An interview with Jeff Hudson, CEO of Venafi, the company that invented EKCM solutions

Mar 25, 2012 09:51 GMT  ·  By

Last week Kaspersky experts came across a piece of malware that was signed with a stolen digital certificate in order to avoid detection.

While the security experts concentrated on the malware itself, other companies, such as Venafi, the inventor of enterprise key and certificate management (EKCM) solutions, focused their attention more on the stolen certificate.

“The Trojan-Dropper.Win32.Mediyes malware is a wolf in sheep's clothing and in this case the clothing has the VeriSign brand sewn in the label. Kaspersky's researcher has done an excellent job of finding the wolf, but more needs to be said about the primary culprit -- the stolen digital certificate,” Jeff Hudson, CEO of Venafi, said at the time.

In our interview with him, Mr. Hudson was kind enough to offer more details on digital certificates and the threats they present when stolen from their rightful owners.

Softpedia: A lot of certificate authorities were affected by data breaches in the last few months. Is this the only way in which cybercriminals get their hands on digital certificates?

Jeff Hudson: Firewalls, antivirus software and intrusion detection tools may work to keep out stealthy attackers, but what is to be done about rogue insiders? The reality is that the bad guys are already in—working from the inside of your organization. Hacktivists or malicious insiders have access to certificates signed by a trusted third-party CA.

Rather than deploying them on their intended server or application, the stolen certificates can and have been used in several well-publicized instances to sign and authenticate the malware within the targeted network.

CAs and enterprise companies have suffered devastating compromises due to malware that harvests passwords, keys, and accessed systems inside their organizations, avoiding detection, while human beings were knowingly or unwittingly helping the malware do its job.

The less publicized though equally detrimental security risk with certificates involves unfettered and shared admin access to encryption keys. Take an analogy from the physical world. Increasing the size of the lock on your door or business may make you feel more secure.

But the reality is that if the key — no matter its size or strength — is left on the transom, under the mat, or distributed willy-nilly out in the open, it doesn’t matter how large or strong the lock is. The data can be easily accessed.

In fact, Shady RAT’s malware had no sooner installed itself than it went in search of encryption keys, which it found, no doubt, in the myriad locations where people routinely leave them exposed.

As is almost always the case, the individuals or admins who install the encryption to protect the data typically have unfettered access to the keys. This means that the keys and certificates can be copied, used maliciously, or given to a third party to do so.

The keys that protect the data are often accessible to multiple administrators with no audit or access controls, no separation of duties, and are often distributed widely and insecurely within organizations.

Softpedia: A company that relies on digital certificates should clearly have strong policies regarding their use. Why do you think it’s so difficult for companies to implement these policies?

Jeff Hudson: The world’s Fortune-ranked organizations and government agencies utilize thousands and even tens of thousands of certificates and keys — in the data center, private clouds and increasingly on mobile devices — to protect data and authenticate systems.

They’re nearly ubiquitous, yet receive little attention or management oversight and therefore can pose tremendous risks.

Most organizations do have policies in place that govern the use, deployment and management of digital certificates and other encryption assets.

Unfortunately, most organizations also rely on laborious, error-prone human processes to manage them, where even the best policies — separation of duties, access controls or encryption key lengths, for instance — cannot be enforced.

An unenforceable/unauditable policy is a worthless policy. Companies need to deploy solutions that can automate digital certificate and encryption key management and access controls across the wide range of encryption technologies deployed. Until they do, we are going to continue to see costly incidents like these.

Softpedia: Venafi released an interesting report recently that reveals some concerning figures regarding the misuse of certificates. How are the figures presented in the report compared to other periods? Are businesses starting to acknowledge the dangers that hide behind the lack of proper certificate management?

Jeff Hudson: This is the latest in a series of reports we've published that outline what we refer to as 'worst practices' in not only security and compliance in general but also in encryption and certificate management.

Alarmingly, the trend in this latest research shows that companies are more aware than ever but are still failing miserably when it comes to effective certificate and encryption key management.

This latest report showed that 54 percent of respondents admit to having an inaccurate or incomplete inventory of their Secure Sockets Layer (SSL) certificate populations. In effect, these protect the most mission-critical data that flows within organizations and are the figurative ‘keys to the kingdom’.

How can these security instruments be properly monitored and managed if enterprises don’t even know where they are—let alone when they expire or if they’re within policy?

Deploying encryption solutions without maintaining comprehensive certificate and key inventories is a worst practice that jeopardizes vital business systems and processes, and exposes organizations to substantial risk of security and compliance incidents.
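The two answers above call for an enforceable policy (key lengths, separation of duties, access controls) applied over a complete certificate inventory. The following is an added example, not Venafi's or Softpedia's code: it audits a constructed inventory against such a policy. Hosts, names, issuers, dates and admin lists are all made-up sample data.

```python
from datetime import date

# Constructed sample inventory (not real certificates): one record per
# certificate, as a discovery tool might collect it from the network.
INVENTORY = [
    {"host": "web1.example.test", "issuer": "VeriSign", "key_bits": 2048,
     "not_after": date(2012, 9, 1), "key_admins": ["alice"]},
    {"host": "db1.example.test", "issuer": "Internal CA", "key_bits": 1024,
     "not_after": date(2012, 4, 10), "key_admins": ["bob", "carol", "dave"]},
    {"host": "legacy.example.test", "issuer": "DigiNotar", "key_bits": 2048,
     "not_after": date(2011, 12, 31), "key_admins": ["bob"]},
]

# The policy an organisation would want enforced automatically rather than
# by hand: minimum key size, renewal window, approved CAs, one key custodian.
POLICY = {
    "min_key_bits": 2048,
    "renew_within_days": 30,
    "approved_issuers": {"VeriSign", "Internal CA"},
    "max_key_admins": 1,   # separation of duties: shared key access is a finding
}

AUDIT_DATE = date(2012, 3, 25)   # date of the article, used as "today"


def audit_certificate(cert, policy, today):
    """Return the list of policy violations for one inventory record."""
    findings = []
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= policy["renew_within_days"]:
        findings.append("expires-soon")
    if cert["key_bits"] < policy["min_key_bits"]:
        findings.append("weak-key")
    if cert["issuer"] not in policy["approved_issuers"]:
        findings.append("unapproved-issuer")
    if len(cert["key_admins"]) > policy["max_key_admins"]:
        findings.append("shared-key-access")
    return findings


def audit_inventory(inventory, policy, today):
    """Map host -> violations; compliant certificates are omitted."""
    report = {}
    for cert in inventory:
        findings = audit_certificate(cert, policy, today)
        if findings:
            report[cert["host"]] = findings
    return report


if __name__ == "__main__":
    for host, issues in audit_inventory(INVENTORY, POLICY, AUDIT_DATE).items():
        print(host, ", ".join(issues))
```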

Softpedia: Should we expect another major incident similar to the one that forced DigiNotar out of business? Have certificate authorities learned anything from the incident?

Jeff Hudson: If history has taught us anything at all, it's that we should definitely expect another incident. If a CA is forced to stop selling certificates for an extended period of time, then it could absolutely impact their ability to remain viable.

I believe that the security community in general and the certificate authorities in particular have become acutely aware of the risks and costly consequences of CA compromises like DigiNotar. We'll know better who learned and didn't learn from it after the next incident.

Never in the history of the security industry has something that's happened once not happened again. With DigiNotar joining the ranks of other successfully hacked CAs, businesses and browser manufacturers alike need to move past the shock and begin formulating recovery and business continuity plans.

There will be more CA breaches in the future, and more users, companies and government agencies will be affected if the affected organizations don’t have actionable recovery plans in place.

Softpedia: While surfing the web, either from home or from their workplace, users tend to ignore warnings that notify them of revoked or expired certificates. Do you think security software or even web browser vendors should come up with more effective ways to block potential threats, or is this simply a matter of raising awareness?

Jeff Hudson: It's going to take a combination of awareness and improved security technologies. Individual and corporate users should never visit any websites if they receive a warning that the digital certificate is revoked, expired or otherwise in question.

These warnings are analogous to a 'ramp closed' sign on the freeway -- if you proceed past one, chances are you are going to wind up in trouble.

Fortunately, CAs and browser providers are starting to work more closely together to improve the situation. The Certificate Authority Authorization project between Google and recently-compromised CA Comodo seems to hold some promise.

Softpedia: Recently, Kaspersky experts have written about a variant of the Mediyes Trojan that was signed using a certificate stolen from a Swiss company. Do you think that in these situations security solutions providers should focus their efforts more on the stolen certificate instead of the malware itself?

Jeff Hudson: Equal attention needs to be given to the malware and the attack vehicle. Malware can only install itself and execute commands on critical systems or servers if it can authenticate through a certificate. So in many cases, no certificate means no attack.

That being said, SSL certificates can be stolen by malicious insiders making it almost impossible to track and stop. Protecting against malicious malware and stolen digital certificates that help hide and authenticate the malware within unsuspecting networks still needs attention and equal effort.

To best address these growing issues, organizations must have comprehensive certificate and encryption key inventories to ensure certificates are known and being used within policy.

Softpedia: How can your company aid businesses when it comes to the management and security of digital certificates?

Jeff Hudson: Venafi is the only company today that provides out-of-the-box automated management capabilities for the widest range of digital certificate and encryption key technologies used by today's enterprises, including symmetric keys, SSH keys, asymmetric keys and digital certificates.

Knowing what's in your inventory is half the battle; protecting it is the other half. An enterprise can now gain greater understanding of what's in their environment.

Venafi recently released Assessor, a free solution that allows security, risk and compliance executives the ability to rapidly discover critical SSL certificate, encryption key and certificate authority (CA) vulnerabilities in their networks. It can be downloaded at www.venafi.com/Assessor.
