The Snowden case has caused an international media frenzy, with many questions that still need to be answered. No matter what questions we have about the U.S. government’s surveillance policies, however, we should not ignore the network vulnerability this case highlights. As I have followed all the news about this case, one statement in particular intrigues me. Last month U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden accessed “files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator.” I find this statement interesting because it has sparked numerous conversations and debate about how Snowden gained access to confidential information.
What does “fabricating digital keys” mean? There is some debate as to whether Snowden simply used other people’s Secure Shell (SSH) keys that had weak or no passwords, whether he ran a fake certificate authority (CA), or whether he “minted a certificate, or a ticket, or token, or whatever the thing is, by subverting an issuing authority or its processes (possibly via social engineering).”
We may never know how Snowden fabricated digital keys to gain elevated privileges on systems, but if we focus on discovering his exact methods, I think we are overlooking an important question: How are encryption keys and digital certificates being used within our organizations? The Snowden case should be a wakeup call for organizations—regardless of what type of digital keys Snowden used. It clearly shows that low-level administrators can gain elevated privileges in areas of an organization where they should not normally have access. When digital certificates or encryption keys are used for authentication—SSH keys or user certificates, for example—a user who obtains them can bypass the other authentication mechanisms on a host, resulting in elevated privileges.
We’ve seen how bad actors use self-signed certificates to encrypt their traffic and thereby disguise their communications within organizations. Security solutions blindly trust encrypted traffic. Many security solutions cannot inspect encrypted traffic at all because they lack the capability to decrypt it, and those that do have this capability still need the relevant encryption keys before they can scan the traffic.
As the Snowden case shows, encrypted traffic and the use of encryption as an authentication mechanism within the confines of an organization’s network are generally trusted, which creates a security risk. Organizations can learn three main lessons from this case:
Lesson 1
More than 50% of organizations do not have a clear understanding of their encryption keys and digital certificate inventory. These organizations do not know how keys and certificates are used, what systems they provide access to, or who has control of them. It is imperative that organizations understand what keys and certificates are being used in the network, who has access to them, how they are being used, and when they are being used. The first step in gathering this information is to gain a clear understanding of the key and certificate inventory by centrally managing these cryptographic assets.
Lesson 2
Bad actors (including insider threats) take advantage of the fact that keys and certificates are blindly trusted. They use this trust against organizations by gaining elevated privileges to systems, thereby bypassing host authentication controls. One such example was highlighted in the Mandiant APT1 report, which briefly describes how attackers inserted their own self-signed certificates that were used to encrypt communications between victims’ hosts and the attacker’s command and control. By gaining a clear understanding of your key and certificate inventory, you can detect anomalous behavior. For example, if you have a clear understanding of the entire key and certificate inventory and a rogue self-signed certificate is detected on the network, you could immediately investigate the certificate, reducing the exposure and mitigating any potential losses.
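One way to act on Lessons 1 and 2 together: keep the inventory keyed by certificate fingerprint, and flag any self-signed certificate observed on the network whose fingerprint is not in it. This is an added example in Go using only the standard library, not code from the original post; the internal CA, server certificate and rogue certificate it builds are constructed samples, and the rule "self-signed and unknown" is an assumed, minimal triage policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of the DER encoding, the key most inventories record.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// IsSelfSigned verifies the signature with the certificate's own public key; no chain, no CA-constraint checks.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}
// Triage returns the Lesson 2 case: self-signed certificates whose fingerprint is absent from the inventory.
func Triage(seen []*x509.Certificate, inventory map[string]bool) (rogue []*x509.Certificate) {
	for _, c := range seen {
		if IsSelfSigned(c) && !inventory[Fingerprint(c)] {
			rogue = append(rogue, c)
		}
	}
	return rogue
}
// MakeCert builds a constructed sample certificate; parent == nil means self-signed.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func main() {
	ca, caKey := MakeCert("corp-ca.example.invalid", true, nil, nil)              // known, self-signed root
	server, _ := MakeCert("intranet.example.invalid", false, ca, caKey)           // known, CA-issued
	rogue, _ := MakeCert("rogue.example.invalid", false, nil, nil)                // unknown, self-signed
	inventory := map[string]bool{Fingerprint(ca): true, Fingerprint(server): true} // the Lesson 1 inventory
	for _, c := range Triage([]*x509.Certificate{ca, server, rogue}, inventory) {
		fmt.Printf("investigate: self-signed CN=%q is not in the inventory (sha256 %s)\n", c.Subject.CommonName, Fingerprint(c))
	}
}
```

Only the unknown self-signed certificate is reported; the CA-issued server certificate is left alone because its signature does not verify under its own key, so the rule never mistakes it for a self-signed one.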
Lesson 3
Security experts strongly recommend that organizations encrypt any sensitive data and control access to the systems that house that data. However, encryption is only as strong as the protection of its key. Failing to secure encryption keys is as risky as transmitting the sensitive data in plain text. Direct access to cryptographic keys and certificates enables anyone to gain elevated privileges. You should implement solutions that create separation of duties so that encryption keys and certificates cannot be accessed directly. Any action performed with encryption keys and certificates should also be logged for audit purposes.