Certificate Problems are a Common Cause of Downtime

The broad adoption and use of cryptography throughout modern enterprises is an important innovation and a key tool to improve the security of organizational systems and data. However, cryptography creates some complexities and dependencies that are often not well accounted-for and can lead to system downtime as a result. The use of cryptographic certificates for encryption and authentication is a key source of such downtime.

In a recent survey, 79% of responding organizations said they had suffered at least one certificate-related system outage during 2016; 38% suffered six or more such outages! This is something that we see from time-to-time in our business. Even when an outage is not directly attributable to a certificate problem, it is common to see a system or service restore be significantly delayed due to a difficulty in restoring a certificate or a need to generate or obtain new certificates.

A recent incident at the Department of Homeland Security underscores the risk here. On the morning of Monday, February 20th, 2017, DHS (specifically, Citizenship and Immigration Services) had a domain controller certificate expire, causing many users to be unable to log in to their accounts. Impressively, DHS was able to restore service by 10am, even though this was a federal holiday, so this was almost a best-case scenario. The majority of the organizations responding to the above-mentioned survey said that it would take their organization at least six hours to respond to such an outage.

Some basic guidelines for managing certificates include:
  • Develop organizational policies regarding cryptography, including the requirement that all cryptographic devices and keys be approved by and registered with one central authority (usually IT or the CIO).
  • Track all certificates in a central database (could just be a spreadsheet). Key information should include:
    • System(s) on which the certificate is used
    • Internal party responsible for the certs and/or system
    • External party from which the certificate was obtained, if any, including contact info
    • Expiration date
    • Any necessary notes or instructions on the use of the certificate
  • Store all certificates and parts of certificates in a backed-up location with strict access control and logging. Where possible, use a two-party rule, where the certificates are stored in portions accessible by different parties.
  • Check key services periodically for certificate expiration dates. If the expiration falls within the period of the inspection (i.e., if checking quarterly and a cert will expire in less than three months) create a task to immediately renew/replace the certificate. Be sure to check dependencies, such as upcoming expiration of a certificate authority's signing certificate.
NIST's SP 800-57 series on "Recommendations for Key Management" has more detailed advice concerning managing cryptographic certificates in your enterprise.

Comments

Post a Comment

Popular posts from this blog

Vulnerability in Cisco Devices VPN Functionality

Image
A few weeks ago a vulnerability was publicized in the VPN functionality of Cisco PIX firewalls, along with a tool to exploit it. This exploit was part of the Shadow Brokers dump of tools allegedly stolen from the NSA; in this case it was the BENIGNCERTAIN tool. This exploit was viewed as being of limited impact, since Cisco discontinued support for the PIX firewall years ago in favor or their newer ASA firewall line. This weekend it was announced that the same vulnerability exists in the IOS software that powers the vast majority of Cisco devices. This means that Cisco routers and routing switches with VPN functionality can be exploited with the BENIGNCERTAIN tool as well, rendering their VPN sessions subject to snooping. The vulnerability affects all versions of IOS going back to 12.2, as well as most versions IOS XR and IOS XE. Cisco has not yet released updated software to fix this issue, and they say there are no work-arounds; they have, however, published intrusion detectio...
Read more

Weekly Infosec News Brief – Mar 09-15, 2015

Microsoft Releases Fourteen Patches, Five Critical, on Patch Tuesday Last Tuesday, on this month’s “Patch Tuesday,” Microsoft released security bulletins on fourteen new vulnerabilities, five of which can lead to critical remote code execution exploits. The Office update (MS15-022) is particularly important, as it is the first new remotely-exploitable Office document vulnerability announced in some time. The other four critical bulletins are all remotely exploitable via malicious websites viewed using Internet Explorer, or possibly even other browsers in the case of MS15-021. https://technet.microsoft.com/en-us/library/security/ms15-mar.aspx https://isc.sans.edu/forums/diary/Microsoft+March+Patch+Tuesday/19445/ One March Microsoft Update Causing Problems on Some PCs On some Windows 7 computers, the KB3033929 update released last week has been causing continuous reboot loops. The update provides important new security capabilities, but does not patch a serious vulnerability. Th...
Read more

Ransomware Attack on Office365 Corporate Users

Image
A phishing campaign was discovered last week that targeted possibly millions of users of Microsoft's Office365 Corporate service. The campaign was delivering the Cerber ransomware, which encrypts documents, videos, and photos on the compromised computer, as well as any network file shares to which the compromised computer is attached, and then demands a ransom to provide the ability to decrypt them. The malware was delivered via a document with malicious macros embedded in it. Previous versions of Cerber were delivered via web-based exploits that exploited Flash vulnerabilities. The malware was able to bypass the built-in security tools in Office365, but was detected using the Check Point SandBlast malware protection system. The SandBlast technology can run on a Check Point firewall, as an agent on network endpoints, or as a cloud-based service. To learn more about Check Point Sandblast, contact Anchor.
Read more