Preventing Unauthorized Access & Attacks: Strategies for Securing Mobile Certificates

Transcription

1 Preventing Unauthorized Access & Attacks: Strategies for Securing Mobile Certificates White Paper

2

3 Table of Contents Executive Summary 3 Introduction 3 Mobile and User Certificates in the Enterprise 4 Risks and Challenges 5 Orphaned mobile certificates 5 Constantly changing environments 5 Fraudulent mobile certificates and CA compromise 6 Weak cryptography 6 Poor application security 6 Keeping up with rapid mobile business requirements 7 Implementing Strategies for Securing Mobile and User Certificates 7 Extend mobile certificate protection beyond MDM 7 Gain visibility into threats 7 Establish baselines and detect anomalies 8 Enforce policies 8 Gain control of certificates and reduce risk 8 Respond more quickly to attacks 8 Conclusion 8 1

4 2

5 Executive Summary As the availability of sensitive corporate content become increasingly mobile, the possibilities of unauthorized access and other malicious threats become larger and larger 71% of compromised assets in 2013 involved users and their endpoints. 1 The rapid deployment and use of mobile and user certificates creates a number of security risks to organizations most have no visibility into the keys and certificates that a user might have access to, leaving them with no ability to identify anomalies and respond to certificate-based attacks. Other risks, include misused or orphaned mobile certificates which can lead to unauthorized access if certificates are not quickly revoked, improper certificate issuance against corporate policy, certificates exceeding the lifespan of mobile devices, and much more. Today, IT security lacks the kill switch to respond to mobile certificate-based anomalies and remediate to a known good state. Although most organizations are adding significant mobile management and security solutions to secure mobile access to critical networks, applications, and data none address the visibility and control problems with mobile and user certificates that hackers are exploiting. This paper will explore the risks and challenges organization face with mobile certificates. It will also provide strategies to help organizations gain visibility and respond faster to mobile certificate-based attacks reducing the risk of unauthorized access and network infiltration. Introduction In recent years, mobile devices have taken a central role in communications, and enterprise communications form no exception. According to a SANS survey, more than 60% of organizations allow Bring Your Own Device (BYOD), in which employees access corporate networks from their personal mobile devices. 2 This trend has forced IT staff to take steps to secure the corporate data on the now ubiquitous mobile devices. Gone are the days when all employees were physically connected to the network and username and passwords were sufficient to manage access to corporate 3

6 assets. To authenticate users on mobile devices and regulate their access to the corporate network and sensitive data, IT security has primarily turned to digital certificates, which are widely accepted as the strongest option for authentication. But what happens when trust that is established by keys and certificates breaks down as a result of them being compromised? Or when trust is poisoned by a targeted attack? Today we are seeing more systems compromised from trust exploits that take advantage of the methodologies put in place to manage the keys and certificates. As the use of certificates rise, the CAs that issue certificates have increasingly become targets for sophisticated attacks. The attacks on CAs have enabled attackers to obtain fraudulent certificates that grant them unauthorized access to corporate networks. Sophisticated attackers executing advanced persistent threats (APTs) are taking advantage of key and certificate exploits. When it comes to APTs, bad actors will take advantage of any and every exploit they can use to steal corporate data. Trust exploits like a misused VPN key and certificate, poor key and certificate management, fraudulent certificates, and weak outdated cryptographic methods are all still prevalent in many organizations. The rapid adoption of mobile devices makes it difficult for enterprises to secure and protect the certificates on these devices. The improperly managed certificates become targets for attackers eager to exploit security vulnerabilities and hijack certificates for their own use. A cybercriminal s dream is when organizations lack both visibility into a weakness and the ability to take action to remediate detected threats the precise situation in which almost every enterprise finds itself with mobile certificates and keys. As companies deploy more certificates to users personal devices, they need insight into their certificate inventory both to protect authorized users access and to prevent unauthorized access by terminated employees or by cybercriminals. Because cybercriminals will continue to capitalize on trust-based attacks using compromised keys and certificates, organizations must be ready to implement the necessary controls to secure mobile and user certificates. Ideally, IT security needs a kill switch to quickly respond to mobile certificatebased anomalies. Most organizations have no visibility and no controls with respect to keys and certificates - leaving a huge risk that has been left unaddressed. Mobile and User Certificates In The Enterprise Most security professionals agree that usernames and passwords do not offer a sufficiently strong method of authentication for enterprise IT assets. Gartner recommends that organizations consider certificatebased authentication as a replacement for other two factor authentication methods including cumbersome one-time passwords. 3 Many organizations have followed this recommendation, issuing digital certificates to users mobile devices to grant the users access to the corporate network and applications. A user certificate identifies a user for a variety of purposes such as Wi-Fi authentication, VPN authentication, encryption and message signing, and web authentication. A mobile certificate similarly identifies a device. Certificates might also identify both the user and the device, confining users to particular devices to gain specific forms of access. This paper generally refers to mobile and user certificates, which include all of these types. 4

7 Mobile and user certificates can be replicated across different mobile and personal platforms laptops, desktops, smartphones, and tablets allowing users to easily access the correct resources without needing to remember different passwords for each access point or form of access. The combination of security and user convenience makes certificate authentication an ideal choice for mobile devices. Risks and Challenges However, as organizations transition to using mobile and user certificates to regulate access to critical enterprise resources, they confront a new set of challenges. The rapidly growing influx of certificates adds stress to IT security teams, interfering with their ability to secure and protect these critical assets. A lack of insight into and control over the inventory leaves the staff unable to close risks introduced by orphaned mobile certificates, constantly changing environments, compromised CAs, and weak cryptography. The unmanaged risks translate to devastating costs; Ponemon research estimates that the average enterprise risks almost $35M in potential losses from security incidents arising from key and certificate management failures. 3 Orphaned Mobile Certificates Orphaned mobile or user certificates have escaped the company s security controls. Administrators know that certificates have been issued and grants access to various resources perhaps critical ones. But they do not know which users have access to the certificates, how 51% of organizations don t know how many keys and certificates they have, how the certificates are used, and if the right person has been issued the right certificate. many were issued, nor where the certificates are deployed. Unfortunately, such loss of control is prevalent; in a 2013 Venafi survey, 60% of respondents reported that they lack visibility into their certificate inventory. Sophisticated attackers executing advanced persistent threats (APTs) will take advantage of any and every exploit to steal corporate data including exploiting orphaned mobile and user certificates. In fact, the APT1 report from Mandiant shows that, in every attack, hackers hijacked valid credentials such as keys and certificates. 5 Certificates should form the foundation of trust, but, when organizations lack visibility into their mobile certificate inventory, they leave themselves exposed to such betrayals. Worse, organizations cannot respond quickly to stolen mobile and user certificates, extending their threat surface and leaving their network excessively vulnerable to unauthorized user access and intellectual property theft. 6 Constantly Changing Environments Every certificate represents the equivalent of an identification card that ties a user (an employee, contractor, or business partner) to specific forms of access. Yet, as more and more personal mobile devices access the corporate networks, a volatile environment leads to certificates that no longer grant the correct forms of access to the correct users. Employees leave the company Employees can and do use their access to data against the company. Nearly 60% of U.S. workers say they have already downloaded sensitive corporate data in anticipation of a future layoff. Approximately the same percentage of terminated employees do indeed take that data with them. 7 Terminated employees or contractors who have access to mobile and server certificates, S/MIME encryption keys, and SSH keys can use those keys to impersonate corporate servers or steal data. Therefore, when an employee leaves a company or is terminated, his or her certificates should be revoked immediately. Devices are lost With the growing number of mobile devices per user, the frequency of loss or theft of those devices also increases. Organizations must be able to react to these events by revoking any certificates deployed to the compromised device and recovering S/MIME encryption keys. 5

8 Companies add solutions and expand the workforce As the company brings new applications and network access methods online, or as new users join the company, IT staff must issue new sets of mobile certificates. The expanding certificate inventory increases the organization s attack surface, particularly when the inventory expands in an ad-hoc and unmanaged manner. Users frequently change roles Whenever users change roles, the level of access they require to corporate data changes as well. In response, IT security must extend, reassign, or revoke users keys and certificates. Certificates expire Additional challenges occur when certificates expire unexpectedly or when certificate renewals fail, causing users to lose access to the corporate network. The organization pays in terms of lost productivity and help desk resources. As you see, IT security often needs to revoke or extend mobile and user certificates both to prevent unauthorized access and to protect authorized access. Unfortunately, at least 60% of companies lack the comprehensive certificate inventory that IT staff members require to complete such tasks. While administrators can change a user s status in Active Directory to revoke access to corporate networks, they cannot revoke the user s mobile certificates. Similarly, organizations that have implemented Mobile Device Management (MDM) solutions can remotely find, lock or wipe a device, but an MDM deployment alone has limitations such as the inability to revoke a user s mobile certificates. Without a clear picture of the certificates exposed to a former employee or lost mobile device, the organization becomes exposed to unquantified risk of unauthorized access. Fraudulent Mobile Certificates and CA Compromise As the use of certificates has increased, the CAs that issue certificates have increasingly become targets for sophisticated attacks. Hackers have succeeded in obtaining fraudulent certificates that grant them unauthorized access and in forging digital signatures. These attacks on CAs make it critical for organizations to ensure they are using secure CAs. Organizations also need to respond quickly to a CA compromise or to the issuance of a fraudulent certificate. To respond to a CA compromise, organizations must replace all mobile and user certificates issued by that CA. If the primary CA for mobile certificates is compromised, organizations must be able to rapidly migrate to another CA without disrupting the MDM infrastructure. Unfortunately, lack of visibility into the certificate inventory and manual deployment processes make such migrations an arduous task of days, as 60% of RSA 2013 survey respondents admitted. 8 The longer it takes for an organization to respond to an attack, the more costs the company incurs. According to the Ponemon Institute, those costs could soar up to US$125 million per incident. 9 Weak Cryptography The U.S. National Institute of Standards and Technology (NIST) will officially discontinue the use of encryption key lengths shorter than 1024 bits on December 31, However, at the average Global 2000 company, 1024-bit keys still make up almost 70% of the encryption key inventory. The MD5 cryptographic hash algorithm was discontinued in 2005 due to weaknesses that allow hackers to create a rogue CA root certificate that is trusted by all browsers. The weakness was proven in 2008 and used very effectively by Flame malware. 11 Today, many mobile certificates involved in VPN access still use the MD5 algorithm, leaving a huge backdoor wide open for attackers to steal information. Every day companies put themselves at risk due to weak, outdated, and poorly configured cryptography. Poor Application Security A digital certificate infrastructure can serve a number of enterprise applications on mobile devices. According to an Information Security mobility survey, 12 employees access the following types of applications on personally 6

9 owned mobile devices: 79% use , instant messaging and chat applications, 68% use webbrowser applications, 49% access corporate intranet via VPN or Wi-Fi and 41% use corporate applications. Mobile applications are vulnerable to Man-in The-Middle (MiTM) attacks through rogue certificate insertion. For example, a vulnerability was discovered that allowed attackers to access and modify calls and text messages sent by T-Mobile users on millions of Android smartphones. 13 In this vulnerability, the certificate validation was not fully implemented, so without proper verification, hackers can create a fake certificate and pretend to be the T-Mobile server. Keeping Up With Rapid Mobile Business Requirements IT security has long been perceived as barriers and inhibitors, not business enablers. While other groups within the IT department, such as the mobile operations team is trying to get users connected, with easier and more access to corporate data the IT security team is viewed as questioning every decision and locking everything down. The increasing use of mobile devices and applications is inevitable today s workforce and business units expect it and security professionals do not have a choice but to support the rapidly growing mobile business requirements. As a result, IT security is quickly losing control due to the process complexity of securing hundreds and thousands of mobile and user certificates that are being issued within the enterprise. Today, IT security teams are measured on their ability to enable business while providing security with the lowest amount of friction. IT security faces the challenge of delivering fast, easy and secure mobile certificate issuance in the rapidly moving mobile enterprise. Implementing Strategies for Securing Mobile and User Certificates Lack of visibility into and control over mobile and user certificate deployments have left businesses exposed to all the risks about which you just read. To address escalating attacks on trust, enterprises must move beyond simple MDM solutions. They must gain visibility into threats, establish baselines and detect anomalies, enforce policies that ensure secure certificate deployments, manage user access to certificates, and automate their response to attacks. Only then can enterprises reduce risks and regain control of their own assets while still enjoying all the benefits of BYOD. Ultimately organizations need a kill switch that enables IT security teams to respond to quickly respond to mobile certificate-based anomalies and Extend Mobile Certificate Protection Beyond MDM Some organizations have implemented MDM solutions as the first step in implementing and enforcing a mobile security policy. Administrators use enterprise MDM solutions to configure mobile device settings, provision mobile devices for use on the corporate network, and remotely wipe or lock devices. MDM provides an important first step in managing mobile devices, but MDM alone cannot secure mobile and user certificates nor protect organizations from the risks outlined earlier. As organizations adopt new mobile applications and solutions, they must address these security risks by implementing a solution that manages certificates in a secure manner no matter which CA issued the certificate and no matter where that certificate is installed. Gain Visibility into Threats Organizations can only defend against trustbased attacks and exploits when they have a clear understanding of their mobile and user certificate inventory. Therefore, it is critical for organizations to obtain complete visibility into 7

10 this inventory to minimize the loss of intellectual property and damage related to attacks on keys and certificates. A comprehensive key and certificate inventory helps IT security professionals analyze and view critical information about mobile and user certificates. In addition to the certificates location, this information includes data such as CAs, key lengths, signing algorithms, and validity periods. IT security teams can discover weak links in need of rectification such as duplicate, orphaned, and unneeded certificates. Wi-Fi, VPN, and S/MIME certificates are not revoked, those users can still access the corporate network and sensitive information. System administrators should immediately revoke all mobile and user certificates associated with terminated or reassigned employees to prevent unauthorized access to the corporate network. Insight into the certificate inventory and tools for automating certificate management help administrators complete these tasks quickly and efficiently. 8 Establish Baseline and Detect Anomalies Once an organization has gained visibility into its mobile and user certificate inventory, it can begin to identify opportunities to reduce risk. Through continuous evaluation of and reporting on cryptographic key and certificates inventories, the IT security staff can establish a baseline for certificates normal use. They can then easily detect anomalies such as duplicate, orphaned or unneeded mobile certificates, unapproved CAs, or unintended key usage and rapidly remediate them. Enfore Policies A comprehensive mobile and user certificate inventory also grants organizations the flexibility to adopt new mobile applications and solutions without exposing their mission critical applications and data to security risks. By enforcing cryptographic policies such as approved key lengths, validity periods, and CAs for mobile certificates, as well as implementing workflow processes for deploying the certificates, administrators can reduce the organization s attack surface and mitigate targeted attacks. Business units can rapidly pursue new mobile business initiatives while ensuring that newly issued certificates protect against security lapses and breaches. Gain Control of Certificates and Reduce Risks Mobile certificates issued to users serve as trusted credentials, granting users secure access to critical networks, applications, and data. But if employees or contractors are terminated or reassigned and their mobile, Gain Detect Enforce Automate Visibility Anomalies Policy Gain visibility into threats, establish baselines and detect anomalies, enforce policies that ensure secure mobile certificate deployments and automate response to attacks. Automate certificate management to respond more quickly to attacks Companies face hundreds of millions in costs when they cannot respond to stolen certificates or CA compromises quickly. Automating security processes like mobile certificate requests helps organizations respond to attacks more quickly, replacing compromised keys and certificates in minutes rather than days. Conclusion The explosion of mobile and user certificates within the enterprise, coupled with the difficulty of monitoring and controlling these certificates, exposes enterprises to greater risks of unauthorized access and stolen data. Cybercriminals can easily pose as trusted users using compromised mobile and user certificates, thereby obtaining nearly unlimited access to sensitive corporate data. Organizations with existing MDM deployments can further reduce their overall attack surface by implementing a solution for securing mobile and user certificates. Enterprises today need solutions that give them a complete picture of ever-changing mobile and user certificate deployments and that help them to implement the necessary controls to secure these certificates.

11 About Venafi Venafi is the market leading cybersecurity company in Next-Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first trust protection platform to secure cryptographic keys and digital certificates that every business and government depend on for secure communications, commerce, computing, and mobility. As part of an enterprise infrastructure protection strategy, Venafi Director prevents attacks on trust with automated discovery and intelligent policy enforcement, detects and reports on anomalous activity and increased threats, and remediates errors and attacks by automatically replacing keys and certificates. Venafi Threat Center provides research and threat intelligence for trust-based attacks. Venafi customers are among the world s most demanding, security-conscious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit References Verizon Data Breach investigations Report 2. SANS Mobility/BYOD Security Survey, March Gartner, Digital Certificates Can Be a Good Alternative to OTP Hardware Tokens for Smartphone Authentication, February SANS Whitepaper: Protecting Against Insider Attack 8. Venafi survey RSA Information Security Mobile Security by the Numbers, July/August Copyright 2013 Venafi, Inc. All rights reserved. Venafi, the Venafi logo are trademarks of Venafi, Inc. in the United States and other countries. All other company and product names may be trademarks of their respective companies. This white paper is for informational purposes only. Venafi makes no warranties, express or implied, in this summary. Covered by United States Patent #7,418,597; #7,568,095; #7,650,496; #7,650,497; #7,653,810; # 7,698,549; #7,937,583 and other patents pending. Part number:

12 Contact Venafi If your enterprise is experiencing challenges related to controlling trust, specifically with securing and protecting cryptographic keys and digital certificates, Venafi can assist. For more information about our products and services, visit us online at or contact us at