CAs Need to Invest in Infrastructure, Stronger Business Processes

There's nothing wrong with the SSL system or the certificate authorities, Symantec said. CAs just need to improve their security.

In the wake of the breach of the Dutch certificate authority DigiNotar, in which several hundred fraudulent digital certificates were issued, many security researchers claimed the certificate authority system was irrevocably broken and that a new system was necessary to establish online trust. One CA, Symantec, argues that the incident simply reinforces that CAs need to improve their security processes.

Secure Sockets Layer (SSL) technology remains secure as attackers haven't compromised the encryption algorithm, Michael Lin, senior director of trust services at Symantec, told eWEEK. What needs to change are the policies and processes around how certificate authorities issue and validate SSL certificates, according to Lin.

Over 650 companies are authorized to issue SSL certificates, according to the Electronic Frontier Foundation. When a user navigates to a website, the browser relies on the site's SSL certificate, and on the fact that it was signed by a CA the browser trusts, to confirm that the user is on the legitimate site and not a fake copy. With a fraudulent certificate signed by any one of those trusted CAs, attackers can launch man-in-the-middle attacks that allow them to eavesdrop on Internet users and intercept sensitive information.

"SSL is perfectly viable as a technology, but CAs need to implement minimum standards" to keep the system secure and working, Lin said.

Organizations need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no holes exist that can be exploited, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped, according to Lin.

There is nothing wrong with having so many certificate authorities, but the bar that needs to be met to become one is currently too low, according to Lin. Symantec is currently working on a white paper outlining what some of the minimum requirements should be, some of which were outlined on the Symantec Connect blog by Fran Rosch, vice president of trust services at Symantec.

Some of the requirements include using specially designed hardened facilities to defend against attacks, using hardware-based cryptographic signature systems, separating out SSL certificate systems from corporate systems, and enforcing strong password and access-control policies, Rosch wrote.

"No security infrastructure is immune to breaches," but organizations should be "investing in infrastructure," Lin said.

There is a common misperception that just because an organization is in the security space, it is "magically more secure," Marc Maiffret, CTO of eEye Digital Security, told eWEEK. "Actually, they face the same security challenges as everyone else," Maiffret said, suggesting that other organizations can learn from the DigiNotar incident as well.

Most organizations tend to think in terms of which technology to buy next to meet a specific threat, instead of looking at the root cause, such as configuration errors or unresolved vulnerabilities, according to Maiffret. They are looking for the best antivirus or the best intrusion-detection system, but they aren't looking at the Web application to ensure it isn't susceptible to a SQL injection attack or that all known vulnerabilities have been patched with the latest software, he said.

Having a lot of technology means there is more data about what's happening, but for some organizations, more data results in more noise to ignore, not more security, according to Maiffret.

For many years, security was about "set it up and forget it," said Maiffret, but the volume of threats and the increasingly sophisticated nature of attacks means organizations have to keep an eye on the fundamentals and customize their architecture.

Some companies may have all the right technology, but may be using it incorrectly because they didn't realize they made a mistake setting it up, Maiffret said. Or they are using it in a standard configuration, which means attackers know exactly what the setup looks like and craft their attacks accordingly. If organizations architect the network and deploy security differently from what vendors suggested as the default, they are throwing a curveball and making it harder to breach, according to Maiffret.

Securing the organization is not a technology challenge, but rather a business process, Maiffret said.

Symantec's Lin also said that certificate authorities need to be monitoring the infrastructure so that anomalies are detected immediately. More importantly, the organization needs to disclose the incident immediately, even if it thinks the problem has been resolved, so that everyone else is alert and on the lookout for problems, Lin said.

CAs can't just focus on their own infrastructure, but should hold their partners to the same standard, Lin said. The attacks on Comodo earlier this year were actually on its resellers, and it is important that the same rigorous standards, such as third-party audits, strong authentication and access policies, be followed there as well, according to Lin. Symantec requires all its partners to meet the same standards or risk having the relationship severed, Lin said.