RSA 2106 did indeed shape up to be an interesting event. With a hospital in Los Angeles being held hostage by hackers with ransomware and Apple defending its operating system against the federal government’s request for a backdoor, the threats facing cybersecurity are significant and dangerous.
At the same time, we’re needing to provide faster IT—cloud, DevOps, IoT, mobility, and more. As I expected, the RSA sessions, floor, and meetings were buzzing with talk of DROWN and what we need to do to protect the things we care about while delivering more IT services, faster, and with less.
IT Security professional are entrusted with protecting the business and its critical digital assets. So we layer security controls, ensuring we have a defense-in-depth approach. With endpoint protection, advanced threat protection, next generation firewalls, IDS/IPS, VPNs, behavioral analytics, access controls, data protection, and so many others, it’s not surprising that Gartner expects information security spending to exceed $83 billion in 2016.
But with all of this protection, the bad guys are still getting in—and they are using our own security controls to do it. We use cryptographic keys and digital certificates to protect our communications and connections. However, security controls blindly trust keys and certificates, enabling cybercriminals to use stolen or forged ones to bypass security controls. When keys and certificates go unmanaged and unprotected, the foundation of cybersecurity crumbles.
As it turns out, we are the ones with visibility problems.
I think we can all agree that encryption is important. It secures our networks, online transactions, communications, and data. Even Edward Snowden agreed that nothing is as effective as encryption at safeguarding our digital assets when it is properly implemented. Unfortunately, many don’t properly manage and secure their cryptographic keys and digital certificates, leaving a gap in security. As a result, man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates are on the rise.
Intel predicts that the next high-ticket black-market item will be stolen digital certificates, and Gartner predicts that by 2017, 50% of all network attacks will use SSL/TLS. Unless we have deployed decryption devices that have real-time access to all keys and certificates needed for decryption, we have no way of knowing if our SSL/TLS traffic contains malicious or stolen content. And leaving our keys and certificates unprotected give the bad guy ample opportunity to steal them and use them in attacks.
But it’s not just our SSL/TLS keys and certificates we need to manage and secure—SSH keys are equally as important. For many organizations, SSH keys are left up to system administrators to manage on an ad hoc basis.
How do we expect to remain secure when can’t see the “lifecycle” of privileged access?
We bestow privileged access to our most critical systems and data without a way to see how our privileged users are leveraging this access. We have no way of telling if they have or have not shared their credentials with others, if SSH keys are stored securely, and if they are revoked when no longer used.
And, of course, there are also mobile and user certificates. As remote and traveling workers increase as well as the number of devices each of us carries, these certificates are exploding. Keys and certificates can help to secure users and devices, but when misused provide another avenue for cybercriminals to gain trusted status to access enterprise systems and data. Many don’t realize that their MDM systems do not provide sufficient control over keys and certificates.
More than half of us (54%)—and by "us" I mean information technology security professionals—have no idea exactly how many keys and certificates our systems use, where they are, who owns them, who has access to them, which CAs issued them, what key lengths or cryptographic hash types they use, when they expire, and so forth.
It's up to us to stop the bad guys. We can begin by eliminating our own blind spots.
We should have the means to decrypt and analyze both sides—inbound and outbound—of SSL/TLS traffic. If not, we’ll be missing half of the attacks by 2017, which will be using SSL/TLS traffic to hide cybercriminal’s actions. We should create and enforce clear policies for replacing certificates and keys at regular intervals, and we should automate the enforcement process, just as we have automated password-change enforcement for our users.
Similar policies should be applied to our SSH keys—without this policy enforcement SSH keys never expire, continuing to provide privileged access to critical systems and data that can be hijacked by the bad guys. And we need mobile and user certificate management that provides complete visibility as well as easy issuance and revocation to keep systems and data secure while enabling our remote workforce.
Admittedly, gaining this visibility and enforcing policies might be easier for me than it is for you. As Venafi's CISO, I use our industry-leading platform to discover everything I can know about whether or not the keys and certificates on my network are trustworthy. (With our TrustNet™ certificate reputation service, my visibility actually stretches beyond my network.)