    CAs Need to Invest in Infrastructure, Stronger Business Processes

    Written by

    Fahmida Y. Rashid
    Published September 19, 2011

      In the wake of the breach on the Dutch certificate authority in which several hundred fraudulent digital certificates were issued, many security researchers claimed the certificate authority system was irrevocably broken and a new system was necessary to establish online trust. One CA, Symantec, argues that the incident just reinforces that CAs need to improve their security processes.

      Secure Sockets Layer (SSL) technology remains secure as attackers haven’t compromised the encryption algorithm, Michael Lin, senior director of trust services at Symantec, told eWEEK. What needs to change are the policies and processes around how certificate authorities issue and validate SSL certificates, according to Lin.

      Over 650 companies are authorized to issue SSL certificates, according to the Electronic Frontier Foundation. When a user navigates to a Website, the browser relies on the site’s SSL certificate to confirm that the user is on the legitimate site and not a fake copy. With a fake certificate, malicious perpetrators can launch man-in-the-middle attacks that allow them to eavesdrop on Internet users and intercept sensitive information.

      “SSL is perfectly viable as a technology, but CAs need to implement minimum standards” to keep the system secure and working, Lin said.

      Organizations need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no holes exist that can be exploited, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped, according to Lin.

      There is nothing wrong with having so many certificate authorities, but the bar that needs to be met to become one is currently too low, according to Lin. Symantec is currently working on a white paper outlining what some of the minimum requirements should be, some of which were outlined on the Symantec Connect blog by Fran Rosch, vice president of trust services at Symantec.

      Some of the requirements include using specially designed hardened facilities to defend against attacks, using hardware-based cryptographic signature systems, separating out SSL certificate systems from corporate systems, and enforcing strong password and access-control policies, Rosch wrote.

      “No security infrastructure is immune to breaches,” but organizations should be “investing in infrastructure,” Lin said.

      There is a common misperception that just because an organization is in the security space, it is “magically more secure,” Marc Maiffret, CTO of eEye Digital Security, told eWEEK. “Actually, they face the same security challenges as everyone else,” Maiffret said, suggesting that other organizations can learn from the DigiNotar incident as well.

      Most organizations tend to think in terms of which technology to buy next to meet a specific threat, instead of looking at the root cause, such as configuration errors or unresolved vulnerabilities, according to Maiffret. They are looking for the best antivirus or the best intrusion-detection system, but they aren’t looking at the Web application to ensure it isn’t susceptible to a SQL injection attack or that all known vulnerabilities have been patched with the latest software, he said.

      Having a lot of technology means there is more data about what’s happening, but for some organizations, more data results in more noise to ignore, not more security, according to Maiffret.

      For many years, security was about “set it up and forget it,” said Maiffret, but the volume of threats and the increasingly sophisticated nature of attacks means organizations have to keep an eye on the fundamentals and customize their architecture.

      Some companies may have all the right technology, but may be using it incorrectly because they didn’t realize they made a mistake setting it up, Maiffret said. Or they are using it in a standard configuration, which means attackers know exactly what the setup looks like and craft their attacks accordingly. If organizations architect the network and deploy security differently from what vendors suggested as the default, they are throwing a curveball and making it harder to breach, according to Maiffret.

      Securing the organization is not a technology challenge, but rather a business process, Maiffret said.

      Symantec’s Lin also said that certificate authorities need to be monitoring the infrastructure so that anomalies are detected immediately. More importantly, the organization needs to disclose the incident immediately, even if it thinks the problem has been resolved, so that everyone else is alert and on the lookout for problems, Lin said.
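      The monitoring Lin describes can be made concrete. The following is an added example, not code from the article or from Symantec: a small Python script that reviews a constructed certificate-issuance log for three anomalies a CA's security team would want flagged at once, namely certificates issued for domains the CA never validated, issuance outside business hours, and a burst of certificates signed by one account in a short window. The log format, field names, registered-domain list, business hours and thresholds are all assumptions made for illustration.

```python
"""Anomaly detection over CA issuance logs (added example, not from the article).

Log format, field names, the registered-domain list, business hours and
thresholds are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per certificate signed, in time order.
SAMPLE_LOG = """\
2011-07-09T09:12:44Z issuer=int-01 account=ra-anna subject=shop.example.com
2011-07-09T10:03:10Z issuer=int-01 account=ra-anna subject=www.example.org
2011-07-10T03:12:44Z issuer=int-02 account=svc-batch subject=*.mail-provider.example
2011-07-10T03:12:45Z issuer=int-02 account=svc-batch subject=login.bank.example
2011-07-10T03:12:46Z issuer=int-02 account=svc-batch subject=*.search-engine.example
2011-07-10T03:12:47Z issuer=int-02 account=svc-batch subject=update.vendor.example
2011-07-10T03:12:48Z issuer=int-02 account=svc-batch subject=cdn.vendor.example
2011-07-10T03:12:49Z issuer=int-02 account=svc-batch subject=api.vendor.example
"""

# Domains whose ownership this CA has actually validated (constructed).
REGISTERED_DOMAINS = {"example.com", "example.org", "vendor.example"}

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 UTC, assumed policy
BURST_LIMIT = 5                        # certs per account per window
BURST_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def registered(subject):
    """True if the subject (wildcard stripped) falls under a validated domain."""
    name = subject.lstrip("*.")
    parts = name.split(".")
    # Walk up the labels: api.vendor.example -> vendor.example -> example
    return any(".".join(parts[i:]) in REGISTERED_DOMAINS for i in range(len(parts)))


def detect(log_text):
    """Return (kind, account, detail) alerts for every suspicious issuance."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    recent = defaultdict(list)          # account -> timestamps inside the window
    for rec in records:
        account, subject, ts = rec["account"], rec["subject"], rec["ts"]
        if not registered(subject):
            alerts.append(("unregistered_subject", account, subject))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", account, subject))
        window = recent[account]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.pop(0)                 # assumes chronological input
        if len(window) == BURST_LIMIT:    # fire once when the threshold is hit
            alerts.append(("burst", account, f"{BURST_LIMIT} certs within {BURST_WINDOW}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape a dashboard or pager rule would consume."""
    return Counter(kind for kind, _, _ in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(dict(summarize(detect(SAMPLE_LOG))))
```

      Run against the constructed log, the rules flag the three subjects the CA never validated, every one of the six certificates signed at 03:12 UTC, and the fifth certificate the batch account signs inside ten minutes. The point of keeping the rules this simple is that each one would have fired on the first fraudulent certificate rather than weeks later, which is what Lin's call for immediate detection and disclosure requires.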

      CAs can’t just focus on their own infrastructure, but should hold their partners to the same standard, Lin said. The attacks on Comodo earlier this year were actually on its resellers, and it was important that the same rigorous standards, such as third-party audits, strong authentication and access policies, be followed there as well, according to Lin. Symantec requires all its partners to meet the same standards or risk having the relationship severed, Lin said.
