When Yahoo finally admitted in September that a state-sponsored hacker had stolen over 500 million user account details, it made headlines around the world. With the firm now claiming this could lead to Verizon pulling out of its proposed $4.8 billion acquisition, it should serve as a wake-up call for businesses everywhere to improve their cybersecurity. Although the source of the hack has not been made public, it became clear to security researchers that one of the primary ways this massive breach could have been accomplished was by exploiting the failed use of encryption. This is particularly relevant because most organisations are plagued with the chaotic use of encryption and its enabling technologies.
IT leaders need to urgently improve their understanding of these risks, and take concrete steps to improve visibility and control of keys and certificates. If not, they’ll increasingly find the foundation for their IT security program is built on sand.
Foundations of trust
Cryptographic keys and digital certificates form the foundational layer of trust on which the internet is built. They allow anything with an IP address – from a web server to an IoT device – to authenticate each other and establish secure encrypted tunnels between connections. These processes form the basis of security and privacy online. Yet because encryption has worked invisibly in the background for over 20 years, the assets used to secure encryption are not fully understood and increasingly the system has shown itself to be vulnerable to attack. The problem stems from the fact we have more ‘things’ that need to connect and authenticate, which means there has been an explosion in the number of keys and certificates that need to be tracked and protected.
Unfortunately, most businesses are still trying to do this manually on spreadsheets. This means that keys and certificates are often lost, stolen or duplicated without anyone realising. DevOps and fast IT is compounding these problems by creating even more keys and certificates that connect a complex web of applications, systems, services and devices, without consideration of the importance of managing them. This means there are many keys and certificates created that IT security teams are not even aware of. The result is more encrypted tunnels where bad guys hide.
This lack of central visibility, intelligence and automation is a huge blind spot across the organisation. Many firms have no idea how many certificates they even have, and if or when they’re due for renewal. This creates ample opportunity for attackers to easily hide in encrypted tunnels or misuse certificates and masquerade and appear trusted. This problem is being made worse by the increasing commercial pressures most firms are under to deliver innovative new services and applications at ever greater pace. This hunger for speed and innovation is leading businesses to shift to new ways of working, such as agile, bi-modal IT and DevOps; all of which create even greater chaos and confusion around keys and certificates, pushing security concerns to the back of the queue.
The Yahoo challenge
When a major breach happens, organisations invariably announce a range of visible security measures such as password resets. A vital part of this remediation process is to change out any potentially compromised keys and certificates. However, most businesses do not have an automated means of discovering and replacing keys and certificates, which makes this an extremely onerous task. When you consider a large organisation can have hundreds of thousands of keys and certificates, replacing them all manually could take an entire team weeks, and cause untold disruption to end users. As a result, many companies end up skipping this crucial step.
Let’s return to the Yahoo breach. The news was so devastating, it put the entire company in jeopardy. Yet according to Venafi Labs research, the company is still using insecure cryptographic hashing functions which could be cracked and exposed by hackers. Some 41% of external Yahoo certificates we analysed used SHA-1, which most mainstream browsers will cease supporting within months because of security issues. A surprising number used MD5 – another insecure hashing function which also contains serious and well-documented vulnerabilities.
All of this raises a question: did Yahoo have control over encryption and the keys and certificates that enable it? Were they able to deliver these keys and certificates to security systems tasked with looking inside of encrypted traffic for threats? The answer to both of these questions appears to be no. Venafi’s analysis shows that Yahoo’s control over encryption and keys and certificates was chaotic. It’s not surprising that intrusion and exfiltration on the order of magnitude of this breach could have occurred under these conditions.
Venafi Labs also found over a quarter (27%) of certificates on external Yahoo sites hadn’t been reissued since January 2015, when hackers were known to be inside its network. In fact, staff knew that hackers were in the system as far back as 2014. These kinds of mistakes are not unique to Yahoo, they are endemic and they’re exposing organisations to unnecessary security risks. For example, a year after the notorious Heartbleed bug in 2014 three-quarters of firms had not fully remediated this critical vulnerability by replacing all affected keys/certs. All indicators are then that Yahoo’s inability to effectively use and protect encryption and the keys and certificates that enable it helped attacked hide and evade detection.
The Internet of Risk
If even a major technology firm like Yahoo is having problems gaining visibility and control over its digital certificates, then we should assume it is a very real challenge for organisations everywhere. It can be a struggle for organisations of every size to find and quickly replace their certificates, but Yahoo’s woes have demonstrated the potential repercussions of failing to do so.
Gartner predicts that 6.4 billion connected ‘things’ will be in use by the end of this year, rising to 20.8 billion by 2020. This explosion in corporate endpoints, and the primacy of commercial interests over security in DevOps, means these challenges will only grow going forward.
There are no silver bullets when it comes to security. But the first step towards mitigating the risks outlined above must come from improving the discovery and control of keys and certificates. Businesses should automate this process, as well as the reissuance of certificates when they are due to expire or after a breach. Next, set best practice encryption policies, for example, mandating a specific key length and algorithm strength. And look for technology which is able to share key information with security tools so that encrypted traffic can be inspected.
But most importantly, IT leaders need tools which are able to gather information on all of the enterprises keys and certificates to establish a baseline of “normal” behaviour. From there, spotting anomalous or suspicious behaviour becomes far easier and remediation steps can be taken before significant damage is inflicted. It’s vital for firms to wake up to the foundational importance of this issue, or the march of trust-based attacks will continue and the consequences for businesses could be disastrous.
Image Credit: Gil C / Shutterstock