Digital Trust and Enterprise Integrity: you either have it, or you don't!
Andy Jenkinson
CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. NAMED AN EXPERT IN INTERNET ASSET & DNS VULNERABILITIES
Digital X.509 certificates, and our complete reliance upon them for critical infrastructure and global economic stability.
Some Interesting Facts:
Every company, every government and every single computerised device relies upon digital certificates to establish trust before communicating with another device: every mobile phone, PC, laptop and IoT device, and many more besides. A brand new, gold-standard laptop has circa 150k-250k certificates on it from new. Typically over 25% of these are expired (some revoked), and an expired certificate sitting unused is usually harmless; compromised, replicated and rogue certificates are another matter, and according to Gartner are responsible for over 55% of all global breaches. So it is worth asking why they are there in the first place. They certainly do not need to be, and once identified they can be removed, which is not as easy as it sounds because it depends on discovery capabilities most organisations do not have. It is estimated that circa 1.5% of all certificates are potentially dangerous and can create vulnerabilities.
The providers of these certificates are known as Certificate Authorities (CAs), and they play a vital role in maintaining order across the Internet and the connectivity of all devices. Companies are completely reliant upon them, yet over the last decade or so a number of CAs have let their clients down with dire consequences. Symantec's certificate business lost the trust of the major browsers after repeated mis-issuance, forcing every customer to replace its certificates, and GoDaddy had to revoke thousands of certificates in 2017 after a flaw in its domain-validation checks. The story linked below is another example: the reseller Trustico emailed 23,000 customer private keys to DigiCert, and every affected certificate had to be revoked within 24 hours, leaving those clients scrambling for replacements. Each case created business-continuity and breach exposure for the clients concerned.
https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat
Managing one's certificate estate is not easy and has been a thorn in the side of many a CISO, CTO and CIO for decades. It has been an almost impossible challenge because most organisations do not have a full device inventory, let alone visibility of the tens of millions of certificates collectively attached to those devices. Bring Your Own Device (BYOD) and the Internet of Things (IoT) compound the challenge further; the latter are often manufactured with little or no security at all.
We are often asked: 'Do illegal, rogue, compromised or retired certificates cause any issues, and if they do, what examples are there?'
British Airways was breached in 2018: the card details of some 380,000 customers who bought flights on ba.com and in the BA app were stolen. The attackers injected a script into BA's payment pages that copied each card entry to a look-alike domain they controlled, served over HTTPS with a validly issued certificate, so the exfiltration looked like ordinary encrypted traffic and nothing challenged it. The theft ran undetected from 21 August to 5 September. Its total cost to BA is estimated at circa £1.5 billion.
https://www.bbc.com/news/technology-45446529
Facebook was also breached in 2018. Attackers chained bugs in the site's 'View As' feature to steal access tokens, the credentials that keep a user logged in, for around 30 million accounts, and then used those tokens to pull personal data. No certificate was involved, but the lesson is the same: a trust credential that is issued and then never tracked is accepted without challenge until it is abused. The cost to Facebook is again estimated at circa $1.5 billion.
https://www.theguardian.com/technology/2018/oct/12/facebook-data-breach-personal-information-hacker
O2, one of the world's leading mobile network operators (MNOs), went 'off air' on 6 December 2018, leaving circa 32 million UK users, including customers of the virtual operators that ride on its network, unable to use mobile data. MNOs are part of the Critical National Infrastructure (CNI), and services that rely on O2's network, such as London's bus arrival boards, were paralysed too; this ultimately affects businesses, energy companies and the UK economy, and, dramatic as it sounds, lives could genuinely be at risk. The cause was an expired certificate in network equipment software supplied by Ericsson, which went unnoticed until it was too late and caused one of the longest business-continuity outages an MNO has suffered to date; the same expired certificate took down other Ericsson customers around the world on the same day. The estimated cost of the outage is circa £250 million.
The estimated costs do not include share values, which typically fall 5-15% after such breaches.
The above cases happened to companies we might rightly assume take information security and certificate management seriously, and that can certainly afford to, yet all three were caught out by a trust credential nobody was watching, and all three have 'patched' the individual issue. A word of warning: without full discovery and ongoing management of certificates and keys, this could happen again today or tomorrow, to any or all of them, and multiple times.
The fundamental issue is that these giants are not addressing their Public Key Infrastructure (PKI); they are remediating one challenge (one certificate) at a time. Every device relies on certificates, which are the digital trust that sits on the PKI. If a company or government does not take PKI seriously and manage its millions or billions of certificates, those certificates will do what they do: expire, get replicated, or simply sit on the enterprise waiting to resurface or be reused, and because they have already been granted digital trust they will not be challenged when they re-emerge. This is an easy hunting ground for would-be cyber criminals, and they know exactly how to exploit it, particularly as most information security experts are focused on the latest phishing campaign or on perimeter firewall security.
Certificates come in many forms, varying in what they are permitted to do, how long they are valid for and who signed them; many are self-signed. Twelve-month (or shorter) validity is good practice; a ten-year self-signed certificate is obviously not. Ten-year certificates issued in 2008/9, many of them self-signed and broadly permissioned, are now starting to expire and will cause O2-type outages unless they are identified and managed in a proper manner. Put simply, our reliance upon certificates demands that they be managed properly, which is not the case today; add to this that few organisations have a full and correct inventory of devices, let alone of the certificates on them, so they are simply unable to manage them. It is a lottery with no chance of anything but large losses, and it will continue to undermine businesses, critical infrastructure and potentially the UK and global economy.
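What 'identified and managed in a proper manner' looks like in practice, as an added example that is not code from this article or from CIP: a small Go program that builds a constructed inventory of certificates using only the Go standard library and runs each one through the policy the paragraph above describes, flagging expired certificates (the O2 failure mode), certificates due for renewal, validity periods longer than the 398-day ceiling that public CAs and browsers now apply to TLS server certificates, and self-signed leaf certificates. The hostnames, the 398-day limit and the 30-day warning window are assumptions; real use would feed it certificates collected from hosts and TLS endpoints instead of the generated sample.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds (assumptions of this example): 398 days is the ceiling public CAs
// and browsers apply to TLS server certificates; 30 days is the renewal warning window.
const (
	day          = 24 * time.Hour
	maxValidity  = 398 * day
	renewWarning = 30 * day
)

// IsSelfSigned is true when issuer and subject are byte-identical AND the certificate's
// own key verifies its signature. Name equality alone can be faked by a rogue cert.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// CheckCert evaluates one certificate against the policy as of now and returns the
// problems found in a fixed order (nil when clean). CA certs are only checked for expiry.
func CheckCert(c *x509.Certificate, now time.Time) []string {
	var issues []string
	switch {
	case now.After(c.NotAfter):
		issues = append(issues, "expired")
	case c.NotAfter.Sub(now) < renewWarning:
		issues = append(issues, "expires within 30 days")
	}
	if !c.IsCA && c.NotAfter.Sub(c.NotBefore) > maxValidity {
		issues = append(issues, "validity longer than 398 days")
	}
	if !c.IsCA && IsSelfSigned(c) {
		issues = append(issues, "self-signed")
	}
	return issues
}

// issue creates a certificate with a fresh P-256 key: self-signed when parent is nil,
// otherwise signed by parent with parentKey. Used only to construct sample input.
func issue(cn string, notBefore time.Time, validity time.Duration, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a sample
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// SampleInventory is a constructed set of certificates (not real ones), dated relative to
// now: a root, a healthy leaf, one due for renewal, one whose renewal was missed (the O2
// failure mode) and a 2008-era ten-year self-signed leaf that has quietly expired.
func SampleInventory(now time.Time) []*x509.Certificate {
	ca, caKey := issue("Example Internal Root CA", now.AddDate(-2, 0, 0), 3650*day, true, nil, nil)
	healthy, _ := issue("api.example.test", now.Add(-300*day), 397*day, false, ca, caKey)
	soon, _ := issue("vpn.example.test", now.Add(-380*day), 395*day, false, ca, caKey)
	missed, _ := issue("core.example.test", now.Add(-400*day), 365*day, false, ca, caKey)
	legacy, _ := issue("legacy-gw.example.test", now.Add(-3700*day), 3650*day, false, nil, nil)
	return []*x509.Certificate{ca, healthy, soon, missed, legacy}
}

func main() {
	now := time.Now()
	for _, c := range SampleInventory(now) {
		fmt.Printf("%-26s %v\n", c.Subject.CommonName, CheckCert(c, now))
	}
}
```

Self-signed detection checks both that issuer equals subject and that the certificate's own key verifies its signature: a rogue certificate can copy a subject name, but cannot produce a signature that verifies under a key it does not hold. Roots are deliberately exempted from the self-signed and long-validity checks, since a root is expected to be both; whether a given root belongs on a device is an allow-list question, not a threshold one.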
Is there an answer?
Good certificate management and agility is a must-have, not a nice-to-have. A full inventory of devices across the enterprise must be undertaken, because you cannot protect what you do not know about, and robust policies and procedures for pre- and post-breach must be implemented. NIST and NCSC guidance is very clear, and adopting it is our recommendation as a minimum.
What can Cybersec Innovation Partners (CIP) do to address the challenges above?
CIP is a team of recognised cyber and security leaders led by industry specialists. Our mission is to identify military-grade technology with proven risk-reduction capabilities and fast-track its deployment into enterprise use. CIP solutions inform executive and management teams of cyber threats and operational risks.
CIP has proprietary software (Whitethorn) that was developed in a military environment following a breach. The brief was to build a technology that could, via multiple scanners, discover every X.509 certificate, together with the SSL/TLS and SSH keys, that a PKI depends on. The technology has since been developed further and now provides a full inventory of devices, certificates and keys. With it, rogue certificates can be quickly identified and rejected; the agility of the technology enables allow- and block-listing of certificates, automatic renewals and replacements, and rotation and management via a simple set of rules on a dashboard. This gives the CISO, CTO and CIO full visibility and control for the first time, which in turn greatly reduces certificate issues, be they rogue, compromised or expiring.
To suffer a breach or business disruption once is unfortunate and usually the result of poor certificate management; now that Whitethorn is readily available, to have it happen a second time is nothing short of foolish.
Contact us to request a recent Fortune 250 certificate discovery report, or to discuss ensuring you have digital trust in 2019.
www.cybersecip.com