The National Institute on Standards and Technology (NIST) and Venafi today announced publication of the NIST Information Technology Laboratory (ITL) bulletin entitled, “Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance.” NIST released the ITL bulletin, which information-security experts at NIST and Venafi co-authored, to alert both government agencies and private-sector organizations to the risks of certificate authority (CA) compromises. The bulletin also offers guidance on how to prepare for and respond to a CA compromise that results in fraudulently issued security certificates.
Digital X.509 certificates have become the de-facto standard for ensuring online trust. Nearly all government and private-sector organizations use them broadly for Secure Sockets Layer (SSL), Transport Layer Security (TLS), and other security protocols. Large organizations may use thousands and even tens of thousands of certificates and encryption keys—issued from internal and external CAs—in their data centers, private clouds, and increasingly on mobile devices to authenticate systems and users and to encrypt communications. As a result, CAs, certificates, and private keys have become high-value targets for cybercriminals in search of sensitive government and corporate information.
In 2011, attackers successfully targeted several public certificate authorities and, in at least two of these incidents, the attackers successfully issued fraudulent certificates. An attacker who breaches a CA to generate and obtain fraudulent certificates does so to launch further attacks against organizations or individuals. Attackers can use fraudulent certificates to authenticate as other individuals or systems, or to forge digital signatures.
Responding to a CA compromise may entail replacing all user or device certificates, or trust anchors from the compromised CA. If an organization is not prepared with an inventory of certificate locations and owners, it will not be able to respond quickly and may experience significant interruption in its operations for an extended period of time. To avoid this, organizations must establish CA-compromise preparation and response plans.
“Certificate authorities have increasingly become targets for sophisticated cyberattacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” bulletin co-author William Polk of NIST’s Computer Security Division noted. “Recent attacks on CAs make it imperative that organizations are prepared to respond to CA compromises and the issuance of fraudulent certificates. This bulletin was published to provide organizations with practical guidance and proven best practices, which they can implement right away to minimize risk and damages should a CA compromise occur.”
“Because certificates are typically installed and managed by individual administrators in disparate departments, most organizations and executives are not aware of their dependence on certificates for security. Nor are they aware of the significant disruption to business operations that would result if they had to replace all affected certificates following a CA compromise,” said Paul Turner, vice president of products and strategy at Venafi. “The goal of this paper is to provide clear, easy to follow steps and procedures to prepare for and respond to a CA compromise. If enterprises are not prepared to respond to a CA compromise, they have overlooked business continuity planning that could prevent extended downtime for a majority of their applications and systems.”
NIST and Venafi provide several important steps organizations should implement to prepare for a CA compromise:
For applications that have public key certificates of their own, procurement requirements should ensure that CA-independent mechanisms exist for obtaining new system and application certificates
To download the full July 2012 NIST ITL Security Bulletin go to http://csrc.nist.gov/publications/PubsITLSB.html
Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of England, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communications networks. We invite you to explore our website to learn about our current projects, to find out how you can work with us, or to make use of our products and services.
As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.
Venafi is the market leading cybersecurity company in Next-Generation Trust Protection. As a Gartner-recognized Cool Vendor, Venafi delivered the first trust protection platform to secure cryptographic keys and digital certificates that every business and government depend on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.
As part of any enterprise infrastructure protection strategy, Venafi Director helps organizations regain control over trust in the cloud, on mobile devices, applications, virtual machines and network devices by protecting Any Key. Any Certificate. Anywhere™. Venafi prevents attacks on trust with automated discovery and intelligent policy enforcement, detects and reports on anomalous activity, and remediates errors and attacks by automatically replacing misconfigured and compromised keys and certificates. Venafi Threat Center provides primary research and threat intelligence for trust-based attacks.
Selected as a 2013 FiReStarter and Red Herring Top 100 company, Venafi customers are among the world’s most demanding, security-conscious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, manufacturing, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.