The SSL ‘handshakes’ that occur between online entities when conducting transactions, the companies that certify and offer keys, and their customers, are the new targets for cybercriminals, says Venafi’s CISO Tammy Moskites.
She joined the company at the beginning of this year, after roles as CIO at Time Warner and Home Depot. Venafi specialises in a newer segment of the security market that it calls ‘trust protection’: the ability to monitor SSL traffic for anomalies and protect systems.
Moskites estimates that most companies have around 17,000 keys or certificates floating in their environment, but as much as 51 per cent of companies surveyed had no firm grasp of exact numbers.
Certificates, especially during online transactions such as internet shopping, are a foundational aspect of online retail, and have increasingly been targeted by hackers. Even encrypted data can be intercepted at this level – where the two systems make their ‘handshake’.
Moskites believes that the famous Stuxnet worm may have been spread by compromising online certificates, and the major Dutch certificate authority DigiNotar declared bankruptcy in 2011 after it was hacked and 500 fake DigiNotar certificates were found – causing all the major Web browsers to block sites using the company’s certificates.
The Heartbleed SSL catastrophe has meant that there has been a fundamental rethink with regards to security, Gartner research recently adding that ‘certificates can no longer be blindly trusted’.
[Update: Since the time of this story, the revelation of Microsoft’s own SChannel SSL vulnerability, which dates back to Windows 95, proves the point further]
Venafi’s threat centre produced a whitepaper that researched just how many companies had taken these threats seriously and taken action to protect their web facing entities.
“We found that around 387 of the global 2000 that we looked at on a regular basis had taken remediation – that means that they replaced all of their web facing certificates. Another 1252 we found were still vulnerable,” Moskites said.
The remainder is made up of entities that aren’t threatened, and government entities that Venafi chooses not to reveal.
“These threats are across the board globally. There is no one specific country that is better off, or any specific type of business, such as retail. In general, you could point to any type of industry; government, public industry and private industry are all about the same.”
She recommends that any managers looking to ensure best-in-class security for their web-facing entities visit sans.org, which lists 20 critical security controls that can be used as benchmark guidelines – especially data leakage protection (DLP).
It’s not just good business practice; it may be vital for any security audits your company may face.
Another key issue is staff leaving the business or moving departments and retaining access to sysadmin passwords and logins (and thus, keys and certificates), which can then be used, either inadvertently or deliberately, to allow unauthorised access.
The simplest solution for certificates is to just replace them, or, at a more basic level, have them automatically expire and need to be renewed, perhaps even yearly. Most companies don't do this, Moskites said.
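One way to enforce the kind of expiry policy described above across a certificate inventory, added here as an example rather than anything from Venafi or the article: a small POSIX shell audit that flags certificates that are already expired or that will still be valid a year from now. It assumes only that the openssl command-line tool is installed; the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example (not Venafi's or the article's code): audit a directory of PEM certificates
# against a maximum-lifetime policy, i.e. every certificate must expire within one year.
# Assumes the openssl command-line tool is installed.
set -eu
MAX_LIFETIME_SECS=31536000   # 365 days
# Exit status: 0 = compliant (expires within the policy window),
# 1 = still valid beyond the window (lifetime exceeds policy), 2 = already expired.
check_cert_lifetime() {
    cert="$1"
    # `openssl x509 -checkend N` exits 0 if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        return 2
    fi
    if openssl x509 -noout -checkend "$MAX_LIFETIME_SECS" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
# Print one inventory line per certificate (status, path, subject, notAfter) and
# return the number of non-compliant certificates as the exit status.
audit_cert_dir() {
    dir="$1"
    bad=0
    for cert in "$dir"/*.pem; do
        status=0
        check_cert_lifetime "$cert" || status=$?
        case "$status" in
            0) label="OK" ;;
            1) label="LIFETIME-EXCEEDS-POLICY"; bad=$((bad + 1)) ;;
            *) label="EXPIRED"; bad=$((bad + 1)) ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$label" "$cert" \
            "$(openssl x509 -noout -subject -in "$cert")" \
            "$(openssl x509 -noout -enddate -in "$cert")"
    done
    return "$bad"
}
# Constructed sample inventory: two self-signed certificates, one 90-day and one 10-year.
make_sample_inventory() {
    dir="$1"
    for spec in short:90 long:3650; do
        name=${spec%%:*}; days=${spec##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.pem" -days "$days" -subj "/CN=$name.example" >/dev/null 2>&1
    done
}
```

Run `audit_cert_dir /path/to/certs` against a real certificate store; the non-zero exit status is the count of certificates that need replacing under the one-year policy.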
“We never change them. We don’t have an asset inventory, we don’t have a common way to order them, however, this is entrusted secure traffic. How do you protect something you don’t know about? How do you stop any attacks if you can’t detect them? There’s no policy.
“Best practice is that you should have your certificates expire anyway. But no one cares, because they’ve just checked a box that enables a secure certificate in your environment. No policy, no control, no awareness, no audit, no audit guidelines.
“Every business, every hour, this kind of data is going out.”
Gartner predicts that 50 per cent of all network attacks will come via SSL by 2017.
“This statistic was released before Heartbleed. I haven’t talked to Gartner about this since, but even before Heartbleed I said ‘this is not right’, because more than 50 per cent are getting attacked today,” she said.
The goal of the Venafi platform is about taking back control, she said. It builds inventory lists, replaces vulnerable keys, and it enforces policy. It monitors, detects and alerts on anomalies, and gives you complete visibility into your SSL traffic. The key advantage of her company’s software is that it is certificate agnostic: Venafi does not produce any certificates of its own.
“By not being able to quickly respond, and have the awareness and availability, and the visibility into your keys and certificates, it undermines all your other security infrastructure,” Moskites said.
“That goal of having trusted traffic – it never ceases.”