“Last year at Black Hat we had an interesting conversation with Tammy Moskites from Venafi. Although Tammy is both the CIO and CISO of Venafi, the conversation did not focus on that company or the product as a whole. Instead we talked at length about trust and controlling the keys to data and devices. This conversation is still a very important one as we continue to see attacks and vulnerabilities in the systems that control access to and the encryption of important data.
Fortunately, since last year the message is getting out and people are starting to take notice. Sadly, this awareness has come due to a large jump in breaches where data was removed. The message has also highlighted an area that many security professionals often overlook: code development and system implementation. The idea that some developers (not all) and systems engineers are cutting corners by using WMI and self-signed certificates for systems that have access into sensitive data is a sobering one. However, it happens more than most would like to admit, and there have not really been any good tools to find and remediate this.
The use of these types of certificates is a serious concern as they are easy to capture and spoof. This leaves many of those systems open to attack and also allows a potential attacker to appear as a trusted system if something like Group Policy is used to push trust of these certificates out to a larger group. This is only compounded by the bad habit of using wildcard certificates for internal systems and web servers. Once again, these certificates are not all that hard to grab from a server and then gain access to the private keys behind them. You can imagine what can happen from there. So it seems that even though the message is getting out there, we still have a very, very long way to go.
Companies still need to get a handle on what they have in their environments, and not just from a certificate and key aspect. Most companies do not have a complete list of the systems (workstation or other) in their environments, and this is also an issue. During our conversation Tammy mentioned that there needs to be a push to educate IT and security leadership about this to help push this out to the technicians doing the actual work. The security mindset is no longer an option or an add-on to the network or sysadmin’s job. It really is a requirement, and until this shift happens things are not going to get better.
Venafi, as a company, is helping to get a handle on the trust side of things by ensuring there is secure lifecycle management of the inventory, control, and management of certificates and keys through their Trust Protection Platform, but this is just part of the conversation that needs to take place in IT. The rest is going to be up to individual companies. As Tammy put it, they will need to shift the conversation from the technology used to the risks faced and align their thinking and policies with this.
We hope that when we catch up with Tammy next year more companies will have gotten the message and have started to have the right conversations to clean up the mess that is inventory and trust in most organizations.”
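The patterns the article warns about (self-signed and wildcard certificates sitting on servers with their private keys, and trust pushed out through Group Policy) are exactly the things a certificate inventory should surface first. The script below is an added example written for this page; it is not from the article and is not Venafi code. It assumes a Windows host with PowerShell 5.1 or later, run elevated so private key details are readable, and it uses the registry location under HKLM\SOFTWARE\Policies where Group Policy records the root certificates it deploys. It only reports; nothing in any store is modified.

```powershell
# Added example, not from the article or from Venafi: inventory the local
# machine certificate stores and flag self-signed certs, wildcard certs and
# roots that arrived via Group Policy. Assumes Windows PowerShell 5.1+ and an
# elevated session. Read-only: the script changes nothing.

function Test-ExportableKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Legacy CAPI keys expose exportability through CspKeyContainerInfo; CNG
    # keys do not surface it via this property, so those are reported 'unknown'.
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $info = $Cert.PrivateKey.CspKeyContainerInfo
        if ($null -ne $info) { return [bool]$info.Exportable }
    } catch { }
    return 'unknown'
}

function Get-CertificateFindings {
    # Leaf/server stores only: everything in Root is self-signed by definition.
    param([string[]]$StoreNames = @('My', 'WebHosting'))
    foreach ($storeName in $StoreNames) {
        $path = "Cert:\LocalMachine\$storeName"
        if (-not (Test-Path $path)) { continue }   # WebHosting exists only where IIS created it
        foreach ($cert in Get-ChildItem -Path $path) {
            # SAN DNS names (DnsNameList is added by the Cert: provider); fall back
            # to the subject CN when the certificate carries no SAN extension.
            $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('SimpleName', $false)) }

            [pscustomobject]@{
                Store         = $storeName
                Subject       = $cert.Subject
                DnsNames      = ($names -join ', ')
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # Subject equal to issuer is the usual self-signed indicator.
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                # A leftmost '*' label makes one key valid for every host in the zone.
                Wildcard      = [bool]($names | Where-Object { $_ -match '^\*\.' })
                HasPrivateKey = $cert.HasPrivateKey
                KeyExportable = Test-ExportableKey -Cert $cert
            }
        }
    }
}

function Get-PolicyDeployedRoots {
    # Group Policy records the roots it distributes under this policy key, one
    # subkey per thumbprint, before they are merged into the machine Root store.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    if (-not (Test-Path $policyKey)) { return }
    $pushed = (Get-ChildItem -Path $policyKey).PSChildName
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $pushed -contains $_.Thumbprint } |
        Select-Object Subject, NotAfter, Thumbprint
}

$findings = Get-CertificateFindings

'--- Self-signed or wildcard certificates in the machine leaf stores ---'
$findings | Where-Object { $_.SelfSigned -or $_.Wildcard } |
    Format-Table Store, DnsNames, SelfSigned, Wildcard, HasPrivateKey, KeyExportable, NotAfter -AutoSize

'--- Root certificates placed in the machine Root store by Group Policy ---'
Get-PolicyDeployedRoots | Format-Table -AutoSize
```

Run it on one host to see what turns up; to start the fleet-wide inventory the article says most organizations lack, wrap the same functions in `Invoke-Command -ComputerName` against your server list and pipe the objects to `Export-Csv`. A self-signed or wildcard entry with `HasPrivateKey` true and `KeyExportable` true is the case the article describes: a key that is easy to lift from the box and that, once trusted more widely, lets the holder impersonate that system.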