Digital Security Certificates Need Tight Management

Mismanaged encryption keys and certificates have emerged as the latest IT security risk – one that’s more like the iceberg that sank the Titanic than recent, highly-publicised data breaches. As encryption keys and certificates proliferate, many organisations blissfully continue to mismanage their certificates and keys, ignoring the tangible rinks that doing so poses to security, compliance and operations — risks that, if not addressed, can sink reputations and leave organisations floundering in a sea of customer recriminations.

Today data encryption has permeated every facet of IT life – found in every corner of the infrastructure. Encryption keys and digital certificates that are used to authenticate systems and secure data have grown organically, becoming prolific security technologies in every business and government sector. SSL certificates and their associated private keys, for instance, are broadly used to secure systems and data for a wide variety of mission-critical applications – including credit-card transactions, online banking, healthcare information access and many others – both inside and outside corporate firewalls.

The encryption keys used to secure data have become the “keys to the kingdom.” People trust data because they trust the data is protected by a strong lock and an appropriately strong encryption key. But what happens when the care and handling of the key itself is not trustworthy? And how can companies that attempt to manage the lifecycle of these encryption certificates and keys manually guarantee that they are well cared for and properly managed?

Shifting Threat Landscape

This problem is not hypothetical and was detailed this week by AVG in their Community Powered Threat Report Q2 2011. AVG considers mismanaged and stolen certificates as the number one threat facing the enterprise:

“The trend in Q2 2011 could be characterised as ‘the shift’. As cybercriminals are shifting some of their efforts to better monetise having the increased popularity of new computer platforms there is also a shift in responsibility of cybercrime damages to the victims. This quarter we noticed that cybercriminals are utilising the knowledge, experience and tactics to explore ‘new markets’ to increase revenue from their operation. These criminals are performing even more sophisticated attacks in order to steal assets that can later be used to simplify other, more sophisticated, attacks.”

The best way to gain access to access valuable systems and data that is encrypted is to find the encryption keys and simply unlock the encryption.

As AVG points out, “Stealing the keys to the house becomes easier than breaking the Windows. As digitally signed code unlocks ‘doors’ to enable binary code to execute on a PC, hackers have increased their efforts in stealing digital certificates to sign their malware with it. Starting in 2011, and more specifically in Q2, AVG Threat Lab has seen a rise of stolen digital certificates being used to sign malware before it is being distributed by hackers. We have detected 53,834 pieces of signed malware in the first 5 months of the year comparing to 39,102 during the whole 2010, indicating an increase of over 300 percent. Although in the last few years we have seen many faked digital certificates in use by cybercriminals, the use of stolen legitimate keys is a major trend these days.”

As AVG further elaborates, hackers use these stolen digital signatures to “sign” a malware application. As AVG maintains: “Nowadays, digital certificates are widely used in modern operating systems to unlock protection layers and allow files to be executed, knowing a trusted authority confirmed the legitimacy of the file. Many companies sign their software products with such digital certificates so they can be easily recognised as trusted by security components.”

In other words, operating systems, security software and end users, trust “signed” files. Because they consider programs signed with a digital certificate to be safe, they give those programs some dangerous privileges, and the authors of malicious software have caught on.

The Keys To The Kingdom

AVG points out that stolen certificates made the headlines recently with the highly publicised Stuxnet worm that used valid stolen certificates. In their report, they present examples of malware using legitimate digital signatures as detected and analysed by their Labs. And AVG claims to have witnessed a three-fold rise in the amount of malware signed with a stolen certificate in 2011 alone. AVG ‘anticipates’ that ‘stolen keys’ such as digital certificates, tokens and passwords will eventually become a significant problem and that they are likely to be utilised by high revenue generating malware such as Zeus or be used by countries or organisations as part of their cyber war, political agenda or industrial espionage.

Today, private or asymmetric encryption keys are not well protected — both from lax distribution processes inside the firewall as well as the poor and infrequent keystore password rotation practices. These private keys to the kingdom are frequently protected with the same password across hundreds of administrative keystones. Administrators also often have direct access to the keystores and duplicate the keys in them for distribution, and reuse them on other systems and applications throughout the infrastructure. This represents significant risk.

For companies with thousands and even hundreds of thousands of digital certificates and encryption keys, this trend exposes another mission-critical security asset to protect. Rather than steal customer details or intellectual property, hackers have begun to target this valuable but often overlooked piece of information: the company’s private keys for signing its software.

The need for such guidance is not overstated. Major corporations like Lockheed Martin, L3, NHS, Epsilon, EMC, and others have recently experienced unauthorised access that has been the subject of significant, mainstream press coverage. Without leveraging best practices and automated management processes, organisations will never gain complete control of their key and certificate inventories, resulting in significant security, compliance and operational risk that invariably lead to unauthorised access.

Most organisations are in encryption chaos—encryption assets are strewn throughout the organisation, and they are managed in silos and departmentally.  There is no enterprise-wide understanding of who manages this critical resource, or of why and how it is being managed.

What many organisations do not understand is they have to manage their keys – you can have the strongest lock in the world but if you hand the bad guys your keys they have access to all your information. And—as AVG has shown—they also have the keys to your reputation. What are you going to do when this happens?  Do you know where your keys and certificates are?  What is your plan to recover quickly?

I agree with AVG – the problem will get worse – but the solution is already available. Manage your encryption keys and certificates and your personal iceberg nightmare will melt.

Jeff Hudson is CEO at Venafi