The National Institute on Standards and Technology (NIST) and Venafi today announced publication of the NIST Information Technology Laboratory (ITL) bulletin entitled, "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance." NIST released the ITL bulletin, which information-security experts at NIST and Venafi co-authored, to alert both government agencies and private-sector organizations to the risks of certificate authority (CA) compromises. The bulletin also offers guidance on how to prepare for and respond to a CA compromise that results in fraudulently issued security certificates.
Digital X.509 certificates have become the de-facto standard for ensuring online trust. Nearly all government and private-sector organizations use them broadly for Secure Sockets Layer (SSL), Transport Layer Security (TLS), and other security protocols. Large organizations may use thousands and even tens of thousands of certificates and encryption keys—issued from internal and external CAs—in their data centers, private clouds, and increasingly on mobile devices to authenticate systems and users and to encrypt communications. As a result, CAs, certificates, and private keys have become high-value targets for cybercriminals in search of sensitive government and corporate information.
In 2011, attackers successfully targeted several public certificate authorities and, in at least two of these incidents, the attackers successfully issued fraudulent certificates. An attacker who breaches a CA to generate and obtain fraudulent certificates does so to launch further attacks against organizations or individuals. Attackers can use fraudulent certificates to authenticate as other individuals or systems, or to forge digital signatures.
Responding to a CA compromise may entail replacing all user or device certificates, or trust anchors from the compromised CA. If an organization is not prepared with an inventory of certificate locations and owners, it will not be able to respond quickly and may experience significant interruption in its operations for an extended period of time. To avoid this, organizations must establish CA-compromise preparation and response plans.
“Certificate authorities have increasingly become targets for sophisticated cyberattacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” bulletin co-author William Polk of NIST’s Computer Security Division noted. “Recent attacks on CAs make it imperative that organizations are prepared to respond to CA compromises and the issuance of fraudulent certificates. This bulletin was published to provide organizations with practical guidance and proven best practices, which they can implement right away to minimize risk and damages should a CA compromise occur.”
"Because certificates are typically installed and managed by individual administrators in disparate departments, most organizations and executives are not aware of their dependence on certificates for security. Nor are they aware of the significant disruption to business operations that would result if they had to replace all affected certificates following a CA compromise,” said Paul Turner, vice president of products and strategy at Venafi. “The goal of this paper is to provide clear, easy to follow steps and procedures to prepare for and respond to a CA compromise. If enterprises are not prepared to respond to a CA compromise, they have overlooked business continuity planning that could prevent extended downtime for a majority of their applications and systems.”
NIST and Venafi provide several important steps organizations should implement to prepare for a CA compromise:
For applications that have public key certificates of their own, procurement requirements should ensure that CA-independent mechanisms exist for obtaining new system and application certificates
To download the full July 2012 NIST ITL Security Bulletin go to http://csrc.nist.gov/publications/PubsITLSB.html
Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of England, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communications networks. We invite you to explore our website to learn about our current projects, to find out how you can work with us, or to make use of our products and services.
As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.
Lorem ipsum dolor sit amet, consectetur elit.
Thank you for subscription
Scroll to the bottom to accept
VENAFI CLOUD SERVICE
*** IMPORTANT ***
PLEASE READ CAREFULLY BEFORE CONTINUING WITH REGISTRATION AND/OR ACTIVATION OF THE VENAFI CLOUD SERVICE (“SERVICE”).
This is a legal agreement between the end user (“You”) and Venafi, Inc. ("Venafi" or “our”). BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE AND/OR ACTIVATING AND USING THE VENAFI CLOUD SERVICE FOR WHICH YOU HAVE REGISTERED, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICE.
You shall not access the Service if You are Our competitor or if you are acting as a representative or agent of a competitor, except with Our prior written consent. In addition, You shall not access the Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes, and you shall not perform security vulnerability assessments or penetration tests without the express written consent of Venafi.
This Agreement was last updated on April 12, 2017. It is effective between You and Venafi as of the date of Your accepting this Agreement.
The Venafi Cloud Service includes two separate services that are operated by Venafi as software as a service, each of which is separately licensed pursuant to the terms and conditions of this Agreement and each of which is considered a Service under this Agreement: the Venafi Cloud Risk Assessment Service or the Venafi Cloud for DevOps Service. Your right to use either Service is dependent on the Service for which You have registered with Venafi to use.
This License is effective until terminated as set forth herein or the License Term expires and is not otherwise renewed by the parties. Venafi may terminate this Agreement and/or the License at any time with or without written notice to You if You fail to comply with any term or condition of this Agreement or if Venafi ceases to make the Service available to end users. You may terminate this Agreement at any time on written notice to Venafi. Upon any termination or expiration of this Agreement or the License, You agree to cease all use of the Service if the License is not otherwise renewed or reinstated. Upon termination, Venafi may also enforce any rights provided by law. The provisions of this Agreement that protect the proprietary rights of Venafi will continue in force after termination.
This Agreement shall be governed by, and any arbitration hereunder shall apply, the laws of the State of Utah, excluding (a) its conflicts of laws principles; (b) the United Nations Convention on Contracts for the International Sale of Goods; (c) the 1974 Convention on the Limitation Period in the International Sale of Goods; and (d) the Protocol amending the 1974 Convention, done at Vienna April 11, 1980.
In the meantime, please explore more of our solutions
In the meantime, please explore more of our solutions
This site uses cookies to offer you a better experience. If you do not want us to use cookies, please update your browser settings accordingly. Find out more on how we use cookies.