What do Chet Sherer and George Best have in common? Most of us have heard of George, one of the greatest football (soccer) players to ever step on a field. George died after a long illness in 2005, probably due to years of what could be termed a self-destructive lifestyle. He is famously quoted as saying: “In 1969 I gave up women and alcohol - it was the worst 20 minutes of my life,” and later “I've stopped drinking, but only while I'm asleep.” Chet was a colleague who lived a quiet life, did his job, and recently died suddenly from a burst aorta. Both are gone – the one after years of apparently not looking after his health, and the other through a sudden aortic aneurysm.
George saw the writing on the wall, yet he continued merrily along, unchanging – which reminds me very much of the attitude many organisations are currently taking with their IT security risk practices. Some organisations appear to be living totally oblivious to what may lie around the corner, but the vast majority are simply allowing bad practices to continue in the misguided hope that “…it won’t happen to us”. Surprisingly – during a period when company after company is reporting information breaches (251 in the US alone in the first 5 months of 2011) – most organisations continue to play IT security Russian roulette with their business.
This seeming nonchalance is even more concerning when companies such as RSA Security, Comodo and StartSSL are being compromised – events which, a few months ago, were considered impossible.
Companies that have faced cyber attacks in recent months include Sony, Epsilon, Google, Lockheed Martin, and many banks and government organizations – the growing list a testament to the reality that no one is safe. Every organization is a target. According to Frost and Sullivan, “the global black market for email addresses and national ID numbers is now worth about $5 billion, making it a lucrative area for hackers looking to steal contact information.”
And yet I regularly talk with risk managers who tell me that they have to justify investment in better security management to their directors, who “need to see the business case.” I often wonder how “staying in business and not going bust” fails to plead its own case.
According to an expert at one global tax and advisory organisation, with whom I recently spoke, “Certificate and key lifecycle management is underexposed in most IT audits, and also in other security related engagements the subject is avoided.” And why? Because most organisations have absolutely no control over their encryption assets – encryption keys including asymmetric or private keys, SSH keys, and symmetric keys as well as digital certificates. Risk managers have no way to ensure that policies – if they do exist – are being adhered to. Keys and certificates are strewn throughout the organisation, currently managed – if they are managed – in silos and departmentally.
No one, from the CEO down, has any idea who manages these critical encryption resources or how they are being managed. These organizations have opened themselves to systemic, unquantified and unmanaged risk – with potentially “life threatening” consequences, including security breaches, audit failures and operational failures.
Worse, when the long-ignored issue of key and certificate management is brought to light by a crisis, most organizations are ill-equipped to respond. In my experience, the vast majority of companies do not know how long it would take to remedy a data breach. Very few organisations have a response plan for Public Key Infrastructure (PKI) disasters such as the compromise of a certification authority (CA) or an algorithm that becomes computationally weak. Administrators and stakeholders simply are not trained or prepared to respond to such events.
Every day, another organization reaps the unfortunate consequences of these poor practices in the form of a data breach or of operational downtime while expired certificates and keys are replaced. All this happens much to the chagrin of the IT Security department, which had a plan to begin a project to manage their encryption assets – once they could discover where they were!
Organisations might manage their key and certificate resources as if they had little value, but attackers (including those that are state sponsored) understand the enormous attack leverage they gain from targeting these high-value assets. Recent breaches and compromises at Comodo and RSA Security have demonstrated the very real threat of internal or external compromise, even in organisations that exist to provide security.
When a CA or a private key is compromised, an organisation must immediately suspend normal business operations until it has replaced everything related to the source of the breach. Unfortunately, managers in the vast majority of enterprises wouldn’t know where to start. Only this past week a risk manager in a global financial organisation told me that he didn’t know where their Verisign certificates were installed or even how many purchased certificates were actually being used!
According to Eric Ouellet, Vice President, Secure Business Enablement at Gartner, Inc., “Security, privacy and compliance are driving organisations to deploy encryption key and digital certificate technologies at an aggressive pace. Sensitive, regulated information and systems would be completely exposed without them and organisations are leveraging them increasingly to protect themselves from external threats and internal hackers. Unfortunately, encryption assets can turn into liabilities if managed improperly. Understanding the best practices around how to approach the access controls and centralised management of these encryption assets is of critical importance.”
Risk managers should consider several practical steps based on industry best practices:
1. Clarify the importance of proper encryption deployment and management for the business. Clearly articulate where encryption fits in the organisation’s security architecture, including the threats against which encryption protects. Consider the consequences of a security breach, quantifying the consequences in as concrete terms as possible (such as lost revenue, regulatory fines and IT costs). Similarly, quantify the consequences of operational downtime from issues such as a certificate expiring unexpectedly.
2. Define clear encryption certificate and key management policies, processes, and procedures. These policies might include guidelines for generating certificate requests from authorized CAs, for deploying certificates and private keys in a secure manner, for defining who has access to which keys, and more. Publish these policies, educate all stakeholders, and track/audit compliance. (Note – you are not creating a Certification Practice Statement (CPS) but rather a common sense guide that your staff can understand!)
3. Implement a central inventory and monitoring system to ensure that all encryption assets are accounted for and tracked, that owners for each asset are known, and that notifications are sent for impending certificate expiration, errors and other issues.
4. Wherever possible, automate key and certificate lifecycle management. Automation reduces the need for managers to have direct access to critical components such as private keys, minimizing the risk of a data breach as well as the exposure if a breach does occur.
5. Dedicate sufficient staff to managing the implementation and maintenance of central encryption key and certificate management policies and technologies. (Note: This does mean that you have a “PKI guy.”)
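To make steps 2 and 3 concrete, here is an added example (not from the original article or any vendor product) of the kind of check a central certificate inventory should run: it flags certificates nearing or past expiry, assets with no recorded owner, certificates issued outside the authorised CA list, and, echoing the risk manager who did not know how many purchased certificates were in use, purchased certificates that are not deployed anywhere. The inventory rows, host names, CA names and thresholds are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample inventory (not real hosts): one row per deployed certificate.
INVENTORY = [
    {"host": "www.example.test",  "owner": "web-team", "ca": "ApprovedCA", "not_after": "2011-06-20"},
    {"host": "mail.example.test", "owner": None,       "ca": "ApprovedCA", "not_after": "2011-12-01"},
    {"host": "dev.example.test",  "owner": "dev-team", "ca": "SelfSigned", "not_after": "2012-06-01"},
    {"host": "old.example.test",  "owner": "ops",      "ca": "ApprovedCA", "not_after": "2011-05-01"},
]
# Certificates the organisation paid for, by subject name (constructed).
PURCHASED = {"www.example.test", "mail.example.test", "dev.example.test",
             "old.example.test", "spare.example.test"}
AUTHORIZED_CAS = {"ApprovedCA"}   # policy: only these issuers may be used
WARN_DAYS = (60, 30, 7)           # notification thresholds before expiry


def audit_inventory(records, today, authorized_cas=AUTHORIZED_CAS, warn_days=WARN_DAYS):
    """Return (severity, host, message) findings for expiry, ownership and issuer policy.
    `today` is an ISO date string so the audit can be replayed against a fixed clock."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for rec in records:
        not_after = datetime.strptime(rec["not_after"], "%Y-%m-%d")
        days_left = (not_after - now).days
        if days_left < 0:
            findings.append(("critical", rec["host"], f"expired {-days_left} days ago"))
        else:
            # report against the tightest notification threshold that has been crossed
            for threshold in sorted(warn_days):
                if days_left <= threshold:
                    findings.append(("warning", rec["host"],
                                     f"expires in {days_left} days (within {threshold}-day notice)"))
                    break
        if not rec.get("owner"):
            findings.append(("warning", rec["host"], "no owner recorded"))
        if rec["ca"] not in authorized_cas:
            findings.append(("policy", rec["host"], f"issued by unauthorised CA '{rec['ca']}'"))
    return findings


def unused_purchases(purchased, records):
    """Purchased certificates that are not deployed anywhere in the inventory."""
    deployed = {rec["host"] for rec in records}
    return sorted(purchased - deployed)


if __name__ == "__main__":
    for severity, host, msg in audit_inventory(INVENTORY, "2011-06-01"):
        print(f"[{severity:8}] {host}: {msg}")
    print("purchased but not deployed:", unused_purchases(PURCHASED, INVENTORY))
```

In a real deployment the inventory rows would be populated by scanning hosts and parsing the installed certificates rather than typed in by hand, and the findings would feed the notification channel the policy names.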
Too many risk managers are surprised by security breaches, compromised keys or operational failures that occur from sheer neglect—but they shouldn’t be and neither should you. You can take steps to protect your encryption assets, or you can let it be your CEO on the evening news saying, to paraphrase George Best, “I never went to work in the morning with the intention of getting hacked. It just happened.”