Last month I wrote about digital certificates and encryption keys being used nefariously against organizations. In the time it takes you to read this blog, 1388 new malicious programs will have been submitted to AV-Test for analysis. With a percentage of these malicious programs stealing private keys and digital certificates, it’s imperative that you understand where and how these assets are being used within your organization. In one month of malware analysis, Symantec found over 800 samples that had been designed to steal keys and certificates. The growth rate of malware using digital keys and certificates is staggering: it is five times the growth rate of apps submitted to Apple every day, and in the last year it rose by 600%.
The question that needs to be answered is: why would an attacker steal private keys and digital certificates? Simply put, to gain access to your data more easily. Malware signed with a stolen digital certificate will, in many cases, be executed without any warning from the operating system. In the month that Symantec specifically tracked malware that steals encryption keys and digital certificates, the US alone accounted for more than half of all infections worldwide.
Attackers haven’t ignored Secure Shell (SSH) keys either. Stolen SSH keys are used to break into systems and to move further within the network. As an organization, you should make it a priority to understand where SSH keys are being used, who has access to them, and for what purpose, in order to reduce your attack surface. Take for example the FreeBSD servers that were hacked late last year as a result of a stolen SSH key that was being used by a developer. Had the SSH private key been protected with a passphrase, the attack would probably not have been successful, or would at least have been made more difficult.
Most organizations have been hacked at one time or another; according to FireEye, 95% are already breached. In fact, one in five Global 2000 organizations expects to be compromised in the next two years due to weak or legacy cryptography. Organizations do not look at, or understand, how many keys and certificates (51% according to Ponemon) are in use that have access to their data. By analogy with traditional network perimeter security: you would never leave externally facing ports open to traffic meant for internal use only, with no monitoring. Why then allow keys and certificates to be used within the organization without appropriate control? The question that needs to be answered is: where are the security gaps that expose an organization to exploits which take advantage of keys and certificates?
The first thing you learn in any offensive strategy is to look for your opponent’s weak areas. It is no different for cyber-criminals. Organizations no longer deal with securing company data behind the proverbial four walls. With cloud computing, employee-owned devices, and very soon the “internet of things”, the attack surface cyber-criminals can exploit has increased exponentially. To add to the problem, organizations need to maintain control over, and respond to, attacks on a global basis as employees become more mobile.
Strategies to reduce your risk
Trust but verify: The average Global 2000 organization has in excess of 17,000 encryption keys that it needs to deal with, most of the time manually. The first step in self-defense is to know thyself. Your organization is ill-equipped to defend itself against trust exploits if there is no clear understanding of its encryption key and certificate inventory. One of the concepts in the Forrester Zero Trust model is that all resources should be accessed securely regardless of location. Cybercriminals can easily collect unencrypted data within the network, therefore internal data should be protected in the same manner as external data: encrypted. And the full lifecycle of every encryption key should be securely managed with an enterprise key and certificate management solution.
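The inventory step above, and the unprotected SSH private key behind the FreeBSD incident mentioned earlier, can be combined into one concrete check: scan collected private key files and flag those stored without a passphrase. The script below is an added example (not Venafi's code or anything from the original post); it uses only the Python standard library, reads the cipher and KDF names from the OpenSSH key header and the Proc-Type header of legacy PEM files, and the key contents in SAMPLE_INVENTORY are constructed headers, not real keys.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _read_string(buf, off):
    """Read one uint32-length-prefixed string from an OpenSSH key blob."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (format, passphrase_protected) for one private key file's contents."""
    m = PEM_RE.search(text)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        return ("unknown", None)
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            return ("openssh", None)
        cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(raw, off)
        # cipher "none" (and kdf "none") means the key material is stored in the clear
        return ("openssh", cipher != b"none" and kdf != b"none")
    if label.startswith("ENCRYPTED"):  # PKCS#8 "ENCRYPTED PRIVATE KEY" is always protected
        return ("pkcs8", True)
    # PKCS#8 "PRIVATE KEY" is never protected; legacy RSA/EC/DSA PEM only when Proc-Type says so
    return ("pem", "Proc-Type: 4,ENCRYPTED" in body)

def find_unprotected_keys(inventory):
    """inventory maps path -> file contents; returns sorted paths of keys with no passphrase."""
    return sorted(p for p, t in inventory.items() if classify_private_key(t)[1] is False)

def _fake_openssh_key(cipher, kdf):
    """Constructed header only (magic, cipher name, kdf name); not a usable key."""
    raw = OPENSSH_MAGIC
    for s in (cipher, kdf):
        raw += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample inventory standing in for files collected from ~/.ssh and build hosts.
SAMPLE_INVENTORY = {
    "/home/dev/.ssh/id_ed25519": _fake_openssh_key(b"none", b"none"),
    "/home/dev/.ssh/id_ed25519_work": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "/srv/build/deploy_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n",
    "/srv/build/old_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIE\n-----END RSA PRIVATE KEY-----\n",
}
```

Running find_unprotected_keys over real files gathered from developer workstations and build servers gives the list of keys to rotate first; the same classification can be extended to the certificate side of the inventory.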
Control: Nearly 60 percent of RSA 2013 survey respondents stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not security experts, were responsible for encryption keys and certificates, which can result in security breaches, unplanned outages, or audit and compliance failures. Only with well-defined policies can you mitigate this risk. By enforcing long key lengths, strong algorithms, and frequent rotation of keys, along with short validity periods for certificates, you reduce the threat surface.
Automate: How long would it take you to respond to an attack related to SSH key or digital certificate theft? That is, how long would it take your organization to replace the keys and certificates in order to protect the data? Sixty percent of attendees at RSA 2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates. Only through automated processes can you respond fast enough to a compromise and rotate out the encryption keys and certificates that have been compromised.
Venafi Director™ is a platform that provides Enterprise Key and Certificate Management, enabling organizations to gain insight and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning the widest range of certificate authorities (CAs). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory to quickly identify security risks associated with trust exploits, as well as operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and into the cloud. As a result, organizations can successfully prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.