<![CDATA[Venafi Blog]]> https://www.venafi.com/blog/ Venafi Blog EN Copyright 2015 2015-04-19T06:33:51-06:00 <![CDATA[Still Bleeding One Year Later—Heartbleed 2015 Research]]> https://www.venafi.com/blog/post/still-bleeding-one-year-laterheartbleed-2015-research https://www.venafi.com/blog/post/still-bleeding-one-year-laterheartbleed-2015-research/#When:10:00:00Z Early last year the BBC dubbed 2014 the year of encryption. They were right, not only because of the increased use of encryption, but also because of the 2014 threats that leveraged cryptographic keys and digital certificates in their attacks. Encryption, keys and certificates were hurled to the forefront of the media on multiple occasions: Heartbleed, Cupid, the OpenSSL CCS injection flaw, Shellshock and POODLE all had worldwide impact. Cybercriminals very quickly mobilized to take advantage of these vulnerabilities, which many organizations were not remediating. One example was the Community Health Systems (CHS) breach, in which the Chinese espionage group APT 18 exploited Heartbleed to break into CHS and steal data on 4.5 million patients.

At Venafi, we reviewed how well organizations have remediated Heartbleed since it was first disclosed. The research focused on the largest organizations in the world (the Global 2000), and the results are not comforting. In last year's Venafi Labs report, a staggering 76% of Global 2000 organizations with public-facing, Heartbleed-vulnerable systems were still vulnerable. We would have expected to see a significant improvement this year. Unfortunately, that is not the case: the share of Global 2000 organizations that have fully remediated Heartbleed has improved by only two percentage points.

 

Global 2000 organizations with public-facing systems that were vulnerable to Heartbleed

                                            2014    2015
Still vulnerable (incomplete remediation)    76%     74%
Remediation complete                         24%     26%

 

In last year's Venafi Q3 Heartbleed Threat Research Analysis we found that 97% of Global 2000 public-facing servers previously susceptible to Heartbleed had still not been fully remediated. The University of Maryland performed a similar analysis in November 2014 and found that 87% of the susceptible servers had still not been fully remediated. Now, a year after Heartbleed's public disclosure, 85% of Global 2000 public-facing servers remain vulnerable. Even though that is a 12-point improvement over the 97% we measured in 2014, it is still very poor performance, leaving the door open to cybercriminals.

The surprising finding this year is that the Heartbleed remediation steps that were taken were not actually driven by Heartbleed remediation efforts; remediation was a secondary benefit. Instead, they were the result of impending certificate expirations. An astounding 65,000 certificates were reissued with new private keys simply because they were about to expire. Short key and certificate rotation cycles are good practice, but to remediate Heartbleed organizations should be replacing every key and certificate that was exposed, not only the ones that happen to be expiring. Industry experts from Bruce Schneier to Gartner's Erik Heidt made it clear that to fully contain and remediate Heartbleed, SSL keys and certificates need to be replaced.

Why so many are still susceptible to Heartbleed

Based on the trend of replacing keys only when certificates are about to expire, it would seem that organizations have either given up on trying to fully remediate this massive vulnerability or simply don't grasp the gravity of the situation. I believe there are two additional reasons for such poor Heartbleed remediation. The first is what Gartner describes as "lazy" remediation: organizations patch OpenSSL but fail to replace the private key or fail to revoke the old certificate, which shows that they do not understand that once the private key is exposed, everything protected by it is exposed. The second probable reason is that organizations simply don't see the impact yet. According to the Ponemon Institute, 100% of organizations have responded to an attack that misused keys and certificates in the last 2 years, and an alarming 54% of them do not know where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, so is their impact. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years; this considerable risk should be a wake-up call for all organizations.

Remediating Heartbleed

Remediating Heartbleed goes beyond simply patching the OpenSSL vulnerability. A vulnerable server could have leaked its private key from memory without leaving any trace in its logs, so just as user IDs and passwords are assumed compromised after a breach, so too should keys and certificates.

To remediate Heartbleed, four steps are required:

  1. Patch the OpenSSL vulnerability
  2. Generate new private keys
  3. Issue and install new certificates for the new keys
  4. Revoke the old certificates
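The four steps reduce to checks that can be run over a key and certificate inventory. The Python below is an added example written for this post, not Venafi's tooling or research code: it screens the reported OpenSSL version against the affected release range, then applies Gartner's "lazy remediation" test by comparing the fingerprint of the public key that was live while the host was exposed with the one served now, and by checking that the certificate for the exposed key was revoked. Hostnames and fingerprints are constructed; a real inventory would carry SHA-256 fingerprints of the SubjectPublicKeyInfo taken from the served certificates. One caveat the version screen cannot catch: distributions such as Red Hat and Debian backported the fix without changing the version string, so a host reporting 1.0.1e may already be patched; treat the version check as a first pass and confirm with package data or an active test.

```python
"""Heartbleed remediation audit over a TLS endpoint inventory.

Added example, not code from the Venafi post or its research. It turns the
four remediation steps into checks on inventory records: the served OpenSSL
version is outside the vulnerable range, the private key differs from the
one that was live while the host was exposed, and the certificate for the
exposed key has been revoked. Hostnames and fingerprints are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?(?:[- ].*)?")


def openssl_is_vulnerable(version: str) -> bool:
    """True for the OpenSSL releases that carried CVE-2014-0160.

    Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g. The 1.0.0
    and 0.9.8 branches never had the heartbeat code. Caveat: distributions
    backport the fix without bumping the version, so "1.0.1e" from a patched
    RHEL or Debian host is a false positive here; confirm with package data.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, fix, letter, beta = m.groups()
    base = (int(major), int(minor), int(fix))
    if base == (1, 0, 1):
        return letter <= "f"        # "" (plain 1.0.1) sorts before "a"
    if base == (1, 0, 2):
        return beta == "1"
    return False


@dataclass(frozen=True)
class Endpoint:
    host: str
    openssl_version: str      # version the host reports
    exposed_spki_sha256: str  # SHA-256 of the SubjectPublicKeyInfo served while vulnerable
    current_spki_sha256: str  # SHA-256 of the SubjectPublicKeyInfo served now
    old_cert_revoked: bool    # has the certificate for the exposed key been revoked?


def remediation_state(ep: Endpoint) -> str:
    """Classify one endpoint. Anything other than 'complete' is not fully remediated."""
    if openssl_is_vulnerable(ep.openssl_version):
        return "unpatched"
    if ep.current_spki_sha256 == ep.exposed_spki_sha256:
        return "lazy: private key reused"            # a new cert on an exposed key is no fix
    if not ep.old_cert_revoked:
        return "lazy: old certificate not revoked"   # stolen key plus live cert still impersonates
    return "complete"


def summarize(endpoints):
    """Return (counts per state, percentage of endpoints not fully remediated)."""
    counts = Counter(remediation_state(ep) for ep in endpoints)
    total = len(endpoints)
    incomplete = total - counts["complete"]
    pct = round(100.0 * incomplete / total, 1) if total else 0.0
    return counts, pct


# Constructed inventory. Real fingerprints come from the served certificate, e.g.
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum
SAMPLE = [
    Endpoint("vpn.example.com", "1.0.1e", "spki-A", "spki-A", False),    # never patched
    Endpoint("www.example.com", "1.0.1g", "spki-B", "spki-B", False),    # patched, key kept
    Endpoint("mail.example.com", "1.0.1h", "spki-C", "spki-D", False),   # new key, old cert live
    Endpoint("api.example.com", "1.0.2", "spki-E", "spki-F", True),      # all four steps done
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(f"{ep.host:18} {remediation_state(ep)}")
    counts, pct = summarize(SAMPLE)
    print(f"not fully remediated: {pct}% of {len(SAMPLE)} endpoints")
```

Only the last endpoint counts as remediated; the other three are exactly the states the research describes, and the percentage reported by `summarize` is the same "not fully remediated" metric used above.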

It's only the beginning

Using kill chain analysis we see exactly how keys and certificates are used throughout an attack. Since last year there has been a significant increase in hijacked VPNs used to maintain access to victims' environments. Intel Security noted a 12% increase in SSL-based network attacks, up from 0% in 2013, and Gartner estimates that by 2017, 50% of network-based attacks will use SSL/TLS.

If organizations do not secure their keys and certificates and enable fast rotation when breached, we could be heading towards a cryptopocalypse. The phrase was coined by researchers in their Black Hat 2013 presentation for a scenario in which the standard algorithms of trust, such as RSA and SHA, are compromised and exploited, allowing bad guys to spoof or surveil all Internet communications.

What is your organization’s response plan to handle potentially compromised keys and certificates when breached? Does your organization treat keys and certificates like user ID passwords and replace them when a breach is suspected? I would love to hear from you.

The full analysis on our 2015 Heartbleed research can be found here.

]]>
2015-04-07T10:00:00+00:00
<![CDATA[4 Common Tactics Used in Recent Healthcare Breaches]]> https://www.venafi.com/blog/post/4-common-tactics-used-in-recent-healthcare-breaches https://www.venafi.com/blog/post/4-common-tactics-used-in-recent-healthcare-breaches/#When:12:15:00Z Last month, Anthem reported that they had been breached, affecting more than 80 million customers’ personal information. This month, Premera Blue Cross disclosed they too have been breached, resulting in medical and financial data for 11 million customers being stolen. Both organizations discovered the breach in January of this year. Less than 6 months prior, Community Health Systems (CHS) also reported a breach that impacted data on 4.5 million patients.

4 common tactics used in recent healthcare breaches

Besides the fact that all three breaches were in the healthcare industry, there are similarities in the tactics employed. We can learn from these tactics to protect organizations, not only in healthcare, but from all industries.

Blind Spot

It is believed that the attackers in all three breaches gained a foothold within the enterprise networks at around the same time (April to May 2014). Although the use of the Heartbleed vulnerability was confirmed only in the CHS breach, Anthem and Premera are also said to have been breached around the same time, and they discovered the compromise only 8 to 9 months later. If the attackers that breached Anthem and Premera obtained private keys stolen via Heartbleed, they would likely have used them to perform man-in-the-middle (MITM) attacks on VPNs. According to Mandiant, VPN hijacking last year was the highest they have ever seen. It is no surprise that it took Anthem and Premera 8 to 9 months to identify the breach: most organizations are blind to attackers on their networks who misuse keys and certificates, which lets those attackers establish encrypted sessions that disguise malicious traffic phoning home to command and control (C2). Research published by the Ponemon Institute shows that, for the fourth year running, 100% of large enterprises have had to respond to attacks using keys and certificates in the preceding 2 years.

Spoofed Websites

Phishing is the most common attack method used today. Why? Quite simply because there is always a human who can be tricked into disclosing information. One very common technique, seen in both the Anthem and Premera breaches, is typosquatting (sometimes called URL hijacking): registering a domain with specific typographical or visual substitutions so that it passes for the legitimate domain. The purpose is to make the domain look like, or spoof, the well-known business and use it in attacks such as spear-phishing campaigns. The domains we11point[.]com (the digit 1 standing in for the letter l in WellPoint, Anthem's former name) and prennera[.]com (nn standing in for m in Premera) were both used in these attacks, for spear-phishing and malware hosting. It is challenging to identify this type of brand misrepresentation without scanning the entire internet periodically. In fact, only 30% of victims discover the breach themselves; most are notified by external third parties.

Digitally-signed Malware

According to Intel Security, digitally signed malware has been doubling every quarter since 2012 and shows no sign of slowing down. The primary reason to sign malicious code with a valid certificate is to avoid detection by security solutions and to ensure the victim does not receive any warning from the operating system. In the Anthem breach, malware signed with a legitimate certificate was found hosted on prennera[.]com.

One Common Attack Vector

In all three breaches there is one common attack vector: keys and certificates. Although keys and certificates are designed to create trust and assurance, when they are used against you it becomes very difficult to know what can and cannot be trusted. To decide, we need to understand the reputation of the mechanism used to establish the trust, the certificate. By understanding the reputation of a certificate, we can decide whether or not to trust the session or application using it. One example would be scanning the internet for certificates issued to names that misrepresent a brand, like the we11point[.]com and prennera[.]com examples.
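The brand-misrepresentation check described here and in the "Spoofed Websites" section above can be approximated offline once you have a list of names observed in certificates. The following Python is an added example, not Venafi or TrustNet code: it canonicalizes each DNS label (and each hyphen-separated part of a label) so that visually confusable substitutions such as 1 for l, 0 for o, nn or rn for m, and vv for w collapse onto the brand, and it also accepts one-character edits, including a swapped pair of letters. The observed names are constructed; we11point and prennera are the two lookalikes named in this post, and the brand list, allowlist and thresholds are assumptions.

```python
"""Brand-lookalike detection over observed certificate subject names.

Added example, not Venafi or TrustNet code. It approximates the brand-
misrepresentation check a certificate-scanning service performs: each DNS
label (and each hyphen-separated part of a label) is canonicalized so that
visually confusable substitutions collapse onto the brand, and one-character
edits, including a swapped adjacent pair, are also accepted. Observed names
are constructed; we11point and prennera are the two lookalikes from the post.
"""
from __future__ import annotations

from typing import Iterable

# Multi-character confusables first, so "rn" collapses to "m" before single-character rules.
MULTI_CHAR = (("rn", "m"), ("nn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def canonicalize(label: str) -> str:
    """Map a label to the string a human is likely to read it as."""
    s = label.lower()
    for seq, rep in MULTI_CHAR:
        s = s.replace(seq, rep)
    return s.translate(SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def tokens(hostname: str) -> list[str]:
    """DNS labels plus the hyphen-separated parts of each label."""
    out: list[str] = []
    for label in hostname.lower().rstrip(".").split("."):
        out.append(label)
        if "-" in label:
            out.extend(p for p in label.split("-") if p)
    return out


def is_lookalike(hostname: str, brand: str, max_edits: int = 1) -> bool:
    """True if any token of hostname reads as brand or is within max_edits of it."""
    target = canonicalize(brand)
    for tok in tokens(hostname):
        if len(tok) < 4:                 # skip TLDs and short labels such as "www"
            continue
        cand = canonicalize(tok)
        if cand == target or edit_distance(cand, target) <= max_edits:
            return True
    return False


def find_lookalikes(observed: Iterable[str], brands: Iterable[str],
                    legitimate: Iterable[str]) -> dict[str, str]:
    """Map each suspicious observed name to the brand it imitates, skipping owned domains."""
    owned = {d.lower().rstrip(".") for d in legitimate}
    brands = list(brands)
    hits: dict[str, str] = {}
    for name in observed:
        host = name.lower().rstrip(".")
        if host.startswith("*."):        # wildcard certificate
            host = host[2:]
        if host in owned or any(host.endswith("." + d) for d in owned):
            continue
        for brand in brands:
            if is_lookalike(host, brand):
                hits[name] = brand
                break
    return hits


# Constructed subject names, as a scanner might collect them from certificates.
OBSERVED = [
    "www.wellpoint.com", "we11point.com", "prennera.com", "premera.com",
    "mail.example.org", "login.wel1point-secure.net", "permera.com",
]
BRANDS = ["wellpoint", "premera"]                  # assumed brand labels to protect
LEGITIMATE = ["wellpoint.com", "premera.com"]      # assumed domains the brands own

if __name__ == "__main__":
    for name, brand in find_lookalikes(OBSERVED, BRANDS, LEGITIMATE).items():
        print(f"{name:30} imitates {brand}")
```

Canonicalization catches the two real-world cases without enumerating every substitution, while the edit-distance check picks up dropped, added or swapped letters such as permera. Tighten the allowlist and the length cutoff to your own brand portfolio; short brand names will need a stricter threshold to avoid false positives.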

Scanning the entire internet regularly to identify spoofed websites or rogue certificates is no small undertaking. Even Microsoft took years to track down and revoke rogue TLS certificates. And revocation lists have been shown to be easily defeated since 2009. Even new initiatives like Google's Certificate Transparency still rely on certificate revocation to act on what they detect.

Venafi helps solve this problem with the introduction of Venafi TrustNet—a global certificate reputation service designed to detect the misuse of certificates on the internet and enable you to take immediate action by blacklisting certificates with a bad reputation. TrustNet is the single most comprehensive and accurate source of certificate trustworthiness. Regardless of where a certificate is used on the Internet, TrustNet provides you with its reputation in real time. With TrustNet, you can stop the bad guys from misusing certificates and keys and protect your business and brand. Find out more about TrustNet at Venafi.com/TrustNet.


How does your organization detect the misuse of certificates on the internet to misrepresent your company's brand?

]]>
2015-03-24T12:15:00+00:00
<![CDATA[Well-Designed RFP Crucial for Enterprise Key and Certificate Management]]> https://www.venafi.com/blog/post/well-designed-rfp-crucial-for-enterprise-key-and-certificate-management https://www.venafi.com/blog/post/well-designed-rfp-crucial-for-enterprise-key-and-certificate-management/#When:17:46:00Z So, you've decided to select a vendor solution for your enterprise key and certificate management. You've made a wise decision: manual tracking methods or limited internal scripts cannot effectively manage and secure the number of keys and certificates in an average enterprise. But to get the most out of your investment and ensure that the vendor solution you choose meets your needs now and in the future, you need to create a clear and comprehensive request for proposal (RFP).

An RFP is a formal statement of your requirements and is worth every effort you put into it. In many cases, companies view RFPs as a burden. But when projects fail, they often do so due to inadequately defined requirements that lead to the purchase of the wrong solution for what the company needs.

The clearer and more comprehensive your RFP, the greater your chances of getting vendor responses that lead to a successful outcome. The exercise of writing the RFP forces you and your team to work through the tradeoffs between cost, convenience, flexibility, security, scalability, compliance, and ease of use. To create an effective RFP, I recommend these 3 steps:

  1. Ask your end users for input. All too often, the people who actually use the system have no say in its design. Instead, IT develops a system based on how they think things should work. Not only are important issues missed as a result, but it is harder to gain user acceptance down the road. Your users may have some excellent suggestions, such as:
    1. Can the issuance and renewal process be automated?
    2. Is there a web-based, self-service portal for certificate requests and renewals?
    3. Can certificate ownership be assigned by an individual or group to assist with renewals?
  2. Involve members of your company’s compliance or legal department. With the myriad of overlapping industry and government regulations out there, it pays to have a compliance expert on the RFP team. For example, he or she may ask you to consider the following:
    1. What is the process for quickly identifying the misuse of keys and certificates?
    2. What is the process for enforcing policies and workflows for security and compliance?
    3. How does the solution prevent certificate-based outages?
    4. Is there an automated key and certificate replacement process for fast remediation if there is a CA compromise or vulnerability like Heartbleed?
  3. Finally, involve the primary project manager. Make sure the person responsible for managing the RFP and the point of contact for the vendor is part of the RFP team. He or she has a vested interest in making sure that ongoing management is efficient and easy for users to adopt and may ask you to include the following:
    1. How does the solution help you gain control of your key and certificate environment with visibility and fast remediation?
    2. What is the process for compiling a complete inventory and central management of keys and certificates?
    3. What is the validation process for proper installation and configuration?
    4. Are there flexible criteria for certificate management, such as lifetime, authorized CA, and so on?
    5. Is there a robust policy framework for controlling workflow processes as well as for controlling attributes such as key lengths, validity periods, and cryptographic hash types?

Once your team has created a comprehensive set of RFP requirements, you're armed and ready to approach leading vendors. Perhaps you've already done some basic market research during the RFP creation process, but now it's time to get serious. For additional input, I recommend the KuppingerCole report, Leadership Compass: Enterprise Key and Certificate Management.

Has your company drafted a successful RFP for a key and certificate management and security project? Were there particular requirements that you included in your RFP that would help others with their project planning? Let me know what worked for you.

]]> 2015-03-19T17:46:00+00:00 <![CDATA[Clinton Email Server Only One Example of Convenience Over Security]]> https://www.venafi.com/blog/post/clinton-email-server-only-one-example-of-convenience-over-security https://www.venafi.com/blog/post/clinton-email-server-only-one-example-of-convenience-over-security/#When:19:18:00Z Earlier this week, I shared my thoughts on why CISOs need a seat at the table with the Board of Directors. Equally important, CISOs need to be able to set security policies and guidelines that are followed by all employees, including executives. Employees often use personal phones, computers and email accounts to conduct business, ignoring company security policies and protocols, frequently at the risk of compromising data.

These security policy violations are frequently committed in the interest of convenience, with the belief that the increase in productivity outweighs the risk. Another motivator is privacy: some executives use personal email accounts to keep certain communications "private" from the broader company. This tendency is mentioned in a recent Wall Street Journal article (requires subscription to view). However, using these methods often violates both internal and regulatory governance standards. Many companies, especially if they are in litigation, require a legal hold of all of their executive email (regardless of the company email retention policy).

Often those who violate the policies do not understand the full extent of the risks they are taking, especially because personal accounts are typically more susceptible to hackers and their use can result in legal consequences.

The recent discussions around the use and configuration of former Secretary of State Hillary Clinton's personal email server highlight how convenience and privacy are often pursued in lieu of security, in both our enterprises and our governments. While Clinton was in office as Secretary of State, she used her personal email account to conduct all State business. In a press conference on March 10, Clinton said she used her personal email account for convenience; she wanted to carry just one device for both her work and personal email (by the way, I carry two devices!).

On Wednesday, March 11, Venafi announced and released its TrustNet certificate reputation service. Using TrustNet, we were able to show that there was a 3-month gap before encryption was enabled on Clinton's email server. In January 2009, eight days before Secretary Clinton was confirmed by the U.S. Senate, the domain clintonemail.com was registered. Three months later, in March 2009, mail.clintonemail.com was enabled with a Network Solutions digital certificate and encryption for web-based applications. We do not know whether the server was compromised during this 3-month gap. Secretary Clinton stated in her recent press conference that her email account had never been compromised, but honestly, she can't know that!

During the 3 months without a digital certificate, access to the server was neither encrypted nor authenticated. Throughout that time the account would have been easy to compromise, allowing others to eavesdrop on both incoming and outgoing communications. The server could also have been spoofed, and the account used for phishing or to send malware. Another concern is that credentials could have been compromised during this time, especially given her travel to China and elsewhere. This could open the door, as we have seen with so many other breaches, to long-term, under-the-radar compromise by adversaries. It is an example of the person taking the risk not knowing the full ramifications of his or her actions, and of policy not being enforced.

Organizations need to partner with and rely on their security professionals, and ultimately their CISOs, to set security policies that consider the risk to the company. It is imperative, however, that the CISO partner with the business and compliance teams to ensure that the policies set forth address the necessity of those controls.

We all know that in some cases policies and guidelines must be flexible to enable the business, but we must always assess the acceptable risk to the company. It is important that the business, and the company as a whole, understand and accept the risk through a formal risk acceptance process. This process must be documented, including mitigating controls, and kept current through formal, documented security reviews with the business.

The CISO is charged with balancing security against privacy, productivity and flexibility, as well as industry and governmental compliance regulations, but communication policies cannot be created in a vacuum. They should be developed collaboratively to ensure business enablement while keeping risk as low as is acceptable. When these policies are designed to support the overall business using a comprehensive risk analysis, all employees should be informed of them at least annually through formal security awareness training and then abide by them to keep their organizations safe.

Again, I hope my comments spark a discussion. Has your organization's CISO provided clear security policies for business communications that include the use of personal phones, laptops and email accounts? What about the use of social media? Do you feel these policies support productivity? Do they address risk? Do your employees adhere to these policies? Let's hear your thoughts.

As always, I am interested in hearing from you!

]]>
2015-03-13T19:18:00+00:00
<![CDATA[Infographic: Trust Online is at the Breaking Point]]> https://www.venafi.com/blog/post/infographic-ponemon-research-finds-trust-online-is-at-the-breaking-point https://www.venafi.com/blog/post/infographic-ponemon-research-finds-trust-online-is-at-the-breaking-point/#When:13:00:00Z Can cryptographic keys and digital certificates still be trusted?

Today, the Ponemon Institute and Venafi released the 2015 Cost of Failed Trust Report, the first update to the 2013 study and the only global research to analyze the impact of attacks on the system of Internet trust established by cryptographic keys and digital certificates. You can download your copy of the report and see the research highlights in the infographic included below.

What many may find surprising is that for the fourth consecutive year, every organization that participated in the survey, 100 percent of more than 2,300 IT security professionals from the U.S., United Kingdom, Australia, France and Germany, reported that they had responded to multiple attacks on keys and certificates in the past two years.

The report's findings show that IT security professionals believe we are at a breaking point: more than half of the respondents reported that the technology behind the trust online that their business requires to operate is in jeopardy.

[Infographic: Online Trust is at the Breaking Point]

These concerns about trust online are hardly surprising given that some of the largest and most dangerous breaches to date, including Heartbleed, Community Health Systems, Darkhotel and more, have involved the keys and certificates that are required to establish trust. In just the last few months we have seen multiple abuses of keys and certificates via the Lenovo/Superfish certificate authority debacle and the FREAK vulnerability, and those incidents had not even been reported yet when this research was completed in January 2015. No doubt the sense of urgency for regaining trust is now greater than ever before. And with stolen certificates now fetching almost $1,000 on the black market, CISOs and other IT professionals can be assured that this problem will only continue to grow.

Learn how Venafi helps organizations regain trust and stay protected at venafi.com. For help today, please contact us.

]]>
2015-03-11T13:00:00+00:00
<![CDATA[Digital Certificate Forensics: What Venafi TrustNet Tells Us about the Clinton Email Server]]> https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server/#When:13:00:00Z 3-month gap before encryption was enabled for browsers, smartphones and tablets, starting in 2009

Venafi TrustNet is the world's first enterprise certificate reputation service. TrustNet can identify certificate misuse, perform forensic analysis, and predict vulnerabilities that need to be fixed to protect the Global 5000 and governments. To achieve this, TrustNet has acquired, maintains, and continuously adds to the world's largest database of digital certificates and associated metadata. TrustNet is able to go back in time and identify how digital certificates were used in the past, providing a new type of forensics capability to the IT security community.

Digital certificates and their corresponding cryptographic keys are incredibly powerful. They solved the biggest barriers to using the Internet: how do I know that a website is what it says it is, and that communications with the site are private? But this is also why certificates are so interesting to bad guys. It is also why cybersecurity experts like Intel predict that stolen certificates will be the next big hacker marketplace. With this increasing misuse by attackers, how do we keep certificates safe? Venafi protects the trust established by keys and certificates for the Global 5000 and governments.

Digital certificate analysis for clintonemail.com

In the past week there have been questions about the level of security, use and configuration of former Secretary of State Hillary Clinton's personal email server. Specifically, there have been concerns that the server may have been vulnerable to eavesdropping and compromise. TrustNet found that at least 3 digital certificates have been used with clintonemail.com since 2009. The operators of clintonemail.com obtained these certificates so the site could be uniquely distinguished (another site claiming to be clintonemail.com would not show as secured without the certificate) and so that it would use strong encryption to keep data transmissions private. These certificates were validly obtained and enabled web-based encryption for applications. Based on TrustNet analysis, Venafi concludes that clintonemail.com has been enabled for browser, smartphone and tablet encryption since 2009 and can operate using encryption through at least 2018. However, for the first 3 months of Secretary Clinton's term, no certificate was observed for the server, so access to it was neither encrypted nor authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside the U.S.

Note: All data in this report was obtained by non-intrusive Internet scanning routinely performed throughout the IT security community to protect the safety and health of the Internet.

Digital Certificate Forensics for clintonemail.com (Venafi TrustNet analysis)

Period                  Host name                  Issuer              Valid to          Finding
January - March 2009    (none)                     -                   -                 No certificates found; no encryption enabled
March 2009              mail.clintonemail.com      Network Solutions   September 2013    Certificate file available for download
February 2012           sslvpn.clintonemail.com    Network Solutions   February 2013     Certificate file available for download
September 2013          mail.clintonemail.com      GoDaddy             September 2018    Certificate file available for download

     

     

First clintonemail.com digital certificate obtained in 2009 from Network Solutions

Starting in late March 2009, mail.clintonemail.com was enabled with a Network Solutions digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office. The clintonemail.com domain was registered with Network Solutions in January 2009, 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to the end of March 2009, no certificate was observed for clintonemail.com and access to it did not use encryption.

Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone or tablet was encrypted, even on government networks designed to inspect traffic. This does not mean, however, that email sent to or from the account was encrypted; only access to the server was.

Replacement clintonemail.com digital certificate obtained in 2013 from GoDaddy

The first certificate obtained for clintonemail.com was set to expire on 15 September 2013. It was replaced a few days before this expiration with a new certificate from GoDaddy set to expire in 2018. This is the certificate that remains in use on the server in March 2015. Venafi confirmed that Microsoft Outlook Web Access and Microsoft IIS were running on the server. At the time of inspection, communications between the server and applications were being authenticated and encrypted.

Certificate for the SSL VPN service run from clintonemail.com, issued in February 2012

As reported elsewhere, the server also appears to have run an SSL VPN, an authenticated and encrypted tunnel through which web pages on other servers could be accessed. TrustNet found the sslvpn.clintonemail.com certificate, issued in 2012 and expired in 2013. Venafi could not confirm the continued operation of an SSL VPN or the sites to which it may have gated access.
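The timeline above is the kind of evidence a certificate history yields: for each name, which periods were covered by a valid certificate and which were not. The Python below is an added example, not TrustNet code: given the certificates observed for a name and a period of interest, it merges overlapping validity windows (so a replacement issued before expiry, like the 2013 GoDaddy certificate, shows no gap) and reports the uncovered days. The exact days are assumed for illustration; the post gives only months, apart from the 15 September 2013 expiry, and the registration day is taken from the "8 days before confirmation" statement.

```python
"""Certificate coverage timeline for one host name.

Added example, not TrustNet code. Given the certificates observed for a name,
it reports the windows inside a period of interest during which no certificate
was valid, merging overlapping certificates so that a replacement issued before
expiry produces no gap. Exact days below are assumed for illustration; the
post gives only months, apart from the 15 September 2013 expiry.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class CertObservation:
    subject: str
    issuer: str
    not_before: date
    not_after: date


def coverage_gaps(certs: Iterable[CertObservation], subject: str,
                  start: date, end: date) -> list[tuple[date, date]]:
    """Inclusive [gap_start, gap_end] ranges within [start, end] with no valid cert for subject."""
    windows = sorted((c.not_before, c.not_after) for c in certs if c.subject == subject)
    gaps: list[tuple[date, date]] = []
    cursor = start                      # first day not yet known to be covered
    for not_before, not_after in windows:
        if not_after < cursor:          # expired before the part we still care about
            continue
        if not_before > cursor:         # uncovered days before this certificate starts
            gaps.append((cursor, min(not_before - timedelta(days=1), end)))
        cursor = max(cursor, not_after + timedelta(days=1))
        if cursor > end:
            break
    if cursor <= end:                   # nothing covers the tail of the period
        gaps.append((cursor, end))
    return gaps


def days_uncovered(gaps: Iterable[tuple[date, date]]) -> int:
    """Total number of uncovered days across the reported gaps."""
    return sum((gap_end - gap_start).days + 1 for gap_start, gap_end in gaps)


DOMAIN_REGISTERED = date(2009, 1, 13)   # assumed day: January 2009, 8 days before confirmation
INSPECTED = date(2015, 3, 11)           # date of the TrustNet analysis

# From the table above; issue days other than the September 2013 expiry are assumed.
OBSERVED = [
    CertObservation("mail.clintonemail.com", "Network Solutions", date(2009, 3, 29), date(2013, 9, 15)),
    CertObservation("sslvpn.clintonemail.com", "Network Solutions", date(2012, 2, 1), date(2013, 2, 1)),
    CertObservation("mail.clintonemail.com", "GoDaddy", date(2013, 9, 10), date(2018, 9, 10)),
]

if __name__ == "__main__":
    for name in ("mail.clintonemail.com", "sslvpn.clintonemail.com"):
        gaps = coverage_gaps(OBSERVED, name, DOMAIN_REGISTERED, INSPECTED)
        spans = [(g[0].isoformat(), g[1].isoformat()) for g in gaps]
        print(f"{name}: {spans} ({days_uncovered(gaps)} days uncovered)")
```

For mail.clintonemail.com the only uncovered window is the one between registration and the first certificate; the 2013 replacement overlaps the expiring certificate and so produces no gap. For sslvpn.clintonemail.com the function reports the period after February 2013 as uncovered, which is the "expired and not renewed" state the post notes it could not resolve by scanning.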

Security Implications

Online banking, shopping and confidential government communications would not be possible without the trust established by digital certificates. Hundreds of billions of dollars in trade around the world also depend on it, as does the future of secure communications and computing. From airplanes to cars to our smartphones, all of these technologies depend on the trust that digital certificates and their associated cryptographic keys provide, and they are being used more and more every day. That is also why bad guys are ferociously going after them. Threat research from FireEye, Intel, Kaspersky and Mandiant consistently identifies the misuse of keys and certificates as an important part of APT and cybercriminal operations. And Gartner expects that by 2017, 50% of network attacks will use SSL/TLS.

Clintonemail.com operated for 3 months without an observed digital certificate. This means that during the first 3 months of Secretary Clinton's term in office, web browser, smartphone and tablet communications with the server would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as clintonemail.com and so could have been spoofed, allowing attackers to more easily trick an unsuspecting user of the site into handing over a username and password or other sensitive information.

Obtaining the cryptographic key and digital certificate for clintonemail.com would be an important step for attackers seeking to compromise Secretary of State Clinton or others who access the server. With them, bad guys could masquerade as the legitimate site or decrypt what was thought to be private communications. As a standalone Microsoft Windows server, the site is very exposed. In 2013, over 800 trojans were known to steal keys and certificates, and that number has swelled since then. The use of digital certificates on clintonemail.com gives users confidence that they are connecting to the real site and that communications cannot be inspected. But anyone accessing the site from a government network and depending on the certificate needs to be highly suspicious: the site has received tremendous attention, and its contents and certificate are likely targets for compromise and misuse.

Venafi will continue to observe this situation and provide updates if new information becomes available. Venafi TrustNet operates 24x7 to secure and protect Venafi customers, constantly monitors the status of certificates around the world, and provides real-time updates to subscribers. Organizations interested in learning how TrustNet can help can contact Venafi for more information.

I want to offer a special thank you to Hari Nair, Gavin Hill, and the Venafi TrustNet product team, who contributed to this research and analysis.

    ]]>
    2015-03-11T13:00:00+00:00
    <![CDATA[Global Certificate Reputation to Protect Your Business and Brand]]> https://www.venafi.com/blog/post/global-certificate-reputation-to-protect-your-business-and-brand https://www.venafi.com/blog/post/global-certificate-reputation-to-protect-your-business-and-brand/#When:13:00:00Z Imagine for a minute what would happen if you could not trust any transaction on the Internet. Not too long ago you would not have ever considered buying something online—simply because there were no guarantees of privacy or security on the internet. The popular cartoon published by the New Yorker in 1993 shows a dog surfing the internet with the caption, “on the internet, nobody knows you’re a dog.” That all changed with the use of digital certificates to help drive trust on the internet. With digital certificates one is able to ensure digital transactions are both confidential and unaltered.

    Fast forward to today, where the average American adult spends 11 hours per day with electronic media, and it becomes critical to be able to establish the confidentiality and integrity of Internet data at all times. Keys and certificates are intertwined into our everyday lives so much so that taking advantage of the trust established by them is the perfect attack vector. Unfortunately this is exactly what has happened!

    Cybercriminals understand that by taking advantage of a trust mechanism like keys and certificates, it once again becomes very difficult to identify with whom you are exchanging information—all of a sudden we are back in 1993. In the last 6 months, we’ve seen large organizations like Sony and Anthem fall victim to breaches through the misuse of keys and certificates. Keys and certificates are quickly becoming the preferred attack vectors for cybercriminals, and the problem is so large that Gartner predicts that by 2017, 50% of network attacks will use SSL due to the trusted channel it provides. Moreover, it’s not only cybercriminals that misuse certificates: corporations like Lenovo and GoGo both used certificates to perform man-in-the-middle (MITM) attacks to inject ads or manipulate traffic.

    Combating Certificate Misuse with Certificate Reputation

    Like reputation services for URLs, email, and files, certificate reputation was born out of necessity to help enterprises detect new threats. Cybercriminals are increasingly misusing digital certificates in malicious campaigns and going undetected for extended periods of time.

    Phishing is one of the most common practices used to steal credentials and banking information. To support it, cybercriminals use fraudulent or stolen certificates. The challenge is that there are over 1.2 billion websites online right now. How would your organization scan the internet to identify the misuse of certificates to spoof your organization’s brand? Certificate reputation is designed to determine whether a digital certificate can be trusted.

    Venafi Trust Protection Platform now includes Venafi TrustNet

    Venafi is proud to announce our new Venafi TrustNet certificate reputation service that is available with the launch of Venafi Trust Protection Platform, version 15.1. TrustNet is a global authoritative key and certificate reputation service that identifies rogue or anomalous key and certificate usage. TrustNet offers the most comprehensive collection of key and certificate intelligence.

    TrustNet employs a global sensor network to identify certificate misuse on the internet. There are no limitations to specific browsers or operating systems. Subscribers to the service can take advantage of the native integration with Venafi products to provide alerts on any anomalous certificate behavior identified for certificates issued by the enterprise that are forged or misused on the internet. For security vendors that want to take advantage of the reputation feed integrated into security gateways, a public API is provided for integration with any application.

    Once a certificate anomaly has been identified, it is imperative to take immediate action. TrustNet provides global whitelisting for trusted CAs and certificates, and blacklisting for untrusted ones.

    Using TrustNet, enterprises can more easily mitigate new and emerging threats:

    • Detect certificate misuse globally
    • Increase threat detection rates
    • Accelerate incident response time
    • Protect brand reputation

    To learn more about Venafi TrustNet, you can read the datasheet here: Venafi.com/TrustNetDS

    ]]>
    2015-03-11T13:00:00+00:00
    <![CDATA[CISOs Need a Seat at the Table]]> https://www.venafi.com/blog/post/cisos-need-a-seat-at-the-table https://www.venafi.com/blog/post/cisos-need-a-seat-at-the-table/#When:19:56:00Z Cyber breach headlines are on the increase and underscore the need for security awareness at the very highest levels of an organization. In 2014 alone, hundreds of millions of records were stolen and tens of millions of dollars were spent on investigations, fines and lawsuits. I was wondering... in how many cases did the CISO have access to the Board of Directors? Ensuring awareness is, without a doubt, essential: Chief Information Security Officers (CISOs) need to be an active and engaged part of board of director meetings. In addition, Board members should not only know their CISO’s views on cyber security, they should have his or her cell phone number on speed dial.

    It wasn’t long ago that corporate security meant blocking and tackling to prevent viruses from getting on your systems and making sure that nefarious people did not gain access to internal networks. But as we all know as executive leaders, the environment is ever changing and the attack vectors are many. Today’s CISOs grapple with a much wider, deeper, and more complex set of responsibilities—going beyond just keeping the bad guys out and deploying security that also enables the business. It is vital that board members understand the importance of cyber security and its potentially catastrophic impact on their organization’s brand, reputation, bottom line, and stock price when not implemented effectively. To make that happen, we as CISOs need to better promote our role and educate board members that cyber security is a high priority and should be a top concern. It now influences every aspect of the business.


    To sell the value of our contribution to the company to board members, CISOs must not only market their role more strategically—they must act more strategically. The new generation of security officers must possess strong business acumen, have the ability to think long term, and not be afraid to wear many hats. They need to know how the company operates, its top business goals, and its appetite for risk when developing and implementing a security framework. They must also communicate their knowledge in business-benefit terms that resonate with a wider range of audiences. They must enable the business while ensuring that risks are mitigated, that accepted risks are fully understood, and that strong controls support them. The protection of their data is vital to business operations.

    The CISO of today must also be extremely collaborative, with good listening and communication skills, because the heightened visibility of this critical executive role brings with it the responsibility of ensuring that cyber security becomes top of mind across the entire organization, from the boardroom to departmental employees. A seasoned security leader with a strategic business perspective should be comfortable developing and communicating a security vision and positioning the needed resources and talent to translate that vision into a reality.

    At the same time, board members should see the value of having the CISO in board meetings. Board members need to learn why it is vital to keep abreast of the cyber security landscape and its impact on corporate initiatives such as mobility, social media usage, and global expansion. They should discuss with their CISO the need for an effective crisis management program and know what their role is if there is a security incident. In fact, because of the critical nature of cyber security today, qualified CISOs should also be encouraged to join the boards of other companies as well.

    Of course there is so much more I would like to say in this blog—but then it will become a short story...

    I hope my comments spark a discussion. What role does the CISO play in your organization? Does he or she regularly address your board of directors on the importance of compliance and security directives? What changes would you like to see to better align security with the business of your company?

    As always, I am interested in hearing from you!!!

    Cheers!

    Tammy

    ]]>
    2015-03-09T19:56:00+00:00
    <![CDATA[Infographic: How an Attack by a Cyber-espionage Operator Bypassed Security Controls]]> https://www.venafi.com/blog/post/infographic-cyber-espionage-operator-bypassed-security-controls https://www.venafi.com/blog/post/infographic-cyber-espionage-operator-bypassed-security-controls/#When:22:00:00Z Chinese cyber-espionage operator, APT 18, has proven it can breach enterprises by undermining critical security controls when enterprises fail to protect digital certificates and cryptographic keys. As reported by Time, Bloomberg, and others, APT 18 used keys and certificates to compromise a Fortune 200 American health services organization and stole data on 4.5 million patients.

    Raxis, an independent penetration testing firm, reconstructed the APT 18 attack in a simulated enterprise environment. Raxis demonstrated how the bad guys were able to bypass security controls like threat detection, data protection, firewalls, VPNs, DLP, privileged access, and authentication systems that enterprises expect will mitigate threats.

    Why did Chinese cybercriminals want to breach an American health services company? Perhaps they were hoping to resell personal data or learn how to operate distributed hospital systems for profit. More likely, this was a test—a proof-of-concept attack that was vastly successful in stealing data by undermining the security controls of this Fortune 200 business. Having now proven the attack vector, APT 18 will decide when and where to use the attack on other targets.

    How did they do it? This exclusive new infographic highlights the 4 attack stages used by many threats that rely on compromised keys and certificates to bypass existing enterprise security controls. Learn these stages and find out how to ensure your enterprise is not the next headline.

    Want to learn more about the Raxis reconstruction of the APT 18 attack with a detailed look at how they bypassed security controls? Watch the on-demand webinar, Keys to the Kingdom.

    undermining security infographic

    ]]>
    2015-01-28T22:00:00+00:00
    <![CDATA[The Need for Certificate Transparency]]> https://www.venafi.com/blog/post/the-need-for-certificate-transparency https://www.venafi.com/blog/post/the-need-for-certificate-transparency/#When:13:53:00Z An inherent weakness in the Internet’s Public Key Infrastructure (PKI) is the ‘equivalency of trust’ that is placed on trusted Certificate Authorities (CAs). Any CA that is trusted by a browser, operating system, or application-specific trust store can issue a certificate for any domain. As a result, in the event of a CA compromise, it is possible for a CA to issue counterfeit certificates for any domain without the knowledge and approval of HTTPS site operators.

    Technical controls to detect and possibly prevent this scenario have been proposed by extensions to DNS, such as Certificate Authority Authorization (CAA) and DNS-based Authentication of Named Entities (DANE). However, these controls require all DNS clients to be updated in order to support the new extensions, making deployment in the short term infeasible.

    Google Certificate Transparency

    In 2013, Google started an industry-wide initiative to address this issue, called Certificate Transparency or CT. With CT, public logs will be used to record issuance of publicly-trusted EV (Extended Validation) certificates. These logs can then be monitored by site operators to look for rogue instances of their domains. If duplicate certificates for the same domain are discovered by site operators in the logs, the site operator can take action to resolve the issue.

    As part of the CT design, Google anticipates that one or more organizations would act as CT log monitors. These log monitors would periodically search through CT logs to detect possible mis-issuance events.
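    The log-monitor role described above, and the brand-spoofing detection that the earlier post on certificate reputation sets as its goal, both reduce to the same check: compare what a public log records against what the site operator knows it issued. The following is an added example, not Venafi or Google code. A real monitor would fetch leaves from a CT log over the RFC 6962 API and parse the X.509 certificates; here the log entries, the inventory, the fingerprints and the brand string are all constructed placeholders so the detection logic runs stand-alone.

```python
"""Offline sketch of a Certificate Transparency (CT) log monitor.

Added example, not Venafi or Google code.  Log entries, inventory,
fingerprints and the brand string are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    """One CT log leaf, reduced to the fields the monitor needs."""
    index: int                 # position in the log
    fingerprint: str           # SHA-256 of the certificate (constructed values below)
    issuer: str                # issuer common name
    sans: Tuple[str, ...]      # dNSName subjectAltName values


@dataclass(frozen=True)
class Inventory:
    """What the site operator knows about its own domains and certificates."""
    domains: Set[str]          # hostnames the operator owns
    fingerprints: Set[str]     # certificates the operator knowingly obtained
    brand: str                 # brand string to watch for in lookalike names


# Characters commonly substituted for letters when imitating a brand name
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def san_covers(san: str, hostname: str) -> bool:
    """True if a dNSName SAN (possibly a wildcard) is valid for hostname."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        # A wildcard matches exactly one label to the left of its suffix
        return hostname.endswith(san[1:]) and hostname.count(".") == san.count(".")
    return san == hostname


def lookalike(san: str, brand: str) -> bool:
    """True if any label (TLD excluded) imitates the brand after de-obfuscation."""
    labels = san.lower().lstrip("*.").split(".")[:-1]
    return any(brand in lbl.translate(_HOMOGLYPHS).replace("-", "") for lbl in labels)


def review_entries(entries: Iterable[LogEntry], inv: Inventory) -> List[Tuple[int, str, str]]:
    """Return (log index, finding kind, detail) for every entry a human must look at.

    UNEXPECTED_ISSUANCE: a certificate for an owned domain the operator did not obtain
    LOOKALIKE:           a certificate for a name that imitates the brand on another domain
    """
    findings: List[Tuple[int, str, str]] = []
    for e in entries:
        owned = sorted({d for d in inv.domains for s in e.sans if san_covers(s, d)})
        if owned:
            if e.fingerprint not in inv.fingerprints:
                findings.append((e.index, "UNEXPECTED_ISSUANCE",
                                 f"{','.join(owned)} issued by {e.issuer!r}"))
            continue  # a known fingerprint for an owned domain is expected
        suspicious = [s for s in e.sans if lookalike(s, inv.brand)]
        if suspicious:
            findings.append((e.index, "LOOKALIKE", ",".join(suspicious)))
    return findings


# Constructed sample data
INVENTORY = Inventory(
    domains={"example.com", "www.example.com"},
    fingerprints={"sha256:1111"},
    brand="example",
)
SAMPLE_LOG = [
    LogEntry(100, "sha256:1111", "Example Trusted CA", ("example.com", "www.example.com")),
    LogEntry(101, "sha256:2222", "Some Other CA", ("*.example.com",)),
    LogEntry(102, "sha256:3333", "Some Other CA", ("login-examp1e.net", "secure-example-com.org")),
    LogEntry(103, "sha256:4444", "Example Trusted CA", ("other.org",)),
]

if __name__ == "__main__":
    for index, kind, detail in review_entries(SAMPLE_LOG, INVENTORY):
        print(f"log#{index} {kind}: {detail}")
```

    Entry 100 is the operator’s own certificate and produces nothing; entry 101 is a wildcard for the owned domain that the operator never obtained, which is the mis-issuance case CT exists to surface; entry 102 never names an owned domain but imitates the brand, which is the phishing case a reputation service is meant to catch. Only the first kind can be resolved through the issuing CA; the second is a takedown and user-awareness problem.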

    As a market leader in Next Generation Trust Protection, Venafi recognizes the value of the CT initiative as another important step to ensure online trust for issued certificates. Therefore, Venafi will be launching a public CT log that will help satisfy Google’s CT log operator requirement of three public CT log servers. This public CT log can be used by any publicly-trusted CA and site operator to publish issued certificates. Furthermore, any organization that acts as a log monitor is free to use the Venafi public CT log to support its efforts.

    Venafi is proud to support the Google CT initiative and looks forward to providing enhanced security for all public CA customers.

    ]]>
    2015-01-27T13:53:00+00:00
    <![CDATA[Forrester Research Uncovers Gaps in Mobile Certificate Security]]> https://www.venafi.com/blog/post/forrester-research-uncovers-gaps-in-mobile-certificate-security https://www.venafi.com/blog/post/forrester-research-uncovers-gaps-in-mobile-certificate-security/#When:22:55:00Z The increasing reliance on mobile devices and applications is driving the need for mobile certificates to ensure that devices and applications are secure, authenticated, and encrypted for enterprise users. But failing to protect mobile certificates—to whom they are issued and when they need to be revoked—opens the door to unauthorized access, data leakage, and intellectual property theft.  The fact is that keys and certificates of all kinds, including mobile certificates, are being targeted to initiate and continue attacks every single day.

    However, research published by Forrester Research uncovers that IT security professionals are not fully aware of the implications of what is required to protect mobile certificates. This creates gaps in understanding how to perform the most critical functions necessary for securing mobile certificates.

    IT Security’s Role in Protecting Mobile Certificates


    A study by Forrester Research found that a majority of IT security decision makers rely on digital certificates to secure their mobile applications and systems, such as VPN, Mobile Device Management (MDM), email, WIFI, SSL/TLS mobile applications, and Mobile Application Management (MAM). Nearly 80% of IT security professionals acknowledge they own the responsibility for protecting mobile certificates. And two-thirds or more of IT security decision makers believe they should own responsibility for security functions, including certificate issuance, policy, updates, deployment, and revocation.

    Gaps in Security Awareness

    Although most agree that they are responsible, 77% of IT security professionals who responded to the survey said that they have very little visibility into the applications, users, use cases, and security of mobile certificates, and 71% said they do not have full control. But what’s even more shocking, one of the most important functions—detecting anomalies—is a task that IT security is not prepared to perform. Only 38% claim they have the ability to detect mobile certificate anomalies, such as duplicate certificates, or active certificates issued to terminated employees, both of which can be used for unauthorized access.


    IT Security Does Not Have Full Visibility or Control of the Use of Mobile Certificates.
    Source: Forrester Research – IT Security’s Responsibility: Protecting Mobile Certificates


    Closing the Gaps

    So what can you do to close the gaps that exist in mobile certificate security?  Forrester Research recommends the following steps that enterprise organizations should take to protect mobile certificates:

    • Establish common policy across applications and desktops, laptops, tablets, and phones
    • Identify all sources of certificates
    • Map all found certificates to a single user and establish a baseline
    • Enforce policy for all mobile certificates
    • Detect anomalies like duplicate certificates or unrevoked certificates for terminated employees
    • Respond quickly to anomalies with kill-switch-like revocation
    • Prepare to quickly remediate when incidents like Heartbleed occur that require all certificates to be rekeyed, reissued, and revoked
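    The seven steps above are a procedure, and most of it can be automated once a certificate inventory and an identity source exist. The following is an added example, not Forrester or Venafi code: the certificate inventory, the HR directory, the policy limits, the source names and the date are all constructed placeholders, and a real deployment would pull them from the MDM, the issuing CAs and the identity system.

```python
"""Offline walk-through of the mobile-certificate hygiene steps above.

Added example, not Forrester or Venafi code.  All inventory, directory,
policy and date values are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """One issued certificate, reduced to the fields the checks need."""
    serial: str
    user: str            # identity the certificate was issued to
    purpose: str         # vpn, wifi, email, mdm ...
    source: str          # issuing CA or enrollment system
    key_bits: int
    not_before: date
    not_after: date
    revoked: bool = False


# Step 1: one policy for every application and device class (constructed limits)
POLICY = {"min_key_bits": 2048, "max_validity_days": 365}


def is_active(c: Cert, today: date) -> bool:
    return not c.revoked and c.not_before <= today <= c.not_after


def certificate_sources(certs: Iterable[Cert]) -> Dict[str, int]:
    """Step 2: every system that issues certificates, with a count per source."""
    counts: Dict[str, int] = defaultdict(int)
    for c in certs:
        counts[c.source] += 1
    return dict(counts)


def baseline(certs: Iterable[Cert], today: date) -> Dict[Tuple[str, str], List[Cert]]:
    """Step 3: map every active certificate to a single (user, purpose) pair."""
    groups: Dict[Tuple[str, str], List[Cert]] = defaultdict(list)
    for c in certs:
        if is_active(c, today):
            groups[(c.user, c.purpose)].append(c)
    return dict(groups)


def find_anomalies(certs: List[Cert], active_users: Set[str], today: date) -> List[Tuple[str, str]]:
    """Steps 4 and 5: (serial, reason) for each active certificate that breaks policy."""
    findings: List[Tuple[str, str]] = []
    for c in certs:
        if not is_active(c, today):
            continue
        if c.user not in active_users:
            findings.append((c.serial, "issued to a terminated user"))
        if c.key_bits < POLICY["min_key_bits"]:
            findings.append((c.serial, "key shorter than policy minimum"))
        if (c.not_after - c.not_before).days > POLICY["max_validity_days"]:
            findings.append((c.serial, "validity period exceeds policy maximum"))
    # Duplicates: more than one active certificate for the same user and purpose.
    # The newest is kept; every older one is reported.
    for (user, purpose), group in baseline(certs, today).items():
        for c in sorted(group, key=lambda x: x.not_before)[:-1]:
            findings.append((c.serial, f"duplicate {purpose} certificate for {user}"))
    return findings


def revocation_list(findings: Iterable[Tuple[str, str]]) -> Set[str]:
    """Step 6: the kill-switch input, i.e. the serials to revoke immediately."""
    return {serial for serial, _ in findings}


def incident_rekey_set(certs: Iterable[Cert], affected_sources: Set[str], today: date) -> Set[str]:
    """Step 7: after an incident like Heartbleed, every active certificate from an
    affected source must be rekeyed and reissued, and the old one revoked."""
    return {c.serial for c in certs if is_active(c, today) and c.source in affected_sources}


# Constructed sample data
TODAY = date(2015, 1, 19)
ACTIVE_USERS = {"alice", "carol", "dave", "erin", "frank"}      # bob has left the company
CERTS = [
    Cert("01", "alice", "vpn",   "corp-ca",   2048, date(2014, 6, 1),  date(2015, 6, 1)),
    Cert("02", "alice", "vpn",   "corp-ca",   2048, date(2014, 12, 1), date(2015, 12, 1)),
    Cert("03", "bob",   "wifi",  "mdm-ca",    2048, date(2014, 3, 1),  date(2015, 3, 1)),
    Cert("04", "carol", "email", "corp-ca",   1024, date(2014, 9, 1),  date(2015, 9, 1)),
    Cert("05", "dave",  "mdm",   "mdm-ca",    2048, date(2013, 1, 1),  date(2016, 1, 1)),
    Cert("06", "erin",  "vpn",   "corp-ca",   2048, date(2013, 1, 1),  date(2014, 1, 1)),
    Cert("07", "frank", "vpn",   "legacy-ca", 2048, date(2014, 10, 1), date(2015, 10, 1), revoked=True),
]

if __name__ == "__main__":
    print("sources:", certificate_sources(CERTS))
    found = find_anomalies(CERTS, ACTIVE_USERS, TODAY)
    for serial, reason in found:
        print(f"serial {serial}: {reason}")
    print("revoke now:", sorted(revocation_list(found)))
    print("rekey after corp-ca incident:", sorted(incident_rekey_set(CERTS, {"corp-ca"}, TODAY)))
```

    Expired and already-revoked certificates are excluded before any check runs, so the kill switch only ever acts on certificates that would still be accepted by a VPN, Wi-Fi or MDM gateway. The incident function is deliberately separate from the anomaly checks: after a Heartbleed-class event the certificates to replace are perfectly healthy by policy, and selecting them requires knowing which issuing or hosting systems were exposed, which is exactly the inventory built in step 2.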

    To learn more, read the Forrester Research study, IT Security’s Responsibility: Protecting Mobile Certificates.

    ]]>
    2015-01-19T22:55:00+00:00
    <![CDATA[2015: Get Ready for More Attacks on Trust]]> https://www.venafi.com/blog/post/2015-get-ready-for-more-attacks-on-trust https://www.venafi.com/blog/post/2015-get-ready-for-more-attacks-on-trust/#When:14:29:00Z Over the past few years, the threatscape has changed more than some realize. Cyberattackers want trusted status and they are misusing the very technologies that create trust for their nefarious purposes.

    So, you may ask, what exactly creates trust? Every mobile app, every cloud platform, every website—virtually anything that’s software, hardware, or Internet-enabled—relies upon digital certificates and cryptographic keys to create trust and define whether a source is good (trusted) or bad (untrusted). And the bad guys are going for these “keys to the kingdom” like never before!


    Unfortunately, 2014 saw a significant rise in attacks that misused the keys and certificates that create trust in our digital kingdoms (businesses and governments). Let’s look at a few important examples:

    1. In January, Kaspersky Labs revealed details on The Mask, an APT operator that had been misusing keys and certificates for years. As reported by Kaspersky, The Mask’s Windows malware was digitally signed with a valid certificate.
    2. In April, a major vulnerability in OpenSSL called Heartbleed was widely reported and companies all over the world were warned to take action to protect their networks, including replacing and revoking compromised certificates and keys. Experts from Bruce Schneier to Gartner stated clearly that SSL/TLS keys and certificates must be replaced. Several months later, not surprisingly, a key and certificate that were not replaced were compromised to breach Community Health Systems, a Fortune 500 company.
    3. In July, IoActive researchers released a report on a vulnerability in the U.S. Emergency Alert System, where a publicly available SSH key made it possible to hijack the nation’s warning system.
    4. In September, news of Shellshock, a flaw in the Bash shell, was reported that showed hackers could create long-term backdoors by inserting SSH keys and running critical shell commands on affected machines.
    5. In November, DarkHotel was reported, showing that a very effective APT campaign that tricked traveling executives using hotel WiFi networks was enabled by dozens of misused digital certificates.
    6. And finally, this December, Sony’s SSH keys and code-signing certificates were leaked as part of a massive breach, allowing the attackers to gain authorized access into Sony’s network and causing even more damage.

    So while 2014 saw more attacks misusing SSL/TLS keys and certificates, along with SSH keys, these aren’t exactly new threats; in fact, they go back to Flame and Stuxnet years ago. Those attacks provided blueprints and sophisticated attack designs that now arm nation-state attackers, APT operators, and common criminals with weaponized malware. The problem is that the good guys have not been paying attention to the impact of misused certificates and keys until just recently.

    In fact, in its latest threat report, McAfee Labs referred to 2014 as “The Year of Shaken Trust.” The report discussed attempts to exploit the Internet trust model, a dramatic rise in the misuse of digital certificates, the growth of underground marketplaces selling compromised certificates, and the impact of SSL vulnerabilities such as Heartbleed and BERserk. Cisco also released its mid-year security report, which said that “compromised, secure encrypted connections” (aka SSL/TLS) are a major threat to enterprises. And recent University of Maryland research published in November 2014 validated findings by Venafi about non-remediation of Heartbleed, whereby 97 percent of Global 2000 SSL certificates were still vulnerable to Heartbleed several months after it was initially reported.

    Organizations need to be prepared for a rampant rise in attacks on trust. We predict the following major developments in 2015:

    1. SSL will be used and abused a lot more. With the bad guys attacking and stealing data, there will be a need to use more SSL/TLS. We’ve seen CloudFlare and the “Let’s Encrypt” teams now giving away free SSL certificates, and this is a great thing—more SSL/TLS protects data and privacy. But more certificates, and especially certificates that organizations might not protect and continuously monitor, will create more criminal interest and activity. In fact, we’ve already seen the first free certificates misused by bad guys.
    2. Certificate expiration and outages will be recognized as a major security issue. It’s a fact: digital certificates expire, costing millions of dollars every year. But that’s not just a major operations issue; it’s a huge security issue—because it’s clear that if a certificate expires and users ignore this, the organization is being blindly trusted. At that point, what’s the difference between an organization’s expired certificates and those that are out-of-policy, misconfigured, or even malicious? But expirations also bring down services. We’ve already seen some recognize certificate expirations and outages as a major security issue following a major payments terminal outage.
    3. Our security controls will be useless against half of the network attacks. Gartner predicts that 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. By the end of the year, we’ll likely already be there. Bad guys understand that most security systems either trust SSL/TLS or lack the keys to decrypt traffic and find their hidden threats. This undermines a whole slew of critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.
    4. Incident response teams will leave the door open for bad guys, resulting in more attacks. We also predict that incident response (IR) and forensics analysis teams will increasingly be called in to determine the root cause of breaches—i.e., to understand the forensics of the malware, where it is, what data was stolen and what parts of the network were infected with it. They will be able to bring these breached networks back to a good, trusted state, but breaches will still recur. Why? Because IR teams will forget to revoke and replace the certificates.
    5. Our hearts will continue to bleed. The Community Health Systems breach was likely just a proof-of-concept, and a sign of more exploits to come. Because of the lack of remediation—replacing keys and certificates—the impact of Heartbleed isn’t going away anytime soon.
    6. Kinetic attacks will go through misused certificates and keys. Stuxnet is the first known kinetic attack that leveraged misused keys and certificates, but it won’t be the last. All sorts of interconnected networks and physical devices and systems—also known as the Internet of Things—are authenticated using SSL/TLS keys and certificates. Bad guys seeking to compromise these devices or misuse them in their attacks will look to keys and certificates as a means to an end.
    7. Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. This past year, the SANS 20 critical security controls added multiple control checks on how to protect SSL/TLS keys and certificates and they are now including this in SANS trainings. This is a good step in the right direction. We expect to see more compliance and security frameworks do the same in 2015, especially now that the PCI Security Standard Council considered key and certificate security for a Special Interest Group (SIG).
    8. The Underground Digital Certificate Marketplace is open now for the bad guys. New underground marketplaces are developing for cybercriminals where they are selling keys and certificates for profit, because they know how valuable they are to undermining and circumventing critical security controls. Intel researchers expect this to be the next big cybercriminal market and we’re seeing compromised certificates sold for more than $900.

    Given all that, it looks like 2015 will also be the year when we look to not just manage keys and certificates, but also protect them and the trust they establish. I like to call it Next Generation Trust Protection. It requires constant surveillance, immediate detection of misuse (whether a policy violation or possibly malicious), and fully automated remediation to replace old or bad keys and certificates with new ones and get trusted keys and certificates out to more security systems like SSL decryption, sandbox threat protection, NGFW, IDS/IPS, DLP, and other security systems.

    This year one of Forrester’s top data protection predictions for 2015 pointed out that “Attackers who compromise trust end up with the keys to the kingdom.” We need to update our playbook when it comes to SSL/TLS keys and certificates, SSH keys, and keys and certificates used for VPN, WiFi, MDM, and more. The bad guys are attacking trust. It’s time for the good guys to defend it.

    ]]>
    2015-01-08T14:29:00+00:00
    <![CDATA[Turn Your 2015 New Year’s Compliance and Audit Resolutions into Revelations]]> https://www.venafi.com/blog/post/2015-new-years-compliance-and-audit-resolutions-into-revelations https://www.venafi.com/blog/post/2015-new-years-compliance-and-audit-resolutions-into-revelations/#When:14:52:00Z Instead of making the general New Year’s Resolution to decrease the risk in your company’s information security, let’s apply what we learned in 2014 about today’s threatscape and develop New Year’s Revelations.

    In the past year, lots of breaches have occurred that can be tied to the theft of private cryptographic keys. Some of the top threats of 2014 (e.g., Heartbleed, Shellshock, POODLE, and Gotofail) exposed private keys. Solutions using keys and/or certificates can no longer be blindly trusted. This affects solutions such as SSL, VPN, multi-factor authentication, privileged access (SSH), code signing, and mobile computing. Information Security experts are predicting that attacks and breaches using private keys will only continue to increase in 2015.

    2015 New Year’s Compliance and Audit Resolutions

    The use of digital certificates and cryptographic keys has skyrocketed. Every person in your organization uses one or more digital certificates and/or cryptographic keys, multiple times, daily—without even knowing it. Keys and certificates are meant to secure our communications and provide privacy, authentication, integrity, and non-repudiation. But when stolen, they can jeopardize the very things they are meant to protect. These “keys to the kingdom” give attackers the access they need to your sensitive information and allow their activities to go undetected. Therefore, it is necessary to consider what is fundamental to the confidentiality, integrity and availability of your company’s sensitive data. How do you protect against inappropriate access, modification, and downtime through the use of stolen keys and certificates?

    Let’s consider the threat in more detail. What are the vulnerabilities that affect private keys? They include software bugs, the use of deprecated hashing or cryptographic algorithms, and long validity periods for certificates. Does the Information Security Policy in your organization include policies to protect against these vulnerabilities? Are your policies backed up by standards, guidelines, and solutions for implementing compliance with the policies? Having these in place allows for efficient risk assessment and gap analysis. This ultimately feeds into the risk management process and into quarterly and annual audit and compliance reporting. All of this reporting is based on adherence to your organization’s Information Security Policy.

    One important consideration is how your policies on securing your keys and certificates impact the rest of your Information Security practices. The ISO27002, section 10.1.2 states that, “A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.” If there are gaps in protecting your keys anytime in their lifecycle, attackers can compromise those keys and bypass the other security controls used by your organization. This means this one ISO27002 statement is fundamental to ensuring that the rest of your security controls in place in your organization are performing the way they should. Broken key security undermines all of your other security technologies and access controls.

    Stealing keys is a real threat and the proper people, processes, and technology must be put in place to ensure that cryptographic keys are managed through their entire lifecycle, including generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. How do you think the current state of your certificate and key visibility and security increases the risk of these threats to your organization? How do you think your stockholders, board members, audit and compliance staff would feel if your certificates and keys were compromised and your organization breached? The revelation I hope you’re having for 2015 is that, if you’re not securing your private keys and certificates, then you are not secure.

    So as we kick off 2015, does your Information Security Policy need to be updated to protect against today’s attacks that target keys and certificates? As you get started, realize that the problem begins with a lack of visibility. Most organizations lack a complete inventory of SSH keys, SSL keys, and other keys and certificates in their organizations. They are unaware of where their keys and certificates are across their network, how they are used, and who owns them.

    You can get more visibility into the current state of your key and certificate vulnerabilities in your organization by running a report from the Venafi Threat Center for your organization. With this report you can see what certificate vulnerabilities exist. Once armed with more insight, you can see what other revelations you can make for better key and certificate security in Information Security Self Assessments, Gap Analysis, Action Planning, Risk Management, Internal Audit, Material Audit, compliance initiatives, and more for 2015.

    ]]>
    2015-01-07T14:52:00+00:00
    <![CDATA[3 Opportunities to Learn from the Sony Breach]]> https://www.venafi.com/blog/post/3-opportunities-to-learn-from-the-sony-breach https://www.venafi.com/blog/post/3-opportunities-to-learn-from-the-sony-breach/#When:14:08:00Z In a threat bulletin published on our blog in December, we explored the details of the major breach at Sony Pictures Entertainment orchestrated by the “Guardians of Peace” (also known as #GOP). The attack resulted in the release of much more than gigabytes of valuable data, including dozens of digital certificates and SSH and SSL private keys—keys that could allow privileged-user access to the entire internal network of Sony. Once on the network, using these compromised keys, the bad guys likely remained undetected for weeks, months, or even years and had unfettered access to systems and data. And now that these private keys are in the wild, more bad guys could further infiltrate Sony.

    Since the news initially broke there have been multiple updates and discoveries, and I suspect there will continue to be more. This is a huge, complex breach that would have been very difficult to stop—but within it are a few important lessons for other enterprises to take to heart.

    3 Opportunities to Learn from the Sony Breach

    1. The threatscape has changed. Cybercriminals are (and have been) looking to compromise cryptographic keys and certificates, and this Sony breach is just the latest in a series of several incidents using the same exploit. Looking back to April 2011, Sony’s PlayStation Network (PSN) suffered a significant breach that exposed names, addresses, and credit card data belonging to 77 million user accounts and shut down the PSN for several weeks. The breadth of the data exposed in that attack indicated that data which should have been encrypted was not.

      Many believe attackers obtain keys to allow data or transmissions to be decrypted, but they do more than that. We’re now seeing again that bad guys gain access to private keys, allowing access to a treasure trove of sensitive internal data such as payroll and financial management, which was the case for Sony. And because one key in this breach was for Audible Magic, an entertainment service that identifies stolen digital media, this could have been one of the ways the to-be-released movies were accessed.

    2. Incident response must involve replacing all keys and certificates. The incidents at Sony should sound familiar: we’ve seen cybercriminals from Mask, Crouching Yeti, APT18 and others misuse SSL certificates and SSH keys. In these cases and others, attackers can gain unauthorized access to a system with elevated privileges using a compromised certificate or SSH key (like Edward Snowden), expand their attack by gaining more data or misusing a compromised system, gain access to ever more systems, and leave behind backdoors as we’ve seen with Shellshock.

      The only way to remediate this is to change out all keys and certificates. Otherwise, bad guys retain their presence on, and p0wning of, networks. Advice from Erik Heidt at Gartner on responding to incidents like Heartbleed provides a good template: new keys must be generated, new certificates issued, old certificates revoked, and the installation of the new keys and certificates validated. Getting back to a known, good state can’t mean relying on the same keys and certificates that are increasingly being misused.

      So why hasn’t Sony simply replaced these keys yet? Well, that’s much harder to do than it sounds. The first problem is that most enterprises aren’t aware of all of the keys and certificates they have, where and how they are used, and who is responsible for them—from SSL and SSH to code signing, VPN, WIFI and more. Most organizations use many Certificate Authorities (CAs) and there are increasingly more applications, devices, and cloud services that need to use keys and certificates.

      The second issue is that many security teams don't know how to detect which keys and certificates are being misused. The Ponemon Institute found that the average Global 2000 organization had more than 17,000 SSL keys and certificates, including those from internal CAs and self-signed ones.

      Finally, security teams don’t have the means to automate remediation. Security and response teams haven’t been tooled to generate new keys, issue new certificates, and revoke old ones—just look at the poor level of remediation from Heartbleed. Venafi research from 2014 found that Heartbleed remediation for 97% of the vulnerable G2000 SSL certificates had not been completed. In addition, University of Maryland research published in November 2014 validated this widespread non-remediation. At any one time, enterprises need to know all of the keys and certificates that are in use and then be able to respond quickly to replace and revoke them when needed.

    3. This is another clear example proving keys and certificates must be secured and protected. Here’s a case of history doomed to repeat itself as long as the same attack pattern continues to work (and it does): get the keys and own the kingdom. As recent breaches have proved—and as the Cost of Failed Trust research revealed almost two years ago—all it takes is one compromised key or vulnerable certificate to cause millions of dollars in damages. Failing to continuously surveil all keys and certificates, enforce a policy, detect misuse and anomalies, and respond and remediate by replacing them with good keys and certificates means that security will continue to be undermined. By misusing keys and certificates bad actors can undermine and circumvent many of the most critical security controls, including strong authentication, DLP, sandboxing and privileged access management.

    So while many IT security pros and incident response teams continue to focus on who was behind the Sony breach, what their intention was, and what data was stolen or exposed, let’s take this opportunity to learn an important lesson. We should start 2015 by working to better secure and protect SSL keys and certificates, SSH keys, and the range of keys and certificates increasingly being used for VPN, WIFI, and MDMs.

    Forrester research on how cybercriminals are misusing keys and certificates and some common sense recommendations to protect your business is a good place to start.

    ]]>
    2015-01-06T14:08:00+00:00
    <![CDATA[Is Your SSL Traffic Hiding Attacks?]]> https://www.venafi.com/blog/post/is-your-ssl-traffic-hiding-attacks https://www.venafi.com/blog/post/is-your-ssl-traffic-hiding-attacks/#When:13:52:00Z Encrypted traffic is growing fast and becoming mainstream. According to Gartner, SSL traffic comprises 15-25% of the total web traffic, making it a significant percentage. The use of SSL varies by industry, but often helps to securely transmit sensitive or confidential information.

    So what’s the problem? While SSL provides confidentiality and security for an individual session, it can also create a problem for enterprise security. Cybercriminals can use SSL to hide their exploits from an organization’s security devices, like firewalls, Intrusion Prevention System (IPS), Unified Threat Management (UTM), secure web gateways, Data Loss Prevention (DLP), anti-malware solutions, and more. Cybercriminals are well aware of SSL/TLS encryption blind spots and they are using SSL/TLS to hide malicious content, evade detection, and bypass critical security controls.

    The results of a Gartner survey show that, “Less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.” Therefore, in over 80% of the organizations that use these security devices, cybercriminals can bypass the organizations’ existing security controls by leveraging SSL tunnels to sneak malware into the corporate network, hide command and control traffic, and exfiltrate data. This is a serious threat.

    Gartner believes that by 2017 more than 50% of the network attacks targeting enterprises will use SSL encryption. Most of the organizations that do not decrypt traffic lack the ability to decrypt and inspect encrypted communications in order to assess these threats. This blind spot undermines traditional layered defenses and increases the risk of information breach and data loss.

    Security professionals know that visibility into and control over SSL traffic is a necessity. And just as importantly, failing to find, use, and secure ALL keys and certificates for decryption undermines existing critical security controls. These tasks are critical:

    • Have access to keys and certificates that can decrypt inbound traffic
    • Secure the volumes of keys and certificates necessary to enable inspection

    Failing to decrypt traffic and maximize decryption with ALL keys and certificates means that by 2017, 50% of the network attacks will be able to bypass your existing security investments.

    Having automatic, secure access to all enterprise keys and certificates maximizes the amount of decrypted traffic, enables inspection of SSL traffic, and eliminates blind spots that are otherwise hidden in encrypted traffic. So when it comes down to it, every extra key and certificate available for decryption means one less place for nefarious actors to hide threats in SSL encrypted sessions.

    Blue Coat and Venafi have partnered to help organizations uncover blind spots from malicious SSL/TLS threats that are obscured by encrypted traffic. The Blue Coat SSL Visibility Appliance and Venafi TrustForce integration maximizes the amount of traffic that can be decrypted and inspected to eliminate blind spots. Venafi TrustForce delivers keys and certificates to Blue Coat SSL Visibility Appliances securely and efficiently, thereby eliminating manual maintenance and reducing administrator burden.

    You can view the Solution Brief to learn more about the Blue Coat SSL Visibility Appliance and Venafi TrustForce integration.

    ]]>
    2014-12-23T13:52:00+00:00
    <![CDATA[Sony Breach—The Gift That Keeps on Giving (Sony Certificate Used for Destover Malware)]]> https://www.venafi.com/blog/post/sony-breach-the-gift-that-keeps-on-giving https://www.venafi.com/blog/post/sony-breach-the-gift-that-keeps-on-giving/#When:14:05:00Z In the season of giving, the Sony breach has given hackers around the world the gift that keeps on giving—keys and certificates that can be used as part of malicious campaigns for as long as Sony keeps them active. In the last week, the media has been abuzz about the malware Destover that’s digitally signed with a valid Sony certificate—part of the treasure trove successfully exfiltrated during the Sony breach last month.

    New Version of Destover Malware Signed by Stolen Sony Certificate

    Even though the signing of a variant of Destover was apparently a joke between Kaspersky researchers, the biggest concern should be that Sony has still not revoked any of the certificates compromised last month. The main motivation for cybercriminals to sign malware with valid digital certificates is to deliver seemingly valid content and avoid detection by critical security controls like antivirus, sandboxing solutions, or operating system security policies. By not revoking its certificates, Sony is providing cybercriminals with the ability to bypass these security controls.

    The misuse of keys and certificates as part of malicious campaigns is at an all-time high. For many years, cybercriminals have been signing malicious code to avoid detection. McAfee’s 2014 Q3 threat report shows a dramatic increase in maliciously signed code with no indications of slowing down. In fact, McAfee describes the misuse of certificates to sign malware as “unabated since we began tracking it in 2007.”

    Wake-Up Call

    If anything, the Sony breach should be a wake-up call to every organization, showing the power that keys and certificates provide to attackers. There are thousands of examples in which cybercriminals continue to misuse keys and certificates—Mask, Crouching Yeti, and APT18 are but a few commonly known examples.

    Although 2014 was dubbed the “Year of Encryption,” it has turned out to be the “Year of Encryption Vulnerability.” Organizations have a blind spot when it comes to securing keys and certificates that enables cybercriminals to bypass critical security controls while syphoning data without being detected. Gartner estimates that, by 2017, 50% of network-based attacks will be using SSL to disguise activity.

    3 Steps You Can Take to Avoid a Sony-like Breach
    • First, rotate keys and certificates.
    • Second, establish a baseline.
    • Third, remediate quickly.

    First, we know that cybercriminals go after keys and certificates to gain trusted status, elevate privileges and avoid detection. So, like passwords, keys and certificates should be protected and rotated on a frequent basis to avoid their successful use by cybercriminals.

    Second, one cannot distinguish a good key or certificate from a bad one—there is no such thing. Unlike malware, keys and certificates are not malicious. However, they can be, and are, used in malicious campaigns. Therefore, it is imperative that you establish a baseline of normal behavior of your keys and certificates in your IT environment. By establishing a baseline of normal usage, anomalous key and certificate usage can be identified.

    Third, when you have been breached—and you are going to be—the time it takes to respond and how you respond will make all the difference. In the case of the Sony breach, the certificate used to sign Destover should have been revoked the day Sony discovered that it had been stolen. In the case of all the SSH keys that were stolen, they too should be rotated to avoid providing future backdoor access to cybercriminals.

    Find out how Venafi helps organizations mitigate attacks on trust that misuse keys and certificates.

    ]]>
    2014-12-16T14:05:00+00:00
    <![CDATA[Attack on Trust Threat Bulletin: Sony Breach Leaks Private Keys, Leaving Door Open]]> https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-sony-breach https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-sony-breach/#When:15:55:00Z The Breach

    On 24 November news of a major breach at Sony Pictures Entertainment was reported. An organization self-described as the Guardians of Peace (also known by #GOP) claimed responsibility. The group released compressed archives of over 217MB that it claims contain Sony data. Those able to access the data reported that dozens of SSH private keys were included in the exfiltrated data. This appears to be only a sample of the data stolen, as upcoming Sony movies were later leaked online.

    Message Displayed When Employees Logged into the Company Network

    hacked by the #GOP

    This breach is significant for at least three reasons:

    1. It is one more example that bad guys are looking for and obtaining SSL and SSH keys like we’ve seen with Mask, Crouching Yeti, APT18, and others.
    2. Theft of private keys means attackers can have access to an unknown number of systems with elevated privileges, enabling them to obtain more unpublished keys and certificates.
    3. Until keys and certificates are replaced following the breach, attackers maintain their foothold—retaining elevated privileges, having the ability to decrypt sensitive data in transit, and spoofing systems and administrators.

    Below is some of the content that was stolen from Sony, including SSH keys in the PuTTY SSH client .PPK format.

    reddit post on content stolen from Sony

    Sony now joins the at least 44% of organizations Forrester Research found to have already had keys and certificates compromised.

    Threat

    An anonymous source was quoted in an article on The Next Web (TNW) as saying, “a single server was compromised and the attack was spread from there.” With stolen SSH keys, an attacker can gain unauthorized access to a system with elevated privilege, like Edward Snowden. Attackers then expand their attack by gaining more data or misusing a compromised system, gaining access to more systems, and leaving behind backdoors as we’ve seen with Shellshock.

    Attackers also target SSL/TLS private keys. When attackers gain access to these keys, they have the ability to spoof trusted services. Bad guys can also launch man-in-the-middle (MITM) attacks to decrypt encrypted communications. The threat is amplified when SSL/TLS keys used for mobile applications are compromised because many mobile applications lack the additional validation checking that many browsers provide.

    Impact

    After realizing that private keys and other sensitive information had been revealed, Sony’s initial response was to go dark to prevent further access. In the reports about the Sony breach, Sony was said to have taken its corporate network offline and disabled the VPN. Insiders also shared that Sony asked employees to turn off their computers and disable WIFI on their mobile devices.

    But Sony’s business cannot be sustained with its corporate systems down. What does Sony need to do to remediate this breach? The examples of stolen content show that SSH keys were stolen, including SSH keys to the ADP payroll system. But Sony should not stop with the private keys shared by attackers. As with Heartbleed, Sony must assume that all keys and certificates were compromised.

    Until incident response teams fully remediate keys and certificates, adversaries retain unauthorized access and the ability to execute spoofing and MITM attacks. Remediation requires not only that servers, virtual machines, and network segments be brought back to a known good state, but also that new keys be generated and then certificates be re-issued, installed, and validated, and old ones revoked.

    Furthermore, if Sony fails to remediate their keys and certificates, the bad guys can exploit this to undermine other security controls, from strong authentication to privileged access to behavioral analysis. When attackers have the trusted status of valid keys and certificates, they can authenticate and cloak their malicious activities.

    Recommended Remediation

    If Sony is like most Global 2000 organizations, the IT team is not even aware of all of the digital certificates and cryptographic keys that support trusted communications and authentication in the network. To effectively remediate this type of breach, organizations must know how all keys and certificates are used to establish trust (from SSL and SSH through to POS and mobile devices), where they are located, and who is responsible for them.

    Only once a baseline inventory is known can organizations respond to incidents by replacing keys and certificates. However, most organizations then rely on manual methods that keep them vulnerable for extended periods of time. APT operators, from Mask to Crouching Yeti, have been known to exploit stolen keys over periods of up to 7 years.

    Automated remediation can close doors on attackers in minutes, versus the days, weeks, or months it may take organizations to remediate manually. Until keys and certificates are replaced, your network, intellectual property, and customer data are still vulnerable. Time is of the essence.

    Being Prepared

    This breach is a problem not just for Sony. Organizations are breached every day but are not aware that keys and certificates are being stolen for misuse, and do not remediate by changing keys and certificates.

    Venafi recommends that customers use the Venafi Trust Protection Platform to prepare to respond to the increasing number of incidents in which attackers compromise keys and certificates, taking the following actions:

    Securing SSH Keys
    1. Determine trusted relationships and map privileged access
      • Detect all SSH keys across all servers, virtual machines, cloud instances, and administrator workstations with Venafi TrustAuthority
      • Understand trust relationships and access with TrustMap reporting
    2. Reduce exposure to misuse by rolling SSH keys more often by policy
      • Use TrustAuthority to establish lifetime policies for SSH keys
      • Use TrustForce to automate the replacement of SSH keys
    3. Detect possible misuse and remediate automatically
      • Detect all changes to SSH trust relationships with TrustAuthority
      • Automate remediation by removing keys from authorized key lists with TrustForce
    4. Respond quickly to incidents by replacing SSH keys
      • Force new keys to be generated
      • Ensure certificates are reissued, installation confirmed, and authorized key lists updated with TrustForce
    5. Validate and report on remediation
      • Use the shared reporting services of the Trust Protection Platform to identify progress in reducing risk
      • Turn to the Venafi support team for more information and examples
    Securing SSL/TLS Certificates and Keys
    1. Establish a baseline of keys and certificates and continuously surveil to detect new ones with Venafi TrustAuthority
      • Scan networks to identify SSL/TLS certificates
      • Use Venafi Aperture portal to establish ownership of keys and certificates
      • Surveil for new keys and certificates continuously with scheduled discoveries
    2. Reduce exposure to misuse by limiting key and certificate lifetimes with TrustAuthority and TrustForce
      • Set policy to limit lifetimes for keys and certificates, similar to Google’s lifetime policy, which is now down to 3 months
      • Generate and securely distribute new keys and certificates regularly with TrustAuthority
      • Replace keys and certificates automatically using TrustForce
    3. Respond quickly to incidents by replacing keys and certificates
      • Force new keys to be generated
      • Ensure certificates are reissued, installation confirmed, and old certificates revoked with TrustForce
    4. Validate and report on remediation
      • Use the shared reporting services of the Trust Protection Platform to identify progress in reducing risk
      • Turn to the Venafi support team for more information and examples
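    The SSH steps above (detect keys, establish a baseline of trust relationships, detect changes, and remediate by removing keys from authorized key lists) can be illustrated with a small stand-alone script. The following is an added example, not Venafi code and not part of the original post: it parses authorized_keys content, fingerprints each key the way OpenSSH does (SHA-256 of the decoded key blob), diffs a current snapshot against a baseline, and produces a remediated file with unbaselined keys removed. The two snapshots and the ed25519 key blobs are constructed for the example (dummy bytes in a syntactically valid wire format, not real keys), and the parser assumes option strings contain no whitespace.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Key types recognised when locating the key blob on an authorized_keys line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


@dataclass(frozen=True)
class AuthorizedKey:
    options: str      # e.g. 'from="10.0.0.5",no-pty' (empty when none)
    key_type: str
    fingerprint: str  # OpenSSH-style "SHA256:..." of the decoded key blob
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA-256 fingerprint: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys content into AuthorizedKey records.
    Simplification (assumption): option strings containing whitespace are not handled."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # unrecognised or malformed line
        keys.append(AuthorizedKey(
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            fingerprint=fingerprint(tokens[idx + 1]),
            comment=" ".join(tokens[idx + 2:]),
        ))
    return keys


def diff_trust(baseline: list, current: list):
    """Return (added, removed, changed) relative to the baseline.
    'changed' lists keys whose restriction options differ from the baseline."""
    base = {k.fingerprint: k for k in baseline}
    cur = {k.fingerprint: k for k in current}
    added = [k for fp, k in cur.items() if fp not in base]
    removed = [k for fp, k in base.items() if fp not in cur]
    changed = [(base[fp], k) for fp, k in cur.items()
               if fp in base and base[fp].options != k.options]
    return added, removed, changed


def remove_keys(text: str, fingerprints: set) -> str:
    """Return authorized_keys content with the listed fingerprints removed."""
    kept = []
    for line in text.splitlines():
        parsed = parse_authorized_keys(line)
        if parsed and parsed[0].fingerprint in fingerprints:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def _fake_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 wire blob from dummy bytes.
    Constructed for this example only; these are not real keys."""
    pub = hashlib.sha256(seed).digest()  # 32 dummy bytes standing in for a public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode("ascii")


# Constructed sample snapshots of one server's authorized_keys file.
BLOB_ALICE = _fake_ed25519_blob(b"alice")
BLOB_DEPLOY = _fake_ed25519_blob(b"deploy")
BLOB_UNKNOWN = _fake_ed25519_blob(b"unknown")

BASELINE_TEXT = (
    "# baseline taken during inventory\n"
    f"ssh-ed25519 {BLOB_ALICE} alice@admin-ws\n"
    f'from="10.0.0.5",no-pty ssh-ed25519 {BLOB_DEPLOY} deploy@ci\n'
)
CURRENT_TEXT = (
    f"ssh-ed25519 {BLOB_ALICE} alice@admin-ws\n"
    f"ssh-ed25519 {BLOB_DEPLOY} deploy@ci\n"     # source restriction dropped
    f"ssh-ed25519 {BLOB_UNKNOWN} backdoor\n"     # key absent from the baseline
)


def audit(baseline_text: str, current_text: str):
    """Diff current against baseline and return the remediated file content."""
    added, removed, changed = diff_trust(parse_authorized_keys(baseline_text),
                                         parse_authorized_keys(current_text))
    remediated = remove_keys(current_text, {k.fingerprint for k in added})
    return added, removed, changed, remediated


if __name__ == "__main__":
    added, removed, changed, remediated = audit(BASELINE_TEXT, CURRENT_TEXT)
    for k in added:
        print("ADDED  ", k.fingerprint, k.comment)
    for old, new in changed:
        print("CHANGED", old.fingerprint, repr(old.options), "->", repr(new.options))
    print(remediated)
```

    Keys are matched by fingerprint rather than by comment, since the comment field is free text an intruder can set to anything; a baseline key whose restriction options have been loosened is reported as changed rather than silently accepted.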

    Venafi CISO, Tammy Moskites, has prepared guidance for CISOs and their teams on why organizations need to prepare to respond to more incidents involving the compromise and misuse of keys and certificates.

    Please contact Venafi support with any questions or for help with remediation.

    Additional Resources
    ]]>
    2014-12-04T15:55:00+00:00
    <![CDATA[2014: The Year of Encryption (Vulnerability)]]> https://www.venafi.com/blog/post/2014-the-year-of-encryption-vulnerability https://www.venafi.com/blog/post/2014-the-year-of-encryption-vulnerability/#When:14:30:00Z Looking back a year ago, when writers published blogs and articles predicting what 2014 would have in store for us, many were calling it the “Year of Encryption.” This was largely due to the NSA/Snowden revelations, which lit a raging privacy vs. security fire, with the widespread use of encryption as the by-product. Google, Microsoft, Yahoo!, and many other eGiants began encrypting everything, everywhere, not only to combat government surveillance programs, but most importantly to protect against attacks from a litany of cyber adversaries.

    What we didn’t count on was 2014 ultimately being the “Year of Encryption Vulnerability.”

    That’s exactly what happened. And for enterprise security warriors waging a daily war against multitudes of cyber adversaries, from solo hackers to well-funded nation-states, it couldn’t have happened at a worse time. There was Heartbleed, then Shellshock, then POODLE, and many more along the way which didn’t make the headlines. Remediating these vulnerabilities presented different challenges, yet the common thread between them all was that they threatened the trustworthiness of encryption keys and digital certificates. Security teams found themselves spending massive amounts of time and resources remediating, ironically, the very same encryption “trust instruments” they had deployed in the first place to keep them safe. The enterprise PKI, designed to surround sensitive data like an impenetrable brick wall, turned out in some cases to be full of hidden trap doors.

    hidden trap doors

    So where do we go from here? That’s a question we must all ask ourselves, and answer correctly, because the use of encryption will only continue to increase exponentially, regardless of how well or poorly we manage it. In a hyper-connected world in which privacy and security are ever more important, our businesses must be in a position of strength when it comes to encryption, so that we can actually trust encryption to do its job and protect sensitive data everywhere it’s employed. If we don’t, trust itself could be undermined to the point where the internet reverts to the e-commerce of the 1990s, when hardly anyone trusted it to perform financial or otherwise sensitive transactions online. When I read articles stating that the German Spy Agency wants to buy zero-day vulnerabilities in order to undermine SSL security, that’s literally what I envision.

    From a security perspective, I believe we are at a point where it’s become absolutely mandatory that all encryption keys and digital certificates are secured and managed with the right technology, people and processes. In other words, we must now treat all keys and certificates as if they are the most privileged set of credentials that exist in the enterprise.

    That means we must be in position to immediately and effectively remediate encryption vulnerabilities when they inevitably come to light. When the next Heartbleed hits, we must be able to quickly find every single affected key and certificate, and then automatically revoke, replace, and reissue. Our businesses and brands can’t afford to have incomplete remediation when it comes to trust-based vulnerabilities.

    More importantly, as malicious cyber operations (nation-state and others) continue to use encryption more and more to evade detection and silently siphon off massive volumes of sensitive data from businesses, we must adapt to this new reality and be in position to fight back. The ever-expanding digital universe certainly holds much promise for the world. Yet the future of securing sensitive, private and financial data within this universe largely depends upon our ability to secure and properly manage the encryption assets we all rely upon to make trust online possible.

    ]]>
    2014-11-24T14:30:00+00:00
    <![CDATA[A Week to Remember: When All the Cookies, Keys, and Certificates Crumble ]]> https://www.venafi.com/blog/post/a-week-to-remember-when-all-the-cookies-keys-and-certificates-crumble https://www.venafi.com/blog/post/a-week-to-remember-when-all-the-cookies-keys-and-certificates-crumble/#When:04:00:00Z If there’s one thing I’ve learned from being in the field of cybersecurity for nearly two decades, it’s that there is never, ever a dull moment. But in the past week, something different seemed to happen in cyberland. And it’s really quite disconcerting. We saw four major stories about how adversaries’ campaigns and methods hit the web with one common theme: the trust established by cryptographic keys and digital certificates is being misused everywhere. It’s not exotic anymore, nor is it hypothetical. It’s a real threat and happening with increased frequency. It’s also a high risk that threatens to undermine most, if not all, critical security controls.

    Why? Because keys and certificates provide the foundation of trust for every app, website, and cloud today. And they are consistently being misused and compromised by attackers now. In their top 2015 predictions (also published in the last week), Forrester explained why bad guys are so interested: “Attackers who compromise trust end up with the keys to the kingdom.” Those keys to the kingdom are the keys and certificates on which we run our businesses every day but spend very little time protecting.

    So what actually happened last week?

    • First, Kaspersky released a report on DarkHotel—a very effective APT campaign enabled by dozens of misused digital certificates, used to target traveling executives on hotel Wi-Fi networks. These executives thought they were transmitting data privately, in an authenticated way, but the malware operators used compromised certificates to get between unsuspecting executives and their businesses.
    • Then researchers at the University of Maryland issued interesting research on Heartbleed that verified what we at Venafi have been saying all along: you have to change all the keys and certificates. These UMD researchers found that within 3 weeks of the Heartbleed incident, at least 87% of certificates had not been fully remediated: keys changed, certificates reissued, and bad ones revoked. It’s not an option to ignore Heartbleed any longer. The Community Health Systems breach subsequently demonstrated that exploiting Heartbleed and compromised certificates is not theoretical, and that attackers will choose when and where to use their exploits. What are people waiting for?
    • Next came the news of WireLurker, a malware Trojan targeting iOS where the keys and certificates used to sign apps for an iOS enterprise app store were compromised. With this new threat, attackers can load software onto an Apple device that isn’t jailbroken. This is no surprise to anyone watching changes in the threatscape. Intel Security has been raising this issue for some time: “The rapid escalation of malicious signed binaries quarter-over-quarter and year-over-year bring into question the viability of the Certificate Authority model.” This is a concern researchers at Intel Security have raised time and time again since 2013.
    • Finally, news broke earlier this month that, for a mere $0.65, researchers (and, guaranteed, the bad guys) can perform the collisions needed to compromise a digital certificate using an Amazon Web Services EC2 instance. In this instance, the crypto attack was against the widely used MD5 algorithm. And it only took 10 hours using a single instance. Remember Flame? The exploit of the Windows update service using a compromised certificate? Unfortunately, this is not just a problem for Microsoft. In every Global 2000 organization Venafi works with, we still find vulnerable MD5 certificates leaving the door open to very powerful spoofing and man-in-the-middle attacks.

    All of these news stories should be a serious wake-up call for the infosec industry: the threatscape has changed, and attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data, can be undermined and circumvented.

    Why? Because hackers know they can get around your strong authentication with spoofing and man-in-the-middle attacks. They know you can’t decrypt all incoming SSL traffic and can’t see their new attack because your threat detection systems don’t have all of the keys to decrypt traffic. They know your privileged access management systems don’t know the difference between a good and a rogue SSH key. They know all of your data protection systems can be foiled with the compromise of just one SSL key and certificate that won’t be changed for years.

    Now, it may appear that the world is coming to an end. The foundation of trust of our digital systems—from banking, to the cloud, to mobile apps, to your business—is all based on keys and certificates and is under attack. Some have wondered, is the cryptoapocalypse upon us? No, it’s not. But the threatscape has changed and we all need to respond. Edward Snowden’s comment from earlier this year is just one example of how we’re waking up to this problem: to circumvent security like encryption, the best method is to “try to steal their keys and bypass the encryption. That happens today and that happens every day. That is the way around it.”

    I know many CISOs, security architects, and security operations teams will continue to spend more money on strong authentication, DLP, threat detection, SSL traffic decryption, privileged access management, and more. However, if we continue to blindly trust keys and certificates—don’t know how many we have, don’t know what they’re used for, can’t enforce policy, can’t detect anomalous certificates, can’t safely deliver them to threat detection systems to inspect traffic, and can’t replace one or many in seconds rather than weeks (incident response teams: remember Heartbleed?)—then we’ll continue to undermine all other critical security controls. It’s why the SANS 20 Critical Security Controls list has been updated to include guidance on securing keys and certificates. It’s why the PCI Security Standards Council considered it a high priority in the 2015 Special Interest Group selection to improve security for cardholder data.

    Over the last month I’ve met with CISOs and their teams from Berlin to Sydney. The message is the same: the threatscape has changed and the risk posed by the misuse of keys and certificates is very high. CISOs, security architects, and security operations teams need to wake up and realize the root of the problem: you simply can no longer blindly trust certificates. Gartner’s Neil MacDonald simply described this as “living in a world without trust”—a reality that security professionals cannot tolerate if we expect to stay ahead of the bad guys and defend our businesses and customers.

    ]]>
    2014-11-18T04:00:00+00:00
    <![CDATA[Payments and Private Key Protection, Part 2]]> https://www.venafi.com/blog/post/payments-and-private-key-protection-part-2 https://www.venafi.com/blog/post/payments-and-private-key-protection-part-2/#When:13:50:00Z Since last month’s blog where I started to discuss the importance of protecting private keys in payment networks, even more retailers have made the news for credit card data breaches. I also personally received a new debit card because of these high-profile retailer data breaches. This is a cause for concern for both retailers and consumers. When cardholder data is stolen, it costs a lot of money to replace the credit and debit cards and refund the money to the cardholder for purchases they did not make. This cost could be passed along to the consumer via paying more for goods and services due to higher merchant interchange rates. So, protecting the private keys that keep the payment card systems data from being disclosed, modified, or unavailable is very important.

    PCI DSS requirements

    While proper compliance with all of the applicable requirements of the Payment Card Industry Data Security Standard (PCI-DSS) in your cardholder data environment will ultimately help protect your private keys and secure your cardholder data, here I want to cover the requirements specific to managing and securing keys. The first step in this process is to know where the private keys are on the cardholder data network (PCI-DSS req. 2.4). Organizations can accomplish this by producing an inventory of their private keys and where they are located. Once private key locations are known, the rest of the requirements involved in securing keys can be met.

    Requirement 3 of the PCI-DSS addresses securing encryption keys with the intent to protect keys so that the cardholder data is not exposed. These requirements use the words exposed or disclosed. When I see this language, I think of confidentiality—one of the pillars of information security. Confidentiality, through using encryption, keeps data from being exposed or disclosed, when it should not be, and is a form of access control. There are several steps to securing the keys during their lifecycle, including access control, proper approvals, and any policies that have to be applied around key length, signing algorithms, validity period, and trusted third parties, if applicable. Norms must be established, and continuous monitoring and reporting must occur, as well as continuous inventory, so that protecting cardholder data is achieved.

    Requirement 3 of the PCI-DSS addresses key security as follows:

    • Render the Primary Account Number (PAN) unreadable via the use of strong cryptography, including the associated key management processes and procedures. (3.4)
    • Document and implement procedures for protecting keys so that cardholder data is not disclosed and misused. (3.5)
    • Secure private keys either with a key-encrypting key, within a secure cryptographic device, or by using two full-length key components. (3.5.2)
    • Document and implement key management processes and procedures for cryptographic keys. (3.6)
    • Do not allow keys to expire. (3.6.4)
    • Change the keys when they expire—do not just renew the validity period. (3.6.5)
    • Archive, destroy, or revoke the key when the integrity of the key has been or is suspected to have been compromised. (3.6.5)

    Although these requirements are applied to data at rest in requirement 3, QSAs apply these same key management requirements to section 4, data in transit over open, public networks. SSL is currently the technology of choice to achieve this. As in section 3, keys cannot expire and the server certificate must use strong cryptography, for example, 2048-bit keys, not 1024-bit. Other items of note are verifying that certificates are issued from a trusted source and that the TLS configuration on the server has been done properly to ensure the integrity of the secure connection. Run a Venafi Labs vulnerability report to determine if these certificate or TLS configuration vulnerabilities exist in your network.
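As an added example, not Venafi's code or part of the PCI text, the checks in this paragraph written as a Go inventory audit: it parses each certificate in a PEM bundle and flags RSA keys below 2048 bits, MD5/SHA-1 based signatures, and expired certificates. The bundle and its certificates are constructed inside the program, and the 2048-bit threshold and the weak-algorithm list are our own assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: what the certificate uses and which of the
// rules above (2048-bit keys, no expired keys, no weak signature hash) it breaks.
type Finding struct {
	Subject  string
	KeyBits  int
	SigAlg   string
	NotAfter time.Time
	Problems []string
}

const minRSABits = 2048 // "2048-bit keys, not 1024-bit" (our assumed threshold)
// weakSigAlgs is our own list of signature hashes to flag; MD5 is the one in the collision news.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true}

// AuditCertificate checks one DER-encoded certificate as of time now.
func AuditCertificate(der []byte, now time.Time) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Subject: cert.Subject.CommonName, SigAlg: cert.SignatureAlgorithm.String(), NotAfter: cert.NotAfter}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyBits = pub.N.BitLen()
		if f.KeyBits < minRSABits {
			f.Problems = append(f.Problems, fmt.Sprintf("RSA key is %d bits, below %d", f.KeyBits, minRSABits))
		}
	case *ecdsa.PublicKey:
		f.KeyBits = pub.Curve.Params().BitSize
	default:
		f.Problems = append(f.Problems, "unrecognised public key type")
	}
	if weakSigAlgs[cert.SignatureAlgorithm] {
		f.Problems = append(f.Problems, "weak signature algorithm "+f.SigAlg)
	}
	if now.After(cert.NotAfter) {
		f.Problems = append(f.Problems, "expired on "+cert.NotAfter.Format("2006-01-02"))
	}
	return f, nil
}

// AuditPEM walks every CERTIFICATE block in a PEM bundle (an inventory export).
func AuditPEM(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		f, err := AuditCertificate(block.Bytes, now)
		if err != nil {
			return out, err
		}
		out = append(out, f)
	}
	return out, nil
}

// ConstructedCert builds a self-signed PEM certificate for the demo: a
// constructed sample, not a real customer certificate.
func ConstructedCert(cn string, bits int, notAfter time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-2, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	weak, _ := ConstructedCert("pos-gateway.example", 1024, now.AddDate(0, 0, -1))
	good, _ := ConstructedCert("pos-gateway.example", 2048, now.AddDate(1, 0, 0))
	findings, _ := AuditPEM(append(weak, good...), now)
	for _, f := range findings {
		fmt.Printf("%s: %d-bit key, %s, expires %s, problems=%v\n", f.Subject, f.KeyBits, f.SigAlg, f.NotAfter.Format("2006-01-02"), f.Problems)
	}
}
```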

    On cardholder data networks, private keys provide the base of trust and confidentiality, protecting against disclosure of personal account numbers and sensitive authentication data. Using strong cryptography and implementing good people, process, and technology around keys will keep the underlying infrastructure of trust protected in your cardholder data network. Cryptographic keys are the foundation of trust in any system.

    ]]>
    2014-10-22T13:50:00+00:00
    <![CDATA[PCI SIG Voting Now Open—Vote for Securing Keys and Digital Certificates Proposal]]> https://www.venafi.com/blog/post/pci-sig-voting-now-openvote-for-securing-keys-and-digital-certificates https://www.venafi.com/blog/post/pci-sig-voting-now-openvote-for-securing-keys-and-digital-certificates/#When:14:00:00Z I know that meeting and maintaining PCI DSS compliance is a major undertaking for fellow CISOs and teams, and our collective efforts to do so improve the overall security of our organizations. Yesterday, the PCI SSC opened the voting for the 2015 PCI special interest group (SIG) projects and PCI Participating Organizations can vote through October 24. These PCI SIGs are an opportunity to gain clarity on meeting the PCI DSS requirements more effectively and efficiently, increasing security. Let’s vote for the topics that will provide the most value.

    An important proposal addresses the need to better protect digital trust called, Securing Cryptographic Keys and Digital Certificates. This protection has become critical for merchants, financial institutions, and payment processors. Keys and certificates authorize and authenticate servers, devices, software, cloud, and privileged administrators and users—establishing the trust on which our businesses depend. But as we’ve come to rely more heavily on keys and certificates, cybercriminals have made them more of a target. They use unprotected keys and certificates as weapons that authenticate and evade detection, bypassing other security controls.

    Controlling requirements for cryptographic keys and digital certificates are contained throughout the PCI DSS for data at rest, data in transit, authorization, and authentication. But beyond providing guidance on meeting these requirements, the SIG can provide direction on how to maintain security within particular use cases, including remediating vulnerabilities like Heartbleed and defending against increasing trust-based attacks (think Snowden, the Mask Operation, APT1, and more). The PCI DSS includes general security requirements for keys and certificates, but organizations also need to know how to defend against real-world threats.

    This PCI SIG is an opportunity to pull together the knowledge of merchants, financial institutions, payment processors, QSAs, and security experts to provide invaluable guidance on securing keys and certificates to preserve our trust in digital business communications. To learn more and show your support for the PCI DSS SIG on Securing Cryptographic Keys and Digital Certificates, visit www.protecttrust.org and vote in the PCI SSC SIG election today.

    Cheers!

    ]]>
    2014-10-14T14:00:00+00:00
    <![CDATA[Budget for Key and Certificate Security as a Critical Security Control ]]> https://www.venafi.com/blog/post/budget-for-key-and-certificate-security-as-a-critical-security-control https://www.venafi.com/blog/post/budget-for-key-and-certificate-security-as-a-critical-security-control/#When:14:00:00Z In the recent blog post on Allocating 2015 Budget for Key and Certificate Security, Tammy Moskites, the CISO and CIO of Venafi, emphasizes how insecure keys and certificates can undermine critical security controls. This is certainly true. A lack of key and certificate security undermines a minimum of 40% of the Critical Security Controls (CSCs) listed by the SANS Institute. But key and certificate security should also be considered a critical security control in and of itself—not just a function that impacts the others.

    The latest version of The Critical Security Controls for Effective Cyber Defense by the SANS Institute now includes requirements for securing keys and certificates in Section 17 on Data Protection. These changes recognize that data protection must go beyond Data Loss Prevention (DLP) and Data Classification solutions, which cannot see encrypted traffic—creating a security gap (as mentioned in Tammy’s blog). But folding in these new key and certificate security requirements elevates key and certificate security to a Critical Security Control. Below are examples of the key and certificate security now listed under Data Protection.

    New Key and Certificate Security in SANS20 CSC Version 5, Requirement 17: Data Protection
    • CSC 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
    • CSC 17-3: Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
    • CSC 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise. Review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
    • CSC 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
    • CSC 17-14: Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for lifecycle.

    An effective data protection framework must close gaps by securing cryptographic keys and digital certificates to protect the trust behind secure, authenticated, and encrypted communications.

    Key and certificate security is explicitly mentioned under Data Protection, but also directly impacts many of the other SANS critical security controls that address authentication, access control, vulnerability assessment, and defense against trust-based attacks.

    SANS 20 Critical Security Controls

    Like Tammy, I also urge you to budget for key and certificate security in 2015, if not earlier with remaining 2014 funds. Tammy and others in Venafi have been working with many of the top global enterprises to help them plan key and certificate security, often folding this in with other important security and compliance projects. We’ve taken what we’ve learned from these successful engagements and captured them in a budget recommendation brief, as well as a more detailed white paper, Budgeting for Next Generation Trust Protection.

    These materials emphasize why securing keys and certificates is critical when protecting against today’s threatscape, how this protection complements your planned security and compliance projects, and how to position and estimate budget. Of course, Tammy and the rest of us at Venafi are happy to help you customize your budget efforts.

    Too often we take the trust established by keys and certificates for granted, but without key and certificate security we leave an open door to trust-based attacks, breach, and compromise.

    ]]>
    2014-10-07T14:00:00+00:00
    <![CDATA[Malicious Security—Can You Trust Your Security Technology? ]]> https://www.venafi.com/blog/post/can-you-trust-your-security-technology https://www.venafi.com/blog/post/can-you-trust-your-security-technology/#When:14:00:00Z In my previous post, I discussed the first three steps of four showing how a typical trust-based attack can be broken up into the following: 1) theft of the key, 2) use of the key, 3) exfiltration of data, and 4) expansion of its foothold on the network. This post focuses on step 4 while outlining some examples of the actions trust-based attacks perform and how bad actors use keys and certificates to maintain their foothold in the enterprise network.

    keys and certificates used throughout the attack chain

    When reviewing the security architecture for any enterprise network, the majority of the time you will hear security architects talk about defense-in-depth strategies. This equates to layering multiple best-of-breed security solutions to stop an attacker from getting into the network and to stop data from leaking out of it. But what happens when every security solution deployed as part of the enterprise security strategy can be bypassed? This is exactly the case when it comes to trust-based attacks: security solutions are inherently designed to trust keys and certificates as part of the security stack.

    The result is catastrophic. Organizations that invest millions of dollars and hundreds of man-hours in security solutions are constantly being breached because their security controls are undermined as a result of inadequate key and certificate security—they have no visibility into the use of their keys and certificates or ability to respond to an attack. Using these keys and certificates, attackers are able to bypass the organizations’ other security controls unnoticed due to the trusted status granted.

    In step 4 of a typical trust-based attack, bad actors will use the stolen keys and certificates to maintain and strengthen their foothold on the network. As part of this process, the malware that was installed in step 3 is used to steal additional credentials, including keys and certificates. Common examples like Mask Operation and Crouching Yeti were successful for up to 7 years, showing just how long APT operators can go undetected.

    Once inside the corporate network, the name of the game is to remain undetected for as long as possible. For cybercriminals, the use of encryption and keys and certificates provides the perfect cover. At the same time, it’s important for cybercriminals to collect additional keys and certificates to be used for future access and malicious campaigns while maintaining privileged access.

    A good example of a massive security hole in most organizations is SSH. Forrester research identified that almost three-quarters (73%) of organizations hardly ever rotate SSH keys. Public key authentication is one of the more popular SSH authentication deployments. Unfortunately, it also requires adequate security of the private key. However, more than 50% of organizations don’t even know how many keys and certificates are in use in the network and have no security controls for these keys and certificates.

    50% OF ORGANIZATIONS DON’T EVEN KNOW HOW MANY KEYS AND CERTIFICATES ARE IN USE IN THE NETWORKS

    When authenticating via SSH, privileged identity management (PIM) solutions are bypassed. This is by no means a shortcoming of PIM solutions: it’s the design of SSH, where the key itself is the credential. The majority of security solutions have no visibility into the use of SSH and other keys and certificates on the network. It’s no wonder cybercriminals are taking advantage of them at an ever-increasing rate, undermining current security controls.

    Keys and certificates are critical for secure communication across the Internet, but when a security method is used for malice, something needs to be done about it. Enterprises need to start by knowing where all of the keys and certificates are on the network, how they are used on the network, who has access to them, and how they are configured. Organizations can get direction from security standards, like SANS 20, that provide very specific guidance on key and certificate security. These standards show promise in their recognition that trust-based attacks need to be stopped.
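An added example, not from the post, of the inventory step it recommends for SSH: a Go parser for authorized_keys lines that records the key type, RSA modulus size, comment (who), and whether the entry is confined by a from= or command= option (how it is configured), and flags short RSA keys and unrestricted entries. The sample lines are generated inside the program and the 2048-bit threshold is our own assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// KeyRecord is one inventory row for an authorized_keys entry.
type KeyRecord struct {
	Type       string   // ssh-rsa, ssh-ed25519, ssh-dss, ...
	Bits       int      // RSA modulus size; 0 where not applicable
	Comment    string   // usually user@host, often the only hint of ownership
	Restricted bool     // carries a from= or command= option
	Problems   []string // what an auditor would flag
}

// sshString reads one length-prefixed field of the SSH wire format (RFC 4251).
func sshString(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, errors.New("truncated key blob")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// ParseAuthorizedKey inspects one line: [options] keytype base64-blob [comment].
func ParseAuthorizedKey(line string) (KeyRecord, error) {
	fields, opts := strings.Fields(line), ""
	for len(fields) > 0 && !strings.HasPrefix(fields[0], "ssh-") && !strings.HasPrefix(fields[0], "ecdsa-") {
		opts, fields = opts+fields[0]+" ", fields[1:] // everything before the key type is options
	}
	if len(fields) < 2 {
		return KeyRecord{}, errors.New("no key material on line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return KeyRecord{}, err
	}
	rec := KeyRecord{Type: fields[0], Comment: strings.Join(fields[2:], " ")}
	rec.Restricted = strings.Contains(opts, "from=") || strings.Contains(opts, "command=")
	wireType, rest, err := sshString(blob)
	if err != nil || string(wireType) != rec.Type {
		return rec, errors.New("key type does not match encoded blob")
	}
	if rec.Type == "ssh-rsa" { // blob layout: string "ssh-rsa", mpint e, mpint n
		if _, rest, err = sshString(rest); err != nil {
			return rec, err
		}
		n, _, err := sshString(rest)
		if err != nil {
			return rec, err
		}
		rec.Bits = new(big.Int).SetBytes(n).BitLen()
	}
	if rec.Type == "ssh-rsa" && rec.Bits < 2048 {
		rec.Problems = append(rec.Problems, fmt.Sprintf("RSA key is only %d bits", rec.Bits))
	}
	if !rec.Restricted {
		rec.Problems = append(rec.Problems, "unrestricted: no from= or command= option")
	}
	return rec, nil
}

func sshBytes(b []byte) []byte { // length-prefix one wire-format field
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// ConstructedLine builds an authorized_keys line from a freshly generated key
// (RSA of the given size, or Ed25519 when bits is 0): a constructed sample.
func ConstructedLine(bits int, opts, comment string) string {
	var blob []byte
	if bits == 0 {
		pub, _, _ := ed25519.GenerateKey(rand.Reader)
		blob = append(sshBytes([]byte("ssh-ed25519")), sshBytes(pub)...)
	} else {
		key, _ := rsa.GenerateKey(rand.Reader, bits) // bits is demo input, always >= 1024 here
		n := append([]byte{0}, key.N.Bytes()...)      // mpint: leading zero keeps it positive
		blob = append(sshBytes([]byte("ssh-rsa")), sshBytes(big.NewInt(int64(key.E)).Bytes())...)
		blob = append(blob, sshBytes(n)...)
	}
	kt := string(blob[4 : 4+binary.BigEndian.Uint32(blob)]) // the key type is the first field
	return strings.TrimSpace(opts+" "+kt+" "+base64.StdEncoding.EncodeToString(blob)+" "+comment)
}

func main() {
	for _, l := range []string{ConstructedLine(1024, "", "legacy-backup@dc1"), ConstructedLine(0, `from="10.0.0.5",command="/usr/bin/rsync --server"`, "backup@dc1")} {
		rec, err := ParseAuthorizedKey(l)
		fmt.Printf("%+v %v\n", rec, err)
	}
}
```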

    ]]>
    2014-10-02T14:00:00+00:00
    <![CDATA[Allocating 2015 Budget for Key and Certificate Security]]> https://www.venafi.com/blog/post/allocating-2015-budget-for-key-and-certificate-security https://www.venafi.com/blog/post/allocating-2015-budget-for-key-and-certificate-security/#When:14:00:00Z Right now many enterprises are in the final stages of their 2015 budget cycles, and many are allocating budget for one of the most important problems and highest areas of risk: protecting the trust established by keys and certificates. Trust is a top-of-mind issue for CEOs and boards. Thousands of keys and certificates—many unknown to security teams—create the trust on which businesses run. If any one key or certificate is compromised, tampered with, or forged, brand reputation suffers, intellectual property can be stolen, and customer privacy breached. The consequences of failing to secure trust are considerable and can significantly damage business.

    Why is securing keys and certificates so important now? As we have come to rely more heavily on keys and certificates, cybercriminals have made them more of a target. They want to use keys and certificates to be authenticated and evade detection, bypassing other security controls and keeping their actions cloaked.

    Organizations layer security controls to create a defense-in-depth approach to protecting their business. But a lack of key and certificate security undermines the Critical Security Controls (CSCs) listed by the SANS Institute. For example, according to Gartner, 25% to 50% of all traffic in organizations is encrypted. Most security controls, like malware defenses, boundary defenses, and data protection, do not decrypt data, but instead rely on keys and certificates to determine trust.

    Secure Key and Certificates Improve critical security controls

    The challenge is that security technologies are still designed to trust encryption. When attackers use encryption, they securely bypass your other security controls and hide their actions. The strength of your security program depends on the trust established by keys and certificates and how well you protect that trust. If your top 2015 priorities are data security, privileged access, data loss prevention, PCI DSS v3, advanced threat mitigation, or mobility, then securing keys and certificates is critical to your team’s success.

    If you have not already included key and certificate security in your 2015 budget, I encourage you to include this essential Next Generation Trust Protection as a top priority. Since Heartbleed, CEOs, boards of directors, and even audit committees are asking their CISOs what they are doing about better securing keys and certificates—especially when hackers used the Heartbleed vulnerability to breach a behind-the-firewall system at Community Health Systems that affected an estimated 4.5 million patients! If keys and certificates are not replaced, exploits of Heartbleed can steal intellectual property, breach customer privacy, and irreparably damage reputation.

    With these consequences, it’s incredibly surprising that so many have not fully remediated Heartbleed: in research from July 2014, Venafi Labs found 97% of public-facing G2000 servers are still vulnerable because keys and certificates hadn’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation.

    I know firsthand that CISOs are always being asked to do more with less and have to prioritize many important projects during budget cycles. I joined Venafi earlier this year to help other CISOs and CIOs fortify their strategies and defend their businesses. Since I joined Venafi, I’ve worked with over 150 CISOs and CIOs to help them understand the problem and begin budgeting now. I can do the same for you by sharing a budget recommendation brief that summarizes the information gathered from these CISO meetings.

    Effective key and certificate security can complement your current priorities and improve the effectiveness of your critical security controls. Enterprises need to make key and certificate security a top priority in 2015, or take the opportunity to get started with any leftover 2014 funds. Without key and certificate security, there are security gaps that bypass critical security controls. And Heartbleed is just one of numerous vulnerabilities and attacks on trust—these are increasing in frequency and severity, continually threatening the trust that is the foundation of business.

    I am personally committed to helping my fellow CISOs secure their businesses against trust-based attacks and welcome them to reach out to me directly to help them put together a plan to protect their keys and certificates and secure their business.

    ]]>
    2014-10-01T14:00:00+00:00
    <![CDATA[Payments and Private Key Protection]]> https://www.venafi.com/blog/post/payments-and-private-key-protection https://www.venafi.com/blog/post/payments-and-private-key-protection/#When:13:44:00Z There have been a lot of retailers making headlines for payment system breaches, where millions of credit card numbers have been stolen. After a breach, the retailer has to take a hard look at the people, processes, and technology that are in place in their Information Security organization. How the organization complies with their own Information Security policies, standards, and guidelines must be analyzed and the gaps in infrastructure and applications must be identified and prioritized so that risk can be greatly reduced.

    Payment Card Industry Data Security Standard High-Level Requirements

    For any organization that processes, stores, and transmits cardholder data, the Payment Card Industry Data Security Standard (PCI-DSS) helps keep cardholder data secure. There are 6 objectives supported by 12 high-level requirements and over 200 detailed requirements. The number of requirements that apply to an entity that is storing, transmitting, or processing cardholder data depends on the number of transactions processed, the cardholder data flow, and if there has been an egregious violation. Egregious violations occur when the following is present on a network: a Primary Account Number (PAN) stored in the clear in a database, a PAN transmitted in the clear over an open public network, or stored sensitive authentication data. This authentication data includes full track data from the magnetic stripe or chip, the 3- or 4-digit code on the front or back of the credit card (CAV2/CVC2/CVV2/CID), or personal identification numbers (PINs/PIN blocks). So even a merchant with low transaction volumes could have all 239 requirements apply if they have not properly scoped or implemented the network and cardholder data handling.

    Requirements three and four fall under the objective, Protect Cardholder Data, and define critical protection methods that use cryptography. The cryptography has to be implemented in a secure manner to keep intruders out. “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” (PCI-DSS, pg. 34) So there are a lot of requirements, but underlying the security of the entire PCI-DSS is the application of strong cryptography in the right places and the assurance that the private keys are protected. Private keys must stay private. Failure to do so undermines all of the other security controls that are in place.

    So how does one protect a private key? The PCI-DSS requirement 3.5.2 goes into detail on this, and I will blog about this next month. For now, I want to highlight the physical security requirements under requirement 9, Restrict Physical Access to Cardholder Data. To do this I want to share my experience in having implemented a Certification Authority (CA). Five tiers of physical security were implemented to secure the Root CA, which was an offline CA, and four for the online CAs:

    • Tier 1: Employees
      Operating policies and procedures including employee screening
    • Tier 2: Building
      7X24X365 guard force with a central control station, photo ID access, intrusion detection system, and closed circuit TV
    • Tier 3: CA Facility
      Structural protection, controlled access system, and self-contained UPS power system
    • Tier 4: CA Secure Rooms
      Walls with steel mesh, two-person access with biometric control, closed circuit TV, and motion alarms
    • Tier 5: Root Private Key
      Class 5 dual drawer safe with dual locks on each drawer
    • Additionally, all of Requirement 9 was met

    I know you’re not all protecting Certification Authority keys; however, the care taken to protect CA keys should be thought about for the private keys on the payment network. In order to protect private keys, there has to be physical and network defense in depth. I could argue that all 239 PCI-DSS requirements should be in place to protect private keys. But I bet most organizations do not give private encryption keys much thought, and therefore do not know what private keys are on their network, who put them there, whether they have been rotated, whether they are accessible only by the key custodians or by any administrator, and whether they are exposed to the internet because of zero-day malware or other Trojans that have gone undetected.

    There are numerous current attacks on private keys. Yes, I know some are because the X.509 standard was not implemented properly, and this was taken advantage of by intruders and malicious individuals. But in your organization, can you be sure that the wrong people don’t have your private keys, that an intruder has not replaced them, and that you have all the proper controls in place to ensure this?

    ]]>
    2014-09-30T13:44:00+00:00
    <![CDATA[Attacks on Trust Driving Compliance Evolution]]> https://www.venafi.com/blog/post/attacks-on-trust-driving-compliance-evolution https://www.venafi.com/blog/post/attacks-on-trust-driving-compliance-evolution/#When:14:00:00Z When it comes to cybersecurity, any new regulatory compliance measure or guidance is typically driven by a significant expansion of associated real-world threats and incidents. For example, in October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued very pointed guidance requiring a second factor of authentication in an Internet banking environment. This effectively replaced the initial FFIEC Internet banking authentication guidance of 2001. The updated FFIEC guidance came as a result of these real-world instances:

    1. The massive growth of Internet banking (from 2001-2005), and
    2. The increase in the number and sophistication of threats to Internet banking authentication

    Each financial services enterprise then proceeded to come up with a plan to technologically require users to employ a second factor of authentication (beyond a password) that would be as minimally intrusive as possible to the customer’s online experience. Fast-forward to present day, and this is why risk-based and behavioral scoring occurs behind the scenes at any bank’s login page, serving as that least intrusive, yet valid, second factor of authentication.

    Compliance Evolution

    New risk areas and new real-world incidents drive the evolution of information security audit and compliance.

    Similar to user IDs and passwords, encryption keys and digital certificates provide trusted authentication (along with trusted encryption of the data transmitted), whether between two machines or a machine and a user. However, if cybercriminals compromise, for example, SSH keys that provide root-level access to critical Linux systems, they’ll get away with a whole lot more than a few hundred dollars from a user’s checking account. When it comes to protecting keys and certificates, the stakes are much, much higher for the enterprise.

    Malicious use and compromise of keys and certificates is no longer a theoretical threat. In 2013, even prior to the discovery of Heartbleed, an analysis by the Ponemon Institute of over 2000 large, global enterprises showed that ALL had experienced and responded to an attack on keys and certificates in the previous 24 months. In this same study, IT security professionals estimated the impact of an attack on trust to total on average almost $35 million.

    Add to this equation the fact that enterprise usage of keys and certificates is growing at rates similar to the adoption of online banking in the early 2000s. It then becomes very apparent that risks associated with keys and certificates (and thus trust online) can easily spiral out of control if Global 2000 organizations don’t act now.

    From a compliance perspective, encryption keys and digital certificates are now where online banking user IDs and passwords were in 2005. Attackers are expanding their efforts to breach their targets via weaknesses in keys and certificates, as they know many organizations’ PKIs are silently rife with vulnerability. This is why many Global 2000 industry compliance bodies are more and more insisting that all enterprise encryption keys and digital certificates be protected in a similar manner to all other privileged access credentials at an organization.

    Industry Compliance Involving Keys and Certificates

    Requirements around the protection of keys and certificates (Next Generation Trust Protection) have been added directly or indirectly to nearly all major regulatory compliance bodies.

    Failing to protect trust can result in serious regulatory and business consequences for the enterprise, ranging from failed audits and fines to irreversible brand reputation damage. Our mission here at Venafi is to prevent this from happening to our customers. Given that enterprise keys and certificates provide trusted communication, implementing a program to protect enterprise keys and certificates is now more commonly referred to as “Next Generation Trust Protection.”

    The collective risks involved with unprotected keys and certificates are at an all-time high, and regulatory compliance bodies are now evolving to address them. This is a point of convergence for Next Generation Trust Protection, where the risk and real-life threats to keys and certificates drive widespread regulatory and security framework evolution. The Venafi Trust Protection Platform secures trust by protecting enterprise keys and certificates and is well positioned to meet industry best practice needs around Trust Protection. By instituting a Next Generation Trust Protection program, you’re not only better securing the enterprise brand and dramatically cutting costs, but you’re also staying ahead of the evolving information security compliance curve.

    ]]>
    2014-09-26T14:00:00+00:00
    <![CDATA[Failing to Protect Customers’ Trust Will Impact Your Business]]> https://www.venafi.com/blog/post/failing-to-protect-customers-trust-will-impact-your-business https://www.venafi.com/blog/post/failing-to-protect-customers-trust-will-impact-your-business/#When:14:00:00Z In my last blog on “SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?” I reported on the latest threats facing many enterprises today, because enterprises are failing to secure the trust in the mobile apps they’re developing for their end users. Researchers discovered that many of the popular mobile apps developed by reputable companies often do not implement SSL validation correctly, making them vulnerable to active man-in-the-middle (MITM) attacks. In MITM attacks an attacker can substitute a legitimate SSL certificate with one under his control and view and/or manipulate private information submitted by the user.

    Failing to Protect Customers’ Trust Will Impact Your Business

    As a follow-up to my previous blog, I’d like to focus on the business impacts that these mobile app security vulnerabilities have on enterprises and why CISOs should keep them in mind.

    Customer Privacy Breached

    Adopting an app-based strategy for your customers is not easy and it comes with significant risks. As mentioned above, the SSL vulnerabilities found in mobile apps are prone to MITM attacks that trick users into leaking sensitive data. And these leaks are particularly threatening because consumers are using mobile apps to access banking records, healthcare benefit plans, and retail accounts. This creates security risks for enterprises because it requires them to expose backend systems and data via APIs, which means that consumers’ sensitive information is being placed at risk of compromise. Attackers exploit mobile apps that do not check the validity of SSL certificates by using fake unassigned certificates to attack end users. Attackers can intercept traffic on wireless networks used by mobile devices and insert the fake SSL certificates, inject malicious information-stealing code directly into the apps, and divert users to compromised sites to conduct fraudulent transactions without most users noticing the difference.

    Brand Reputation Damage

    When an attacker finds an exploit or flaw in your mobile apps that leaks your customers’ private information, be prepared for a PR nightmare, because this will surely make a very large splash in the media. Security and privacy issues can have a major impact on customer adoption of your mobile apps, damage your company's brand reputation, and even negatively impact revenue. Keep in mind that you will not always get a second chance to get it right with your customers.

    Audit Failure

    Fandango and Credit Karma mobile apps failed to secure SSL and validate certificates and exposed consumers’ sensitive personal information. Both were heavily penalized by the FTC and should serve as a reminder of the seriousness behind failing to secure and validate SSL certificates. By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app and exposed consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses, passwords, credit scores, and other credit report details such as account names and balances.

    It is the responsibility of IT security teams and CISOs to ensure that they protect customers’ privacy and safeguard them from fraudulent or malicious activities. And to do this, organizations need to ensure their apps are not leaking private information, ensure trusted connections to services, and have the right intelligence to ensure trust between the business and the customer.

    ]]>
    2014-09-25T14:00:00+00:00
    <![CDATA[Trust Is a Necessity, Not a Luxury]]> https://www.venafi.com/blog/post/trust-is-a-necessity-not-a-luxury https://www.venafi.com/blog/post/trust-is-a-necessity-not-a-luxury/#When:13:15:00Z Mapping Certificate and Key Security to Critical Security Controls

    I travel all over the world to meet with CIOs and CISOs and discuss their top-of-mind concerns. Our discussions inevitably return to the unrelenting barrage of trust-based attacks. Vulnerabilities like Heartbleed and successfully executed trust-based attacks have demonstrated just how devastating these attacks can be: if an organization’s web servers, cloud systems, and network systems cannot be trusted, that organization cannot run its business. 

    Given the current threat landscape, securing an organization’s infrastructure can seem a bit daunting, but CISOs aren’t alone in their efforts to protect their critical systems. Critical controls are designed to help organizations mitigate risks to their most important systems and confidential data. For example, the SANS 20 Critical Security Controls provides a comprehensive framework of security controls for protecting systems and data against cyber threats. These controls are based on the recommendations of experts worldwide—from both private industries and government agencies.

    SANS 2 - critical security controls

    These experts have realized what I’ve maintained for years—just how critical an organization’s keys and certificates are to its security posture. What can be more critical than the foundation of trust for all critical systems? As a result, the SANS 20 Critical Security Controls have been updated to include measures for protecting keys and certificates. Organizations need to go through their internal controls and processes—like I’ve done as a CISO—and ensure that their processes for handling keys and certificates map to recommended security controls.

    For example, most organizations know that best practices include implementing Secure Socket Layer (SSL) and Secure Shell (SSH), but they may not realize that they must go beyond simply using these security protocols to using them correctly. Otherwise, they have no protection against attacks that exploit misconfigured, mismanaged, or unprotected keys. SANS Control 12 points out two such common attacks for exploiting administrative privileges: the first attack dupes the administrative user into opening a malicious email attachment, but the second attack is arguably more insidious, allowing attackers to guess or crack passwords and then elevate their privileges—Edward Snowden used this type of attack to gain access to information he was not authorized to access.

    SANS Control 17, which focuses on data protection, emphasizes the importance of securing keys and certificates using “proven processes” defined in standards such as the National Institute of Standards and Technology (NIST) SP 800-57. NIST 800-57 outlines best practices for managing and securing cryptographic keys and certificates from the initial certificate request to revocation or deletion of the certificate. SANS Control 17 suggests several ways to get the most benefit from these NIST best practices. I’m going to highlight just a couple:

    • Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise (CSC 17-10)
    • Perform an annual review of algorithms and key lengths in use for protection of sensitive data (CSC 17-11)

    Think for a moment about how you would begin mapping your processes to these two recommendations:

    • Do you have policies that specify which CAs are approved?
    • Do you have an auditable process that validates that administrators must submit certificate requests to approved CAs?
    • Do you have a timely process for replacing certificates signed by non-approved CAs with approved certificates?
    • Do you have an inventory of all certificates in your environment, their issuing CAs, and their private key algorithms?
    • Do you have an inventory of all SSH keys in your environment, their key algorithms, and key lengths?
    • Do you have a system for validating that all certificates and SSH keys actually in use in your environment are listed in this inventory?
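The two CSC 17 recommendations and the checklist questions above can be turned into a repeatable check. The following is an added example, not Venafi code and not part of the SANS document: it takes a constructed inventory of certificates and SSH keys, compares issuers against an approved-CA list (CSC 17-10), reviews algorithms and key lengths (CSC 17-11), and reports anything observed on the network that the inventory does not know about. The CA names, minimum key sizes and sample records are assumptions chosen for illustration.

```python
"""Policy check over a key and certificate inventory (added example, not Venafi code).

Maps three of the questions in the post to code: approved CAs (CSC 17-10),
algorithm and key-length review (CSC 17-11), and inventory completeness.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class CertRecord:
    subject: str      # CN of the server certificate
    issuer: str       # CN of the issuing CA
    key_alg: str      # public key algorithm, e.g. "RSA" or "EC"
    key_bits: int     # RSA modulus size or EC curve size in bits
    sig_hash: str     # hash used in the certificate signature


@dataclass(frozen=True)
class SshKeyRecord:
    host: str
    key_alg: str      # e.g. "RSA", "ECDSA", "ED25519", "DSA"
    key_bits: int


# Policy values: constructed for this example, not a Venafi or SANS list.
APPROVED_CAS = {"Example Corp Issuing CA 1", "Example Public CA (placeholder)"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256, "ECDSA": 256, "ED25519": 256}
WEAK_SIG_HASHES = {"md5", "sha1"}
DISALLOWED_SSH_ALGS = {"DSA"}   # DSA SSH keys are fixed at 1024 bits


def audit_certificates(certs: Iterable[CertRecord],
                       approved_cas: Set[str] = APPROVED_CAS) -> List[str]:
    """Return one finding per policy violation, tagged with the CSC it maps to."""
    findings = []
    for c in certs:
        if c.issuer not in approved_cas:
            findings.append(f"{c.subject}: issued by non-approved CA '{c.issuer}' (CSC 17-10)")
        minimum = MIN_KEY_BITS.get(c.key_alg)
        if minimum is None:
            findings.append(f"{c.subject}: unrecognised key algorithm {c.key_alg} (CSC 17-11)")
        elif c.key_bits < minimum:
            findings.append(f"{c.subject}: {c.key_alg} key of {c.key_bits} bits is below "
                            f"the {minimum}-bit minimum (CSC 17-11)")
        if c.sig_hash.lower() in WEAK_SIG_HASHES:
            findings.append(f"{c.subject}: signed with weak hash {c.sig_hash} (CSC 17-11)")
    return findings


def audit_ssh_keys(keys: Iterable[SshKeyRecord]) -> List[str]:
    """Same review for SSH host and user keys: algorithm first, then key length."""
    findings = []
    for k in keys:
        if k.key_alg in DISALLOWED_SSH_ALGS:
            findings.append(f"{k.host}: {k.key_alg} SSH keys are not permitted (CSC 17-11)")
            continue
        minimum = MIN_KEY_BITS.get(k.key_alg)
        if minimum is None:
            findings.append(f"{k.host}: unrecognised SSH key algorithm {k.key_alg} (CSC 17-11)")
        elif k.key_bits < minimum:
            findings.append(f"{k.host}: {k.key_alg} SSH key of {k.key_bits} bits is below "
                            f"the {minimum}-bit minimum (CSC 17-11)")
    return findings


def unknown_in_use(observed: Iterable[str], inventory: Iterable[str]) -> Set[str]:
    """Identifiers seen in use (e.g. from a network scan) that the inventory does not list."""
    return set(observed) - set(inventory)


# Constructed sample inventory; every value is illustrative.
SAMPLE_CERTS = [
    CertRecord("www.example.com", "Example Corp Issuing CA 1", "RSA", 2048, "sha256"),
    CertRecord("intranet.example.com", "Self-Signed Test CA", "RSA", 1024, "sha1"),
    CertRecord("api.example.com", "Example Corp Issuing CA 1", "EC", 256, "sha256"),
]
SAMPLE_SSH_KEYS = [
    SshKeyRecord("bastion01", "ED25519", 256),
    SshKeyRecord("legacy-db02", "DSA", 1024),
    SshKeyRecord("build03", "RSA", 1024),
]
SAMPLE_OBSERVED = ["www.example.com", "api.example.com", "shadow.example.com"]


if __name__ == "__main__":
    for line in audit_certificates(SAMPLE_CERTS) + audit_ssh_keys(SAMPLE_SSH_KEYS):
        print(line)
    for subject in sorted(unknown_in_use(SAMPLE_OBSERVED, (c.subject for c in SAMPLE_CERTS))):
        print(f"{subject}: in use but not in inventory")
```

On the sample data the self-signed intranet certificate produces three findings (non-approved CA, 1024-bit RSA, SHA-1 signature), the DSA and 1024-bit RSA SSH keys one each, and shadow.example.com is flagged as in use but absent from the inventory. Feeding the functions from a real discovery scan rather than a hand-built list is what turns this into the auditable process the checklist asks for.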

    I LOVE that I can say that Venafi solutions allow you to answer “yes” to all of these.

    If you are interested in more details about mapping your processes for securing keys and certificates to the SANS Critical Security Controls, stay tuned: my white paper on that subject, coauthored with George Muldoon, will be coming soon.

    ]]>
    2014-09-16T13:15:00+00:00
    <![CDATA[2015 PCI SIG Presentations—Rallying the Vote for Securing Keys and Certificates]]> https://www.venafi.com/blog/post/2015-pci-sig-presentations https://www.venafi.com/blog/post/2015-pci-sig-presentations/#When:22:20:00Z Today, at the 2014 PCI Community Meetings in Orlando, the 2014 PCI Special Interest Groups (SIGs) provided updates on their progress and presentations were given on the 2015 PCI SIG proposals in hopes of getting votes to become 2015 PCI SIG projects. As I’ve mentioned in previous blogs, Venafi has co-submitted a 2015 PCI SIG proposal with SecurityMetrics on Cryptographic Keys and Digital Certificates Security Guidelines. In the presentations today, Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, delivered the presentation for this SIG proposal. Watching the sessions at the PCI Community Meetings, now is the right time for this important PCI SIG topic.

    Kevin Bocek at 2014 PCI Community Meetings in Orlando

Today’s keynote from Bob Arno, Adventures of a Thiefhunter, really called into question our trust of other people. He talked about how teams of pickpockets work together to steal from unsuspecting victims and how they use the stolen credit cards. The pickpockets are successful, because we generally trust the people around us. Keys and certificates also establish trust, but, in both cases, criminals are leveraging this trust to avoid detection while committing their crimes.

    Merchants, financial institutions, and payment processors rely on thousands of keys and certificates as the foundation of trust in the cardholder data environments (CDE), protecting cardholder data (CHD) across their websites, virtual machines, mobile devices, and cloud servers. Yet it is this very trust that cybercriminals want to use, not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden. If only one of your critical keys or certificates is compromised, the digital trust you have established is eliminated. And this opens organizations up to PCI DSS audit failures and, more importantly, breaches.

    The PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines has already rallied support from Global 100 merchants, PCI Qualified Security Assessors (QSAs), and security experts, and we’re looking for more support from the PCI community.

     

    The 2015 PCI SIG proposals will be presented again at the 2014 PCI Community Meetings in Berlin (Oct 7-9). Then PCI Participating Organizations will vote on the 2015 PCI SIG proposals from October 13-23. After the vote, the PCI Security Standards Council (PCI SSC) will select 2-3 presentations to become 2015 PCI SIG projects. In early November, there will be a call for participation for the selected SIGs and the projects will kick off in January 2015.

    Want more information? Want to get involved? Visit the website for the PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines at www.protecttrust.org.

    ]]>
    2014-09-11T22:20:00+00:00
    <![CDATA[Malicious Security—Can You Trust Your Security Technology? ]]> https://www.venafi.com/blog/post/malicious-security https://www.venafi.com/blog/post/malicious-security/#When:15:20:00Z Encryption and cryptography have long been thought of as the exemplars of Internet security. Unfortunately, this is not the case anymore. Encryption keys and digital certificates have become the weakest link in most organizations’ security strategies, resulting in diminished effectiveness of other security investments like NGFW, IDS/IPS, WAF, AV, etc.

    In my previous post, I discussed the difference between key management and key security. The problem today is not that encryption and cryptography are broken, but rather that there are mediocre implementations to secure and protect keys and certificates from theft. Worse yet, most organizations cannot even tell the difference between rogue and legitimate usage of keys and certificates on their networks or stop attackers from using them. Bad actors and nation states continue to abuse the trust that most have in encryption, but very few in the security industry are actually doing something about it.

    Undermining Your Critical Security Controls

    The threatscape has changed:

    Even with all the advances in security technology over the last decade, cybercriminals are still very successful at stealing your data. The challenge is that security technologies are still designed to trust encryption. When threats use encryption, they securely bypass other security controls and hide their actions. Let’s review an example of how a bad actor can use keys and certificates to subvert any security technology or control.

    Using Keys and Certificates throughout the Attack Chain

    The use of keys and certificates in APT campaigns is cyclical. A typical trust-based attack can be broken up into four primary steps that include the theft of the key, use of the key, exfiltration of data, and expansion of its foothold on the network.

    keys and certificates used throughout the attack chain

    Step 1: Steal the Private Key

When Symantec analyzed sample malware designed to steal private keys from certificate stores, the same behavior was noted for every malware variant that was studied. In this example, the CertOpenSystemStoreA function is used to open stored certificates, and the PFXExportCertStoreEx function exports the following certificate stores:

    • MY: A certificate store that holds certificates with the associated private keys
    • CA: Certificate authority certificates
    • ROOT: Root certificates
    • SPC: Software Publisher Certificates

    The malware samples were able to steal the digital certificate and corresponding private key by performing the following actions:

    1. Opens the MY certificate store
    2. Allocates 3C245h bytes of memory
    3. Calculates the actual data size
    4. Frees the allocated memory
    5. Allocates memory for the actual data size
    6. The PFXExportCertStoreEx function writes data to the CRYPT_DATA_BLOB area to which the pPFX points
    7. Writes data (No decryption routine is required when it writes the content of the certificate store)

    Step 2: Use the Key

    With access to the private key, there are a multitude of use cases for a malicious campaign. Let’s review how cybercriminals impersonate a website and sign malware with a code-signing certificate.

Website impersonation can easily be achieved using the stolen private key as part of a spear-phishing campaign. The attacker sets up a clone version of the target website—Outlook Web Access (OWA) or a company portal would be a prime target. Because the clone uses the stolen private key and certificate, anyone who visits the website would not see any errors in the browser. The fake website also hosts the malware that is intended for the victim.

    Step 3: Exfiltrate the Data

    Now that the fake website is prepped and ready to go, it’s time to execute the spear-phishing campaign. Using popular social networks like LinkedIn, it is a simple process to profile a victim and formulate a well-crafted email that will entice the victim to click on a malicious link. Imagine you get an email from the IT administrator stating that your password will be expiring shortly, and that you need to change your password by logging into OWA. The IT administrator very kindly also provided you with a link to OWA in the email for you to click on and reset your password.

    When you click on the link and input your credentials into the OWA website, not only are your credentials stolen, but malware is installed onto your machine. It’s important to note that the malware is also signed using a stolen code-signing certificate to avoid detection. By signing the malware with a legitimate code-signing certificate the attackers increase their chances of avoiding detection.

    In part 2 of this blog series, I will cover step 4 and discuss some examples of the actions trust-based threats perform and how bad actors use keys and certificates to maintain their foothold in the enterprise network. I will also offer some guidance on how to mitigate trust-based attacks.

Register for a customized vulnerability report to better understand your organization’s SSL vulnerabilities that cybercriminals use to undermine the security controls deployed in your enterprise network.

    ]]>
    2014-09-11T15:20:00+00:00
    <![CDATA[PCI Business-as-Usual Security—Best Practice or Requirement? ]]> https://www.venafi.com/blog/post/pci-business-as-usual https://www.venafi.com/blog/post/pci-business-as-usual/#When:15:34:00Z I’m attending the 2014 PCI Community Meetings in Orlando and the PCI SSC kicked off the conference with a presentation by Jake Marcinko, Standards Manager, on Business-as-Usual (BAU) compliance practices. The PCI DSS v3, released in November 2013, emphasizes that security controls implemented for compliance should be part of an organization’s business-as-usual security strategy, enabling organizations to maintain compliance on an ongoing basis.

    PCI community meeting

    Compliance is not meant to be a single point in time that is achieved annually to pass an audit. Instead, compliance is meant to be an ongoing state, ensuring sustained security within the Cardholder Data Environment (CDE). Security should be maintained as part of the normal day-to-day routines and not as a periodic compliance project.

    To highlight the lack of business-as-usual security processes, Jake referenced the Verizon 2014 PCI Compliance Report, saying that almost no organization achieved compliance without requiring remediation following the assessment and there is dismally low continued compliance—only 1 out of 10 passed all 12 of the PCI DSS requirements in their 2013 assessments. But this was up from only 7.5% in 2012.

    Four elements of ongoing, business-as-usual security processes were outlined:

    1. Monitor security control operations
    2. Detect and respond to security control failures
    3. Understand how changes in the organization affect security controls
    4. Conduct periodic security control assessments, and identify and respond to vulnerabilities

    Jake mentioned that automated security controls help with maintaining security as a business-as-usual process, providing ongoing monitoring and alerting. If manual processes are used, they need to ensure that regular monitoring is conducted for continuous security.

    The PCI DSS emphasis on business-as-usual security processes does not apply to any particular PCI DSS requirement, but instead applies across the standard. When considering how this applies to keys and certificates, manual security processes are unsustainable. A study by Ponemon Research found that, on average, there are 17,000 keys and certificates in an enterprise network, but 51% of organizations are unaware of how many certificates and keys are actively in use. Although some of these keys and certificates will not be in scope of the PCI DSS, a considerable number are used in the CDE to protect Cardholder Data (CHD).

    In a recent webinar on PCI DSS v3 compliance for keys and certificates with 230 attendees, a poll revealed that over half (53%) either applied manual processes to securing their keys and certificates (41%) or did not secure them at all (12%). When specifically asked about their business-as-usual security processes for keys and certificates, more than half (53%) said they had no business-as-usual processes, but merely applied a manual process at the time of audit.

    Organizations need automated security to deliver business-as-usual security processes for keys and certificates. This should include comprehensive discovery for a complete inventory of keys and certificates in scope of the PCI DSS, daily monitoring of all keys and certificates, establishment of a baseline, alerts of any anomalous activity, and automatic remediation so that errors, oversights, and attacks do not become breaches.

    During his presentation, Jake noted that, for now, implementing business-as-usual security controls is a best practice according to the PCI DSS v3, and not a requirement. But he said that best practices often become requirements—so don’t wait! Start incorporating business-as-usual security practices now.

    Learn how Venafi can help you automate key and certificate security required in PCI DSS v3—simplifying and ensuring repeated audit success while providing ongoing security for your CDE.

    ]]>
    2014-09-10T15:34:00+00:00
    <![CDATA[SSL Vulnerabilities in Your Mobile Apps:  What Could Possibly Go Wrong?]]> https://www.venafi.com/blog/post/ssl-vulnerabilities-in-your-mobile-apps-what-could-possibly-go-wrong https://www.venafi.com/blog/post/ssl-vulnerabilities-in-your-mobile-apps-what-could-possibly-go-wrong/#When:13:15:00Z The majority of people and consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of the check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on a Fandango mobile app.  People will automatically assume the company has issued a secure app, especially if the app comes from a reputable G2000 company and they downloaded it from the Apple or Google Play app store—or even directly from their employer.  What could possibly go wrong? 

    smart phone mobile applications security

    Well, evidently there’s a lot that can go wrong.  SSL vulnerabilities in the Android and iOS ecosystems and the man-in-the-middle (MITM) attacks they enable are exposing consumers’ banking credentials, health information, and other personal information.  What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps as was recently uncovered by university researchers. The study found Android vulnerabilities that enabled the researchers to hack personal information such as usernames and passwords, social security numbers, and steal check images from popular mobile apps with the following success rates:

• 92% for Gmail
• 83% for Chase
• 92% for H&R Block
• 86% for Newegg
• 85% for WebMD
• 83% for Hotels.com
• 48% for Amazon

    FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks.  FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates.  And of the 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing data they exchange with their servers to potential theft.

    It wasn’t too long ago that MITM attacks emerged as a major threat to web-based, online transactions, and now we see that MITM attacks are increasingly becoming more widespread for mobile apps.  Mobile apps, just like websites, use the same method to secure communications—SSL/TLS.  However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks.  For example, an attacker can substitute a legitimate SSL certificate with one under his control and view data exchanged between the mobile device and remote server or manipulate private information submitted by the user.

    Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities.  It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.
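The certificate-validation failure described in this post and in the follow-up on business impact (the Fandango and Credit Karma cases) comes down to a few client-side decisions. The block below is an added example, not code from the post or from any of the apps named: it uses Python’s ssl module, rather than the Android or iOS APIs, to show the anti-pattern (a client that accepts any certificate) beside the hardened configuration (chain validation, hostname check, TLS 1.2 minimum, and an optional certificate pin applied after validation). The audit_context helper is a review check for spotting the anti-pattern in a client’s settings. The pinning scheme (SHA-256 over the DER certificate) and the connect_pinned helper are assumptions for illustration.

```python
"""Insecure vs. hardened TLS client settings (added example, not code from the post).

The same three decisions an Android or iOS app makes when it builds its HTTPS client:
validate the chain, check the hostname, and optionally pin the expected certificate.
"""
import hashlib
import socket
import ssl
from typing import Iterable, List, Optional


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern the post describes: accept whatever certificate the server sends.

    With both checks off, anyone who can sit between the device and the server can
    present a certificate of their own and the client raises no error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)   # system trust store when cafile is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Review check: list the weaknesses in a client's TLS settings (empty list = none found)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate: the value an app would ship as its pin."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_allowed(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Pin check. Done in addition to chain validation, never instead of it."""
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> str:
    """Open a verified TLS connection, then enforce the pin; returns the negotiated version.

    Assumed deployment choice: 'pins' holds SHA-256 hex digests of the DER certificates
    the app expects (current and backup). This performs a network call and is not
    exercised offline.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not fingerprint_allowed(der, pins):
                raise ssl.SSLCertVerificationError("server certificate does not match any pin")
            return tls.version()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

Run stand-alone, the script reports two findings for the insecure context and none for the hardened one. The point the FireEye and university numbers make is that the first function is what a large share of shipped apps effectively do; the second is the default behaviour of the platform libraries, which the apps overrode.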

    ]]>
    2014-09-04T13:15:00+00:00
    <![CDATA[Following a Major Attack, the PCI SSC Announces Securing Cryptographic Keys and Digital Certificates]]> https://www.venafi.com/blog/post/pci-ssc-announces-securing-cryptographic-keys-and-digital-certificates https://www.venafi.com/blog/post/pci-ssc-announces-securing-cryptographic-keys-and-digital-certificates/#When:16:40:00Z Just last week, an exploit of the Heartbleed vulnerability that used compromised keys and certificates became public. Community Health Systems (CHS) was breached following incomplete Heartbleed remediation, impacting an estimated 4.5 million patients. This breach was particularly significant because it compromised a behind-the-firewall system that has been a low priority for remediation for many companies. The severity and scope of Heartbleed, and now its exploits, put a spotlight on the importance of protecting trust—securing our keys and certificates.

    With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced on Monday that Securing Cryptographic Keys and Digital Certificates is among the finalists selected for a 2015 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS). Back in June, I posted a blog about our submission of a PCI SIG topic on Securing Cryptographic Keys and Digital Certificates. Now the acceptance of this PCI SIG as a finalist emphasizes how critical it is for organizations to protect key and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.

    Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.

    Most organizations have not fully remediated Heartbleed. Venafi research shows that 97% of G2000 public-facing servers are still vulnerable because keys and certificates haven’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation. The bottom line is that there are hundreds of organizations that have not completed remediation and are another CHS waiting to happen.

    Are you one of the doubters that don’t think you’ll become a victim? It looks like many G2000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the last 24 months. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. The CHS attack and Advanced Persistent Threats (APTs) that target keys and certificates such as APT1, Mask, Energetic Bear, Crouching Yeti, and Zombie Zero—just to name a few—underscore the importance of strong key and certificate security and remediation capabilities.

    The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.

    We have two primary objectives for this SIG:

    • Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
    • Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates

    Venafi co-submitted the PCI SIG proposal on Cryptographic Keys and Digital Certificates with SecurityMetrics, a leading QSA. SecurityMetrics brings extensive experience to the SIG—they have helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. We also have several other participants committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000.

    PCI DSS 2014 Community Meetings

    So what’s next? The selected PCI SIGs will present at the 2014 PCI Community Meetings in North America (September) and Europe (October). An election will be held from October 13-23 and the PCI Participating Organizations will vote. The leading 2-3 SIG topics will become PCI SIG projects for 2015.

    If you are a PCI Participating Organization, I hope you’ll vote for this important SIG, and even consider becoming one of the SIG participants. For more information, read the Venafi press release on our SIG for Securing Cryptographic Keys and Digital Certificates.

    ]]>
    2014-08-26T16:40:00+00:00
    <![CDATA[Complying with Data Security Laws and Regulations? Congratulations, You’re Doing the Minimum! Part 2]]> https://www.venafi.com/blog/post/complying-with-data-security-laws-and-regulations-2 https://www.venafi.com/blog/post/complying-with-data-security-laws-and-regulations-2/#When:13:45:00Z Dig Deeper for Security Vulnerabilities

Business is booming and electronic information systems are running smoothly. You’ve passed all compliance audits and feel confident in your ability to defend your enterprise against cyber attacks. Data security, while a constant challenge, appears manageable. Attacks and intrusion attempts are ongoing, but breaches and direct losses so far appear to be both rare and manageable. As a Global 2000 leader with high profile, worldwide operations, you know intuitively that your systems and processes are prime targets for cybercriminals and miscreants. Perhaps your competitor just suffered an embarrassing breach? You read the news and the relevant industry press describing advanced persistent threats (APTs). Many of these APTs are now employing sophisticated malware communicating over Secure Sockets Layer (SSL), looking to exploit cryptographic keys and digital certificates, and attempting to gain rogue Secure Shell (SSH) access with root access privileges. Despite copious investments in people, processes, and technology—plus verifiable compliance with all relevant data security laws and regulations—you still wonder, “Can I be missing something important? How would I even know?”

    Look Forward for Security Inspiration, Not Backward

    Audits are indispensable tools for certifying past performance against regulatory compliance standards that apply with general uniformity to all organizations within a given industry. They are much less effective, however, for ascertaining true information security defense capabilities on a particularized, forward-looking basis. Audits certify what took place over a specific historical reporting period—typically the last calendar or fiscal year—and may cover events that occurred long ago, even though much may have changed in the threatscape since that time. Looking backward is instructive, but looking forward is a far more effective means of assessing security readiness.

    Did we provide enough security last year to pass the audit? What does barely passing an audit reveal? How urgently will necessary changes be implemented if there are no repercussions resulting from just squeaking by?

    Strive for Continuous Improvement, Not Just to Pass Audits

    Achieving an unblemished audit record is a laudable achievement and should be a goal of every organization, security team, and compliance officer. It is necessary, of course, but by no means is it sufficient for assuring data security against modern cyber attacks. If passing an audit is the primary yardstick and everyone is satisfied with the status quo, then what is the incentive to improve things for the next year? In some cases, failing an audit provides more impetus to pursue improvement, and would be more beneficial in the long run, than passing one by a small margin.

    With so much at stake, is “good enough” really good enough? Best security practices demand more than minimal compliance.

    Look Inward for Motivation, Not Outward

    Motivations for achieving regulatory compliance are typically externally focused: to pass an audit; to renew a certification; to prevent a lawsuit; or to avoid a penalty such as a fine or a suspension from government contracting. By contrast, motivations for achieving true data security against a fast-changing threatscape tend to be internally focused: to meaningfully secure proprietary, customer, and employee data; to bolster active defenses; to improve detection and response capabilities; and to reduce the organization’s overall vulnerability cross-section.

    The focus on passing an audit is fundamentally different from a commitment to achieving excellence in information security.

    Compliance is measured by “reasonableness under the circumstances,” a sliding scale based on the nature and scope of an organization’s operations. Arguing gray areas is what keeps an army of lawyers gainfully employed, but what’s considered to be “reasonable” has been steadily expanding in recent years. So be proactive and don’t wait to be tripped up by an audit! Can you identify all cryptographic keys and digital certificates in use across your enterprise and to whom they are assigned? Are they secured and protected? How strong is their encryption and how often do they get rotated? Do you know the location of every SSH-enabled server and whether the authentication keys that access them are unique or shared? What does “trust” look like in your organization?

    If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.

    Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.

    ]]>
    2014-08-26T13:45:00+00:00
    <![CDATA[Attack on Trust Threat Bulletin: APT Operators Exploit Heartbleed]]> https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-apt-operators-exploit-heartbleed https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-apt-operators-exploit-heartbleed/#When:20:30:00Z Situation

    On 20 August 2014, TrustedSec reported that Advanced Persistent Threat (APT) operators exploiting Heartbleed were responsible for the data breach of 4.5 million Community Health System patients. The Heartbleed exploit was used against a Juniper system behind the firewall to expand the APT operators’ attack in order, ultimately, to reach the patient records database.

    This breach is significant for two reasons:

    1. It demonstrates how APT attackers will patiently exploit Heartbleed over time.
    2. The target was a behind-the-firewall system where Heartbleed remediation has been a low priority in many organizations.

    The incident likely shows, as is being reported by TIME and Bloomberg, that attackers stole TLS/SSL keys and certificates to execute the breach (further confirmation needs to be made).

    Heartbleed remediation, as defined by experts from Bruce Schneier to Gartner, is still overwhelmingly incomplete in most organizations. Venafi Labs recently found that 97% of Global 2000 public-facing systems remain vulnerable to attack following Heartbleed due to incomplete remediation. Complete remediation requires not only that a system be patched, but also that new keys be generated and then certificates be re-issued, installed, and validated, and the old certificates revoked.

    Venafi CISO, Tammy Moskites, has prepared guidelines for CISOs and their teams on why organizations need to prepare to respond to more incidents like Heartbleed.

    Threat

    CloudFlare and others have confirmed attackers’ ability to steal SSL/TLS keys and certificates by exploiting the Heartbleed vulnerability. The resulting use of stolen keys allows attackers to spoof trusted services and decrypt private communications. Such exploits can enable attackers to steal intellectual property, breach customer privacy directly, or allow the attacker to expand their foothold to reach the primary target.

    Given that remediation of public-facing systems was prioritized in most Heartbleed responses, and that many more behind-the-firewall systems remain vulnerable, it is likely that the lack of complete Heartbleed remediation is worse than what Venafi Labs, Netcraft, and others found. This delay in completing a full remediation, including revoking and reissuing all certificates and keys, provided APT operators ample time to plan and coordinate key-stealing incidents that facilitated the data breach. Both the Aviva compromise (that used Heartbleed and was executed 6 weeks after the vulnerability was first reported) and now the Community Health System compromise demonstrate the patience and persistence of APT operators. These examples also provide a reminder that Heartbleed is not over and that remediation by changing all keys and certificates in the organization must be completed.

    Impact

    Organizations must act quickly to complete Heartbleed remediation for all systems, both public facing and behind-the-firewall. Heartbleed remediation requires that all keys and certificates be replaced, not just for a system to be patched. Incomplete remediation means that business and government services can be spoofed with the trust that a valid digital certificate provides and sensitive communications can be decrypted.

    APT operators, from Mask to Crouching Yeti, have been known to exploit stolen keys over a period of up to 7 years. Until keys and certificates are replaced, your network, intellectual property, and customer data are still vulnerable.

    Furthermore, failing to remediate Heartbleed undermines other security controls, from strong authentication and privileged access to behavioral analysis and network access, because attackers have the trusted status of valid keys and certificates to authenticate and cloak their malicious activities.

    Recommended Remediation

    Venafi recommends customers complete Heartbleed remediation following guidance from Gartner and others, as follows:

    • Identify all systems using OpenSSL 1.0.1 – 1.0.1f and upgrade to OpenSSL 1.0.1g
    • Prioritize replacement of keys and certificates to fix based on knowledge of vulnerable applications
    • Generate new keys and X.509 certificates
    • Install new keys and certificates on servers, revoke vulnerable certificates
    • Validate new keys and certificates are being used
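The bulletin's point is that patching is only the first of these steps: a host can be on a fixed OpenSSL build and still serve a certificate whose private key was exposed, and a rekeyed host is still impersonable until the old certificate is revoked. The script below is an added example, not Venafi's or OpenSSL's code, that classifies an inventory of TLS endpoints into those remediation stages. It assumes a constructed inventory (host names, versions and dates are placeholders) and uses the publication date of OpenSSL 1.0.1g, 2014-04-07, as the cutoff for "issued after the patch".

```python
"""Classify Heartbleed remediation status across a TLS endpoint inventory.

Added example (not Venafi's or OpenSSL's code). The inventory is constructed
for illustration; in practice it would come from a scanner or CMDB export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable
import re

# OpenSSL 1.0.1g, the first 1.0.1 release without the bug, was published on
# 2014-04-07. A certificate issued before that date was served by a key that
# may have been read out of memory, so patching alone leaves it untrusted.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

# Matches release strings such as "1.0.1", "1.0.1f", "0.9.8y"; pre-release
# strings ("1.0.2-beta1") are out of scope here and raise ValueError.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def is_vulnerable_openssl(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, the range the bulletin names."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter = m.groups()
    if (major, minor, patch) != ("1", "0", "1"):
        return False         # 0.9.8, 1.0.0 and 1.0.2+ releases are outside the range
    return letter <= "f"     # "" (plain 1.0.1) and a..f affected; g and later fixed


@dataclass
class Endpoint:
    host: str
    openssl_version: str
    cert_not_before: date   # issuance date of the certificate currently served
    old_cert_revoked: bool  # has the pre-patch certificate been revoked at the CA?


def remediation_status(ep: Endpoint) -> str:
    """Order matters: patch first, then rekey, then revoke, then it is complete."""
    if is_vulnerable_openssl(ep.openssl_version):
        return "vulnerable"
    if ep.cert_not_before < HEARTBLEED_FIX_DATE:
        return "patched_not_rekeyed"   # still serving a certificate whose key may have leaked
    if not ep.old_cert_revoked:
        return "rekeyed_not_revoked"   # the old certificate can still be used to impersonate
    return "complete"


def summarize(endpoints: Iterable[Endpoint]) -> Dict[str, int]:
    """Count endpoints per remediation stage for a progress report."""
    counts = {"vulnerable": 0, "patched_not_rekeyed": 0,
              "rekeyed_not_revoked": 0, "complete": 0}
    for ep in endpoints:
        counts[remediation_status(ep)] += 1
    return counts


# Constructed sample inventory (host names, versions and dates are placeholders).
SAMPLE_INVENTORY = [
    Endpoint("www-1", "1.0.1e", date(2014, 1, 15), False),
    Endpoint("lb-1", "1.0.1", date(2013, 11, 3), False),
    Endpoint("www-2", "1.0.1g", date(2014, 1, 15), False),
    Endpoint("api-1", "1.0.1g", date(2014, 4, 20), False),
    Endpoint("vpn-1", "1.0.1h", date(2014, 5, 2), True),
]

if __name__ == "__main__":
    for ep in SAMPLE_INVENTORY:
        print(f"{ep.host:8} {ep.openssl_version:8} {remediation_status(ep)}")
    print(summarize(SAMPLE_INVENTORY))
```

The "patched_not_rekeyed" bucket is the one the bulletin's numbers describe: a host that passes a version check but would still fail the remediation definition above. Two of the five constructed hosts are still on an affected build, and only one reaches "complete".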

    Venafi customers can learn more about this process and receive additional guidance from the Venafi support team.

    Venafi recommends customers use the Venafi Trust Protection Platform to take the following actions:

    1. Replace all TLS/SSL keys and certificates with Venafi TrustAuthority and Venafi TrustForce:
      • Prioritize replacement first for systems known to be Heartbleed vulnerable.
      • With TrustAuthority, generate and distribute new keys and certificates.
      • With TrustForce, installation and validation will occur automatically, greatly reducing the time to when remediation is complete and the organization is no longer vulnerable.
    2. Validate and report on remediation
      • Using the shared reporting services of the Trust Protection Platform, organizations can identify their progress in reducing risk.
      • The Venafi support team can provide more information and examples.
    3. Replace all SSH keys and certificates with TrustForce:
      • Replace all SSH keys by rolling over older versions—installing, validating, and updating authorized key lists will be performed automatically, greatly reducing the time to when remediation is complete and the organization is no longer vulnerable.
      • Just like passwords and TLS/SSL keys and certificates are changed, replacement of all SSH keys is recommended to stop possible expansion of attacks from privileged accounts.

    Please contact Venafi support with any questions or a request for help with remediation.

    Additional Resources
    ]]>
    2014-08-21T20:30:00+00:00
    <![CDATA[Key and Certificate Management vs. Key and Certificate Security—Time for a Change]]> https://www.venafi.com/blog/post/key-and-certificate-management-v-key-and-certificate-security https://www.venafi.com/blog/post/key-and-certificate-management-v-key-and-certificate-security/#When:14:09:00Z Even though your organization is spending millions in security technology to protect the business and stop adversaries, cybercriminals are still getting away with your data. It’s time to take a long hard look at your security strategy and ask yourself where all the gaps are. One area where most organizations fall short is key and certificate security. I’m not talking about key and certificate management—it doesn’t help mitigate or detect trust-based attacks.

    The sad truth is that your organization has probably invested millions of dollars in security solutions but failed to secure keys and certificates. And as a result, the security solutions you have implemented wind up having diminished effectiveness, because you have a gaping hole in your security strategy of which adversaries are taking advantage. I’m talking about trust-based attacks. In the last 2 years, the attacks on keys and certificates have increased dramatically with enormous impact. There are hundreds of examples, but the more well-known ones, like Snowden, Energetic Bear, Careto, or Heartbleed, all show just how ineffective the security investments your organization is making are against trust-based attacks.

    Time for a change

    The perception that basic key management is good enough, either with a key lifecycle management solution or the good old spreadsheet, is like wearing a bikini in a snowstorm—you’re dangerously exposed! So if bad actors have realized the value in stealing, forging, and using keys and certificates in their malicious campaigns to bypass all the new security technology you’ve implemented, why are you still leaving your jacket at home? It’s time to dress for the weather. Take a good long hard look at your security strategy and evaluate how your organization is protecting its keys and certificates.

    Basic key management is not going to help you identify rogue usage of keys and certificates in the network. Neither is an IDS/IPS, NGFW, Sandboxing, or even an SSL gateway scanning solution. The truth of the matter really is that keys and certificates are blindly trusted. Combatting threats that leverage these trusted assets requires a targeted solution designed to discover their misuse.

    Revamping your security strategy

    Don’t undermine the millions of dollars your organization has invested in security solutions with a gap in your key and certificate protection. Close this gap to make all of your security solutions more effective. Here are some recommendations on implementing key and certificate security:

    • Identify vulnerabilities related to keys and certificates and remediate by replacing vulnerable keys and certificates.
    • Establish a baseline norm of key and certificate usage. In doing so, you will quickly be able to identify any rogue usage of keys and certificates that trigger security events.
    • Define and enforce centralized policy for all keys and certificates—including SSH keys.
    • Automate the remediation of trust-based attacks to reduce the overall impact.

    Venafi helps organizations address trust-based attacks with our Venafi Trust Protection Platform. To find your organization’s SSL vulnerabilities, register to generate an on-demand Venafi Labs Vulnerability Report.

    ]]>
    2014-08-21T14:09:00+00:00
    <![CDATA[Global Security is Like Running a Marathon While Juggling]]> https://www.venafi.com/blog/post/global-security-is-like-running-a-marathon-while-juggling https://www.venafi.com/blog/post/global-security-is-like-running-a-marathon-while-juggling/#When:13:51:00Z I’ve often been asked to provide some insight from a CISO perspective on how the threat landscape has changed and how, as a CISO, I’ve had to ensure business continuity while ensuring the environment is secure and in compliance with regulations. Having spent much of my career securing global organizations, I know firsthand how truly grueling it can be: a marathon that you run while juggling dozens of balls. For example, before you can even begin to set up your security programs, you have to understand the compliance and regulatory laws in each country where you do business.

    Year after year these regulations and laws become more stringent, compounding the difficulty of securing a global company. You have to have a top-notch security team—which I have been lucky enough to have—and establish a close partnership with your company’s legal, regulatory affairs, and compliance teams. These teams should be well versed in the laws in different countries and can help your security team align its security programs with those laws. It then requires a very coordinated effort to ensure that everyone is always on the same page. Most importantly, you need to ensure that you are doing the right things right.

    To stay on top of the accelerating threats that regulations and laws are meant to address, companies are going to have to make a lot of progress from where many of them are today. Just a few years ago companies thought that implementing tighter access controls with keys and certificates and encrypting sensitive traffic adequately protected their data. However, hackers have consistently and successfully used trust-based attacks to infiltrate networks and steal confidential data. Such attacks allow hackers to bypass traditional security measures. Security devices, such as data loss prevention (DLP) tools, cannot monitor encrypted traffic, and Gartner found that “less than 20% of organizations with a firewall, an intrusion prevention system (IPS), or unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.”

    Your security team must be able to monitor traffic that appears to be trusted in your environment, to detect threats in that traffic, and to react to those threats. SSL visibility appliances can prop up security by decrypting data before it is sent out and monitoring it for anomalous behavior. However, SSL visibility appliances are only effective if you have an inventory of known trusted keys and certificates in your environment. You need to know whether you can truly trust encrypted traffic—or whether attackers have hijacked encryption for their purposes. Only Venafi solutions help your security team monitor for anomalous key usage or audit your encryption resources against the latest recommendations from the National Institute of Standards and Technology (NIST).

    I’m very passionate about the need to detect and stop trust-based attacks. And for five years—even before joining Venafi—I have been passionate about the tool that provides the best protection against these attacks: Venafi Trust Protection Platform. As the CIO and CISO of Venafi, I enjoy the opportunities I have to partner with other CIOs and CISOs across the globe, to give them more insight into trust-based attacks, and to discuss strategies for securing their global companies. The security world is a very tight-knit group that shares information freely, and the ability to help out all organizations, not just one, is a big plus for me. Did I mention I LOVE what I do each and every day?

    ]]>
    2014-07-31T13:51:00+00:00
    <![CDATA[Expose the Gaps in Your SSL Security Posture with Venafi Labs Vulnerability Report]]> https://www.venafi.com/blog/post/expose-the-gaps-in-your-ssl-security-posture-with-venafi-labs-vulnerability https://www.venafi.com/blog/post/expose-the-gaps-in-your-ssl-security-posture-with-venafi-labs-vulnerability/#When:13:27:00Z Venafi is pleased to announce the availability of the Venafi Labs Vulnerability Report. In the last 12 months, trust-based attacks that make use of, or abuse, the trust established by keys and certificates have been catapulted to the forefront of the security industry. Highly publicized examples, like Edward Snowden, Heartbleed, and the issuance of fraudulent certificates from intermediate certificate authorities, are causing the security industry to reevaluate how keys and certificates are secured.

    Gartner estimates that by 2017, 50% of network-based attacks will use SSL. This is no surprise when you consider that many organizations are enabling always-on SSL and have little to no visibility into how keys and certificates are configured or secured. Most organizations lack visibility into their SSL / TLS landscape. The result is that these organizations are in a state of increased exposure to trust-based attacks and have no ability to respond.

    The gaps in enterprise security for keys and certificates diminish the effectiveness of all other security investments. Bad actors are able to bypass defense-in-depth solutions because of the trusted status they gain from abusing keys and certificates.

    Venafi Labs frequently analyzes the websites of the Global 2000 organizations and the Alexa Top 1 Million to identify SSL / TLS vulnerabilities. The Heartbleed research that was recently published by Venafi was derived from the global SSL / TLS threat intelligence provided by the Venafi Labs Vulnerability Report. This threat intelligence is now available to anyone, allowing organizations to perform SSL / TLS vulnerability analysis for their entire publicly-facing server footprint.

    Venafi Labs Vulnerability Report provides organizations with the ability to easily identify where they need to take action first to reduce their attack surface against trust-based attacks.

    Automated vulnerability scanning for an organization’s entire SSL / TLS publicly-facing landscape

    Once an organization is registered on the portal, the Venafi Labs Vulnerability Report will identify any of its publicly-facing SSL / TLS hosts for evaluation. This is a critical step that many organizations miss. The majority of reports show hosts of which the information security group was not aware, to which it has not applied security policies, or which have weak security configurations. Imagine that you have a backdoor to your house that you didn’t know about, it’s unsecured, and criminals have been using it to secretly gain access to your house for years! Although this is unlikely for an actual house, this is commonplace for SSL / TLS hosts.

    It’s good practice to evaluate the hosts you know about from a SSL / TLS security perspective. But how can you evaluate the SSL / TLS security posture for systems of which you are not aware? Venafi Labs Vulnerability Report helps organizations find these ‘hidden secret doors’ into the enterprise network.

    Venafi Labs Vulnerability Report performs a detailed evaluation of SSL / TLS for an organization and is able to identify which hosts belong to that organization. Unlike other solutions that only focus on a single domain at a time, Venafi performs deep analysis to gather all publicly-facing hosts associated with an organization—including subsidiaries.

    Identification of the most egregious SSL / TLS vulnerabilities

    When evaluating the publicly-facing SSL / TLS security landscape, it is very easy to get overwhelmed when trying to decide where first to start remediating vulnerabilities. Venafi Labs simplifies this task with the introduction of the Venafi Labs Vulnerability Report Vulnerability Scale.

    Figure: Vulnerability Scale

    Using this Vulnerability Scale, users can quickly and easily identify where the most egregious publicly-facing SSL / TLS vulnerabilities are that should be addressed first. Using this methodology, organizations can rapidly reduce their overall threat surface.

    Register to generate your free vulnerability report for your entire SSL / TLS landscape and start remediating your most egregious SSL / TLS vulnerabilities.

    ]]>
    2014-07-29T13:27:00+00:00
    <![CDATA[Understanding Trust and How to Defend It in the Digital Age]]> https://www.venafi.com/blog/post/understanding-trust-and-how-to-defend-it-in-the-digital-age https://www.venafi.com/blog/post/understanding-trust-and-how-to-defend-it-in-the-digital-age/#When:13:44:00Z Trust is arguably the most important component of any functioning society on the planet. Since nearly all who will read this blog are information security professionals, you likely know that Bruce Schneier even wrote an insightful book about it. Without trust, we feel at risk, exposed, and uncertain, ultimately rendering all others in the society with whom we interact in a doubtful state of volatility.

    In the physical world, every hour of every day we perform what we view as pedestrian activities, which in reality, involve untold levels of trust to function as designed. Every day activities, like driving in a car, flying on an airplane, depositing money in the bank, eating out at a restaurant, and even drinking and using the water that comes out of the faucets in our homes, involve inordinate amounts of trust to remain, well, delightfully commonplace.

    So what if I told you the trust you know and love was beginning to slowly disintegrate before your very eyes? Wouldn’t you want to do something about it to save it? Of course you would, and that’s why you should read on.

    Since the dawn of the digital age, our trust in commonplace activities has evolved to include everything we do online.  You trust that when you open a web browser, type in the domain name of your bank, log in to your account, and transmit data with that financial institution online that you are communicating privately and securely.  In reality, you’re trusting all the load balancers, servers, devices, and machine-to-machine communication that occurs in nanoseconds, with each click of the mouse at your desk or push of the icon on your tablet or phone.

    With more and more of society’s activities occurring online, and growing faster than ever with the burgeoning “Internet of Things,” we rely more and more upon the authenticity and validation of each component making up the underpinning of the digital universe’s infrastructure. Each Global 2000 enterprise owns or leases their respective online real estate within the greater digital universe, and if they care about their business, they are responsible for the security, authenticity, and privacy of the data stored upon it or passing through it. In other words, to make any corporation’s real estate a place where people and other corporations want to do business, at its foundation, it must ultimately be trustworthy.

    In an effort to keep our online real estate as trustworthy as possible and secure the company against those that aren’t trustworthy, Global 2000 enterprises employ large security organizations. These teams of security experts in turn adopt and apply security strategies made up of security solutions. All of these solutions fundamentally afford the enterprise visibility to see various threat events and the ability to remediate these threat events. We use security frameworks, industry best practices, and security audits to understand what parts of our security strategy need corrective investment, have exposures to close, and have audit findings to be addressed.

    Securing Trust by Protecting Keys and Certificates

    But at a more granular level, how do Global 2000 enterprises ensure each and every infrastructure component within their online real estate is secure and authentic, so the data stored upon each component (or passing through) will be kept private and secure? Until the world invents a new mechanism, we all use encryption keys and digital certificates. Each component of an enterprise’s online real estate relies upon encryption keys and digital certificates to confidently authenticate each component and to keep the associated data private and safe from exposure.

    In addition to the risk of deprecation without innovation, it is these enterprise keys and certificates which are being misused, abused, and targeted more and more by bad actors, including well-organized cybercriminal and espionage groups, as well as malicious or otherwise compromised insiders. Encryption keys and digital certificates are THE foundation of trust online, and it’s this trust that is under attack.

    If we continue to allow this corrosion of online trust, our activities online are more and more at risk, exposed, and uncertain. We ultimately reach the same doubtful state of volatility that we reach in the physical world when trust becomes compromised. We must have visibility into events that threaten encryption keys and digital certificates, just like we have visibility into our networks, user IDs and passwords, privileged user accounts, and other digital components in which we demand visibility as part of our core security strategy. We must have the ability to respond and remediate threats and weaknesses associated with encryption keys and certificates.

    Without having full visibility, control, and remediation capabilities with keys and certificates, our security strategies have serious blind spots (and Gartner agrees). And even more vexing, the way in which we measure our success using security frameworks, industry best practices, and security audits may become completely undermined if we don’t account for threats using keys and certificates to conceal themselves, or threats which target weaker, vulnerable ones. This is exactly what SANS realized, when they recently added numerous control measures to Critical Security Control #17 (Data Protection).

    And this is what we do at Venafi. We eliminate the snowballing blind spot that typically exists with enterprises’ encryption keys and digital certificates and enable enterprises to give their trusted online real estate the security and protection it deserves.  We provide a proven technology platform which empowers enterprises to achieve comprehensive visibility into all encryption keys and digital certificates. We also provide the ability to respond and remediate against insider and outsider threats misusing, abusing, or targeting weak encryption keys and digital certificates. Venafi exists to defend and champion trust in the digital age. Given the ominous consequences of trust becoming compromised in your online real estate, and thus trust in your brand becoming compromised, nothing is more important. Nothing is of a higher priority than trust. This is why we named our solution the Venafi Trust Protection Platform. This is what we mean by Securing Trust by Protecting Keys and Certificates.

    ]]>
    2014-07-24T13:44:00+00:00
    <![CDATA[Have You Put a Welcome Mat Out for Attackers? Forrester Research Shows Gaps in SSH Security.]]> https://www.venafi.com/blog/post/forrester-research-shows-gaps-in-ssh-security https://www.venafi.com/blog/post/forrester-research-shows-gaps-in-ssh-security/#When:13:45:00Z Organizations have become reliant on SSH to provide authentication and establish elevated privileges between administrators, applications, and virtual machines in the data center and out to cloud. SSH helps enterprises establish trust. However, there is a darker side to SSH, a dirty little secret that research published by Forrester exposes. Most bad actors understand this secret and continuously take advantage of it. In fact, the problem is becoming worse as organizations become more reliant on SSH to administer workloads in the cloud.

    Lax Policy Enforcement

    On a daily basis, IT security professionals must balance a myriad of threats and security challenges, all while ensuring the business remains operational. When you take into account the elevated privileges SSH provides, you would assume that enterprises make SSH keys more secure and apply more well-defined, stringent policies than simple usernames and passwords, which provide fewer privileges. But this is not the case. Most organizations have a 30-, 60-, or 90-day password rotation policy. However, Forrester research shows that most organizations have no policies or controls to secure SSH keys. Almost three-quarters (73%) of organizations hardly ever rotate SSH keys. They also rely on system administrators to self-govern their SSH keys. This negligence provides bad actors with near unfettered access to enterprise networks with elevated privileges, sometimes for a span of several years (see an example of a multi-year APT attack).

    Figure: How often does your organization rotate SSH keys?

    Increasing Attack on SSH

    In the last 24 months, nearly 50% of survey respondents reported that they had to respond to security incidents related to the compromise or misuse of SSH keys. Unfortunately, even with such a high frequency in security incidents, information security professionals don’t seem to be taking the issue seriously. Only 9% of organizations scan for unauthorized SSH activity every 12 hours. The remaining survey respondents either do not scan at all or at a frequency that ranges from greater than every 12 hours to every month. When compared to vulnerability scanning or AV scanning, you would never consider 12 hours to be sufficient.

    Closing the Gaps in SSH Security

    When considering the importance of SSH and the fact that SSH keys provide the ‘keys to the kingdom’—your enterprise network—the security of SSH keys should be a high priority. Forrester research recommends the following minimum steps be taken to close the SSH security gaps:

    1. Ensure there is centralized visibility and control over SSH keys. Reliance on disparate administrative controls is proven to be ineffective.
    2. Ensure there is centralized policy enforcement. Policy enforcement helps reduce the number of mistakes made when configuring SSH.
    3. Ensure there is a clear understanding of baseline usage. Without an understanding of how SSH keys are used and by whom, it is near impossible to detect any security incident related to SSH compromise.
    4. Ensure there is continuous monitoring of the network to identify any anomalous SSH usage. With a clear baseline of SSH usage and continuous monitoring you can dramatically reduce your organization’s threat surface.
    5. Ensure remediation of identified SSH vulnerabilities is acted upon swiftly. An SSH compromise provides bad actors with elevated privileges to the enterprise network.

    To learn more about the Forrester research, Gaps in SSH Security Create an Open Door for Attackers, visit Venafi.com.

    ]]>
    2014-07-22T13:45:00+00:00
    <![CDATA[Complying with Data Security Laws and Regulations? Congratulations, You’re Doing the Minimum!]]> https://www.venafi.com/blog/post/complying-with-data-security-laws-and-regulations https://www.venafi.com/blog/post/complying-with-data-security-laws-and-regulations/#When:14:05:00Z Is Compliance Really Just Complacence?

    You’ve built a thriving business, earned a powerful brand in the marketplace, and deliver goods and services around the globe with world-class speed and efficiency. As a Global 2000 leader, you naturally have the best interests of your employees and your customers at heart, have painstakingly earned their trust, and would never willfully do anything to put them at risk. You’re confident that you provide a secure and trusted online presence, employ rigorous information security safeguards, and do everything necessary to protect the valuable data in your charge. You’ve invested heavily in people, processes, and technology, and truly believe that you’re doing all the right things. Don’t look now, but you might be deluding yourself.

    Since industry-specific data security and privacy regulations now apply to most sectors of the economy in the United States, you probably find yourself falling under one or more of the following regulatory categories:

    • Financial Services—Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB)
    • Healthcare—Health Insurance Portability and Accountability Act (HIPAA)
    • Retail—Payment Card Industry Data Security Standard (PCI DSS)
    • Government Contractors—Federal Information Security Management Act (FISMA)
    • Industrial Control and SCADA Systems—National Institute of Standards and Technology (NIST)


    You take your compliance obligations seriously and devote great amounts of time and energy to ensure that your business meets all applicable legal and regulatory requirements. Despite best efforts and intentions, disturbing questions still gnaw at you. You ask yourself, “Does compliance standing alone truly make things sufficiently secure and keep sensitive data away from theft or exploitation?” Then you wonder, “How much more should I be doing?” Well, what if I told you that by focusing on compliance you’re really only doing the minimum necessary to keep the government regulators off your back and that compliance bears but a slim relationship to true data security?

    Commitment to Strong Security Practices or Just Toeing the Line?

    You passed an audit—hooray! But don’t pop the champagne corks quite yet. Just because you, or your auditors, certify that your business has met narrowly-defined, industry-specific information systems management requirements for the applicable reporting period doesn’t necessarily mean that all of your enterprise data or internal systems are safe from attack by outside interests or misuse from inside sources. How can this be? Don’t government regulations exist to ensure our safety? If only it were this simple. In reality, it all comes down to the ways in which rules are made, namely through legislation and through regulations.

    Legislative processes in a democracy are messy, slow, and fraught with political compromise, often resulting in watered-down laws designed to obtain just enough votes to pass the chamber. Even good, noncontroversial bills are routinely held up, delayed, or filibustered for months—or entire congressional sessions—by legislators seeking publicity or near-term political gain. Lawmakers frequently trade their support for one bill in exchange for another legislator’s vote on a different matter in an age-old congressional process known as “logrolling.” Finally, obscure or unpopular legislative “riders” with slim prospects of passing on their own merits are frequently attached to popular or “must pass” bills covering completely different legal subjects, leading to the passage of convoluted Frankenlaws consisting of multiple unrelated parts.

    Regulatory processes are no better. Under authority granted to them by Congress in broad, general terms, the responsible agency typically conducts a months-long study, promulgates new proposed regulations based on the study findings, and then opens an often-lengthy public comment period. After reviewing the initial comments, the agency then revises the regulations, waits again for public comments, and then ultimately publishes the final version of the requirements in the Federal Register—regulations which take effect at a future date, often the following January 1 or July 1. Businesses need time to absorb and adapt to these new regulations, and then a year later, an audit tells them whether or not they have successfully interpreted the changes.

    Wow! All through this extended time period, technology steadily advances and human ingenuity methodically progresses, including the actions of threat actors on a worldwide stage. New data security and privacy perils steadily emerge, while existing dangers morph or retreat across the ever-changing threatscape. Legislation and regulation are also highly mutable over time, as they are subject to shifting political trade winds. As a result, they can change course or even reverse themselves as presidential administrations come and go. Ultimately, legislation and regulations often significantly lag behind, and poorly reflect, the actual threats they are intended to address.

    Protecting the Enterprise against Trust-Based Attacks

    To truly protect your critical data and server infrastructure, you must look beyond parochial compliance requirements and take a broader view of your overall information security practices, specifically in relation to protecting information assets against trust-based attacks. First, conduct a full and complete inventory of all encryption keys and digital certificates, plus all authentication keys used within the enterprise. Use the strongest mainstream cryptography possible to secure these digital assets and then enforce robust security policies across your enterprise without exception. Understand trust relationships between users, keys, and the systems and servers they properly access. Replace weak signing algorithms and short key lengths, use trustworthy certificate authorities, and shorten key and certificate validity periods to one year. Monitor authentication and encryption usage patterns and alert when anomalies are detected. Finally, ensure that you have the ability to rotate all keys and certificates if a security breach is ever detected or suspected.


    No CEO or CISO wants to tell stakeholders that he or she is doing just the minimum required by compliance requirements—and not everything possible—to protect the enterprise and its customers against trust attacks.

    If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.

    Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.

    ]]>
    2014-07-17T14:05:00+00:00
    <![CDATA[Attack on Trust Threat Bulletin: Malicious Certificates Issued in India Threatens All Enterprises]]> https://www.venafi.com/blog/post/attack-on-trust-alert-malicious-certificates-issued-in-india-threatens-all https://www.venafi.com/blog/post/attack-on-trust-alert-malicious-certificates-issued-in-india-threatens-all/#When:18:30:00Z Situation

    On 8 July 2014 Google reported that it had discovered certificates issued without authorization for multiple Google-owned domains by the National Informatics Centre (NIC) Certificate Authority (CA). The NICCA CA certificates are intermediate CA certificates issued by the Indian Controller of Certifying Authorities (ICCA). Because NICCA CA certificates, and therefore NICCA itself, are trusted in Microsoft Windows and other applications, this is a serious security issue for all enterprises worldwide. There are also reports that other malicious certificates were issued to fraudulently represent Yahoo and other organizations. It is not clear whether this malicious issuance was due to fraud, breach, or complicity on the part of the Indian authorities.

    Threat

    No information is available on the actors who requested or maliciously issued these certificates but their intent should be assumed to be malicious. Certificates issued for a domain would allow for spoofing of websites, encrypted communications to be disclosed, and information to be tampered with. With information obtained from the attack, attackers may proceed to steal more data or elevate privileges from credentials gained through operations. Any communication with Google, including Gmail, Google Drive, and other applications, could be compromised for all organizations and individuals worldwide, not just those operating in India. And it appears that other web services that businesses and governments communicate with, including Yahoo, have also been targeted with malicious certificate issuance.

    Impact

    Certificates issued by ICCA, and consequently by NICCA, are trusted by the Microsoft certificate store, which is used by Internet Explorer and by Google Chrome on Windows. NICCA CAs may also be trusted in other enterprise applications. Therefore, the certificates issued for Google domains (and likely others, including at least Yahoo) would be trusted, allowing websites to be spoofed, sensitive information captured, and all traffic decrypted.

    Recommended Remediation

    Venafi recommends customers use the Venafi Trust Protection Platform to take the following actions:

    1. Detect NICCA certificates with Venafi TrustAuthority:
      • Scan for any certificates on their network issued by NICCA
      • Evaluate if NICCA CA certificates are trusted by enterprise applications
      • Report and escalate any NICCA CA certificates and issued certificates
    2. Remediate with Venafi TrustForce
      • Remove all NICCA CA certificates using certificate whitelisting
    3. Review CA Compromise Plan

    Please contact Venafi support with any questions or help with remediation.

    ]]>
    2014-07-11T18:30:00+00:00
    <![CDATA[Taking Key and Certificate Security Analytics to the Next Level ]]> https://www.venafi.com/blog/post/taking-key-and-certificate-security-analytics-to-the-next-level https://www.venafi.com/blog/post/taking-key-and-certificate-security-analytics-to-the-next-level/#When:20:15:00Z It’s another exciting day at Venafi and another great product release! I am thrilled to announce the release and availability of Venafi Trust Protection Platform version 14.2. This release represents our ongoing commitment and priority to prevent our customers from being vulnerable to key and certificate threats. In this latest release, we focus on improving certificate threat visibility, anomaly detection, and vulnerability remediation.

    In order for organizations to detect key and certificate anomalies and vulnerabilities, they must first have a clear and in depth visibility across their entire environment. And with the increasing attacks on keys and certificates, organizations must be able to proactively detect and continuously monitor anomalies and vulnerabilities as new threats and breaches occur.

    In this release, we supercharged our Certificate Dashboard to aid in the detection and continuous monitoring of certificate anomalies. The newly enhanced Certificate Dashboard gives organizations a comprehensive, real-time view of their entire SSL certificate inventory, so they can quickly detect critical SSL security vulnerabilities and anomalies.

    Venafi Trust Protection Platform Certificate Dashboard

     

    Certificate Vulnerability Trending

    Certificate trending graphs give a view of all of the critical certificate statistics over time, so security teams can proactively identify emerging risk patterns, discover weak links, and respond faster to attacks on certificates.

    With the Certificate Trending graphs, security analysts can identify if and when vulnerabilities are increasing and the progress in addressing those vulnerabilities. You can select different trending graphs from key lengths, signing algorithms, key algorithms, validity periods, and certificate types.

    In addition, monitoring critical certificate statistics allows organizations to track their remediation and security improvements over time and show they are improving their security posture. As an example, if there’s a sudden spike in MD5 certificates from a group who inadvertently deployed MD5 certificates with a new application, administrators can quickly identify this vulnerability, establish a remediation plan, and track the replacement of the vulnerable certificates until it is fully addressed.

    Critical Certificate Alerts

    The “Critical Alerts” section quickly highlights and identifies these critical certificate vulnerabilities:

    • Weak key lengths of 1024 bits or less
    • Weak signing algorithms such as SHA-1 and MD5
    • Validity periods of greater than two years
    • Certificates expiring within 15 days
    • Wildcard certificates

    This is useful, for instance, when a security analyst sees a critical alert that must be addressed. They can immediately get detailed information about the vulnerable certificates and take action.

    Venafi Trust Protection Platform Critical Certificate Dashboard
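    The critical-alert rules listed above are simple enough to state as code, and doing so also covers two earlier passages in this feed: the compliance post's advice to inventory certificates, replace weak signing algorithms and short keys, and shorten validity to one year, and the NIC CA advisory's step of checking whether any certificate in the enterprise chains to a distrusted issuer. The following is an added example written for this page, not Venafi product code. It evaluates each certificate record against a Policy and returns findings a dashboard could count and trend. The sample records, the reference date and the distrusted-issuer substrings are constructed assumptions; the from_pem helper, which turns a real PEM certificate into a record, relies on the third-party cryptography package and is only used when you call it.

```python
"""Flag certificates that trip the critical-alert rules described on this page.

Added example, not Venafi product code. The records, the reference date and
the distrusted-issuer strings are constructed for illustration; adjust the
Policy fields to your own standards.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CertRecord:
    subject_cn: str
    issuer: str          # issuer DN as a string
    key_algo: str        # "rsa", "dsa", "ec" or "other"
    key_bits: int
    sig_hash: str        # hash used in the signature: "md5", "sha1", "sha256", ...
    not_before: date
    not_after: date
    sans: list = field(default_factory=list)


@dataclass
class Policy:
    min_key_bits: int = 2048        # RSA/DSA below this is weak (1024 and under on the dashboard)
    weak_hashes: tuple = ("md5", "sha1")
    max_validity_days: int = 730    # dashboard rule; set 365 to follow the compliance post
    expiry_warning_days: int = 15
    # Substrings matched against the issuer DN; assumed names, not taken from the advisory.
    distrusted_issuers: tuple = ("NIC CA", "National Informatics Centre")


def assess(cert, today, policy=Policy()):
    """Return the findings for one certificate; an empty list means it is clean."""
    findings = []
    if cert.key_algo in ("rsa", "dsa") and cert.key_bits < policy.min_key_bits:
        findings.append(f"weak {cert.key_algo.upper()} key ({cert.key_bits} bits)")
    if cert.sig_hash.lower() in policy.weak_hashes:
        findings.append(f"weak signature hash ({cert.sig_hash.lower()})")
    validity = (cert.not_after - cert.not_before).days
    if validity > policy.max_validity_days:
        findings.append(f"validity {validity} days exceeds {policy.max_validity_days}")
    days_left = (cert.not_after - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= policy.expiry_warning_days:
        findings.append(f"expires in {days_left} days")
    if any(name.startswith("*.") for name in [cert.subject_cn, *cert.sans]):
        findings.append("wildcard certificate")
    issuer = cert.issuer.lower()
    if any(s.lower() in issuer for s in policy.distrusted_issuers):
        findings.append("issuer on distrust list")
    return findings


def summarize(certs, today, policy=Policy()):
    """Map each subject CN to its findings so the results can be counted and trended."""
    return {c.subject_cn: assess(c, today, policy) for c in certs}


def from_pem(pem_bytes):
    """Build a CertRecord from a PEM certificate; needs the `cryptography` package."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
    from cryptography.x509.oid import NameOID

    cert = x509.load_pem_x509_certificate(pem_bytes)
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey):
        algo = "rsa"
    elif isinstance(key, dsa.DSAPublicKey):
        algo = "dsa"
    elif isinstance(key, ec.EllipticCurvePublicKey):
        algo = "ec"
    else:
        algo = "other"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        sans = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    hash_alg = cert.signature_hash_algorithm  # None for e.g. Ed25519 signatures
    return CertRecord(
        subject_cn=cn[0].value if cn else "",
        issuer=cert.issuer.rfc4514_string(),
        key_algo=algo,
        key_bits=getattr(key, "key_size", 0),
        sig_hash=hash_alg.name if hash_alg else "unknown",
        not_before=cert.not_valid_before.date(),
        not_after=cert.not_valid_after.date(),
        sans=list(sans),
    )


TODAY = date(2014, 7, 2)  # the release post's date, used as the reference point
SAMPLE_CERTS = [  # constructed records, not real certificates
    CertRecord("www.example.com", "CN=Example Trusted CA,O=Example,C=US", "rsa", 2048,
               "sha256", date(2014, 1, 1), date(2015, 1, 1), ["www.example.com"]),
    CertRecord("*.example.net", "CN=Example Trusted CA,O=Example,C=US", "rsa", 1024,
               "sha1", date(2012, 7, 1), date(2014, 7, 10)),
    CertRecord("accounts.example.com", "CN=NIC CA 2011,O=National Informatics Centre,C=IN",
               "rsa", 2048, "sha256", date(2014, 6, 25), date(2015, 6, 25)),
]

if __name__ == "__main__":
    for cn, findings in summarize(SAMPLE_CERTS, TODAY).items():
        print(f"{cn}: {'; '.join(findings) or 'ok'}")
```

The issuer match is deliberately a substring test on the DN rather than a fingerprint, because the advisory's point is that any certificate chaining to the NIC intermediates is suspect, whichever of them signed it; once you have the offending intermediates in hand, pin their fingerprints instead.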

     

    90-day Expiration View

    The Certificate Dashboard provides the ability to graphically view certificate expirations and zoom in and out on any particular timeframe to get a list of certificates.

    Venafi Trust Protection Platform 90-day expiration view

     

    Splunk Integration—Certificate Vulnerability

    Venafi TrustAuthority can automatically feed critical certificate alerts and trends to other security systems and analytics platforms, such as the Splunk SIEM.

    Venafi Trust Protection Platform 14.1 dashboard

    These are just some of the highlights of the version 14.2 release. For more details on the release, please contact your local Venafi account representative.

    We will continue to help our customers identify and fix their key and certificate vulnerabilities, detect new threats and breaches in real-time, and ensure that when breaches do happen that they have the power to respond and take action. Venafi Trust Protection Platform 14.2 is available now.

    ]]>
    2014-07-02T20:15:00+00:00
    <![CDATA[This Is Only a Test: Tabletop Simulations Prepare You for the Worst]]> https://www.venafi.com/blog/post/this-is-only-a-test-tabletop-simulations-prepare-you-for-the-worst https://www.venafi.com/blog/post/this-is-only-a-test-tabletop-simulations-prepare-you-for-the-worst/#When:14:04:00Z P.F. Chang customers probably felt like they were taking a step back in time when cashiers ran their credit cards through ancient systems and handed them back carbon copy receipts to sign. But if the customers then asked why the cashier wasn’t using the normal point of sale system, they would have been disturbed by the revelation of an all too modern problem: P.F. Chang had experienced a security breach, as the company announced publicly on June 10, 2014.

    Unfortunately in today’s world, breaches occur more frequently than one would expect, but for companies with “Big Brand Recognition” breaches like these generate a lot of media attention. As the compromised company races to determine how many locations have been impacted and verify if data was actually stolen or altered in some way, the company’s reputation can be damaged for years to come, significantly reducing its sales and market share.

    Not surprisingly, hackers have been targeting retailers because the payoff—the ability to obtain thousands or millions of valid credit card numbers—is huge. The security breach at P.F. Chang’s is yet another example of how any retailer—large, medium, or small—is at risk.

    As I am writing this blog, P.F. Chang’s is still in the investigation stage; the company’s security experts haven’t yet disclosed exactly how hackers bypassed its security defenses. Other retailers that have been compromised in the last year (such as Neiman Marcus, Target, and Michaels) reported that malware was injected into their point of sale systems—systems that they might rely on partners to manage and protect. Although there appears to be some commonality in the attacks on these retailers, any part of a retailer’s onsite or online systems is at risk. Encryption alone cannot protect the transactions; the keys and certificates that enable encryption are often targeted for attack themselves.

    Keep Calm and Call CSIRT

    One key defense strategy against such security breaches is having a Computer Security Incident Response Team (CSIRT). This team of security experts takes responsibility for responding to cybersecurity incidents within the organization. The team must be quick, agile, and knowledgeable about any security issue. Further, the team must define roles and responsibilities, document processes, and facilitate communication and collaboration across the entire organization and its partners. During a security issue, the team becomes command and control, coordinating across business teams in a matrix fashion to determine the company’s needed actions and response. Because a CSIRT partners across the company, it can leverage the expertise of its cross-functional members to understand the impact to the business and the legal issues, and to ensure a sound communication strategy. This allows the team members to create actionable plans that mitigate the company’s risk factors.

    Tabletop exercises of security breaches and attacks are a critical part of any defense strategy. I was very lucky that in my past roles as CISO, I had amazing CSIRT teams with great employees (yes—I am throwing in a shout out here for all of my awesome employees!) We regularly held tabletop exercises which addressed credit card information theft or other potential emergencies that could impact the company. Some were small activities and some also included the executive leadership team up to the CEO. When these activities were completed, we would conduct a post mortem to determine what did and didn’t go well, until we were confident that everyone—including all the company’s partners—knew who to contact in the case of a threat, how to clean up any damage, and how to recover quickly.

    A great scenario to add to your CSIRT tabletop planning should focus on a neglected security issue: an attack against a trusted key or certificate. Your CSIRT should know how to protect these assets and how to respond to compromises. Unfortunately, since joining Venafi, I’ve found that many people don’t know how many keys and certificates they have or where these assets are deployed. To avoid chaos when an attack occurs, companies and their partners must have an inventory of all—and I mean all—certificates and keys. The foundation of security is to know what you are protecting—therefore you must have an inventory of all hardware, software, and identities (and their corresponding user IDs, keys, and certificates).

    Over the last few months, as I partner with CIOs and CISOs globally, Venafi is helping companies find insecurities in their companies’ public-facing SSL landscape. For example, when companies use wildcards, MD5, and self-signed certificates, they provide openings for hackers. Venafi solutions, which help your security teams easily pinpoint problems like these and quickly resolve them, fill in a critical gap in many security teams’ threat management plans.

    Cheers!

    Tammy Moskites, Venafi CIO & CISO

    ]]>
    2014-06-26T14:04:00+00:00
    <![CDATA[Around 90% Are Not PCI DSS Compliant—Join Our PCI SIG Efforts for More Clarity on Securing Keys and ]]> https://www.venafi.com/blog/post/around-90-are-not-pci-dss-compliantjoin-our-pci-sig-efforts-for-more-clarit https://www.venafi.com/blog/post/around-90-are-not-pci-dss-compliantjoin-our-pci-sig-efforts-for-more-clarit/#When:14:00:00Z This year, the Payment Card Industry Data Security Standard (PCI DSS) is ten years old. Happy birthday PCI DSS, ten years is a significant milestone. Yet the Verizon 2014 PCI Compliance Report reveals that around 90% of organizations are not fully PCI DSS compliant. In fact, only a little more than half of the companies in the study passed 7 of the 12 PCI DSS requirements.  And with the release of PCI DSS version 3 in November 2013, and an implementation date of June 30, 2015, we can expect compliance to dip even further in the near term.

    PCI Security Standards Council

    This lack of compliance is disconcerting because the PCI DSS is meant to serve as a minimum security standard. A company’s security program should meet and exceed the PCI DSS requirements, achieving compliance as a by-product of implementation. But if organizations aren’t meeting the PCI DSS requirements, not only are they not compliant, they’re not secure—providing opportunities for cybercriminals.

    With ten years under its belt, and now three versions, the PCI DSS has had time to mature and evolve to help close gaps posed by new threats. However, the requirements are often purposefully general in their mandates to provide flexibility in implementation. Although this flexibility can be helpful, it means that the requirements sometimes lack specificity. This is another reason why organizations should implement a strong security program regardless of the PCI DSS mandates. However, organizations could also benefit from additional guidance in the PCI DSS.

    To help address this need for clarity, the PCI Security Standards Council (PCI SSC) supports two Special Interest Groups (SIG) each year.  The SIG topics cover either a technology challenge or implementation within a specific industry. The outcome of these SIGs is usually a guidelines document and recommended changes or clarifications to the standards.

    As a PCI Participating Organization, Venafi is proposing a SIG to address Securing Cryptographic Keys and Digital Certificates. These cryptographic assets are essential to protecting all of our sensitive electronic data:

    • Protect data at rest
    • Secure data in transit
    • Authorize and authenticate servers, devices, software, cloud, and privileged administrators and users

    Cryptographic keys and digital certificates are the foundation for securing data, keeping communications safe and private, and establishing trust between communicating parties. They are critical to securing cardholder data—as well as the organization’s business—and are specifically mentioned throughout the PCI DSS. However, the PCI DSS lacks clarity and breadth on the security needed. 

    What’s more, new requirements were just introduced in PCI DSS v3 that increase the demands to secure keys and certificates, such as protecting these assets against malware, providing inventory capabilities, and offering certificate-based authentication. Protection against malware is of particular importance because changes in the threat landscape have increased the attacks that target cryptographic assets to enable trust-based attacks.  

    There has been a dramatic increase in the criticality of vulnerabilities and threats that impact keys and certificates, including Heartbleed,  the Mask APT operation, and Operation Windigo—just to name a few. And in the McAfee Labs Threat Report for the fourth quarter of 2013, McAfee reveals that malware signed with legitimate certificates rose by 52% quarter over quarter and more than tripled from the previous year. The report emphasizes, “… the misuse of legitimate code-signing certificates erodes user trust.” These threats underscore the importance of strong security and remediation capabilities for keys and certificates.

    The proposed SIG will provide guidance on how to approach the PCI DSS requirements that address cryptographic keys and digital certificates, offering a guidance document and checklist on security options and how they interrelate to best secure businesses and comply with PCI DSS requirements. This SIG is also needed to propose new security requirements for keys and certificates:  

    “New forms of attack are emerging that target data during processing and transmission — partly driven by increasing security measures put in place to protect data at rest. The PCI DSS does not currently require organizations to encrypt data being transmitted within the [cardholder data environment]. We believe that unless this is addressed, it could become a significant threat to [cardholder data].” Verizon report.

     

     

    At Venafi, we know that it is already a significant threat and want to help businesses and cardholders stay secure—this is driving our SIG proposal for Securing Cryptographic Keys and Digital Certificates. Want to join our SIG efforts? The 2015 PCI DSS SIG proposal period is now open, with a deadline of July 7, 2014, so we will be submitting our SIG proposal shortly. If selected for the shortlist of proposals, our SIG topic will be voted on during the PCI Community Meetings in September and October 2014.

    We would love your support. Contact me on LinkedIn if you’d like to participate in or endorse our SIG proposal efforts.

    ]]>
    2014-06-24T14:00:00+00:00
    <![CDATA[Think You’re Done Remediating Heartbleed? Think Again!]]> https://www.venafi.com/blog/post/think-youre-done-remediating-heartbleed-think-again https://www.venafi.com/blog/post/think-youre-done-remediating-heartbleed-think-again/#When:09:00:00Z OpenSSL has been highly publicized in the last few months—at least for the long standing bugs that have resulted in the complete breakdown of trust in the Internet and the way we do business!

    Of the last 6 bugs patched in OpenSSL the most noteworthy are Heartbleed, Cupid, and OpenSSL CCS injection:

    • Heartbleed enables an attacker to steal private keys and other sensitive credentials.
    • Cupid takes advantage of the Heartbleed flaw in TLS over the Extensible Authentication Protocol (EAP) to attack vulnerable clients connecting to a wireless network or to attack vulnerable wireless access points. The result is similar to that of Heartbleed.
    • OpenSSL CCS injection lets an attacker positioned between a vulnerable client and a vulnerable server send crafted ChangeCipherSpec messages during the handshake, so that both sides derive predictable (weak) key material; the attacker can then decrypt and modify the traffic in a man-in-the-middle (MITM) attack.

    It would seem from the recent examples that attackers are more brazenly using SSL / TLS against organizations with great success. We need to ask ourselves why. I believe we can answer this question by simply reviewing the response that most organizations have taken to remediate Heartbleed and evaluate where they are now.

    Venafi Labs frequently analyzes the websites of the Global 2000 organizations and the Alexa Top 1 Million to identify SSL / TLS vulnerabilities. We have found that although many organizations believe they are not susceptible to Heartbleed anymore, the data shows otherwise.

    As part of our analysis for Heartbleed we first compared scanning results with previously published Heartbleed vulnerable lists from ZMAP and Github. It was pleasant to see that most domains listed on these repositories have remediated correctly. However, there are a large number of organizations that are not included on the lists and are still vulnerable. Our scan data specifically focuses on Global 2000 organizations to better understand how successful they have been at remediating Heartbleed.

    Even though most Global 2000 organizations have taken steps to remediate Heartbleed, many have not fully remediated. When comparing the organizations that have correctly remediated, it would seem that discount stores took the Target breach to heart. They account for 9% that achieved full remediation of systems from the sample set.

    Global 2000 industries which remediated heartbleed

    On the other hand, telecommunications services have a long way to go to remediate Heartbleed. They are responsible for 41% of the confirmed Heartbleed vulnerable systems from the Global 2000 scan. Think of the wealth of information that cybercriminals are still syphoning off these vulnerable systems from Telecommunications services’ customers!

    G2000 industries still vulnerable to heartbleeda

    Heartbleed has been known to the world for 10 weeks now. Yet we still see evidence of thousands of systems susceptible to Heartbleed that have not even been patched yet. Venafi Labs will periodically publish updated information on organizations’ effectiveness with remediating the Heartbleed vulnerability based on our analysis of trust-based attacks.

    Learn how Venafi can help identify systems susceptible to Heartbleed and the required remediation.

    ]]>
    2014-06-19T09:00:00+00:00
    <![CDATA[The Evolution of Threats against Keys and Certificates]]> https://www.venafi.com/blog/post/the-evolution-of-threats-against-keys-and-certificates https://www.venafi.com/blog/post/the-evolution-of-threats-against-keys-and-certificates/#When:18:50:00Z In my blog post about the Heartbleed hype, I stress that threats against keys and certificates neither started with the Heartbleed vulnerability, nor certainly will end with it. Threats specifically against keys and certificates go back to 2009 and 2010, where Stuxnet and Duqu provided the virtual blueprint to the cyber criminal communities around the world by using stolen certificates to make the malware infection payload look legitimate.

    Attacks on the Certificate Authorities themselves accelerated in 2011, with well-known CAs such as Comodo and Digicert Malaysia suffering breaches. In September of 2011, with the breach of DigiNotar, some of its customers were left with no choice but to consider shutting down operations all together. By the end of 2011, there were 12 significant, publicly disclosed breaches of Certificate Authorities around the globe. It’s also worth mentioning that it was New Year’s Eve 2011 when Heartbleed was “born.”

    In simple terms, Heartbleed is the result of a developer’s coding flaw. It’s a mistake that resulted in a massive 2+ year exposure. And no one knew it was happening. Vulnerabilities that expose keys and certificates occur frequently, although certainly not on as massive a scale as Heartbleed. Weak cryptography, along with weak processes and mistakes working with cryptography, are a daily occurrence.

    In 2012, this burgeoning war on trust continued to evolve. To counteract the growing install base of advanced threat detection solutions in Global 2000 enterprises, we began to see a run on code signing certificates and widespread adoption of signing malware with certificates. Adobe announced that its code signing infrastructure had been compromised. Security vendors themselves were targeted, such as the case in which Bit9 had its secret code signing certificates stolen.

    Bad actors of 2012 also realized they could subvert trust by obtaining and misusing Secure Shell (SSH) Keys on a wide scale. Various breaches and vulnerabilities, which ultimately exposed SSH Keys, were reported, most notably at GitHub and FreeBSD. Exposures involving SSH Keys are even more nebulous in some regards in that enterprises have much less visibility into or control of them. Moreover, unlike a digital certificate with a validity period shelf-life, which will eventually expire, SSH Keys have no such expiration date.

    If 2012 was the year that attacks against trust learned to walk, then 2013 was the year they learned to drive… and drive fast. New attack schemes against TLS/SSL, such as Lucky 13, BEAST, CRIME, BREACH, and more, emerged, allowing attackers to exfiltrate sensitive data from encrypted pages. Edward Snowden went from being an obscure, soft-spoken NSA contractor living in Hawaii to becoming a household name after stealing thousands of classified NSA files—all made possible by subverting the trust and access security provided by SSH keys and digital certificates. The year 2013 also marked the first time we began to see a significant percentage increase in Android malware enabled by digital certificates (24% of all Android malware as of October 2013, up from 6.6% in 2012 and 2.9% in 2011).

    Here in 2014, attacks on trust have graduated from college and are here to stay. Highly complex Advanced Persistent Threats exist with the main objective of stealing legitimate corporate keys and certificates of all types. Have a look at the breakdown of “El Careto” (or “The Mask”), which was discovered by Kaspersky in February after 7+ years undetected in the wild. Careto, which looks like a state-sponsored campaign due to its complexity and professionalism, gathers sensitive data from infected systems, largely including VPN configurations, SSH Keys, and RDP files.

    We’ve also seen substantive evidence of forged certificates being used to decrypt and monitor traffic as well as steal credentials and sensitive data. In a recent study by Facebook and Carnegie Mellon researchers, over 6,800 connections to Facebook used forged certificates.

    Then over the past few weeks, evidence emerged around “ZBerp,” which is a hybrid Trojan “love child” of Zeus and Carberp and uses SSL to secure communications with command and control to evade detection by today’s most popular network security products.

    From the accidental introduction of vulnerabilities, like Heartbleed, to advanced, persistent, professional efforts to both circumvent and misuse keys and certificates, the risk to these cryptographic assets is evolving and advancing. These threats undermine the trust we inherently place in keys and certificates to authenticate people and machines and encrypt data we intend to safeguard and keep private. PKI is under attack. Securing, protecting, and controlling enterprise keys and certificates is no longer simply a nice operational benefit. It’s a must have to defend the veracity of your entire business and brand.

    ]]>
    2014-06-04T18:50:00+00:00
    <![CDATA[Heartbleed Hype Left Enterprises Uninformed]]> https://www.venafi.com/blog/post/heartbleed-hype-left-enterprises-uninformed https://www.venafi.com/blog/post/heartbleed-hype-left-enterprises-uninformed/#When:21:06:00Z In early April, the vulnerability known simply as “Heartbleed” became the latest rage. During the first week after discovery, the mainstream media aggressively reported on Heartbleed, stirring up a tornado of fear, uncertainty, and doubt amongst all Internet users. Never thought I’d see “Fox and Friends” talking about OpenSSL, two-factor authentication, and digital certificates, but it happened daily only 7 short weeks ago.

    This “Heartbleed Tornado” subsequently led to enterprise security professionals receiving email inbox loads of offers claiming to help you remediate. For many, especially those in the executive suites and board rooms, it was the first time they understood the true power and importance of private encryption keys and digital certificates, as well as the imperative need to protect them. Finally, I thought, the world is waking up and understanding the need to secure and protect its most valuable assets, which provide the backbone of a trustworthy Internet—encryption keys and digital certificates.

    Unfortunately, as loud as the Heartbleed Tornado roared, the lion’s share of the remediation advice related to Heartbleed was simply the following:

    1. Check and see if websites you use are vulnerable (and have been patched), and
    2. Emphasize the importance of changing your passwords.

    Patching OpenSSL and changing user-credential passwords are two of the steps to remediation. But the elephant in the room, the exposure of private encryption keys and certificates (and thus the need to revoke and reissue them ALL), was only consistently reported on by those media outlets and bloggers in the security space itself.

    Any hot media story has a shelf life, and there are only so many Heartbleed stories that will continue to draw readers in. So once the clicks died down, the mainstream all but forgot it. And those mainstream stories that remain only touch upon the surface of the vulnerability, such as NBC’s cosmetic piece on “How Major Websites Rank on Password Security.”

    But the important thing to realize is this: The threat against a trustworthy digital universe did not begin with Heartbleed. And it certainly does not end with it either. Heartbleed was simply the latest in a growing mountain of threats that continue to evolve against encryption keys and digital certificates, and thus trust online.

    For more information on Heartbleed and how to remediate effectively, check out the Venafi Heartbleed Solution page.

    ]]>
    2014-06-02T21:06:00+00:00
    <![CDATA[5 Ways to Prevent Unauthorized Access of Misused Mobile Certificates]]> https://www.venafi.com/blog/post/5-ways-to-prevent-unauthorized-access-of-misused-mobile-certificates https://www.venafi.com/blog/post/5-ways-to-prevent-unauthorized-access-of-misused-mobile-certificates/#When:18:41:00Z Mobile devices and mobile applications are becoming more dangerous threat vectors against the corporate network. Android devices seem to be continually under attack, with reports of new malware growing at an astounding rate of 197% from 2012 to 2013, based on Fourth Quarter 2013 McAfee Labs research. And according to the Verizon Data Breach Report, 71% of compromised assets in 2013 involved users and their endpoints.

    Today, enterprises are turning to certificates to secure mobile devices, applications, and users. Digital certificates authenticate mobile users to applications, VPNs, and WiFi networks. However, many organizations have little to no control over or visibility into their mobile certificate inventory, and they’re unaware of which mobile certificates their users have access to. A number of security risks, from misused or orphaned mobile VPN certificates to unauthorized access by terminated employees or contractors, can be easily exploited. Cybercriminals take advantage of mobile certificates and pose as trusted users, thereby infiltrating your network and stealing intellectual property.

    Remember that mobile certificates issued to users serve as trusted credentials for secure access to your critical networks, applications, and data. So the biggest threat to your enterprise isn’t necessarily the mobile malware, but rather the unauthorized users who may access your information.

    Here are 5 ways you can prevent unauthorized access of misused mobile certificates.

    1. Get visibility into your entire mobile and user certificate inventory
      With clear insight into your full mobile and user certificate inventory, you can identify duplicate, orphaned, and unneeded certificates. By mapping users to the certificates they are issued, you can identify certificates that are exposed to unauthorized user access. This will enable you to establish a baseline of known certificates and normal usage.
    2. Automatically enforce policies for mobile certificate issuance
      Issuing certificates to mobile devices and mobile applications according to centralized IT security policies is paramount. By enforcing cryptographic policies that control attributes such as key length, validity period, and approved CAs and by applying workflow processes to mobile certificate issuance, you can reduce your organization’s attack surface.
    3. Go beyond Mobile Device Management capabilities for certificates
      Although Mobile Device Management (MDM) solutions can provide capabilities such as deploying applications, remotely wiping devices, or deploying certificates for mobile devices, protecting mobile certificates and keys extends beyond the scope of MDMs. MDMs alone cannot remove potentially orphaned or compromised mobile certificates. As organizations adopt new mobile applications, they must have the ability to enforce IT security policies to establish norms and detect mobile certificate-based anomalies such as orphaned or duplicate certificates. They must also respond quickly by revoking a user’s certificates across multiple CAs. Furthermore, users do not always receive mobile certificates through MDMs. They may request certificates using other tools or even multiple CAs. Therefore you must implement a solution that is capable of enforcing certificate and key policies consistently across your entire environment.
    4. Immediately revoke mobile certificates when authorized use is concluded
      In the event that an employee is terminated, leaves the company without notice, or reassigns, you should immediately revoke all mobile and user certificates associated with that employee in order to prevent unauthorized access to your network. Also, keep in mind that wiping a mobile device using your MDM solution is not sufficient, because the employee could have made a copy of the certificate and key before leaving the company. Rapid revocation of all certificates, whether deployed through an MDM solution or some other means, is critical in these situations.
    5. Ensure secure end-user self service
      If your organization enables users to request certificates using enrollment portals, you must provide a secure self-service portal that enables your end users to quickly request certificates for WiFi, VPN, email, browser, or other applications. You need a mechanism that governs user certificate issuance to ensure certificates comply with security policies, to eliminate guesswork on the part of inexperienced users, and to prevent errors.
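    The inventory, policy and revocation checks in steps 1, 2 and 4 can be expressed as a small script. This is an added example, not Venafi’s product code; the record fields, the two CA names, the policy thresholds and the sample inventory are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (field names are assumptions for this example):
# one record per user or mobile certificate, issued by two different CAs.
def cert(serial, user, purpose, ca, bits, not_before, not_after, revoked=False):
    return {"serial": serial, "user": user, "purpose": purpose, "ca": ca, "bits": bits,
            "not_before": not_before, "not_after": not_after, "revoked": revoked}

INVENTORY = [
    cert("01", "alice", "vpn",   "CorpCA",   2048, date(2014, 1, 10), date(2015, 1, 10)),
    cert("02", "alice", "vpn",   "CorpCA",   2048, date(2014, 3, 1),  date(2015, 3, 1)),   # duplicate
    cert("03", "bob",   "wifi",  "PublicCA", 1024, date(2013, 6, 1),  date(2016, 6, 1)),   # weak, long-lived
    cert("04", "carol", "email", "CorpCA",   2048, date(2014, 2, 1),  date(2015, 2, 1)),   # carol has left
    cert("05", "bob",   "vpn",   "CorpCA",   2048, date(2014, 4, 1),  date(2015, 4, 1), revoked=True),
    cert("06", "carol", "vpn",   "PublicCA", 2048, date(2014, 2, 1),  date(2015, 2, 1)),   # carol, other CA
]
ACTIVE_USERS = {"alice", "bob"}              # HR directory: carol is no longer employed
POLICY = {"min_bits": 2048, "max_validity_days": 365, "approved_cas": {"CorpCA"}}

def valid_certs(inventory, today):           # unrevoked and inside the validity period
    return [c for c in inventory
            if not c["revoked"] and c["not_before"] <= today <= c["not_after"]]

def orphaned(inventory, active_users, today):   # step 1/4: holder no longer in the directory
    return sorted(c["serial"] for c in valid_certs(inventory, today)
                  if c["user"] not in active_users)

def duplicates(inventory, today):            # step 1: several valid certs for one user+purpose
    groups = defaultdict(list)
    for c in valid_certs(inventory, today):
        groups[(c["user"], c["purpose"])].append(c["serial"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def policy_violations(inventory, policy):    # step 2: key length, validity period, approved CA
    out = {}
    for c in inventory:
        reasons = []
        if c["bits"] < policy["min_bits"]:
            reasons.append("key length %d < %d" % (c["bits"], policy["min_bits"]))
        days = (c["not_after"] - c["not_before"]).days
        if days > policy["max_validity_days"]:
            reasons.append("validity %d days > %d" % (days, policy["max_validity_days"]))
        if c["ca"] not in policy["approved_cas"]:
            reasons.append("CA %s not approved" % c["ca"])
        if reasons:
            out[c["serial"]] = reasons
    return out

def revocation_plan(inventory, user, today):  # step 4: everything to revoke, grouped by CA
    plan = defaultdict(list)
    for c in valid_certs(inventory, today):
        if c["user"] == user:
            plan[c["ca"]].append(c["serial"])
    return {ca: sorted(serials) for ca, serials in plan.items()}
```

    Running the checks with today set to the post date (2014-05-27) flags carol’s two certificates as orphaned, alice’s second VPN certificate as a duplicate, and the PublicCA-issued certificates as policy violations.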

    As mobile devices continue to become more prevalent, it is important for you to take a strategic approach to securing your organization’s mobile device certificates. Following these 5 steps will help you to avoid misuse of these certificates and protect your organization against trust-based attacks that use mobile devices as an attack vector. But you don’t have to do it alone. Venafi offers a solution that can help you develop an approach to securing your mobile certificates.

    ]]>
    2014-05-27T18:41:00+00:00
    <![CDATA[Have You Budgeted for the Next Heartbleed?]]> https://www.venafi.com/blog/post/have-you-budgeted-for-the-next-heartbleed https://www.venafi.com/blog/post/have-you-budgeted-for-the-next-heartbleed/#When:16:00:00Z Last month the Heartbleed vulnerability took the world by storm. IT groups across the globe scrambled to patch systems that were susceptible to the OpenSSL vulnerability known as Heartbleed. Y2K—the millennium bug—has been dwarfed in comparison to the impact the Heartbleed vulnerability has had on the world. Let’s face it, software has vulnerabilities and cybercriminals will take advantage of them. We can expect another “Heartbleed-like” vulnerability and should prepare—now. The question is, have you budgeted for it?

    IT Security Budget

    Have you considered the costs associated with responding to the Heartbleed vulnerability? I’m not talking about the financial impact from the theft of intellectual property or brand damage but the man-hours and salary costs to respond. Before doing so, here’s a quick recap on the severity of the Heartbleed vulnerability:

    1. An attacker can steal keys and certificates without a trace.
    2. The stolen keys and certificates can then be used in trust-based attacks like phishing, man-in-the-middle (MITM), and replay attacks.
    3. The only way to remediate is to patch susceptible OpenSSL systems and replace all keys and certificates.
    4. Replacement of all keys and certificates is recommended, because you don’t know which systems—even non-OpenSSL ones—may have had keys and certificates stolen via stepping-stone attacks. You must assume all keys and certificates have been stolen!

    The average large enterprise has in excess of 17,000 encryption keys and certificates. Consider the monumental task of changing all 17,000 encryption keys and certificates in an enterprise network. This task is especially burdensome, because most organizations manually manage their public key infrastructure (PKI) via spreadsheets or basic tracking software to detect expiring certificates. To replace a certificate on a system, an administrator needs to perform multiple manual steps:

    1. Generate a new key
    2. Issue a certificate signing request (CSR)
    3. Install the new key and certificate on the respective system
    4. Revoke the old certificate
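    Because a system can be patched yet still serve the exposed key, a replacement inventory should be checked against every step above, not just the patch. This is an added example, not Venafi’s code: the record fields, the SHA-256 key fingerprint (the same idea as fingerprinting a certificate’s public key with openssl) and the sample systems are constructed here; the $115 labor figure is the post’s own estimate.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class SystemRecord:                   # constructed schema for this example
    host: str
    openssl_patched: bool             # the vulnerable OpenSSL build has been replaced
    old_pubkey: bytes                 # public key served before remediation (constructed bytes)
    new_pubkey: Optional[bytes]       # public key served now; None if no new certificate was installed
    old_cert_revoked: bool            # old certificate revoked at the CA (step 4)

def fingerprint(pubkey: bytes) -> str:
    # Comparing fingerprints, not serial numbers, catches a reissued certificate
    # that still carries the exposed key pair.
    return hashlib.sha256(pubkey).hexdigest()

def remediation_status(rec: SystemRecord) -> str:
    if not rec.openssl_patched:
        return "unpatched"
    if rec.new_pubkey is None:
        return "patched-only"            # keys exposed for 2+ years are still in service
    if fingerprint(rec.new_pubkey) == fingerprint(rec.old_pubkey):
        return "same-key-reissued"       # new certificate, but the exposed key lives on
    if not rec.old_cert_revoked:
        return "old-cert-not-revoked"    # the exposed certificate can still be presented
    return "remediated"

def incomplete(records):
    return sorted(r.host for r in records if remediation_status(r) != "remediated")

def summarize(records):
    counts = {}
    for r in records:
        status = remediation_status(r)
        counts[status] = counts.get(status, 0) + 1
    return counts

def remaining_labor_cost(records, cost_per_cert=115.0):
    # Remaining work priced with the post's estimate of $115 of labor per certificate.
    return len(incomplete(records)) * cost_per_cert

# Constructed sample inventory, one record per system.
SAMPLE = [
    SystemRecord("www1", True,  b"KEY-A", b"KEY-B", True),   # all four steps done
    SystemRecord("www2", True,  b"KEY-C", b"KEY-C", True),   # new certificate, same key
    SystemRecord("mail", True,  b"KEY-D", None,     False),  # patched, nothing replaced
    SystemRecord("vpn",  False, b"KEY-E", b"KEY-F", True),   # OpenSSL still vulnerable
    SystemRecord("api",  True,  b"KEY-G", b"KEY-H", False),  # new key, old cert still valid
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("incomplete:", incomplete(SAMPLE), "labor: $%.2f" % remaining_labor_cost(SAMPLE))
```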

    The average large enterprise takes up to four hours to perform the necessary steps to replace a certificate on a single system. The median salary for a system administrator responsible for administering the PKI is U.S. $60,000. When extrapolating the cost to respond to the Heartbleed vulnerability, it costs the organization $115.00 per certificate. To replace 17,000 encryption keys and certificates it will cost your organization $1.95 million—in labor costs alone!

    And 17,000 keys and certificates is a moderate estimate for the average enterprise network. At Venafi, we have customers that have replaced all of their keys and certificates within their networks and this equaled hundreds of thousands of keys and certificates per customer.

    Netcraft

    It seems that the world is still very much in a vulnerable state. Research published by Netcraft shows that 86% of public websites susceptible to compromise from the Heartbleed vulnerability have not been correctly remediated.

    Last month, I published a blog detailing how any organization can use Venafi Trust Protection Platform to expedite and automate the remediation of Heartbleed and drastically reduce the response time from hours to minutes. You can read about it here.

    By using Venafi TrustAuthority™, organizations can quickly identify systems impacted by the Heartbleed vulnerability and then determine how many keys and certificates are in use, where they are used, and who is responsible for them. Venafi TrustForce™ enables automated remediation of keys and certificates. This includes the installation and validation on impacted systems.

    Whether you were impacted by Heartbleed or are preparing to defend against the next crippling vulnerability, now is the time to implement a solution that enables your organization to quickly and efficiently replace all keys and certificates. Can you really afford not to?

    ]]>
    2014-05-15T16:00:00+00:00