Just last week, an exploit of the Heartbleed vulnerability that used compromised keys and certificates became public. Community Health Systems (CHS) was breached following incomplete Heartbleed remediation, impacting an estimated 4.5 million patients. This breach was particularly significant because it compromised a behind-the-firewall system that has been a low priority for remediation for many companies. The severity and scope of Heartbleed, and now its exploits, put a spotlight on the importance of protecting trust—securing our keys and certificates.
With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced on Monday that Securing Cryptographic Keys and Digital Certificates is among the finalists selected for a 2015 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS). Back in June, I posted a blog about our submission of a PCI SIG topic on Securing Cryptographic Keys and Digital Certificates. Now the acceptance of this PCI SIG as a finalist emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.
Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.
Most organizations have not fully remediated Heartbleed. Venafi research shows that 97% of G2000 public-facing servers are still vulnerable because keys and certificates haven’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation. The bottom line is that there are hundreds of organizations that have not completed remediation and are another CHS waiting to happen.
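The remediation gap described above (patched OpenSSL, but the same private key and certificate still in service) is easy to miss without an inventory check. The script below is an added example, not code from the original post or from Venafi: it audits a constructed certificate inventory and flags each endpoint that is still missing a step. The CSV column names, the hostnames and the fingerprint values are assumptions made for the example; the only external fact it relies on is the public disclosure date of Heartbleed, 7 April 2014.

```python
"""Audit a Heartbleed remediation inventory for incomplete fixes.

Added example (not from the original post). Patching OpenSSL alone is not
remediation: a server is only done once a NEW private key has been generated
and a NEW certificate issued after the disclosure date, so that any key that
may have leaked while the server was vulnerable is no longer trusted.
The inventory format and the sample rows below are constructed for this example.
"""
import csv
import io
from datetime import date

# Public disclosure of Heartbleed: 7 April 2014. Any certificate whose
# validity starts on or before this date was issued for a key that lived on
# a server while it could still have been vulnerable.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

# Constructed sample inventory: one row per TLS endpoint, with the key
# fingerprint recorded before and after the remediation campaign.
# Fingerprints are made-up placeholders, not real values.
SAMPLE_INVENTORY = """\
host,openssl_patched,key_fingerprint_before,key_fingerprint_after,cert_not_before
www.example.test,yes,AA:11,BB:22,2014-05-02
api.example.test,yes,CC:33,CC:33,2014-05-02
intranet.example.test,no,DD:44,DD:44,2013-11-20
pay.example.test,yes,EE:55,FF:66,2014-03-30
"""


def classify(row):
    """Return the list of remediation gaps for one inventory row.

    An empty list means all three steps (patch, new key, new certificate)
    are complete for that endpoint.
    """
    gaps = []
    if row["openssl_patched"].strip().lower() != "yes":
        gaps.append("openssl not patched")
    # Same fingerprint before and after means the private key was never replaced.
    if row["key_fingerprint_before"] == row["key_fingerprint_after"]:
        gaps.append("private key not regenerated")
    not_before = date.fromisoformat(row["cert_not_before"])
    if not_before <= HEARTBLEED_DISCLOSED:
        gaps.append("certificate issued before disclosure")
    return gaps


def audit(inventory_csv):
    """Map host -> list of gaps for every row of the CSV text."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}


def unremediated_hosts(inventory_csv):
    """Sorted hostnames that still have at least one open remediation gap."""
    return sorted(host for host, gaps in audit(inventory_csv).items() if gaps)


if __name__ == "__main__":
    for host, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run it as-is to see the four sample endpoints classified; in practice the CSV would come from a certificate inventory export, and the "key not regenerated" case is the one that a patch-only status report hides.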
Are you one of the doubters who don’t think you’ll become a victim? It looks like many G2000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the last 24 months. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. The CHS attack and Advanced Persistent Threats (APTs) that target keys and certificates such as APT1, Mask, Energetic Bear, Crouching Yeti, and Zombie Zero—just to name a few—underscore the importance of strong key and certificate security and remediation capabilities.
The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.
We have two primary objectives for this SIG:
- Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
- Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates
Venafi co-submitted the PCI SIG proposal on Cryptographic Keys and Digital Certificates with SecurityMetrics, a leading QSA. SecurityMetrics brings extensive experience to the SIG—they have helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. We also have several other participants committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000.
So what’s next? The selected PCI SIGs will present at the 2014 PCI Community Meetings in North America (September) and Europe (October). An election will be held from October 13-23 and the PCI Participating Organizations will vote. The leading 2-3 SIG topics will become PCI SIG projects for 2015.
If you are a PCI Participating Organization, I hope you’ll vote for this important SIG, and even consider becoming one of the SIG participants. For more information, read the Venafi press release on our SIG for Securing Cryptographic Keys and Digital Certificates.