There’s a popular meme online that goes, “On the Internet, nobody knows you’re a dog.” The phrase is from a cartoon published in The New Yorker in July of 1993, which illustrates the anonymity of the Internet. Regardless of who or what an entity on the Internet claims to be, you generally don’t know for sure if you’re dealing with a 40-something male in Boca Raton, a 13-year-old girl in Berlin, or a bot with artificial intelligence.
The one method we have that provides some reasonable assurance of identity and authenticity is the system of cryptographic keys and digital certificates. The key and certificate trust model allows for secure communication, commerce and computing by providing some form of proof that the site or individual is what or who it claims to be.
Stephen Jordan, Senior Vice President and Technology Area Manager for Wells Fargo Enterprise Information Security Engineering and Services, presented a session on this topic at the RSA Conference in San Francisco last week. Jordan’s session, titled “How Poorly Managed Keys and Certificates Impact the Trust Model” explored the weaknesses inherent in the current model of digital trust, and provided some prescriptive guidance to help strengthen it.
Trusted Third Party
Most of the keys and certificates online are issued from a certificate authority—a trusted third party that exists solely to validate the identity of a company or individual and issue an associated certificate that can be used to verify and authenticate with others. That certificate is what enables your Web browser to determine that the site you’re visiting is genuine and secure so you can get the green light, or padlock, or whatever icon or image your browser uses to display that a site is secure.
It’s possible to create a self-signed certificate, but it would be foolish to blindly trust such a certificate. Jordan pointed out that a self-signed certificate is like letting people create and publish their own passports. A passport is arguably the quintessential verification of your identity as a human being, and it allows you to travel and enter foreign countries. The whole point of a passport is that your home country is vouching for your identity and verifying that you are, in fact, who you say you are. It would be a major security flaw if a nation allowed people to enter the country based on homemade passports they created themselves.
There are situations where self-signed certificates can and should be trusted. It costs money to obtain valid third-party certificates. For traffic and communications that occur strictly internally, it is fine for an organization to recognize and accept its own self-signed certificates. Jordan stressed, however, that it is unwise to blindly accept self-signed certificates from outside companies or individuals you do not implicitly trust.
The bad guys know that organizations trust the certificate authorities as well as the keys and certificates they issue, and they’ve been vigilant in finding ways to exploit that trust. According to Jordan, most security controls blindly trust keys and certificates, and the cyber criminals know that. They will misuse keys and abuse certificate trust to bypass security controls.
Cyber criminals use a variety of methods to compromise or exploit trust in certificates. Jordan listed a few, such as hiding in encrypted traffic to transmit malware or steal data, eavesdropping on “secure” communications using a man-in-the-middle (MitM) attack, spoofing websites for phishing attacks, and distributing malware that is signed using a seemingly legitimate certificate.
Jordan shared two real-world case studies that investigate and recreate recent attacks to understand the techniques and strategies employed by attackers. One explores an APT (Advanced Persistent Threat) attack against a global banking company, and the other scrutinizes a real-world attack involving the misuse of keys and certificates to bypass critical security controls.
A common theme of these two case studies, and recent attacks in general, is that the online bad guys have figured out that one of the easiest ways to break certificate security is to compromise the certificate authorities themselves. If the attackers can either fraudulently obtain a legitimate certificate verified by a trusted certificate authority, or somehow infiltrate the certificate authority to issue certificates for legitimate companies to the attackers, it is very simple to then set up convincing attacks that seem to originate from a trusted source.
Jordan cited a Ponemon Institute study claiming that an average organization has 23,992 keys and certificates deployed on its networks. He also explained that Gartner predicts there will be 25 billion connected devices communicating across the Internet by 2020. Each one of those 25 billion things will likely have a certificate to verify its identity / authenticity online.
In my opinion, the overall message of the session can be distilled to three main points.
1. Automation is crucial because there are too many connected systems and devices with too many keys and certificates for any manual effort to be effective.
2. Don’t get overwhelmed trying to do everything all at once. Look at it as a journey and just start taking steps in the right direction.
3. View key and certificate management as an ongoing effort, not a one-time event, or else you will end up with gaps in your security strategy that will result in increased risk of a breach.
Jordan wrapped up with some tips to help attendees of the RSA session do a better job of maintaining keys and certificates and managing trust. He recommended that organizations immediately review their current key and certificate management and security practices, and review reconstructions of recent attacks to gain a better understanding of how the bad guys are playing the system to compromise trust.
Next, he suggested that organizations conduct a full inventory of all keys and certificates, including a vulnerability assessment. He acknowledged the challenge of doing so manually, using the analogy of the census bureau: as census takers go door-to-door, they can report on everyone who answers the door, but what about the households that don't answer? Jordan noted that simple network discovery tools have the same limitation with port-based scanning: you only find the keys and certificates that respond, though there may be far more on the network that don't. Jordan also urged attendees to evaluate tools that help automate key and certificate management, and to develop a management strategy and policies to support better certificate security.
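To make the self-signed-certificate rule from earlier and the inventory-plus-vulnerability-assessment step concrete, here is an added example that is mine, not code from Jordan's session or from any product he mentioned: a small Python policy check run over a constructed certificate inventory. The hostnames, CA names and the approved trust-anchor set are assumptions; the check flags self-signed certificates that are not the organization's own approved anchor, certificates with no chain to a trusted CA, expired or soon-to-expire certificates, and short keys.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class CertRecord:
    host: str            # where the certificate was discovered
    subject: str
    issuer: str          # equals subject for a self-signed certificate
    not_after: datetime
    key_bits: int
NOW = datetime(2015, 5, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
D = timedelta
# Constructed sample inventory; hosts and CA names are hypothetical, not from the talk.
INVENTORY = [
    CertRecord("intranet.corp.example", "CN=intranet.corp.example", "CN=Corp Internal CA", NOW + D(days=400), 2048),
    CertRecord("ca.corp.example", "CN=Corp Internal CA", "CN=Corp Internal CA", NOW + D(days=3000), 4096),
    CertRecord("www.example.com", "CN=www.example.com", "CN=Public Root CA", NOW + D(days=10), 2048),
    CertRecord("partner.example.net", "CN=partner.example.net", "CN=partner.example.net", NOW + D(days=200), 1024),
    CertRecord("legacy.corp.example", "CN=legacy.corp.example", "CN=Unknown Issuer", NOW - D(days=5), 2048),
]
ANCHORS = {"CN=Corp Internal CA", "CN=Public Root CA"}  # anchors the organization explicitly approved

def chain_to_anchor(cert, by_subject, anchors, max_depth=8):  # True only if issuer links end at an anchor
    current = cert
    for _ in range(max_depth):
        if current.issuer in anchors:
            return True
        if current.issuer == current.subject:   # self-signed root that nobody approved
            return False
        current = by_subject.get(current.issuer)
        if current is None:                     # issuer was never discovered on the network
            return False
    return False

def evaluate(inventory, anchors, now, warn_days=30, min_key_bits=2048):  # {host: [findings]}
    by_subject = {c.subject: c for c in inventory}
    report = {}
    for c in inventory:
        findings = []
        if c.subject == c.issuer and c.subject not in anchors:
            findings.append("self-signed and not an approved internal anchor")
        elif c.subject not in anchors and not chain_to_anchor(c, by_subject, anchors):
            findings.append("no chain to a trusted CA")
        if c.not_after <= now:
            findings.append("expired")
        elif c.not_after - now <= timedelta(days=warn_days):
            findings.append("expires within %d days" % warn_days)
        if c.key_bits < min_key_bits:
            findings.append("key shorter than %d bits" % min_key_bits)
        report[c.host] = findings   # empty list means the certificate passed every check
    return report
```

Certificates that discovery never saw produce no record at all, which is the census-bureau gap: the report only covers what answered.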
On the Internet, nobody knows you’re a dog. But, the companies and individuals you do business with expect to be able to verify that you are who you say you are—within reason—and you must do the same with the businesses and individuals you connect with online. Key and certificate management is crucial to the security of the Internet, and you need to manage these things effectively and securely to maintain trust.