By Nate Couper
In the last few years, security breaches of signed SSL certificates, as well as a number of certificate authorities (CA’s) themselves, have illustrated gaps in the foundations of online security.
It is no longer safe to assume that CA’s, large or small, have sufficient stake in their reputation to invest in security that is 100% effective. In other words, it’s time to start assuming that CA’s can and will be breached again.
Fortunately for the white hats out there, NIST has just released a bulletin on responding to CA breaches. Find it on NIST’s website at http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf.
The NIST document has great recommendations for responding to CA breaches, including:
- Document what certificates and CA’s your organization uses.
- Document logistics and information required to respond to CA compromises.
- Review and understand CA’s in active use in your organization.
- Understand “trust anchors” in your organization.
- Develop policies for application development and procurement, and implement them.
- Understand and react appropriately to CA breaches.
Let’s dive into these:
1. Document the certificates and CA’s that your organization uses
Any compliance wonk will tell you that inventory is your first and best control. Does your organization have an inventory?
Let’s count certificates. There’s http://www.example.com, www2.example.com, admin.example.com, backend.example.com, and there’s mail.example.com. There may also be VPN.example.com, ftps.example.com, ssh.example.com. These are the obvious ones.
Practically every embedded device from the cheapest WIFI router to the lights-out management interface on your big iron systems these days comes with an SSL interface. Count each of those. Every router, switch, firewall, every blade server enclosure, every SAN array. Take a closer look at your desktops. Windows has a certificate database, Firefox carries its own, Java has its own, and multiple instances of Java on a single system can have multiple CA databases. Now your servers—every major OS ships with SSL capabilities, Windows, Linux (OpenSSL), Unix. Look at your applications – chances are every piece of J2EE and .NET middleware has a CA database associated with it. Every application your organization bought or wrote that uses SSL probably has a CA database. Every database, every load balancer, every IDS / IPS. Every temperature sensor, scanner, printer, and badging system that supports SSL probably has a list of CA’s somewhere.
All your mobile devices. All your cloud providers and all the services they backend to.
If your organization is like most, you probably have an excel spreadsheet with a list of AD servers, or maybe you query a domain controller when you need a list of systems. Forget about software and component inventory. Don’t even think about printers, switches, or cameras.
If you’re lucky enough to have a configuration management database (CMDB), what is its scope? When was the last time you checked it for accuracy? In-scope accuracy rates of 75% are “good”, if some of my clients are any measure. And CMDB scope rarely exceeded production servers.
Each one of these devices may have several SSL certificates, and may trust hundreds of CA’s for no reason other than it shipped that way.
Using my laptop as an example, I’ve got several hundred “trusted” CA’s loaded by default into Java, Firefox, IE and OpenSSL. Times five or so to account for the virtual machines I frequent. Of those thousands of CA’s, my system probably uses a dozen or so per day.
2. Document logistics and information required to respond to CA breaches
How exactly do you manage the list of trusted CA’s on your iPad anyway? Your load balancer? Who is responsible for these devices, and who depends on them? If you found out that Thawte was compromised tomorrow, would you be able to marshal all the people who manage these systems in less than a day? In a week?
What would it take to replace certificates, to tweak the list of CA’s across the enterprise? It will definitely take longer if you’re trying to figure it out as you go.
3. Review and understand CA’s in active use in your organization
Of all the dozens of CA’s on my laptop, I actually use no more than a dozen or so each day. In fact, it would be noteworthy if more than a handful got used at all. I could disable hundreds of them and never notice. After all, I don’t spend a lot of time on Romanian or Singaporean sites, and CA’s from those regions probably don’t see a lot of foreign use.
Most organizations are savvy enough to source their certificates from at most a handful of trusted CA’s. A server might only need one trusted CA. Ask your network and application administrators – which CA’s do we trust and which do we need to trust? It might make sense to preemptively strike some or all the CA’s you’re not actually using, if only in the name of reducing attack surface.
4. Understand “trust anchors” within your organization.
Trust Anchors are the major agents in a PKI – the CA’s. Trust anchors provide rules and services to govern the roles of others such as the intermediates, the registrars, and the users of certificates. Go back through your inventory (you made one of those, right?) and document the configuration. What do the trust anchors allow and disallow with your certificates? Will revoked certificates get handled correctly? How do you configure it?
Does your organization deploy internal CA’s? Which parts of the organization control the internal CA’s, and what other parts of the business depend on them? What internal SLA’s / SLO’s are afforded? What metrics measure them?
5. Develop policies for application development and procurement.
How many RSA SecurID customers really understood that RSA was holding on to secret information that could contribute to attacks against RSA’s customers? Did your organization ask RIM if trusted CA’s on your Blackberries could be replaced? Do you use external CA’s for purely internal applications, knowing full well the potential implications of an external breach?
Does your purchase and service contract language oblige your vendor even to tell you if they do have a breach, or will you have to wait till it turns up on CNN? Do they make claims about their security, and are their claims verifiable? Do they coast on vague marketing language, or ride on the coattails of once-hip internet celebrities and gobbled-up startups?
6. Understand CA breaches and react appropriately.
Does your incident response program understand CA breaches? Can you mobilize your organization to do what it needs to when the time comes, and within operational parameters?
CA breaches have happened before and will happen again. NIST has again delivered a world-class roadmap for achieving enterprise security objectives. Is your organization equipped?