Where We Are, and Where We Need to Be
By Danielle Adams, Freelance Writer, Venafi
Public Key Infrastructure (PKI) is the foundation of secure communications on the internet. That said, it’s a system that’s not always as secure as we intend, and much of that is due to how we implement and run the PKI system. There are a number of mistakes that the vast majority of businesses are making, and they’re making the internet much less safe than it needs to be.
This article discusses the most common problems and challenges we create for ourselves in the course of managing our PKI, and the cost of continuing to operate in the same way. If you’re afraid that your PKI procedures aren’t as robust as they should be, keep reading.
Hardware security modules
The 2015 PKI Global Trends Study, commissioned by Thales, found that the vast majority of businesses don’t use the best available technology to protect things like Certificate Authorities (CAs), certificates, keys, and signatures. Instead of using stronger, more effective security tools like Hardware Security Modules (only 28% of businesses use them), businesses are opting to keep using less secure techniques, such as password protection (53%).
When you remember that odds are really good that any given password contains a) the individual’s dog’s name and b) a thimbleful of numbers at either the beginning or the end, it’s easy to see why that might be a bad idea. Dictionary attacks are extremely effective at cracking predictable passwords that use common password elements and patterns. Even when passwords are hashed, rainbow tables can make short work of weak ones. And PKI keys and certificates are too valuable to leave secured with a cheap lock.
Certificate requests and issuing
Large organizations that have to ensure the security of lots of physical doors usually employ a locksmith, so that there’s an allowance for things like master keys. Usually, they’ll employ only one locksmith (or, at least, only one central department responsible for keeping the keys and locks), and requests to issue new keys or rekey old locks have to go through them.
Even though digital keys, certificates, and signatures are just as important, we don’t often handle them the same way. According to a poll conducted by Venafi, 66% of their customers use two or more CAs to issue certificates and signatures, and nearly 40% allow IT professionals, developers, and line-of-business owners to request certificates. That means there’s a legion of certificates being issued that Operations/InfoSec doesn’t even know about.
That also means the company is trying to manage keys and certificates that are coming from multiple sources, so they can’t even rely on a single CA’s records to keep track of all their certificates. With more moving parts, it’s harder to keep all of these “locks and keys” safe from theft, tampering, and copying.
Another problem is certificate expiration. According to the Venafi poll, 45% of companies use certificates that are set to expire more than a year after issuance. Another 30% let their certificates go as long as a year, even though Google advised that it’s best to turn them over in six months or less.
Certificates are like underwear: they should be changed frequently, and discarded (or revoked; more on this below) if ever used by a stranger. Anything less is just unsanitary.
An important part of running PKI is the ability to revoke old or compromised certificates. If something’s wrong with your certificates, you need to be able to put it on a Certificate Revocation List (CRL), and publish it. That’s apparently not a possibility for everyone, though. According to the Thales study, a whopping 37% of IT professionals say that they have no revocation techniques in place to make this a possibility.
Going back to our locksmith analogy, imagine one of your nighttime janitors lost a master key. Then, imagine your locksmith had no way of changing the locks to ensure the physical security of the premises. Anyone who’s worked a janitorial or maintenance job knows this idea is ridiculous—the boss gives you a lengthy speech on the first day about the thousands it will cost you if you lose one of those masters. That’s because they have to rekey every last lock that the master key can open.
Now, an outdated or stolen certificate doesn’t necessarily mean you have to scrap your whole PKI system. But it is certainly a problem that needs to be addressed because it gives outsiders (especially malicious ones) the ability to pass off software or web pages as yours to users. This is a dangerous problem that needs to be avoided at all costs.
Lastly, we have an issue that’s just a matter of convenience at first glance but gets more serious the longer you look at it. That’s the matter of tracking (or managing) your certificates. How do you keep track of all of them? These days, the number of certificates a company might have in use can easily reach the tens of thousands. That means there are a lot of things to keep tabs on.
The Venafi poll asked clients how they did it. Among the companies, 44% relied on their CAs to keep track of everything, leaving themselves in the dark about the details. Another 28% were using a spreadsheet to get it done. Less than a third had partnered with a third-party solution to manage their certificates effectively.
Now, keeping track of all that information can seem overwhelming, but as we mentioned above, the less you have a handle on your certificate tracking, the easier it is for something to slip through the cracks, and for something nefarious to happen.
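As an added example (not from the article, Venafi, or Thales), the following Go program shows the kind of automated check that a spreadsheet cannot do for tens of thousands of certificates: it applies the lifetime guidance discussed above (six months preferred, one year as a hard limit) and flags expired or soon-to-expire certificates against an injected clock. The function names, the 183-day reading of "six months", and the three self-signed sample certificates are all assumptions made for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const day = 24 * time.Hour
// Audit flags each certificate whose validity period exceeds the six-month guidance
// (separately above one year) or which has expired, or will within renewWindow of now.
func Audit(certs []*x509.Certificate, now time.Time, renewWindow time.Duration) map[string][]string {
	out := make(map[string][]string)
	for _, c := range certs {
		var issues []string
		switch life := c.NotAfter.Sub(c.NotBefore); {
		case life > 365*day:
			issues = append(issues, "lifetime exceeds one year")
		case life > 183*day:
			issues = append(issues, "lifetime exceeds six months")
		}
		if now.After(c.NotAfter) {
			issues = append(issues, "expired")
		} else if c.NotAfter.Sub(now) < renewWindow {
			issues = append(issues, "expires within renewal window")
		}
		out[c.Subject.CommonName] = issues // nil slice means the certificate passed
	}
	return out
}
// selfSigned builds a constructed sample certificate; a real inventory would instead
// feed PEM files or a CA export through x509.ParseCertificate.
func selfSigned(cn string, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// SampleInventory returns three constructed certificates dated relative to a fixed clock.
func SampleInventory(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		selfSigned("ok.example", now.AddDate(0, -1, 0), 90*day),     // short-lived, current
		selfSigned("long.example", now.AddDate(-1, 0, 0), 3*365*day), // three-year lifetime
		selfSigned("stale.example", now.AddDate(0, -8, 0), 180*day),  // already expired
	}
}
```

Run against an inventory exported from every CA in use (not just the one Operations knows about), the output is the list that a CRL decision or a renewal ticket can be driven from.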
The costs of bad PKI management
At this point, many of you might be thinking “well, nothing’s gone wrong so far; why should I worry?” The answer is “because doing nothing makes exploiting the system very easy.” Malware that’s signed with stolen code-signing certificates is getting past security software. Even the best antivirus software is only somewhat effective at catching malware with a stolen digital signature. That means, if your certificates are compromised (which is pretty easy, if you’ve fallen into any of the above traps), hackers and malicious users can pass viruses and malware off as trustworthy software from your company, tricking thousands into downloading and executing it.
The same goes for HTTPS communications. Having your certificate makes it a lot easier for a hacker to execute a Man-in-the-Middle (M-i-t-M) attack, which can tank your credibility with users really fast.
If we want to improve cybersecurity, for ourselves and for our users, we need to adopt better practices and policies regarding PKI management. It’s not necessarily easy, and it’s rarely cheap, but it’s better than leaving vulnerabilities that can damage people’s lives.
About the Author
Danielle Adams is a freelance writer who writes for a variety of publications including Venafi. When not writing, Danielle enjoys reading tech journals and learning new skills. Danielle can be reached online at Danielle.firstname.lastname@example.org.