Your network has been attacked and your security is compromised. Your incident response (IR) team goes to work trying to discover the cause of the breach and restore your organization’s equilibrium—the faster the better. Just how fast and how thorough that process is has a lot to do with the tools your IR team uses, particularly when it comes to cryptographic key and digital certificate security.
Most security controls blindly trust keys and certificates, allowing cybercriminals to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. The 2015 Cost of Failed Trust Report, published by the Ponemon Institute, confirmed just how widespread the problem is. Every Global 5000 company in the survey had responded to an attack involving keys and certificates within the last 24 months.
Breaches using keys and certificates put sensitive data in the wrong hands and damage corporate reputations. They also consume staff hours and result in lost operational and development time. IT security professionals who responded to the Ponemon Institute estimate the total impact of attacks using keys and certificates at almost $600 million. They also estimate a total risk for each organization of $53 million over the next two years.
Incident Response teams also have to respond to outages. With the increased use of keys and certificates, there are also more outages—all organizations surveyed had 2 or more certificate-related outages over the last 2 years with a total possible impact of $15 million per outage.
The Ponemon Institute report revealed other surprising facts. The average enterprise has over 23,000 keys and certificates, but 54% of security professionals admit that they don’t know where their keys and certificates are located, who owns them, or how they are used. With this lack of visibility it’s not surprising that 100% of organizations responded to attacks using keys and certificates as well as certificate-related outages. And when they respond to incidents, most companies try to get by with issuing new certificates but not issuing new keys, which leaves an organization open to continued breaches, outages, and exploitation.
Without key and certificate security built into your IR plan, your IR team won’t be able to act quickly to determine the extent of the attack and bring your organization back to a trusted, secure state. Here are 4 ways to strengthen IR with key and certificate security controls.
Ensure complete visibility
Identify all keys and certificates across networks, cloud instances, CAs, and trust stores.
Map user access to servers and applications
Establish a baseline to identify misuse
Enforce policies and workflows
Implement policy criteria for strong cryptography and key and certificate rotation
Enforce configurable workflow capabilities for replacement, issuance, and renewal
Track response progress with real-time dashboards and reports
Terminate access when needed, revoking all certificates associated to a user
Automate management and security
Automate and validate the entire issuance and renewal process
Replace certificates in seconds, and remediate across thousands of certificates within hours following a certificate authority compromise or a new vulnerability such as Heartbleed
Establish certificate reputation insight.
Use global certificate reputation to identify certificate misuse such as stolen certificates used for spoofed websites
Remediate immediately through certificate whitelisting and blacklisting
Just like the human immune system, Security Operations and Incident Response teams need to be able to identify what is “self” and trusted and what is not and therefore dangerous. When key and certificate security is added to your incident response plan, you can identify which keys and certificates are trusted, protect those that should be trusted, and fix or blocks those that are not. With this security in place, you can quickly return the network to a trusted state while minimizing damages, downtime, outages, recovery time, and costs—all while protecting your network, your business, and your brand.
Has your IR team recently responded to attacks using keys and certificates? What approaches has your team found helpful to return to a secure, trusted state after these attacks?