PCI Prioritizes Securing the Trust Established by Keys and Certificates in 2015 Special Interest Group Finalist Selection
Salt Lake City, UT
August 25, 2014
‘Securing Cryptographic Keys and Digital Certificates’ SIG Finalist Submitted by Venafi and SecurityMetrics to Protect Payments System and Consumers
Less than a week after a major Heartbleed-enabled breach using compromised keys and certificates became public, the Payment Card Industry Security Standards Council (PCI SSC) announced ‘Securing Cryptographic Keys and Digital Certificates’ as a 2015 Special Interest Group (SIG) proposal finalist. Co-submitted by Venafi, the leader of Next-Generation Trust Protection solutions, and SecurityMetrics, a leader in data risk mitigation and compliance services, the proposal is driven by the rapidly changing threatscape that is seeing cybercriminals misuse keys and certificates to obtain trusted status, cloak their activities, gain access to sensitive data, and evade detection. The reported breach of 4.5 million patient records due to a compromised key and certificate following incomplete Heartbleed remediation is just one example of the rise and impact of these attacks.
The PCI community, made up of leading retailers, banks, and payment processors, will vote to select 2015 SIGs in October 2014. Interested community members can contact Venafi and SecurityMetrics to help support the proposal as well as meet when the proposals are presented at PCI Community Meetings in Orlando and Berlin.
To help better protect the global payments system and consumers, the SIG proposal by Venafi and SecurityMetrics is intended to equip organizations with specific guidance and recommendations to defend their business and customers. According to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the last 24 months. The inability to protect the trust established by keys and certificates dramatically weakens other security controls, which are fooled by or blind to trusted, encrypted, or authenticated connections, software, applications, devices, or administrators, creating a security gap. This impacts strong authentication, privileged access, and threat detection and behavioral analytics. As the threatscape has changed quickly, most organizations cannot protect keys and certificates by policy, detect anomalies, and respond and remediate quickly.
The proposed SIG will provide these work products:
Guidance Document: Develop a new PCI document entitled, PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
Implementation Checklist: Draft a compliance checklist that assists both Qualified Security Assessors (QSAs) and organizations by outlining the different security options to meet the PCI DSS requirements for keys and certificates
“Cybercriminals want the trusted status that keys and certificates provide to cloak their activities and evade detection. Failing to secure keys and certificates undermines security across an enterprise. The recent Heartbleed-enabled breach of 4.5 million healthcare records due to a compromised key and certificate is just one example of the changing threatscape,” said Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi. “Venafi Threat Labs research shows 97% of the Global 2000 public-facing servers’ keys and certificates are just as vulnerable as those in this Community Health System breach. It is important for the PCI Community to select Securing Cryptographic Keys and Digital Certificates 2015 SIG Proposal to equip retailers, banks, and payment processors with current guidance and recommendations to defend the payments system and consumers.”
The current version of PCI DSS provides general requirements for securing keys and certificates and some best practices for “strong cryptography.” However, many of the specific implementation options are left open and remain subject to interpretation by the QSA community and organizations. The accelerating attacks on keys and certificates leave retailers, banks, and payment processors in need of specific guidance to protect the payments system and consumers.
“Keys and certificates are critical to securing cardholder data and are specifically referenced throughout the current PCI DSS. The standard provides flexibility in implementation. However, organizations and QSAs could significantly benefit from more information and guidance on the available security options and how they interrelate,” said Gary Glover, Director of Security Assessment at SecurityMetrics. “This guidance would help them implement the combination of security options that best secures their business and complies with the PCI DSS requirements.”
SecurityMetrics protects electronic commerce and payments leaders, global acquirers, and their retail customers from security breaches and data theft. The company is a leading provider and innovator in merchant data security, and as an Approved Scanning Vendor and Qualified Security Assessor, has helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. Founded in October 2000, SecurityMetrics is a privately held company headquartered in Orem, Utah, USA.