By Calum MacLeod, EMEA Director, Venafi
It’s 4 AM Sunday morning and the telephone rings. My wife answers and duly informs me that she has a drunk on the line. Three calls later in the space of 10 minutes, including our children, who are now about to have heart attacks, we discover it’s the Alarm Center! Apparently they’ve just received a message from our security system telling them that someone is trying to sabotage our front door. Turned out to be a fault in the system, but who knows what the wife might have found when I sent her downstairs to check it out!
And if that’s not enough, airliners are reporting cracks in the wings, batteries exploding, leaking fuel, engines blowing up; supermarkets are telling us that beef burgers are not quite what they seem. In fact not a day goes by without us receiving security warnings, and we respond appropriately. Of course not all make sense, so for example a nasal spray at airport security is a WMD if it’s not in a plastic bag – place it in the bag and it’s instantly neutralized! But in general we tend to adopt a common sense approach, with one glaring omission.
Seems Like IT Security Is a Joke
According to reports in the press, less than 50% of enterprises are heeding the warnings from organizations such as GCHQ that “real and credible threats to cyber security of an unprecedented scale, diversity and complexity” exist. Add to this the warning in the World Economic Forum’s Global Risks Report 2013 that technological risks are one of the five major risk categories, along with economic, environmental, geopolitical, and societal risks.
So it would be safe to assume that every large organization is taking appropriate steps to ensure that technology will not be its downfall. Wrong: after all, only 35% of enterprises plan to address key and certificate management in 2013. And this in spite of the fact that digitally signed malware presents probably the biggest single attack vector today. Over a year ago, McAfee reported that they detected over 350,000 unique pieces of malware that incorporated digital certificates – in one month!
Add to this the admission by the AV industry that they are no longer able to provide the protection that is needed. Leading AV experts such as Mikko Hypponen and Roel Schouwenberg have publicly stated that the failure to detect malware is “a spectacular failure for the antivirus industry in general” and that “if Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”
Why is traditional security technology proving so ineffective in slowing the avalanche of breaches?
Stuxnet not only opened the floodgates when it came to recognising the power of malware, but it also brought the use of stolen digital certificates into the spotlight. The digital signing of malware had been a common practice, but this had generally been perceived to use invalid certificates, relying on the carelessness of users and administrators to simply trust “untrusted” sources. Increasingly, though, the key objective was to avoid detection, and with Stuxnet, Duqu, Flame, probably Red October, and hundreds of thousands of other pieces of malware, it has become clear that valid certificates, either stolen or maliciously issued, are needed to get under the radar. The result is that there is no technology today that can distinguish between a valid certificate residing in malware and the same valid certificate residing in valid code. How many enterprises have for months been happily allowing malware, masquerading as Windows Updates, to have access to their systems? How many are still allowing it?
How can a few security staff protect your organization against this malware army consisting of millions of soldiers, most of whom cannot even be identified? The answer: by limiting the points where they can attack you. Each and every system in your infrastructure trusts hundreds and most likely thousands of Certificate Authorities (CAs). And most, if not all, of these CAs are unregulated. And today you simply allow any code signed by any of these CAs to enter your infrastructure unchallenged. Imagine boarding an aircraft with absolutely no security scanning, or having no border control in your country!
For example, my browser trusts some Certificate Authority called “POSTArCA” from a country known as SI, and also trusts “China Internet Network Information Center EV Certificates Root”. It also trusts something with the “friendly name” of “AC Raíz Certicámara S.A.”
It’s not that I’m casting aspersions on these organizations or countries but should malware arrive in my system using a certificate issued by any of these, or thousands of others that I never work with, my system will simply trust it! At this point, we should all be experiencing chest pains, the telltale signs of a heart attack.
So if you want to take effective action to reduce the risk of attack, then manage your trust authorities across your entire infrastructure. For example, internal systems in 99% of organizations only need to trust internal CAs, and possibly a handful of external trusted parties. If you don’t need it, it shouldn’t be there.
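The two points above, limiting the CAs your systems trust and refusing code that merely carries a valid signature from one of the hundreds of roots you never work with, can be checked on a Windows host with a short script. The following is an added example, not the author’s or Venafi’s code, and it assumes Windows PowerShell with read access to the certificate stores; the two thumbprints and the file path are placeholders you replace with your own internal and partner roots and a file you want to check. It reports rather than removes, since the decision to drop a root belongs in policy.

```powershell
# Added example (not from the article): audit the root CAs a Windows host trusts
# against an explicit allow list, and check that a signed file chains to one of
# those roots rather than to "any CA that happens to be in the store".
# Assumptions: Windows PowerShell; read access to Cert:\LocalMachine\Root and
# Cert:\CurrentUser\Root; the thumbprints and file path below are placeholders.

$AllowedRootThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_INTERNAL_ROOT_CA',   # your enterprise root CA (placeholder)
    'PLACEHOLDER_THUMBPRINT_PARTNER_ROOT_CA'     # a partner you actually work with (placeholder)
)

# Every root in the store that is NOT on the allow list: "if you don't need it,
# it shouldn't be there". Reported only; removal should be done through policy.
function Get-UnexpectedRootCAs {
    param(
        [Parameter(Mandatory)][string[]]$Allowed,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $Allowed -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Subject      = $_.Subject
                FriendlyName = $_.FriendlyName   # the "friendly name" the article mentions
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
            }
        }
}

# Is a file's Authenticode signature valid AND does its chain end at an
# allow-listed root? A valid signature from an unknown CA is exactly the case
# the article describes, so it is reported as a failure here.
function Test-SignerRootAllowed {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $FilePath; Allowed = $false; Signer = $null
                                  Reason = "Signature status: $($sig.Status)" }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($sig.SignerCertificate)) {
        return [pscustomobject]@{ File = $FilePath; Allowed = $false
                                  Signer = $sig.SignerCertificate.Subject
                                  Reason = 'Chain could not be built' }
    }
    # The last element of a successfully built chain is the root the OS trusted.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $ok = $Allowed -contains $root.Thumbprint
    if ($ok) { $reason = 'Chains to an allow-listed root' }
    else     { $reason = "Chains to a root not on the allow list: $($root.Subject)" }
    [pscustomobject]@{
        File    = $FilePath
        Allowed = $ok
        Signer  = $sig.SignerCertificate.Subject
        Reason  = $reason
    }
}

# Usage: audit both root stores, then check one signed file.
$machineExtra = Get-UnexpectedRootCAs -Allowed $AllowedRootThumbprints
$userExtra    = Get-UnexpectedRootCAs -Allowed $AllowedRootThumbprints -StorePath 'Cert:\CurrentUser\Root'
"Machine root store: {0} CA(s) not on the allow list" -f @($machineExtra).Count
"User root store:    {0} CA(s) not on the allow list" -f @($userExtra).Count
$machineExtra | Sort-Object Subject | Format-Table Subject, Thumbprint, NotAfter -AutoSize

Test-SignerRootAllowed -FilePath 'C:\PLACEHOLDER\path\to\signed-installer.exe' -Allowed $AllowedRootThumbprints
```

Run it across a sample of hosts before deciding anything: the first report is usually long, because Windows ships a large root list and adds roots on demand through its automatic root update mechanism. On domain-joined machines the trusted root list is normally distributed by Group Policy, so the place to act on the report is the policy, not the individual host, and the per-user store is worth a separate look because that is where careless installs leave extra roots behind.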
Are hackers simply smarter than IT Security staff?
Common sense demands that if I’m going to attack you, then I target the weakest point. Whether in the field of sports, love, or whatever, we naturally choose the path of least resistance. We all know “the way to a man’s heart is through his stomach” and “diamonds are a girl’s best friend”; and those targeting you with malware know that if there is a soft underbelly in any organization, it’s keys and certificates. IT staff generally don’t understand them, and nobody knows where they are; in fact, in virtually every organization we deal with, we discover that 60% of all keys and certificates are unknown. This is what we refer to as “unmanaged and unquantified risk”. It is believed the market for stolen SSL certificates is worth billions annually. How much would your competitor pay to have one of your certificates in order to infiltrate your organization?
Can we still protect critical infrastructure from attack in the digital age?
I believe so, if you take the necessary precautions to manage your keys and certificates. It’s time to starve malware of its essential ingredient. In fact, enterprise-wide key and certificate management may just be the “kryptonite” you need to stop malware in its tracks! And as for my alarm system, I think the wife should sleep downstairs. There’s no need for me to get woken up if the front door is sabotaged!