By Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi
The White House has been forced to rapidly issue new cyber security rulings for government agencies after it emerged that a second security breach against the U.S government’s Office of Personnel Management (OPM) has exposed the files of millions of federal workers, as well as information on their friends, families and colleagues.
The breach could leave federal workers and their contacts open to blackmail or spear phishing attacks by cyber criminals, or users may be duped into downloading dangerous malware.
The OPM breach was the second attack in as many weeks – and comes on the back of other high profile security attacks such as the Community Health Systems breach in the US, which affected 4.5 million patients and the attack on Sony Pictures. It therefore comes as no surprise to seethe White House announce major developments to ramp up encryption and intensify website security across the board.
In the wake of this second attack, The White House has directed all federal agencies to take a series of rapid measures to lock down government systems. U.S. Chief Information Officer Tony Scott has launched what is being referred to as a 30-day cyber security sprint. During this time, agencies are being asked to patch all known vulnerabilities and shore up systems using information provided by Homeland Security, the Government department designated to protect the nation. Agencies will all be asked to report on their progress during this period.
The U.S. Office of Management and Budget (OMB) has also announced that all federal agencies will be required to use HTTPS to improve website security. On its coat tails, the House Energy Commerce Committee sent letters to the CEOs of Apple, Google, Microsoft and Mozilla expressing concern that Certificate Authorities (CAs) owned by national governments have the power to issue certificates which could be used for fraudulent purposes. Although these two initiatives are unrelated – they are linked.
The Committee is seeking industry direction on whether limiting CAs can actually improve the way the certificate system is run, if it is technically possible, what adverse effects such restrictions would have, and how security can be improved overall?
Federal agencies will be required to inspect all inbound TLS/SSL traffic for potential risks as they move to 100 percent encryption.All traffic will need to be carefully examined as cyber criminals are happy to play the waiting game and hide out for as long as it takes to launch a successful attack.
Agencies will also need to search out the malicious use of forged, compromised, or fraudulent certificates across the Internet to brick wall so called spoofing and man-in-the-middle (MITM) attacks. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, mobile devices, and system administrators, and decrypt communications thought to be private.
While the motives behind increasing encryption are largely positive – the OMB’s announcement to use HTTPS has some gaping holes. If HTTPS isn’t properly implemented with an immune system to protect the cryptographic keys and digital certificates, the increased use of HTTPS may actually increases the security risks. More encrypted traffic will require bad guys to use HTTPS and either forge or compromise certificates to mount effective attacks. Unfortunately, we live in a world without trust today because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks.
In its directive, the OMB has yet to specify or mandate any type of key or certificate management system to ensure it is efficiently managed and safeguarded. There has also been no reference to the U.S government’s National Institute of Standards and Technology(NIST) guidance issued two years ago for preparing for a CA breach. NIST guidelines are aligned with internationally accepted best practices and standards on computer security. This is what makes the Committee’s letters to the industry seeking advice on limiting CA’s all the more intriguing.
Governments should be anxious about who we trust in our browsers and if we can have confidence in the security of websites. This is why we welcomed Google’s decision to block CNNIC, the Chinese CA, earlier this year, following the discovery that the state-run organisation had issued unauthorised certificates for Google domains that left it exposed to man-in-the-middle attacks capable of intercepting private communications.
Shockingly, any CA in the world, through fraud or compromise, could issue malicious certificates for .gov domains, as well as more obvious .com sites and others. It is imperative that CAs cannot abuse certificates or issue malicious ones that could be used as ammunition against the US or its allies. Google Certificate Transparency (CT) is undoubtedly a help – butit only covers the high-level extended validation (EV) certificates, and does not address compromise or misuse after issuance. This is why we are seeing a rise in so called Certificate Reputation, which allows website operators to monitor their web domains to help ensure there are no fraudulent issued SSL certificates.
The move that the US Government have taken is undoubtedly a step in the right direction – but unfortunately more encrypted traffic makes them an even more inviting target for cyber criminals. Unless we have an Immune System for the Internet – a system that that can identify certificates, safely deliver them for use with SSL/TLS inspection, and detect and stop the misuse of certificates for governments and enterprises – we will continue to see a frightening number of attacks take place.