To give you an idea of what I am talking about, let’s take a look at the same lost keys example. When you lose a house key you know how many keys you had and how many locks you have to change. When it comes to certificates and keys it is not just that the market has lost them; most organizations simply do not know how many keys they have, how many copies of those keys exist, or which systems are running them. This was the conversation we had when we met up with Tammy Moskites to talk about her new position at Venafi.
The concept of certificates, encryption keys and even secure communication was shattered more than once in the last few years. Edward Snowden, Heartbleed, Stuxnet, Duqu and more caused most of us to realize that simply having a certificate and using SSL/TLS or another “secure” connection is not enough. If you do not know what you have, how can you protect it? While companies are spending millions of dollars on security hardware and software, they are still missing basic inventories of certificates, keys, users, credentials and more. Tammy stated that this has got to change, and she is very right. The threat landscape is changing rapidly as the tools we take for granted are compromised.
Tammy expressed a concern about the way the industry has ignored this critical component, stating that threat actors (she hates the term “bad guys”) are changing their tactics and attacking the trust system itself. To understand the threat you need to understand that almost every device you put into a modern network carries some form of key or certificate. This might be a self-signed SSL/TLS certificate for the web UI or an SSH host key (telnet, which offers no key or certificate at all, should die in flames), but you are going to have at least one per device. This means that many companies have hundreds, if not thousands, of certificates and keys in play.
Tammy was quick to explain that many vendors and certificate authorities are not going to help with this issue. They really just want to sell their product rather than help companies get a handle on what is going on. So you end up with multiple certificates and keys from multiple companies, all with different key lengths, algorithms and expiration dates. To say it is a mess is something of a massive understatement.
So what do you do about this massive mess? Well, there are a few changes in culture that need to happen first. Tammy very clearly stated that people have to begin to understand the expanse of keys and certificates in their environment. Without a handle on the basics you are really just spinning your wheels. From there some “normal” policies need to change. Development teams need to stop pushing self-signed or out-of-band certs for code signing. The same goes for automatically trusting the certificates that ship preinstalled on systems such as Cisco Prime or VMware products. However, that is not enough. There also has to be some means of getting a handle on the vast number of these items in the wild.
While Venafi can only make suggestions about changing culture, they are able to offer more substantial help with the second problem (although they are quick to say they are not just selling something). Venafi offers consulting to help companies get a handle on the number of certificates and keys they really have, not just the active ones. When certificates are renewed or changed, the old certificate and its private key are not always cleaned up, and a leftover key that is still trusted somewhere can in some cases be used against a corporation to gain access. By building an inventory and establishing a list of known good and known not good, you gain a far better understanding of what you might really have in your environment. This type of inventory also helps you catch the “non-secure” certificates: someone uses the wrong cert, or buys a cheap one just to get something done, and you end up with a short key, a weak signature algorithm, or a private key that was generated in a vendor’s web portal and passed around by email. Whether the certificate came from GoDaddy, Thawte or anyone else, the certificate itself is public data; having a copy of it does not let anyone generate or recover the private key. The Windows command sometimes cited for this, certutil -repairstore with the certificate’s serial number, only re-links a certificate to a private key that is already present in the local key store. It is the mishandled private key, not the certificate, that hands an attacker a working identity.
Venafi also has a method of checking whether this might have happened. Using TrustNet you can scan the internet looking for your certificates, to see if anyone else is using them and to check the reputation of your external certificates and keys. When you find a problem you can use the TrustForce utility to re-key the existing certificate; note that a stolen copy of the old certificate remains valid to clients until it expires or is revoked, so re-keying needs to go hand in hand with revocation. Venafi’s Trust Platform solution also gives you a better handle on when certificates are up for renewal, which is a very nice touch. On top of all of this there are controls to automate many of the processes that otherwise have to be done manually, and you can control who has access to renew, purchase and re-key certificates in an organization.
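What the inventory, the known-good list and the re-key cycle described above look like in practice, as an added example written for this piece rather than anything from Venafi or the original post: the program below mints a handful of test certificates in memory (an internal CA, a CA-issued web cert, a 1024-bit self-signed printer cert and an expired cert; every name is made up), runs the basic hygiene checks, derives an allow-list of SHA-256 fingerprints, then re-keys the web cert and shows that the old fingerprint, the one a stolen copy would present to a scanner, drops off the allow-list. It uses only Go's standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: which certificate, and why it is or is not acceptable.
type Finding struct {
	Subject     string
	Fingerprint string   // SHA-256 over the DER: the stable identity of this exact certificate
	Issues      []string // empty means "known good"
}

func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Inventory applies the hygiene checks the article calls for: expiry and renewal
// window, key size, signature algorithm, and self-signed leaves someone "just pushed".
func Inventory(certs []*x509.Certificate, now time.Time) []Finding {
	var out []Finding
	for _, c := range certs {
		f := Finding{Subject: c.Subject.CommonName, Fingerprint: Fingerprint(c)}
		if now.After(c.NotAfter) {
			f.Issues = append(f.Issues, "expired")
		} else if c.NotAfter.Sub(now) < 30*24*time.Hour {
			f.Issues = append(f.Issues, "renew within 30 days")
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			f.Issues = append(f.Issues, fmt.Sprintf("weak RSA key (%d bits)", k.N.BitLen()))
		}
		switch c.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
			f.Issues = append(f.Issues, "weak signature: "+c.SignatureAlgorithm.String())
		}
		// Issued by itself and verifiable with its own key: fine for a root CA, not for a leaf.
		if c.Issuer.String() == c.Subject.String() && !c.IsCA &&
			c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			f.Issues = append(f.Issues, "self-signed leaf")
		}
		out = append(out, f)
	}
	return out
}

// KnownGood is the allow-list: fingerprints that came through Inventory clean.
func KnownGood(findings []Finding) map[string]bool {
	good := map[string]bool{}
	for _, f := range findings {
		if len(f.Issues) == 0 {
			good[f.Fingerprint] = true
		}
	}
	return good
}

// makeCert mints a test certificate in memory (a fixture: errors ignored, no key-usage
// extensions). parent == nil makes it self-signed; the key is fresh every call, so a repeat is a re-key.
func makeCert(cn string, bits int, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notAfter.AddDate(-1, 0, 0),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	now := time.Now()
	ca, caKey := makeCert("Example Internal CA", 2048, now.AddDate(10, 0, 0), true, nil, nil)
	web, _ := makeCert("www.example.test", 2048, now.AddDate(1, 0, 0), false, ca, caKey)
	printer, _ := makeCert("printer.example.test", 1024, now.AddDate(1, 0, 0), false, nil, nil)
	stale, _ := makeCert("old.example.test", 2048, now.AddDate(0, -1, 0), false, ca, caKey)
	findings := Inventory([]*x509.Certificate{ca, web, printer, stale}, now)
	for _, f := range findings {
		fmt.Printf("%-22s %s...  %v\n", f.Subject, f.Fingerprint[:16], f.Issues)
	}
	// Re-key www: same name, new key, new cert. The old fingerprint is off the next allow-list.
	rekeyed, _ := makeCert("www.example.test", 2048, now.AddDate(1, 0, 0), false, ca, caKey)
	allow := KnownGood(Inventory([]*x509.Certificate{ca, rekeyed, printer, stale}, now))
	fmt.Println("old www allowed:", allow[Fingerprint(web)], "re-keyed www allowed:", allow[Fingerprint(rekeyed)])
}
```

Run it with go run. In a real external scan the certificates fed to Inventory and compared against KnownGood would come from the endpoints themselves: a tls.Dial with InsecureSkipVerify set (you are cataloguing, not trusting) and ConnectionState().PeerCertificates[0] is exactly the leaf a third party sees. A fingerprint that is not on the allow-list is either a stale copy that should have been retired or a certificate nobody knew about; and, as noted above, re-keying alone does not invalidate a stolen copy of the old certificate, so the old serial also needs to be revoked.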
Of course there is more to Venafi’s solution, but it was clear to me that this was not the whole reason for our chat with Tammy. Instead of pitching a solution or a product, it was clear that she wanted to talk about the much more systemic issue of securing trust (certs and keys) and how to get people to understand that this must be more of a focus in IT security. The current mindset of buying costly solutions to protect networks is broken when you face the simple fact that the basic trust systems are already compromised. SSL/TLS, SSH and even telnet are all doors into your network. Right now most organizations simply do not know where all of the keys to these doors are, and that is a scary thought.