August 10th, 2012, 09:27 GMT · By

NIST and Venafi Highlight the Risks of CA Compromises

NIST and Venafi release advisory bulletin for companies that use digital certificates
With the release of a study entitled “Preparing for and Responding to Certificate Authority Compromise and Fraudulent Certificate Issuance,” the National Institute of Standards and Technology (NIST) and Venafi aim to alert organizations to the risks posed by a security breach at a certificate authority (CA).

The bulletin, the result of a collaboration between NIST’s Information Technology Laboratory (ITL) and Venafi, a provider of enterprise key and certificate management (EKCM) solutions, is meant not only to alert government and private organizations but also to advise them on what must be done if certificates are fraudulently issued. The advisory covers both pre- and post-incident responses.

In the past few years, digital certificates, their issuers and the associated private keys have become a tempting target for cybercriminals, since compromising any of them can allow an attacker to gain unauthorized access to the sensitive information they are after.

“Certificate authorities have increasingly become targets for sophisticated cyberattacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” said Paul Turner, vice president of products and strategy at Venafi.

“Recent attacks on CAs make it imperative that organizations ensure they are using secure CAs, and are prepared to respond to CA compromises and the issuance of fraudulent certificates.”

Large organizations may use tens of thousands of certificates and encryption keys to secure their communications, and they need to be aware that losing track of any one of them could have devastating consequences.

To mitigate the risks posed by an incident that affects a CA, the bulletin says organizations must secure their CAs, establish a proper inventory of all the certificates they use (and a separate inventory of trust anchors), identify certificate replacement procedures, and line up backup sources for the rapid acquisition of new certificates.
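The inventory and replacement-procedure advice above is what takes the most preparation, so here is an added example (not code from the article, the bulletin, NIST or Venafi) that models it: a deployed-certificate inventory kept separately from the trust-anchor inventory, a chain walker that links each certificate to its issuer, and functions that, given the fingerprint of a compromised CA, list every certificate that chains through it, flag inventory records that reach no known anchor, and order the replacements so that issuing CAs are renewed before their leaves. All records, host names and "fingerprints" are constructed placeholders, not real certificate hashes.

```python
"""Certificate inventory and CA-compromise impact analysis (added example).

Models the bulletin's advice: keep an inventory of deployed certificates,
a separate inventory of trust anchors, and be able to work out quickly
which certificates must be replaced, and in what order, when a CA is
compromised. Every record here is constructed sample data; the
"fingerprints" are placeholders, not real SHA-256 hashes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    fingerprint: str     # would be SHA-256 of the DER certificate; placeholder here
    subject: str
    issuer_fp: str       # fingerprint of the certificate that signed this one
    not_after: datetime  # expiry, used to prioritise replacement
    hosts: tuple         # systems the certificate is installed on


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Separate inventory of trust anchors (self-signed roots the organisation trusts).
TRUST_ANCHORS = {
    "ROOT-A": CertRecord("ROOT-A", "CN=Example Root A", "ROOT-A", _utc(2030, 1, 1), ()),
    "ROOT-B": CertRecord("ROOT-B", "CN=Example Root B", "ROOT-B", _utc(2032, 1, 1), ()),
}

# Inventory of deployed certificates (issuing CAs and end-entity certs), keyed by fingerprint.
INVENTORY = {
    "INT-A1": CertRecord("INT-A1", "CN=Example Issuing CA A1", "ROOT-A", _utc(2025, 6, 1), ()),
    "INT-B1": CertRecord("INT-B1", "CN=Example Issuing CA B1", "ROOT-B", _utc(2026, 6, 1), ()),
    "LEAF-WWW": CertRecord("LEAF-WWW", "CN=www.example.test", "INT-A1", _utc(2013, 8, 1), ("www-01", "www-02")),
    "LEAF-VPN": CertRecord("LEAF-VPN", "CN=vpn.example.test", "INT-A1", _utc(2013, 3, 1), ("vpn-01",)),
    "LEAF-MAIL": CertRecord("LEAF-MAIL", "CN=mail.example.test", "INT-B1", _utc(2014, 1, 1), ("mail-01",)),
    # Constructed bad record: its issuer is not in either inventory.
    "LEAF-ORPHAN": CertRecord("LEAF-ORPHAN", "CN=legacy.example.test", "UNKNOWN", _utc(2013, 12, 1), ("legacy-01",)),
}


def build_chain(fp, inventory=INVENTORY, anchors=TRUST_ANCHORS, max_depth=10):
    """Follow issuer links from a certificate up to a trust anchor.

    Returns the fingerprints from the certificate itself to the anchor. Raises
    ValueError when the chain is broken (unknown issuer), loops, or is
    implausibly long, so a bad inventory record is noticed instead of ignored.
    """
    chain, seen, cur = [], set(), fp
    while len(chain) < max_depth:
        if cur in seen:
            raise ValueError(f"issuer loop at {cur}")
        seen.add(cur)
        chain.append(cur)
        if cur in anchors:
            return chain
        rec = inventory.get(cur)
        if rec is None:
            raise ValueError(f"no record for issuer {cur}")
        cur = rec.issuer_fp
    raise ValueError(f"chain for {fp} exceeds {max_depth} certificates")


def orphaned(inventory=INVENTORY, anchors=TRUST_ANCHORS):
    """Certificates whose chain does not reach a known trust anchor.
    These need investigation before any compromise response can cover them."""
    result = []
    for fp in inventory:
        try:
            build_chain(fp, inventory, anchors)
        except ValueError:
            result.append(fp)
    return sorted(result)


def affected_by_compromise(compromised_fp, inventory=INVENTORY, anchors=TRUST_ANCHORS):
    """Deployed certificates whose chain passes through the compromised CA
    (including the CA's own certificate if it is in the deployed inventory)."""
    affected = []
    for fp in inventory:
        try:
            chain = build_chain(fp, inventory, anchors)
        except ValueError:
            continue  # reported by orphaned() instead
        if compromised_fp in chain:
            affected.append(fp)
    return sorted(affected)


def replacement_plan(compromised_fp, inventory=INVENTORY, anchors=TRUST_ANCHORS):
    """Order affected certificates for replacement: certificates closest to the
    root first (a new issuing CA must exist before its leaves can be reissued),
    then those installed on the most hosts, then the soonest to expire."""
    def key(fp):
        rec = inventory[fp]
        return (len(build_chain(fp, inventory, anchors)), -len(rec.hosts), rec.not_after)
    return sorted(affected_by_compromise(compromised_fp, inventory, anchors), key=key)


def anchors_to_remove(compromised_fp, anchors=TRUST_ANCHORS):
    """If the compromised CA is itself a trust anchor, it must also be pulled
    from every trust store, not just have its issued certificates replaced."""
    return [fp for fp in anchors if fp == compromised_fp]


if __name__ == "__main__":
    print("orphaned records:", orphaned())
    print("affected by ROOT-A:", affected_by_compromise("ROOT-A"))
    print("replacement order:", replacement_plan("ROOT-A"))
    print("anchors to remove:", anchors_to_remove("ROOT-A"))
```

In a real deployment the records would be populated from scanned endpoints and the fingerprints would be the SHA-256 of each DER certificate; the point of the example is that both lookups the bulletin asks for (what chains through this CA, and what is in the trust stores) are trivial once the two inventories exist and impossible to answer reliably without them.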

“Because certificates are typically installed and managed by individual administrators in disparate departments, most organizations and executives are not aware of their dependence on certificates for security,” Turner added.

“Nor are they aware of the significant disruption to business operations that would result if they had to replace all affected certificates following a CA compromise.

“If enterprises are not prepared to respond to a CA compromise, they have overlooked business continuity planning that could prevent extended downtime for a majority of their applications and systems.”

The complete bulletin is available here.
