There has been a dramatic increase in attacks that leverage keys and certificates, and the recent breadth and criticality of vulnerabilities, from Heartbleed to POODLE, underscore the importance of strong security and remediation capabilities. With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced today in its PCI Monitor weekly newsletter that Securing Cryptographic Keys and Digital Certificates is among the five finalists selected for a 2016 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS).
This is the second year running that the PCI SSC has designated key and certificate security as a SIG finalist. Although the PCI Participating Organizations did not elect key and certificate security as a 2015 SIG last year, the PCI SSC has selected it as a finalist again—this time for the 2016 PCI SIGs—showing the council’s support for this important security and the need for a SIG in this area. Its acceptance for the second time emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.
This year the vulnerabilities in SSL and early TLS moved the PCI Council to eliminate their use under PCI DSS 3.1. However, to date, there has not been specific guidance on how to best implement and secure keys and certificates with detailed information on industry best practices and how these security elements interrelate for optimal protection.
Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.
Are you one of the doubters that don’t think you’ll become a victim? It looks like many G5000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, for the last four years running, every major enterprise has been attacked using compromised keys and certificates. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. Advanced Persistent Threats (APTs) that target keys and certificates such as APT 1, APT 18, Mask, POODLE, FREAK, Shellshock, and the Sony breach, as well as the Chinese certificate authority, CNNIC, involved in the issuance of malicious certificates, are just a few examples that underscore the importance of strong key and certificate security and remediation capabilities.
The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.
We have two primary objectives for this SIG:
- Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
- Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates
So what’s next? Video presentations of the selected PCI SIG finalists will presented at the 2015 PCI Community Meetings in North America (September) and Europe (November), and on the PCI SSC website. After the community meetings, an election will be held and the PCI Participating Organizations will vote. The leading 1-2 SIG topics will become PCI SIG projects for 2016.
We have several participants already committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000. We hope that PCI Participating Organizations will follow the council’s show of support for key and certificate security for two years running and vote for this important SIG.
If you are the voting member of a PCI Participating Organization, vote for Cryptographic Key and Digital Certificate Security as a 2016 SIG and consider becoming one of the SIG participants.