With the rise of cybercrime, companies are investing significant amounts in information security in order to protect themselves, their employees and partners, but in the end that might not be enough.
The most common technology used to protect confidential data in transit is Secure Sockets Layer (SSL), today superseded by its successor, Transport Layer Security (TLS), although most people still say "SSL". Yet is SSL encryption enough to protect a company from industrial espionage and other malicious activities that would lead to sensitive data falling into the wrong hands? It should be, but that is not always the case. Too many companies ignore the fact that they are responsible for the private key that corresponds to the public key in their SSL certificate.
There are basically two key components to an SSL certificate: the public key, which is embedded in the certificate and available to anyone, and the private key, which stays with the company. In the classic RSA key exchange the client uses the public key to encrypt the session secret and the server uses the private key to decrypt it, turning the session into readable information. An attacker with a copy of that private key can therefore decrypt every session negotiated this way, including traffic recorded months earlier. With cipher suites that use ephemeral Diffie-Hellman (forward secrecy), the private key only signs the handshake rather than decrypting it, so recorded traffic stays safe, but the attacker can still impersonate the server and intercept new connections. Either way, imagine user credentials, credit card details, sales proposals, sensitive HR information, internal communication etc. falling into the wrong hands.
If your networks or systems are compromised in any way and your private keys are not properly protected, then you could become the victim of a major security breach even though you are using SSL from a reputable Certificate Authority. Consider that with control of your private keys an attacker could set up a phishing site presenting your genuine certificate, which browsers would accept without a single warning (all they need in addition is a way to steer victims to it, such as DNS tampering), and cause irreparable damage to your company's reputation. So if you lose your private keys, it could be game over.
Compromised keys? Bad news.
If you do not store your private keys within a secure, well-managed infrastructure, then you’re making it easy for hackers and criminals to read encrypted traffic, including SSL-encrypted customer data, or create more convincing fake websites. What’s worse, you’ll have no idea they are doing it.
The cracks your keys can slip through
In fact, the easiest way to penetrate a company's defences might not be to go straight through the firewall but rather to use social engineering to gain access to your internal network. Once inside your network, locating the private keys might be a very easy task for an attacker. And if the attacker is an internal threat, a disgruntled employee or consultant, he or she wouldn't even have to compromise your security mechanisms to gain access to your private keys. Restricting access to your private keys should be a top priority for any company.
Private keys aren't only used for SSL and secure communication but for any type of encryption or signing. Is your database encrypted? Then there's a key (typically a symmetric data key, often itself protected by a key-encryption key) that needs to be protected just as carefully. Is your software signed with a Code Signing certificate to authenticate the origin of the software to your customers? Then there's a private key that needs to be protected, and one whose theft lets an attacker ship malware under your name.
Gartner has some chilling words on this subject ‘As you secure your enterprise systems, remember that insiders with privileged and knowledgeable access can cause significantly more damage than an outside hacker acting alone.’
In today's threat environment, multi-layer security is not a nice-to-have but a must-have. Firewalls, anti-virus software and intrusion detection/prevention systems are necessary to keep attackers from gaining access to your data. Unfortunately, poor management, too many administrators and easily broken passwords all make it easy for people to get hold of your most important digital assets: the encryption keys that unlock the doors to almost everything.
Keeping your keys safe
Some straightforward procedures can make a big difference when it comes to private key security. My colleague Fran Rosch blogged about this in the past here, but it's good to remind ourselves:
- Implement file integrity monitoring (or an intrusion prevention system with that capability) that alerts on any access to or tampering with your private key files, so that a copy being made does not go unnoticed
- If you’re using a third party hosting provider, ask them what measures they have in place to protect private keys
- Keep track of how many copies are made of your private keys and exactly which machines they are stored on, and keep both to a minimum
- Where possible, store private keys on machines that are connected to neither the internet nor the company LAN, or better still generate and keep them in a hardware security module (HSM) or similar device from which the key cannot be exported, in order to reduce exposure to hackers or intruders
- Consider using an automated certificate and key management system to reduce human involvement in the private key generation and storage process
- Use strong passwords and limit access to servers to trusted, even vetted, security managers or higher-level admins. Consider using a second factor of authentication
- Regularly change passwords, and be sure to have different passwords for each of your keystore locations.
- Anytime a member of the administration team changes, change the keystore passwords and update processes
- Reduce proliferation. Never email, save copies or back up private keys unnecessarily
- Consider generating new private keys at least annually (renewing the certificate on the same key does not help if the key has already leaked) and always do so if a security event happens
- Minimise the number of people who have access to your keystores and consider having separate administrators for managing the passwords for the keystore and for managing the systems where the keystores reside
- Adopt a proactive approach to personnel security.
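The list above reads as a procedure, so here is an added example (my own, not code from the original post or from its author) of how several of the items can be checked in practice on a POSIX system. The Python script walks a directory tree and reports private-key files that are group- or world-readable (limit access), PEM keys stored without a passphrase, the same key present in more than one place (track copies, reduce proliferation), and keys that changed or disappeared relative to a recorded baseline (monitor tampering). The directory layout, file names and PEM blobs in build_demo_tree() are constructed for the demo; the base64 bodies are placeholders, not real keys, and the permission check assumes POSIX mode bits.

```python
"""Audit a directory tree for private-key files: loose permissions,
unencrypted PEM keys, duplicate copies and drift from a baseline.
Added example, not from the original post; all sample data is constructed."""
import hashlib
import stat
import tempfile
from pathlib import Path

# PEM markers for private keys (legacy OpenSSL, PKCS#8, OpenSSH).
KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----",
               b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
               b"-----BEGIN OPENSSH PRIVATE KEY-----")


def is_private_key(data: bytes) -> bool:
    """True if the file content carries any PEM private-key marker."""
    return any(marker in data for marker in KEY_MARKERS)


def is_encrypted(data: bytes) -> bool:
    """True for passphrase-protected PEM keys: PKCS#8 has a dedicated header,
    legacy OpenSSL keys carry a 'Proc-Type: 4,ENCRYPTED' line. OpenSSH keys
    are not parsed and are (conservatively) reported as unencrypted."""
    return b"BEGIN ENCRYPTED PRIVATE KEY" in data or b"Proc-Type: 4,ENCRYPTED" in data


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_key_files(root, baseline=None):
    """Walk `root`; return findings as sorted lists. `baseline` is an optional
    {relative_path: sha256hex} mapping recorded on a trusted earlier run."""
    root = Path(root)
    keys, loose, plain, by_hash = {}, [], [], {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not is_private_key(data):
            continue
        rel = path.relative_to(root).as_posix()
        keys[rel] = digest = sha256hex(data)
        # Any group/other permission bit on a private key is a finding.
        if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append(rel)
        if not is_encrypted(data):
            plain.append(rel)
        by_hash.setdefault(digest, []).append(rel)   # identical content = copy
    findings = {
        "keys": dict(sorted(keys.items())),
        "loose_perms": sorted(loose),
        "unencrypted": sorted(plain),
        "duplicates": sorted(sorted(p) for p in by_hash.values() if len(p) > 1),
        "modified": [], "missing": [],
    }
    for rel, digest in sorted((baseline or {}).items()):
        if rel not in keys:
            findings["missing"].append(rel)
        elif keys[rel] != digest:
            findings["modified"].append(rel)
    return findings


# Constructed sample material; the base64 bodies are placeholders, not keys.
FAKE_KEY = (b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFconstructed\n"
            b"-----END PRIVATE KEY-----\n")
FAKE_ENC_KEY = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkqhkiG9w0BBQ0wconstructed\n"
                b"-----END ENCRYPTED PRIVATE KEY-----\n")
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIDconstructed\n-----END CERTIFICATE-----\n"


def build_demo_tree(root=None):
    """Create a small constructed layout (hypothetical paths) and return its root."""
    root = Path(root or tempfile.mkdtemp(prefix="keyaudit-"))
    private, backup = root / "etc/ssl/private", root / "home/bob/backup"
    private.mkdir(parents=True)
    backup.mkdir(parents=True)
    for path, data, mode in (
        (private / "www.key", FAKE_ENC_KEY, 0o600),   # stored properly
        (private / "www.crt", FAKE_CERT, 0o644),      # not a key, ignored
        (private / "api.key", FAKE_KEY, 0o600),       # no passphrase
        (backup / "www.key.bak", FAKE_ENC_KEY, 0o644),  # stray, world-readable copy
    ):
        path.write_bytes(data)
        path.chmod(mode)
    return root


def demo():
    """Audit the demo tree against a baseline that records a different hash
    for api.key (tampered since) and lists old.key (since removed)."""
    baseline = {"etc/ssl/private/www.key": sha256hex(FAKE_ENC_KEY),
                "etc/ssl/private/api.key": "0" * 64,
                "etc/ssl/private/old.key": "1" * 64}
    return audit_key_files(build_demo_tree(), baseline)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

Run it periodically from a host the key administrators control, feeding it the real keystore directories and a baseline file written on a known-good day; the `duplicates` list answers the "how many copies, on which machines" question for one host, and `loose_perms` and `unencrypted` are the two findings most often behind a silently copied key.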
Some of these steps may seem simple, but you wouldn’t take any chances with the keys to your house, so why treat your digital ones any differently?