Certificate Problems are a Common Cause of Downtime

The broad adoption and use of cryptography throughout modern enterprises is an important innovation and a key tool to improve the security of organizational systems and data. However, cryptography creates some complexities and dependencies that are often not well accounted-for and can lead to system downtime as a result. The use of cryptographic certificates for encryption and authentication is a key source of such downtime.

In a recent survey, 79% of responding organizations said they had suffered at least one certificate-related system outage during 2016; 38% suffered six or more such outages! This is something that we see from time-to-time in our business. Even when an outage is not directly attributable to a certificate problem, it is common to see a system or service restore be significantly delayed due to a difficulty in restoring a certificate or a need to generate or obtain new certificates.

A recent incident at the Department of Homeland Security underscores the risk here. On the morning of Monday, February 20th, 2017, DHS (specifically, Citizenship and Immigration Services) had a domain controller certificate expire, causing many users to be unable to log in to their accounts. Impressively, DHS was able to restore service by 10am, even though this was a federal holiday, so this was almost a best-case scenario. The majority of the organizations responding to the above-mentioned survey said that it would take their organization at least six hours to respond to such an outage.

Some basic guidelines for managing certificates include:
  • Develop organizational policies regarding cryptography, including the requirement that all cryptographic devices and keys be approved by and registered with one central authority (usually IT or the CIO).
  • Track all certificates in a central database (could just be a spreadsheet). Key information should include:
    • System(s) on which the certificate is used
    • Internal party responsible for the certs and/or system
    • External party from which the certificate was obtained, if any, including contact info
    • Expiration date
    • Any necessary notes or instructions on the use of the certificate
  • Store all certificates and parts of certificates in a backed-up location with strict access control and logging. Where possible, use a two-party rule, where the certificates are stored in portions accessible by different parties.
  • Check key services periodically for certificate expiration dates. If the expiration falls within the period of the inspection (i.e., if checking quarterly and a cert will expire in less than three months) create a task to immediately renew/replace the certificate. Be sure to check dependencies, such as upcoming expiration of a certificate authority's signing certificate.
NIST's SP 800-57 series on "Recommendations for Key Management" has more detailed advice concerning managing cryptographic certificates in your enterprise.

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief - Oct 12-18

Image
New Flash Zero-Day Vulnerability Being Actively Exploited Last Tuesday, the same day that Adobe released their regular monthly patches, Trend Micro disclosed their discovery of a new zero-day vulnerability being exploited by the “Pawn Storm” hacking group. The observed activity is directed primarily against various nations’ foreign affairs ministries, but the vulnerability (CVE-2015-7645) is not publicly disclosed and may be subject to further exploitation. Adobe released a new out-of-cycle patch for the issue on Friday evening. http://www.cnet.com/news/another-security-flaw-affects-all-versions-of-adobe-flash/ http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ https://helpx.adobe.com/security/products/flash-player/apsa15-05.html Microsoft Releases Six Patches for IE/Edge, Office, Windows Last Tuesday, Microsoft released six updates that fix about 33 security issues in their browsers, in Windows, and in Office.
Read more