Instead of making the general New Year’s Resolution to decrease the risk in your company’s information security, let’s apply what we learned in 2014 about today’s threatscape and develop New Year’s Revelations.
In the past year, many breaches have occurred that can be tied to the theft of private cryptographic keys. Some of the top threats of 2014 (e.g., Heartbleed, Shellshock, POODLE, and Gotofail) exposed private keys. Solutions using keys and/or certificates can no longer be blindly trusted. This affects solutions such as SSL, VPN, multi-factor authentication, privileged access (SSH), code signing, and mobile computing. Information security experts are predicting that attacks and breaches using private keys will only continue to increase in 2015.
The use of digital certificates and cryptographic keys has skyrocketed. Every person in your organization uses one or more digital certificates and/or cryptographic keys, multiple times, daily—without even knowing it. Keys and certificates are meant to secure our communications and provide privacy, authentication, integrity, and non-repudiation. But when stolen, they can jeopardize the very things they are meant to protect. These “keys to the kingdom” give attackers the access they need to your sensitive information and allow their activities to go undetected. Therefore, it is necessary to consider what is fundamental to the confidentiality, integrity, and availability of your company’s sensitive data. How do you protect against inappropriate access, modification, and downtime through the use of stolen keys and certificates?
Let’s consider the threat in more detail. What are the vulnerabilities that affect private keys? They include software bugs, the use of deprecated hashing or cryptographic algorithms, and long validity periods for certificates. Does the Information Security Policy in your organization include policies to protect against these vulnerabilities? Are your policies backed up by standards, guidelines, and solutions for implementing compliance with the policies? The clarity of having these in place allows for efficient risk assessment and gap analysis. This ultimately feeds into the risk management process and into quarterly and annual audit and compliance reporting. All of this reporting is based on adherence to the Information Security Policy in your organization.
One important consideration is how your policies on securing your keys and certificates impact the rest of your Information Security practices. ISO 27002, section 10.1.2, states that “A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.” If there are gaps in protecting your keys at any point in their lifecycle, attackers can compromise those keys and bypass the other security controls used by your organization. This means this one ISO 27002 statement is fundamental to ensuring that the rest of the security controls in place in your organization perform the way they should. Broken key security undermines all of your other security technologies and access controls.
Stealing keys is a real threat, and the proper people, processes, and technology must be put in place to ensure that cryptographic keys are managed through their entire lifecycle, including generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. How do you think the current state of your certificate and key visibility and security increases the risk of these threats to your organization? How do you think your stockholders, board members, and audit and compliance staff would feel if your certificates and keys were compromised and your organization breached? The revelation I hope you’re having for 2015 is that, if you’re not securing your private keys and certificates, then you are not secure.
So as we kick off 2015, does your Information Security Policy need to be updated to protect against today’s attacks that target keys and certificates? As you get started, realize that the problem begins with a lack of visibility. Most organizations lack a complete inventory of SSH keys, SSL keys, and other keys and certificates in their organizations. They are unaware of where their keys and certificates are across their network, how they are used, and who owns them.
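As an added example, not part of the original article and not a Venafi tool: a policy check over a certificate inventory that flags the weaknesses named above (deprecated hashes, long validity periods) together with expired certificates and records with no owner. The record fields, hostnames, the RSA key-size check and all thresholds are assumptions made for this example.

```python
from datetime import date

# Policy thresholds are assumptions for this example; take yours from policy.
DEPRECATED_HASHES = ("md5", "sha1")
MIN_RSA_BITS = 2048
MAX_VALIDITY_DAYS = 398

# Constructed inventory records, shaped like fields a certificate scan
# would collect (signature names follow OpenSSL's spelling).
INVENTORY = [
    {"host": "www.example.test", "owner": "web-team", "sig_alg": "sha256WithRSAEncryption",
     "key_type": "RSA", "key_bits": 2048, "not_before": "2014-11-01", "not_after": "2015-11-01"},
    {"host": "vpn.example.test", "owner": "", "sig_alg": "sha1WithRSAEncryption",
     "key_type": "RSA", "key_bits": 1024, "not_before": "2010-01-01", "not_after": "2020-01-01"},
    {"host": "legacy.example.test", "owner": "ops", "sig_alg": "md5WithRSAEncryption",
     "key_type": "RSA", "key_bits": 2048, "not_before": "2012-06-01", "not_after": "2014-06-01"},
]

def audit_entry(entry, today):
    """Return the policy findings for one inventory record."""
    findings = []
    sig = entry["sig_alg"].lower()
    for name in DEPRECATED_HASHES:
        if name in sig:
            findings.append(f"deprecated signature hash: {name}")
    if entry["key_type"] == "RSA" and entry["key_bits"] < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {entry['key_bits']} bits")
    start = date.fromisoformat(entry["not_before"])
    end = date.fromisoformat(entry["not_after"])
    lifetime = (end - start).days
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append(f"validity too long: {lifetime} days")
    if end < today:
        findings.append(f"expired on {end.isoformat()}")
    if not entry.get("owner"):
        findings.append("no owner recorded")
    return findings

def audit_inventory(inventory, today):
    """Map host -> findings, listing only hosts with at least one finding."""
    report = {}
    for entry in inventory:
        findings = audit_entry(entry, today)
        if findings:
            report[entry["host"]] = findings
    return report

if __name__ == "__main__":
    # Fixed, constructed "as of" date so the output is reproducible.
    for host, findings in audit_inventory(INVENTORY, date(2015, 1, 15)).items():
        print(host, "->", "; ".join(findings))
```

The same checks apply to records exported from any discovery scan, once its fields are mapped to the names used here.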
You can get more visibility into the current state of key and certificate vulnerabilities in your organization by running a report from the Venafi Threat Center. With this report you can see what certificate vulnerabilities exist. Once armed with more insight, you can see what other revelations you can make for better key and certificate security in Information Security Self Assessments, Gap Analysis, Action Planning, Risk Management, Internal Audit, Material Audit, compliance initiatives, and more for 2015.