The Split-Personality Year of 2011 will Lead Organizations to Make Sure they are Protected in 2012: The Year of Ubiquitous Encryption.
People have long named years according to their personalities—in Chinese astrology, 2011 was the Year of the Tiger, for example, and in American culture, 2003 was the Year of the Blues. In the IT security sphere, pinning down 2011 to just one personality would deny another, equally strong personality: The year had a split personality. It was the Year of the Third-party Trust Compromise, and the Year of the Bring Your Own Device (BYOD) Mobile Revolution.
These two personalities have more in common than you might think. For example, both engendered 2012’s emerging personality, the Year of Ubiquitous Encryption, which is already taking shape. And both relate to a common security problem: attacks from within an organization’s systems. They also share the solution to this problem: improved processes and management.
The Year of the Third-party Trust Compromise
The Year of the Third-party Trust Compromise followed a year with ominous security implications—2010, the year that saw Stuxnet come to public awareness. This worm—which some call a cyberweapon—lies dormant and difficult to detect on infected systems, waiting for a trigger to unleash it. Stuxnet was a warning shot, announcing the arrival of highly sophisticated, authenticating malware capable of targeting physical infrastructures. One of Stuxnet’s strategies was to use a SSL certificate to authenticate to the infected system’s software environment.
In the first quarter of 2011, the theretofore unimaginable happened: Hackers breached RSA’s security and compromised the root of this third-party trust provider’s SecureID technology. Virtually all SecureID tokens immediately became untrustworthy. Companies are still in the process of replacing these tokens and the costs to do so were astronomical. In the ensuing months, 4 CAs fell prey to attackers (Comodo, GlobalSign, Digicert, OpenSSL, and DigiNotar), cementing 2011’s identity as the Year of the Third-party Trust Compromise.
As a parting gift, this 2011 personality left three valuable lessons:
1) Third-party trust is an integral piece of our worldwide security infrastructure. It is important; the world we know cannot operate without it.
2) Because the world relies on digital certificates and the CAs (third-party trust providers) that sign them, digital certificates and CAs are among the highest-value targets for hackers. If hackers can compromise CAs and create counterfeit certificates, they can perfectly assume others’ identities.
3) Organizations must be prepared for an epidemic of third-party trust compromises, which they were not in 2011. Such compromises were not even represented in 2011 risk analyses and mitigation plans. The DigiNotar compromise virtually shut down the Dutch government for days as it scrambled to find and replace its affected certificates. Unfortunately, many organizations are still using DigiNotar certificates, even though these certificates provide a near-zero level of trust. Why? The answer to this question is alarming: Organizations don’t know which CAs issued the certificates they’re using and they don’t know where these certificates are or how many they have in their environments.
The Year of the BYOD Mobile Revolution
The year’s other personality evolved from an explosion of mobile devices in the workplace. By the end of 2011, BYOD was becoming a corporate mantra. Board members and employees alike injected iPhones, iPads, and Droids (and other) devices into the corporate landscape—all with the same mandate-- that they had to be supported by corporate IT and InfoSecurity departments. The top-to-bottom BYOD movement reflected the consumerization of IT. It accelerated throughout the year. It was and is unstoppable.
The Split is Narrower than It Looks
How did 2011’s two personalities work together to shape 2012’s? The answer hearkens back to 2010’s Stuxnet exposure. Firewalls, intrusion detection systems (IDSs), virus scanners, and vulnerability scanners are not perfect, and this lack of perfection makes organizations vulnerable. The CAs suffered devastating compromises because the malware that harvested passwords, keys, and accessed systems was inside the CAs’ organizations, avoiding detection. And human beings were knowingly or unwittingly helping the malware do its job. With the BYOD revolution taking hold, the opportunity for bad guys to get inside any organization on the planet is going up logarithmically. Organizations have no physical control of these devices, which as everyone knows, makes them completely vulnerable to compromise. In other words, the combination of 2011’s two personalities yields a weakness that only an oblique approach can fix.
2012: The Year of Ubiquitous Encryption
If the bad guys are on the inside, and it is becoming easier for them to get there through an explosion of systems, applications and devices that connect with and share valuable information are secured through certificates and encryption keys, what can organizations do to stop them? In most cases, hackers compromise systems to steal data. Intellectual property, financial data, and personal data are all valuable commodities: Hackers can use them for financial gain, to maliciously expose secrets, and to deliberately harm reputations. Security systems in 2011 focused on keeping bad guys out. But now the bad guys are on the inside. Organizations’ best defense is to encrypt data everywhere, whether the data is at rest or in motion, because encrypted data isn’t recoverable without its encryption key. Hence, 2012 will go down in IT-security history as the Year of Ubiquitous Encryption.
The split-personality year of 2011 will logically lead organizations to make sure they are protected in 2012, the Year of Ubiquitous Encryption. If 2011’s leaked and stolen data had been encrypted, and the encryption keys stored in a secure area away from the data, the data would have been worthless to the bad guys. The compromised CAs would have considered the breaches inconsequential, and may not even have reported them. Again, it’s important to understand that encrypted data isn’t usable without its encryption key. With keys that are separate and safe from prying eyes, the bad guys can take all the data they want…because they’ll never know what they have.
With data and applications moving to the cloud, where they are fully accessible to all devices and can move from one physical location to another almost instantly, ubiquitous encryption becomes even more important. Even if malefactors get their hands on mobile devices (which are relatively easy to steal and compromise), encrypted data makes the thefts trivial.