Responding to a CA Compromise - Is Your Organization Prepared?
In last month’s Information Technology Laboratory (ITL) Bulletin, the National Institute on Standards and Technology (NIST) focused on offering guidance for incident response teams dealing with the aftermath of a Certificate Authority (CA) breach, an issue that is worth examining if your organization uses PKI in any capacity.
Digital X.509 certificates have become the de-facto standard for ensuring online trust. Nearly all government and private-sector organizations use them broadly for SSL, TLS, and other security protocols, explained Venafi, who co-wrote the bulletin.
Moreover, Venafi adds, large organizations may use thousands and even tens of thousands of certificates and encryption keys—issued from internal and external CAs—in their data centers, private clouds, and increasingly on mobile devices to authenticate systems and users and to encrypt communications.
Thus, CAs, certificates, and private keys have become high-value targets for cybercriminals in search of sensitive government and corporate information. In 2011, the DigiNotar and Comodo breaches left many organizations confused as they attempted to protect their assets in the wake of nearly back-to-back breaches at well known CAs.
Microsoft’s recent admission that a certificate compromise help propagate the Flame Trojan only compounds the issue. The problem is, organizations of all sizes use PKI on different scales, and on top of that, some of them use it incorrectly – such as improper implementation of SSL. So when a CA is breached, the aftermath can be just as painful as the breach, but it doesn’t have to be.
The ITL issued in July from the NIST addresses the risks of certificate authority (CA) compromises, and offers guidance on how to prepare for and respond to a CA compromise that results in fraudulently issued security certificates.
“Certificate authorities have increasingly become targets for sophisticated cyberattacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” said Paul Turner, vice president of products and strategy at Venafi.
Responding to a CA compromise isn’t easy, and could entail replacing all user or device certificates, or even trust anchors from the compromised CA itself, something many organizations would be challenged by if they don’t maintain an inventory of certificate locations and owners.
To avoid this, experts say that organizations must establish CA-compromise preparation and response plans.
"Because certificates are typically installed and managed by individual administrators in disparate departments, most organizations and executives are not aware of their dependence on certificates for security. Nor are they aware of the significant disruption to business operations that would result if they had to replace all affected certificates following a CA compromise,” turner added.
“If enterprises are not prepared to respond to a CA compromise, they have overlooked business continuity planning that could prevent extended downtime for a majority of their applications and systems,” Turner said.
The bulletin itself is available here.