Last year saw the very guardians of data security facing compromises of their own security processes. Gregory Webb, director of marketing at Venafi, details how those data breaches occurred and the lessons the victims learned from them.
There have been some unique and worrying data breaches in the last year. The main question to be answered from our analysis of all these breaches is, have we learned anything from them? The answer will unfold this year. But one thing is certain - not everyone will heed the warnings.
When a company prides itself in providing the most advanced and sophisticated network security solutions - and that company’s own network is hacked - brand insult is added to data injury. Not only must the company compensate customers for their losses, but the breach of information incurs an unquantified cost to its reputation. No-one wants to call on the services of a Fire Brigade whose own fire station burned down. Customers will invariably ask how a company’s information security solutions can protect them if they couldn’t protect the company itself.
In 2011, the world witnessed several cases in which network security companies - RSA, Comodo and StartSSL - themselves fell victim to hacking at a severe cost to their reputation. With DigiNotar recently joining the ranks of trusted third-party security organisations successfully compromised by hackers, enterprises need to move past the shock and begin formulating their own compromise recovery and business continuity plans.
All enterprises need to look at their highest-value assets - servers and applications where sensitive and regulated data flows, and that are protected by certificates. Plans must be in place to recover anytime the trust provider is compromised.
RSA Breach - leaving the backdoor open
RSA, the security division of storage vendor EMC, forms a pillar of the security industry. Its name is so synonymous with security that the RSA Conference, considered one of the premier security conferences, bears its name (though there is no longer any official tie). And yet, in mid-March 2011, RSA was hit by a breach that compromised the two-factor authentication product SecurID used by thousands of its customers.
RSA described the breach as an “advanced persistent threat” (APT), implying that a group with vast resources had targeted RSA over a long period of time. (Some critics contend that RSA is saving face with a too-liberal use of the term - security analyst Scott Crawford called the scheme “plain old phishing.”)
According to RSA, the attackers used “social engineering” tools to glean information on a group of RSA employees by searching social networking sites. The perpetrators fashioned “spear phishing emails” containing personal information that would entice the targets to open the messages. Clicking on the attached Excel file, “2011 Recruitment plan.xls,” unleashed a zero-day exploit that installed a backdoor in victims’ computers through an Adobe Flash vulnerability, since patched. Once in, the hacker was able to sniff around, seeking accounts with higher access privileges than the person originally duped. These privileged accounts allowed the attacker to extract the SecurID credentials from the network, RSA said.
While RSA executive chairman Art Coviello blogged that RSA does not believe the items exposed could be used to steal from a customer, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” Presumably, hackers obtained information that allows them to calculate the one-time passwords generated by a given SecurID product at a given time, thus removing one factor in the authentication and leaving the user’s password to stand on its own.
Sure enough, in late May, news outlets reported an attack on defense contractor Lockheed Martin’s network by hackers who reportedly used duplicate SecurID electronic keys pilfered in the RSA attack. Even though the attack failed, RSA has since offered to replace the SecurID tokens for any customer who wants them.
Comodo Breach - certified for security
Comodo also operates in the security space as, among other things, a Public Key Infrastructure (PKI) Certificate Authority (CA). As a CA, Comodo issues certificates to other entities, attesting that those entities truly represent who they claim to represent. For example, when a browser attempts to establish a Secure Sockets Layer (SSL) connection to a Web site, the site presents its CA-signed certificate to authenticate itself as legitimate. If hackers can trick a CA into signing their fraudulent certificate requests, they can pose as Google, Yahoo or, worse, a bank. They can then freely download malware, for instance, to users’ computers or trick users into exposing their financial account credentials.
Comodo discovered in March last year that it had inadvertently granted certificates to an Iranian hacker who called himself “Comodo Hacker” in a blog post. Somewhat like RSA, Comodo has attempted to present the attack as a vast, state-sponsored affair. Comodo’s CEO and founder, Melih Abdulhayoglu, blogged that Comodo interpreted the breach as “‘state driven/funded’ attacks…from Iran.”
However, Comodo Hacker challenged this interpretation. Although supportive of the Iranian regime, Comodo Hacker acted alone. He wrote, “I'm not a group. I'm [a] single hacker with [the] experience of 1,000 hackers. I'm [a] single programmer with [the] experience of 1,000 programmers.”
News reports stated that the digital certificates were obtained from an affiliate of Comodo by someone who used a valid username and password. Comodo acted quickly by revoking the fraudulent certificates through an update to popular browsers like Internet Explorer, Firefox and Chrome. Comodo further assured its customers that it had suspended the two affiliated businesses that were supposed to vet certificate applications.
But analysts have noted serious flaws in Comodo’s processes. That the requester had an Iranian IP address should have raised eyebrows, as well as the fact that the requests were for well-known sites such as Google, Yahoo, Mozilla and Skype. Some security experts contend that cleaning up the fraudulently obtained Comodo certificates only deals with the known attack. To combat unknown risks, someone should cross-check the work of all CAs - besides Comodo, the leading ones are VeriSign and GoDaddy - to catch mistakes like these.
Learning the lessons
The biggest lesson learned is that virtually any company - security vendor or otherwise - is vulnerable, such is the insecure nature of the Internet. Comodo, DigiNotar and RSA showed the world that despite, for lack of a better description, “rock-solid security”, the inevitable can happen. Despite the irony of these successful attacks against two of the world’s pre-eminent security companies, these vendors found themselves as vulnerable as any to attacks that targeted employees and practices, rather than specific technologies and security systems. Companies that haven’t yet suffered a breach, or who are unaware if they have, should be grateful that RSA, Comodo and now DigiNotar are now shining a light on how to improve the situation.
For example, the Comodo and DigiNotar breaches illuminate the key role that humans play in all security efforts. As third-party trust providers, both certificate authorities learned the necessity of counteracting human error with well-documented policies and built-in dual controls for issuing and managing certificates.
RSA’s breach followed a slightly different pattern. But the company learned a similar lesson in the importance of confronting security risks - not merely with new technologies, but with better practices. Uri Rivner, head of new technologies and consumer identity protection at RSA, blogged that RSA is building a whole new “defense doctrine” to respond to the attacks.
In the same way, with advanced and improved defence practices and management, enterprises can continue to send data more securely across the Internet despite new and increasing attacks. Placing particular emphasis on the human element in the latest attacks, Rivner wrote: “It’s time to respond as an industry, define and execute a new defence doctrine based on information sharing, deep analytics and advanced threat management.”
Further, few organisations have a management platform in place that gives them the power to replace compromised certificates quickly. Without one, the replacement of known, compromised certificates is largely a manual effort. This forces organisations to continue operations in a compromised condition - possibly for many months - while the thousands of compromised certificates are manually replaced. In some cases, that may not even be an option and entire systems may have to be shut down until remediated.
Gartner’s view on certificate management
Late in November 2011, Gartner published a report related to X.509 Certificate Management. It makes fascinating, compelling and necessary reading for all organisations. Some of the key findings in the report are:
• Many high-profile, externally-facing and internally-facing system outages are a result of X.509 certificate expiry.
• Most organisations rely on spreadsheet-based tracking methods and manual processes to keep track of certificates, resulting in increased exposure to risks.
• Organisations with roughly 200 or more X.509 certificates in use and using manual processes typically need one full-time equivalent staff member per year to manage certificates within their organisations.
• Service outages due to unplanned certificate expiration impact service availability and can lead to non-compliance with regulatory or other requirements.
Recommendations in the report include:
• Organisations with roughly 200 or more documented X.509 certificates in use are at high risk and should begin a formalised discovery process immediately.
• Organisations need to create an inventory of X.509 certificates and certificate issuers to minimise the impact and downtime in the event of a certificate issuer compromise, suspected compromise or attack, as seen over the past 18 months involving several certificate authorities.
• Organisations need to plan for and practice what they will do in the event of a certificate authority compromise in the context of a security incident.
(The full report can be downloaded from: http://bit.ly/yA5T4m)
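The inventory and issuer-compromise planning that the report recommends can be sketched in a few lines. The following is an added example, not code from the article, from Venafi or from Gartner; it assumes a constructed inventory export (hypothetical hosts, issuer names and serials) with one certificate per line, and shows how an inventory answers two questions a response plan needs: how many certificates depend on each issuer, and which ones must be replaced first once an issuer is declared compromised or an expiry is imminent.

```python
"""Prioritise X.509 certificate remediation from a simple inventory export.

Added example (not the article's or Venafi's code). Assumes an inventory with
one certificate per line: host, issuer CN, serial, notAfter as an ISO date.
"""
from __future__ import annotations

import csv
from collections import Counter
from datetime import date, datetime
from io import StringIO

# Constructed sample inventory: hypothetical hosts, issuers and serials.
INVENTORY_CSV = """host,issuer,serial,not_after
www.example.test,Example Root CA,0A1B,2012-03-01
mail.example.test,Compromised Issuer CA,0A1C,2012-09-15
vpn.example.test,Example Root CA,0A1D,2011-12-20
api.example.test,Other CA,0A1E,2013-01-10
"""


def load_inventory(text: str) -> list[dict]:
    """Parse the CSV export; notAfter becomes a date for arithmetic."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["not_after"] = datetime.strptime(row["not_after"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def issuer_exposure(rows: list[dict]) -> dict[str, int]:
    """Certificates that would need replacing if each issuer were compromised."""
    return dict(Counter(r["issuer"] for r in rows))


def remediation_plan(rows: list[dict], today: date, compromised_issuers: set[str],
                     renew_window_days: int = 30) -> list[tuple[str, str, int]]:
    """Assign each certificate an action and return (host, action, days_left),
    most urgent first: issuer compromise outranks an expiry already missed,
    which outranks an expiry due within the renewal window."""
    plan = []
    for r in rows:
        days_left = (r["not_after"] - today).days
        if r["issuer"] in compromised_issuers:
            rank, action = 0, "replace_now"
        elif days_left < 0:
            rank, action = 1, "expired"
        elif days_left <= renew_window_days:
            rank, action = 2, "renew_soon"
        else:
            rank, action = 3, "ok"
        plan.append((rank, days_left, r["host"], action))
    plan.sort()
    return [(host, action, days) for _, days, host, action in plan]
```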
With hackers operating on the inside, attempting to extract data by leveraging legitimate users’ access, enterprises must respond with better processes for managing and auditing all means of access to critical data, whether user accounts or the asymmetric encryption keys that are used as credentials by applications and servers. Better access and audit controls will enable companies to contain breaches and to discover them more quickly.
And by shoring up this element in defence - the neglect of which can cause embarrassing data breaches in the most security technology-driven of companies - enterprises reduce the risk of becoming this year’s next high-profile victim.