Security Experts:

NIST Issues Guidance on Certificate-Based Breaches: Is Your Organization Prepared?

How Can Today’s IT Managers Prepare and Recover From a Certificate Authority Breach?

It is no secret that IT security breaches, data theft and attacks on the rise – consequently forcing IT managers to evolve their security foundations and turn to different technologies to protect the intellectual property of the data stores and data transmission systems they are charged with protecting.

Encryption Key ManagementHowever, the rush to new and more sophisticated security technologies comes with some dangers, such as exposure to breaches no one thought possible or worse yet, a lack of understanding on how to prevent these new attacks and mitigate the costly breaches that are bound to occur.

Preventing and mitigating breaches requires a specific skill set, one that is built upon the knowledge and understanding on how PKI and digital certificates (Transport Layer Security [TLS] and Secure Sockets Layer [SSL]) actually work, and then actually taking the appropriate steps, if disaster occurs.

Digital X.509 certificates have become the de-facto standard for ensuring online trust. Nearly all government and private-sector organizations use them broadly. Large organizations may use thousands and even tens of thousands of certificates and encryption keys—issued from internal and external CAs—in their data centers, private clouds, and increasingly on mobile devices to authenticate systems and users and to encrypt communications.

As a result, CAs, certificates, and private keys have become high-value targets for cybercriminals in search of sensitive government and corporate information. Protecting enterprises (and even small and medium businesses) from digital certificate failures is becoming more important than ever, especially with the increased use of digital certificates and the rise in the number of attacks on CAs.

The increase in certificate issuance and CA compromises has spurned the federal government's National Institute for Standards and Technology (NIST) to act. NIST has issued its first-ever guidelines for government agencies and private-sector businesses to protect themselves in the wake of the breach of their digital certificate authorities.

A flood of certificate authority compromises over the last year-and-a-half has become a wake-up call for a multitude of federal and private sector organizations. The increase in attacks was highlighted by the Flame malware's abuse of a Microsoft digital certificate, which demonstrated how susceptible organizations are to CA breaches.

NIST's new "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance" guidelines bulletin, which my company, Venafi, helped to co-author, was in direct response to concerns about how a CA breach could affect agencies and businesses.

NIST’s guidance bulletin highlights some very specific tasks that IT managers should perform to reduce compromises and provides best practice guidance on how to prepare for a breach, which may be an inevitability, especially in light of past attacks. One of the first recommendations from NIST is to make sure that IT managers fully inventory and track all of the certificates in use, including what authority provided the certificates, what systems use certificates, and the issuance and expiration dates of those digital certificates.

For many businesses, that simple advice could prevent a tsunami of certificate-related failures. Today, most businesses have very poor inventory control over certificates, often tracking certificates by using a spreadsheet or some other manual process. What’s more, most businesses don’t protect their encryption keys appropriately, by keeping passwords and other issuance information in unprotected spreadsheets and databases, something akin to leaving the keys to the house in the mailbox, for anyone looking to just grab and enter.

Another recommendation stemming from NIST centers on knowing your CAs – in other words, making sure the certificate authorities used are themselves secure and adhere to best security practices. However, a “trust, but verify” approach should also be used. That means performing regular third-party audits and implementing best security practices across the infrastructure as well. Arguably, the most important element here is to make sure that if a CA suffers an "impersonation" attack or one of its Registration Authorities is compromised, it should have clear-cut emergency revocation response in place, immediately revoking the affected certificates and preventing fraudulent activity from occurring.

What’s also interesting, the CA must immediately inform the organizations identified as subjects in the fraudulent certificates and all potential relying parties that might rely on those certificates. NIST goes a little further into the definition of that and recommends: "The CA must revoke the certificates and inform the organizations identified as subjects in the fraudulent certificates and all potential relying parties that might rely on those certificates. If a CA system compromise or signing key theft occurs, the CA’s certificate(s) must be revoked by any CAs that have issued certificates to it, all subjects that the compromised CA has issued certificates to must be notified that they will require new certificates, and all possible relying parties must be notified.”

While those guidelines prove to be a good start, agencies and organizations should not rely solely on a CA’s security team and procedures to ensure complete data safety. IT managers need to be part of the security equation as well, and that takes proactive management. However, managing PKI, certificates and everything that goes along with it takes more than perseverance; it takes the appropriate tools and technologies to handle the volume of minutia associated with CAs, certificates and keys.

However, it's not easy to ensure that a CA breach is detected as quickly as possible. The massive breach of now-defunct CA DigiNotar serves as a cautionary tale for any agency or company. Although that attack was focused on Iranian citizens, there was also fallout for the Dutch government, which was the biggest user of DigiNotar certificates. The breach forced the Dutch government to issue warnings that its sites could not be trusted, at least until all the certificates on the front-end and back-end systems relying on DigiNotar were accounted for and vetted. The DigiNotar case exemplifies a worst case scenario, which could have been mitigated if an appropriate response and a reliable certificate accounting system was in place.

That drives NIST’s most important recommendations:

- Get a detailed inventory of your digital certs and corresponding CAs

- Have a backup option in place for replacing a certificate or acquiring a new one

- Make sure you know the nature of a CA security incident when it occurs, such as whether it was a true breach of their systems or some sort of impersonation attack.

However, those recommendations all point to one critical element – make sure you are able to respond. And to do that, you need to have an adequate understanding of your certificate infrastructure, as well as an accurate inventory of all of the certificate elements. No one knows where the next CA compromise will occur, or whether it will occur in a week or three months. Organizations must ready themselves to respond immediately to ensure business continuity and a speedy recovery.

You can review the NIST ITL Bulletin here.

Subscribe to the SecurityWeek Email Briefing
view counter
Jeff Hudson serves as CEO of Venafi. A key executive in four successful, high-technology start-ups that have gone public, Hudson brings over 25 years of experience in IT and security management. Prior to joining Venafi, Hudson was the CEO of Vhayu Technologies which was acquired by ThomsonReuters. Prior to Vhayu, Hudson held numerous executive leadership posts, including CEO and cofounder of MS2, SVP of Corporate Development at Informix Software, CEO of Visioneer, and numerous senior executive posts at NetFRAME Systems and WYSE Technology. He started his career with IBM. Mr. Hudson earned a B.A. in communications at the University of California, Davis.