EB: Before we dig a little deeper, what exactly is a digital certificate?
TM: Digital certificates function like user names and passwords do for people. They allow machines to exchange information securely over the Internet. Just like user names and passwords, certificates come with identifying information – such as the name of the certificate holder, an expiration date and a serial number – and are issued by an official, trusted agency known as a ‘Certificate Authority’ (CA) so recipients know they can be trusted.
EB: How do digital certificates work?
TM: Certificates provide identity and access management for machines in the way that passwords do for human users. When we send data anywhere – be it to a website or email server – there is a danger the message could be intercepted by a third party. This is a danger that applies to all online communication and business; there would be no ecommerce if people thought their communications and payment details were not private and secure.
We use encryption as a way around this, and modern encryption requires certificates. Through a system known as Public Key Infrastructure (PKI), certificates are able to verify machine identities and control the flow of information to authorised machines. They can also prevent the flow of information to unauthorised machines. A tangible example of certificates in action is the green padlock we see in our browsers on most websites. The padlock tells us that the certificate on the website has been verified as genuine and trustworthy by the browser we are using. Without the PKI and certificate system, there would be no way for machines to determine that a given website or email server is a) authorised and b) secure.
EB: Why are digital certificates important for security?
TM: Certificates are absolutely foundational to security. We rely on keys and certificates to know which machines can and cannot be trusted. Imagine trying to run a business without knowing if the person you’re sending emails to is really that person or just an imposter. And last year saw one of the biggest cyber heists in the world – the attacks on the SWIFT banking system – being carried out by criminals using stolen or forged certificates in order to appear trusted.
Security professionals need to adopt the same approach to certificates as they have for users – no CISO would accept having thousands of unknown users accessing their networks, yet the average enterprise has around 16,500 unknown certificates on their network.
EB: How can digital certificates be misused?
TM: The misuse of certificates can come in several forms. By abusing certificates – either faking them or stealing them – hackers are able to perform Man-In-The-Middle (MITM) attacks which allow them to intercept and eavesdrop on communications, potentially even altering the communication between two machines. This is particularly worrying when sending sensitive data or payment information. Secondly, certificates can be used to impersonate or spoof websites, making them appear genuine and secure to fool unwitting victims. Finally, certificates can be used to sign malware, making it appear to come from legitimate sources such as Apple or Microsoft. Using a certificate in this way can hugely speed up the rate at which malware is distributed, because if it is signed with a certificate from a trusted source it’s far more likely to be accepted by machines around the world.
EB: How can organisations prevent this?
TM: One of the most important steps for organisations is to gain control over all certificates on their network. Security teams need access to the right tools to enable discovery and automated responses to anomalous behaviour. This allows organisations to find and evaluate all certificates on their network to make sure they are secure and automatically remove any that have been compromised. This involves understanding ‘normal’ behaviour for a certificate and spotting when any are behaving anomalously.
Beyond this, the growth of certificates means automation is crucial – in 2016, 50% of companies increased the number of certificates they use by at least 25%. DevOps and the Internet of Things are set to accelerate this trend for 2017. With so many certificates being created, the pressure on security teams to manage machine identities effectively is only going to increase – so enterprises should make sure that issues such as certificate creation, renewal and replacement are automated as much as possible, preventing any from expiring or being forgotten about.
Finally, because the number and types of machines on enterprise networks are exploding, and because 50% of cyber-attacks escape detection because they hide in encrypted communications, firms must put in place very clear processes and policies to manage machine identities. Questions such as who is responsible for any given certificate need to be understood across all relevant stakeholders. At the same time, policies around how certificates are managed need to be implemented across the global, extended enterprise. Unless these dangers are tackled head on, online trust will continue to be eroded and enterprises exposed to potential disaster.