Locks are great for safeguarding things from unauthorized access. Keys are necessary for allowing authorized people to open those locks. What happens, though, when there are so many locks, and so many keys that you lose track? What happens when those keys fall into the wrong hands, or can be easily duplicated? That is the dilemma facing Internet security and privacy today.
Digital certificates and encryption keys form the backbone of security and privacy online. When those certificates and keys are poorly managed, however, they put the network and its data at risk. In some ways the risk is greater than having no keys and certificates at all: their presence creates a false sense of confidence, and that illusion of security makes it easier for an attacker to exploit the keys and certificates that nobody is tracking.
At the RSA Conference in San Francisco earlier this month, Stephen Jordan, Senior Vice President and Technology Area Manager for Wells Fargo Enterprise Information Security Engineering and Services, presented a session titled “How Poorly Managed Keys and Certificates Impact the Trust Model.” Jordan focused on the fact that businesses and consumers trust one another online based on the promise of security from digital certificates and encryption keys, but that attackers can take advantage of weaknesses in the system and exploit that trust.
Some of the high-profile data breaches in the past year or two have been the result of attackers somehow compromising or exploiting digital certificates and encryption keys. Jordan shared examples of two such incidents to illustrate the techniques and strategies attackers use to obtain fraudulent certificates or hijack legitimate ones for nefarious purposes. One case study focused on an attack against a global banking company, and the other involved the misuse of keys and certificates to circumvent security.
As an individual, there isn’t a whole lot you can do. When you connect to a website or mobile service you assume that the little padlock icon indicates a secure connection, and it does indicate an encrypted connection to whoever holds the private key for that site’s certificate. It says nothing about whether that party is honest, which is why it is so hard for the average consumer to detect a well-crafted phishing site or fraudulent email when the attacker has a valid digital certificate of their own.
Businesses, on the other hand, can take steps to guard against these sorts of attacks by doing a better job of managing the digital certificates and encryption keys they’ve been issued. That starts with automation.
According to a Ponemon Institute study cited by Jordan in his presentation, an average business has 23,992 keys and certificates deployed on its networks. The daunting challenge of managing certificates and keys is probably going to get much worse. Gartner predicts there will be 25 billion connected devices by 2020, and each one of those 25 billion things will likely depend on a certificate to verify its identity online.
Any effort to manually track and manage nearly 25,000 keys and certificates is almost doomed to fail. New devices and services introduce more keys and certificates on a regular basis, and other devices and services are removed from the network and no longer need to be tracked. Businesses need to automate the process of monitoring keys and certificates in order to effectively stay on top of things.
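As an added example that is not from the article or from Jordan’s presentation, the following Python script (standard library only) shows the core of such an automated monitor: it walks the DER structure of an X.509 certificate to pull out the fields an inventory needs (validity window, signature algorithm, RSA key size) and checks each certificate against a simple policy. Everything in it is an assumption for illustration: the host names, the policy thresholds, and the sample certificates, which are built in-block with a small DER encoder and are unsigned placeholders rather than real CA-issued certificates. In practice the DER bytes would come from a network scan (for example `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`) or from the PEM files deployed on each host.

```python
# Added example, not from the article: a stdlib-only X.509 inventory check.
# It walks a certificate's DER structure for the fields an automated monitor needs
# (validity window, signature algorithm, RSA key size) and applies a policy.
# The sample certificates are CONSTRUCTED with a tiny DER encoder: unsigned, not real.
from datetime import datetime, timedelta, timezone

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
FIXED_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock so output is reproducible

# --- DER encoding, only what the samples need ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):  # one spare byte keeps a value with the high bit set positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:                                  # base-128, high bit = more to come
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

# --- DER decoding ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, val):  # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Pull the monitoring-relevant fields out of one DER-encoded certificate."""
    _, tbs, _ = _read_tlv(_read_tlv(der, 0)[1], 0)          # tbsCertificate is the first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, sig_alg, _issuer, validity, _subject, spki = fields[:6]
    not_before, not_after = [_decode_time(t, v) for t, v in _children(validity[1])]
    key_alg, key_data = _children(spki[1])
    key_oid, key_bits = _decode_oid(_children(key_alg[1])[0][1]), None
    if key_oid == RSA_ENCRYPTION:  # BIT STRING = unused-bits byte + SEQUENCE { n INTEGER, e INTEGER }
        modulus = _children(_children(key_data[1][1:])[0][1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return {"not_before": not_before, "not_after": not_after, "key_alg": key_oid,
            "key_bits": key_bits, "sig_alg": _decode_oid(_children(sig_alg[1])[0][1])}

def check_policy(info, now, warn_days=30, min_rsa_bits=2048):
    """Policy findings for one parsed certificate; an empty list means it passes."""
    findings = []
    if info["not_after"] <= now:
        findings.append("expired")
    elif (info["not_after"] - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    if info["sig_alg"] == SHA1_RSA:
        findings.append("signed with SHA-1")
    if info["key_bits"] is not None and info["key_bits"] < min_rsa_bits:
        findings.append(f"RSA key shorter than {min_rsa_bits} bits")
    return findings

def build_sample_cert(not_before, not_after, sig_oid=SHA256_RSA, modulus_bits=2048):
    """CONSTRUCTED, unsigned sample with just enough structure for the parser."""
    modulus = (1 << (modulus_bits - 1)) | 1                 # right size, not a real key
    alg = der_seq(der_oid(sig_oid), tlv(0x05, b""))
    spki = der_seq(der_seq(der_oid(RSA_ENCRYPTION), tlv(0x05, b"")),
                   tlv(0x03, b"\x00" + der_seq(der_int(modulus), der_int(65537))))
    name = der_seq()                                        # empty Name; real ones carry RDNs
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(1234), alg, name,
                  der_seq(der_utctime(not_before), der_utctime(not_after)), name, spki)
    return der_seq(tbs, alg, tlv(0x03, b"\x00"))            # empty signature: placeholder only

def sample_inventory(now=FIXED_NOW):
    """Run the policy over four CONSTRUCTED certificates a network scan might return."""
    year = timedelta(days=365)
    samples = {  # hypothetical host names
        "web-01": build_sample_cert(now - year, now + year),
        "legacy-app": build_sample_cert(now - year, now + year, SHA1_RSA, 1024),
        "api-gw": build_sample_cert(now - year, now + timedelta(days=10)),
        "decommissioned-host": build_sample_cert(now - year, now - timedelta(days=1)),
    }
    return {host: check_policy(parse_certificate(der), now) for host, der in samples.items()}

if __name__ == "__main__":
    for host, findings in sample_inventory().items():
        print(f"{host}: {', '.join(findings) or 'OK'}")
```

The parser deliberately stops at the subjectPublicKeyInfo and ignores extensions, so it will also accept certificates it cannot fully validate; a production monitor would hand the raw DER to a real X.509 library for chain validation and revocation checks, and would feed the findings into a ticketing or alerting system rather than printing them. The point of the example is the shape of the automation: discover, parse, apply policy, and repeat on a schedule, because the inventory changes every time a device or service is added or retired.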
This article was written by Tony Bradley from Forbes and was legally licensed through the NewsCred publisher network.