
Last year Gartner research concluded that 70 percent of network attacks would use SSL by the year 2020. Just three years ago this number was at 50 percent. In another research they found that 91 percent of users surveyed saw some alert or the other in the past year, and an astonishing 41 percent of users just ignore their security alerts. Users are getting trained to ignore these alerts. Certificates today are available on the dark web for about a thousand dollars. That’s a hundred times more than the price of a stolen credit card.
All organizations rely on SSL and certificates to protect their business. SSL certificates were designed to solve the original Internet security problem: accurately identifying servers of browsers so that they could safely communicate back and forth independently. But most organizations don’t have any visibility into their certificates. They don’t know where they are. They don’t know how many there are, they don’t know what purpose they’re being used for. Certificate ownership information is typically missing.
The unknown is always difficult to manage, which usually results in unplanned outages, and for every unplanned outage caused by an expired certificate, there are surely many more near misses. Most organizations usually have a policy about which certificate authorities should be used. But if you don’t have visibility into your certificates, how do you know where they are and how do you know there aren’t any certificates from unapproved CAs.
DevOps often uses free or unapproved CAs. They can’t wait days for infosec teams to get them a certificate. And when auditors come and say there are risks that need medicated, or you’re out of compliance regarding certificates, you can’t fix those issues because you don’t know where these noncompliance certificates are. Some customers track certificates using spreadsheets. This is better than no tracking at all, but this might lead to complacency because the spreadsheet only tracks certificates that have been reported. What about the others? With spreadsheets, how do you track the underlying configurations?
Certificates are often viewed as an operational issue that can be manually managed by system administrators. But this approach is just not scalable. It not only impacts business growth and innovation, it also increases the risk of compromise and breaches.
The Poneman Institute did a study not too long ago which found that the average global 5000 company spends about 15 million dollars to recover from the loss of business due to a significant outage. This includes remediation costs, loss of productivity, loss revenues brand image damage.
In addition to this they spend around 25 million dollars in audit and compliance remediation. Instagram, even Google and Microsoft have suffered outages from expired certificates. And in that same Ponemon report organizations cited at least two certificates related outages over two years. These outages can hurt.
There are alternatives to the spreadsheet, but they have their own challenges. Most of these alternatives are point tools, and while some do help, most of them are just that – tools that eventually increase the admin effort and cost of ownership. They’re not scalable, they’re deployed in either operational silos or technology silos, and the silos deployed their own instance of the tool without other teams knowing about it or already or be able to leverage it. Because of the way they designed these tools can only work within the enterprise or in the cloud, but have a hard time working across both environments.
In today’s world the cloud and enterprise networks are tied and you can’t have the segregation approach. And most solutions are certificate or vulnerable-only tools. They give you half the perspective. The rest is still unknown and you often have to deploy another tool to do the other half.
So, you end up with an SOC where different teams want to collaborate but they can’t. Respond to outages and breaches can take a very long time. And this is where Qualys CertView can help. Qualys CertView can not only discover monitor and create an inventory of certificates, Qualys CertView can also discover the host, the associated vulnerabilities and post configurations related to that certificate instance.
What can you do with CertView?
First and foremost stop expired certificates from interrupting critical business functions. Qualys CertView gives you certificate grades which tell you how strong or weak the underlying configuration is.
The unknown is always difficult to manage. So effort must be put into undefined and how and where certificates are being used. At the very least, create a baseline and have the ability to monitor the baseline, and make sure things are not changing and when things do change be able to say what has changed and how it’s changed. And if it’s a big deal that this certificate went away, or you found another instance of some certificate on another system, is that interesting or not.
With CertView you get full visibility across on premise and in cloud network through a single pane of glass. So, we can also help meet audit requirements and give you the ability to quickly remediate and close security gaps. If an audit needs data on how many SHA-1 certificates or wildcard certificates are out there, you can get that in seconds.
In summary, certificate visibility and security should not just be bolted on. It should be part of the solution, and Qualys gives you that platform. Thank you for listening to the podcast.