Unlike before, when trust could be measured in terms of locks, safes and video cameras, trust today is established in security technologies within the enterprise network that can't be seen, only managed. As organizations adopt cloud computing and employee-owned devices gain more access to corporate networks and sensitive information, the challenge of securing company data everywhere grows exponentially. Cryptographic keys and digital certificates establish trust in the enterprise, ensuring that corporate data remains secure whether it is accessed by the employee in the cube on the second floor or by an executive in a hotel room in Singapore.
The attack vehicle
When it comes to Advanced Persistent Threats (APTs), bad actors will take advantage of the trust gap, using any and every exploit they can leverage to steal your organization's data. They will look for the weakest link in your security systems and find the path of least resistance. Over the past several years, criminal organizations and individual bad actors have found that, by taking advantage of poor key and certificate management practices, they can breach trust to infect systems with information-siphoning malware and, in some cases, even implant weaponized code that can inflict physical damage on facilities.
All you have to do is look back at the past few years to realize the impact trust-based attacks have had on organizations. Organized groups have been using encryption keys and digital certificates to steal information for years, because they serve as perfect vehicles for sliding past defensive systems. Case in point: Stuxnet and Flame. These two well-known examples of malware took advantage of stolen and weak certificates. Why did the actors choose this method? Compromised certificates authenticated the malware on the network, making it appear to be legitimate code. As a result, the infected operating systems allowed the installation of the malware without any warning.
The certificate-based attack problem is ongoing and growing. In April, the Common Computing Security Standards (CCSS) forum logged sixteen legitimate digital certificates associated with malware. In the grand scheme of things, this doesn't sound too bad, but when you take into account that an average of 200,000 new malicious programs are found every day, the use of legitimate certificates becomes a very real problem that organizations aren't ready to face. Cybercriminals have gone as far as setting up fake companies to deceive a public Certificate Authority (CA) into issuing legitimate certificates that could be used to distribute malware, as was the case with the Brazilian banking malware signed with a valid DigiCert certificate.
Does this mean that trust-based technology is broken? Not quite.