Why 2012 is the year of Public Key Infrastructure

May 12th, 2012

Comodo, Sony, RSA Security and why it isn’t over for PKI

The IT security world has been shaken by a series of breaches that some say spells the death of Public Key Infrastructure (PKI) technology.

Comodo, Sony, RSA Security and other breaches have seen established and trusted organisations fall from grace as they became victims of hacking. With Comodo and StartSSL in particular the resultant outcry has focused on the future of PKI.

Certificate authorities (CAs) are critical links in the chain that ensures the quality and integrity of enterprise IT security, compliance and operations. CAs issue and ensure valuable third-party trust for human-to-machine and machine-to-machine communications and authentication. However, leveraging the security benefits of trust providers like CAs doesn’t relieve your organization of its management responsibilities.

On the contrary, effective encryption key and certificate management processes based on best practices are as critical to your organization’s security profile as are certificates and keys themselves. To understand what your organization should seek in a management solution, it might be helpful to first understand the roles CAs and digital certificates play on the security-solutions stage.

When I arrived at work this morning, I found an email telling me that Malaysia may be suffering a case of bad entropy—or to put it more precisely, bad key entropy. “What does this mean?” I asked myself.

So off I went to a few familiar “fonts of all knowledge,” Google and Wikipedia, to discover what entropy is all about. According to one source I came across, entropy is a measure of disorder or unpredictability. In other words, my wife can exhibit extremely entropic behavior at times. If she were a crypto algorithm, high concentrations of entropy would be very good, but she’s not. In general, I haven’t got a clue what she’s thinking when she behaves entropically.

Another source expressed the common belief that entropy is a good measure of how many guesses it will take to correctly guess a single value generated by a given source—for example, the number of guesses it takes to correctly guess a single thought generated by my wife, which I have yet to determine. But Drs. David Malone and Wayne Sullivan from the Department of Mathematics at University College Dublin are convinced that this belief is not well founded and that its implied definition of entropy “may have arisen via the asymptotic equipartition property.” Ah yes—it’s amazing what you’ll see at the bottom of a pint of the black stuff!

But what do these ramblings have to do with anything, you might ask? The answer to this question brings us back to the email about Malaysia’s current malady.

The Split-Personality Year of 2011 will Lead Organizations to Make Sure they are Protected in 2012: The Year of Ubiquitous Encryption

People have long named years according to their personalities—in Chinese astrology, 2011 was the Year of the Tiger, for example, and in American culture, 2003 was the Year of the Blues. In the IT security sphere, pinning down 2011 to just one personality would deny another, equally strong personality: The year had a split personality. It was the Year of the Third-party Trust Compromise, and the Year of the Bring Your Own Device (BYOD) Mobile Revolution.

These two personalities have more in common than you might think. For example, both engendered 2012’s emerging personality, the Year of Ubiquitous Encryption, which is already taking shape. And both relate to a common security problem: attacks from within an organization’s systems. They also share the solution to this problem: improved processes and management.

When news of a persistent and deeply penetrating attack against government agencies makes headlines, speculation often prompts widespread panic. A case in point is the public response to the recently revealed activities of the Operation Shady Remote Access Trojan (RAT). Primed by the summer’s latest conspiracy thriller, alarmed audiences consider governments and their allies to be the main target. As they ponder the implications of compromised, top-secret diplomatic correspondence and military secrets they concede: well, better them than me. But the Shady RAT hackers seemed equally interested in stealing intellectual property and customer data from the businesses as well, which means the problem extends into the private sector too.

Firewalls, antivirus software and intrusion detection tools may work to keep out stealthy attackers, but what is to be done about rogue insiders? The reality is that the bad guys are already in—working from the inside of your organisation. Dmitri Alperovitch—McAfee Vice President, Threat Research and author of the report on Operation Shady RAT—divides all Global 2000 companies into two camps: those who have been compromised and know it, and those who simply don’t know it yet.

The amount of data that enterprises must secure with encryption is growing rapidly, and with it, the number of digital certificates and keys that encrypt the data. This digital-certificate explosion, while necessary, can create management nightmares: Companies must track each and every certificate, and in keeping with best practices, renew each of them as they are set to expire (typically annually). The ability to do this hinges on a critical asset: a comprehensive inventory.

Plans Must be in Place to Recover Anytime the Trust Provider is Compromised

When a company prides itself in providing the most advanced and sophisticated network security solutions—and that company’s own network is hacked—brand insult is added to data injury. Not only must the company compensate customers for their losses, but the breach of information incurs an unquantified cost to its reputation. No one wants to call on the services of the firehouse that burned down, and customers will invariably ask how a company’s security solutions can protect them if they couldn’t protect the company itself.

Former Defense Secretary Donald Rumsfeld famously said the following at a Pentagon news conference in 2002: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”

Defending Against Attacks Requires Good Technology, But Companies Must Also Have Effective Management Systems and Best Practices in Place.

There’s an old expression that the most dangerous part of a car is “the nut holding the steering wheel.” It means that despite all the technology that goes into making cars safer, there’s still risk associated with human error by the driver. The same holds true for an enterprise network. Despite all the technology that offers data loss prevention, encryption, intrusion detection, firewalls and vulnerability scanning, network breaches still occur. That’s because the technology has to be complemented with proper employee training, rigorous adherence to best practices, internal policies and effective IT security management. An enterprise that relies solely on technology to protect its network, without effective management, is still very much at risk.

Members of the Amazon Cloud community can build Amazon Machine Images (AMIs) from their own virtual servers and share them to save fellow developers time. But recently, the Center for Advanced Security Research Darmstadt (CASED) discovered that many community members are sharing more than they bargained for.

Like generous souls giving their old jacket to a shivering passerby – only to find that they left their driver’s license, passport, and credit cards in the pocket – these members published their AMIs without removing sensitive data such as SSH keys and the private keys associated with digital certificates.