Easing Strain of CA Compromises

Monday, August 13, 2012 @ 06:08 PM gHale


Companies or organizations now have a guide to help prepare for the risks posed by a security breach that affects certificate authorities (CAs).

The bulletin, a result of the collaboration between National Institute of Standards and Technology’s (NIST) Information Technology Laboratory (ITL) and the EKCM solutions provider, is not only meant to alert, but also to advise government and private agencies on what must happen in case certificates end up fraudulently issued. The advisory covers pre- and post-incident responses.

RELATED STORIES
Security Firm Updates Key Leak
Rogue SSL Certificate Plan Proposed
NASA Investigates Compromise
U.S. Jams Taliban, Yemen Frequencies

In the past few years, digital certificates, their issuers and private keys have become a tempting target for cyber criminals, since these elements can allow them to gain unauthorized access to the sensitive information.

“Certificate authorities have increasingly become targets for sophisticated cyber attacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” said Paul Turner, vice president of products and strategy at Venafi.

“Recent attacks on CAs make it imperative that organizations ensure they are using secure CAs, and are prepared to respond to CA compromises and the issuance of fraudulent certificates.”

Large organizations may use up to tens of thousands of certificates and encryption keys to secure their communications and they need to be aware of the fact misplacing any one of them could have devastating consequences.

In order to mitigate the risks posed by an incident that affects a CA, organizations must secure their CAs, they must establish a proper inventory of all the certificates they utilize (and a separate inventory for trusted anchors), identify certificate replacement procedures, and seek out backup sources for the rapid acquisition of new certificates.

“Because certificates are typically installed and managed by individual administrators in disparate departments, most organizations and executives are not aware of their dependence on certificates for security,” Turner added.

“Nor are they aware of the significant disruption to business operations that would result if they had to replace all affected certificates following a CA compromise.

“If enterprises are not prepared to respond to a CA compromise,” Turner said, “they have overlooked business continuity planning that could prevent extended downtime for a majority of their applications and systems.”



Leave a Reply

You must be logged in to post a comment.