Even though your organization is spending millions on security technology to protect the business and stop adversaries, cybercriminals are still getting away with your data. There’s no better indication of this ongoing trend than the Breach Level Index’s findings for H1 2018. In just these six months, fewer than a thousand security incidents exposed more than 4.5 billion data files. That’s more than any other year on record.
It’s time to take a long hard look at your security strategy and ask yourself where all the gaps are. One area where most organizations fall short is key and certificate security. I’m not talking about key and certificate management, which doesn’t help mitigate or detect trust-based attacks. I’m talking about what analysts are now calling machine identity protection.
The sad truth is that your organization has probably invested millions of dollars in security solutions but failed to secure keys and certificates. As a result, the security solutions you have implemented wind up having diminished effectiveness, because your security strategy has a gaping hole that adversaries are taking advantage of. I’m talking about trust-based attacks.
In the last decade, attacks on keys and certificates have increased dramatically. Some of the most well-known ones like Snowden, Energetic Bear, Carreto and Heartbleed have shown just how ineffective the security investments your organization is making are against trust-based attacks.
Time for a change
Whether you use a key lifecycle management solution or the good old spreadsheet, basic key management is not good enough. That’s especially true given organizations’ increasing use of keys and certificates to protect their machine identities. In the wrong hands, machine identities can be misused to gain access to sensitive data by creating hidden communication channels within the network. Alternatively, bad actors can trick enterprise network defenses into believing they are a legitimate machine that can safeguard sensitive information.
Bad actors realize the value of stealing, forging and using keys and certificates. They also know that many organizations are rapidly adding more machines to the cloud, IoT and mobile. Together, these developments make it even more important that organizations protect their machine identities so that they can guarantee the confidentiality of information exchanged between computing devices. But how can they do this?
A good way to start is to take a good long hard look at your security strategy and evaluate how your organization is protecting its keys and certificates.
Basic key management is not going to help you identify rogue usage of keys and certificates in the network. Neither is an IDS/IPS, NGFW, sandboxing or even an SSL gateway scanning solution. The truth of the matter is that keys and certificates are blindly trusted. Combatting threats that leverage these trusted assets requires a targeted solution designed to discover their misuse.
Revamping your security strategy
Don’t undermine the millions of dollars your organization has invested in security solutions with a gap in your key and certificate protection. Close this gap to make all of your security solutions more effective. Here are some recommendations on implementing key and certificate security:
Identify vulnerabilities related to keys and certificates and remediate by replacing vulnerable keys and certificates.
Establish a baseline norm of key and certificate usage. In doing so, you will quickly be able to identify any rogue usage of keys and certificates that trigger security events.
Define and enforce centralized policy for all keys and certificates—including SSH keys.
Automate the remediation of trust-based attacks to reduce the overall impact.
At the same time, organizations need to achieve complete visibility of their machine identities’ behavior and status across their extended ecosystem. Things can change at a moment’s notice, so it’s important that enterprises have a way to automatically identify weaknesses and respond to potential security concerns.
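A minimal sketch of the baseline and policy recommendations above, added here as an example and not code from Venafi or the author: it compares scan records against an inventory of expected certificates and a central policy, and reports every deviation. The hostnames, fingerprints, record fields, policy values and the `find_deviations` function are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample policy, baseline and scan data (not from a real inventory).
POLICY = {"approved_issuers": {"Example Internal CA"}, "min_rsa_bits": 2048}
BASELINE = {  # (host, port) -> fingerprint of the certificate expected there
    ("web01.example.internal", 443): "aa11",
    ("api01.example.internal", 8443): "bb22",
}
OBSERVED = [  # one record per TLS endpoint seen by a scan
    {"host": "web01.example.internal", "port": 443, "fp": "aa11",
     "issuer": "Example Internal CA", "rsa_bits": 2048, "not_after": "2030-01-01"},
    {"host": "api01.example.internal", "port": 8443, "fp": "cc33",
     "issuer": "Example Internal CA", "rsa_bits": 2048, "not_after": "2030-01-01"},
    {"host": "dev07.example.internal", "port": 443, "fp": "dd44",
     "issuer": "dev07.example.internal", "rsa_bits": 1024, "not_after": "2020-01-01"},
]
SCAN_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed scan timestamp

def find_deviations(baseline, observed, policy, now):
    """Return (endpoint, reason) pairs for usage outside baseline or policy."""
    findings, seen = [], set()
    for rec in observed:
        ep = (rec["host"], rec["port"])
        seen.add(ep)
        expected = baseline.get(ep)
        if expected is None:
            findings.append((ep, "endpoint not in baseline"))
        elif expected != rec["fp"]:
            findings.append((ep, "certificate differs from baseline"))
        if rec["issuer"] not in policy["approved_issuers"]:
            findings.append((ep, "issuer not approved"))
        if rec["rsa_bits"] < policy["min_rsa_bits"]:
            findings.append((ep, "key shorter than policy minimum"))
        expiry = datetime.strptime(rec["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append((ep, "certificate expired"))
    # A baseline endpoint that no longer answers is also a change worth reviewing.
    for ep in baseline.keys() - seen:
        findings.append((ep, "baseline endpoint not observed"))
    return findings

if __name__ == "__main__":
    for (host, port), reason in find_deviations(BASELINE, OBSERVED, POLICY, SCAN_TIME):
        print(f"{host}:{port}  {reason}")
```

Each finding is a candidate for the remediation step in the list: replace the certificate, or update the baseline if the change was authorized.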
Venafi helps organizations address key and certificate issues, manage their machine identities and block trust-based attacks with its Trust Protection Platform. To find your organization’s SSL vulnerabilities, register for a free risk assessment.
Originally published by Gavin Hill on August 21, 2014.