Certificate Authority Security: Seven Ways to Defend Against Hacking
According to Symantec and the Online Trust Alliance (OTA), CAs should ensure the correct and secure operation of CA information processing facilities, minimize the risk of system failure and malware infection, and develop incident reporting and response procedures. In addition, steps should be taken to protect media from theft, loss or damage and to prevent unauthorized account access, and revocation systems for employee and partner access should be in place and tested.
There were a number of high-profile cyber-attacks targeting certificate authorities, including one that ultimately forced the embattled company DigiNotar to close its doors for good. In the case of DigiNotar, a hacker compromised its systems and issued fraudulent Secure Sockets Layer (SSL) certificates for several domains, including Google.com and Yahoo. In the aftermath of the attack, the hacker used the fake Google certificate to launch man-in-the-middle attacks against people—primarily in Iran—who were using Google services. Aside from DigiNotar, CAs such as KPN, GlobalSign and Comodo were also hit by security breaches. And in late September, Adobe Systems had to revoke trust in a digital certificate that attackers had used to sign malicious utilities. For many, these incidents highlighted the fragility of trust on the Internet and put a spotlight on the importance of tightening standards for SSL certificates. In August, the National Institute of Standards and Technology (NIST) and security vendor Venafi published guidelines to help organizations prepare for possible breaches at certificate authorities. But what about protecting the CAs themselves? In this slide show, we detail advice from Venafi, GlobalSign and others that can help keep CAs safe, and help your organization prepare for the worst in the event of a CA compromise.