Playing roulette with IT security

GEORGE BEST was one of the greatest football players to ever step on a field. He died after a long illness in 2005, probably due to years of what could be termed a self-destructive lifestyle. “In 1969, I gave up women and alcohol,” he once said. “It was the worst 20 minutes of my life.”

George saw the writing on the wall, yet he continued merrily along, unchanging. This reminds me very much of the attitude many organisations have towards their IT security. Some organisations appear to be totally oblivious to what could lie around the corner, but the vast majority are simply allowing bad practices to continue in the misguided hope that it won’t happen to them.

At a time when company after company reports some form of information breach – 251 in the US alone in the first five months of 2011 – most organisations continue to play IT security Russian roulette with their business.

Companies that have faced cyber attacks in recent months include Sony, Epsilon, Google, Lockheed Martin, and many banks and government organisations. The growing list a testament to the reality that no one is safe. According to analyst firm Frost and Sullivan, the global black market for email addresses and national ID numbers is now worth about $5bn, making it a lucrative area for hackers looking to steal contact information.

And yet I regularly talk with risk managers who tell me that they have to justify investment in better security management to their directors, who “need to see the business case”. I often wonder how “staying in business and not going bust” fails to plead its own case.

An expert at a global tax and advisory organisation, with whom I recently spoke, told me that certificate and key lifecycle management is underexposed in most IT audits, and the subject is also avoided in other security-related engagements. And why? Because most organisations have absolutely no control over their encryption assets, such as encryption keys including asymmetric or private keys, SSH keys and symmetric keys as well as digital certificates.

Risk managers have no way of ensuring that policies – if they do exist – are adhered to. Keys and certificates are strewn throughout the organisation, currently managed in silos and departments if they are managed at all.

No one, from the chief executive down, has any idea who manages these critical encryption resources or how they are being managed. These organisations have opened themselves to systemic, unquantified and unmanaged risk, with potentially “life-threatening” consequences that could include security breaches, audit failures and operational failures.

Even worse, when the long-ignored issue of key and certificate management is brought to light by a crisis, most companies are ill-equipped to respond. In my experience, the vast majority do not know how long it would take to remedy a data breach. Very few organisations have a response plan for Public Key Infrastructure (PKI) disasters such as the compromise of a certification authority (CA) or an algorithm that becomes computationally weak. Administrators and stakeholders are simply not trained or prepared to respond to such events.

Every day, another organisation reaps the unfortunate consequences of these poor practices in the form of a data breach or operational downtime while expired certificates and keys are replaced. All this happens much to the chagrin of the IT security department, which usually has a plan to begin a project to manage its encryption assets – once it can discover where they were!

Organisations might manage their key and certificate resources as if they had little value, but attackers understand the enormous attack leverage they gain from targeting these high-value assets. Recent breaches and compromises at Comodo and RSA Security have demonstrated the very real threat of internal or external compromise, even in organisations that exist to provide security. These events would have been considered impossible just a few months ago.

When a CA or a private key is compromised, an organisation must immediately suspend normal business operations until it has replaced everything related to the source of the breach. Unfortunately, managers in the vast majority of enterprises wouldn’t know where to start. Only this past week, a risk manager in a global financial organisation told me that he didn’t know where their Verisign certificates were installed, or even how many purchased certificates were actually being used.

“Security, privacy and compliance are driving organisations to deploy encryption key and digital certificate technologies at an aggressive pace,” says Eric Ouellet, vice president of secure business enablement at analyst Gartner.

“Sensitive, regulated information and systems would be completely exposed without them, and organisations are levering them increasingly to protect themselves from external threats and internal hackers.

“Unfortunately, encryption assets can turn into liabilities if managed improperly. Understanding the best practices of how to approach the access controls and centralised management of these encryption assets are of critical importance.”

You can take steps to protect your encryption assets, or you can let your chief executive appear on the evening news saying, to paraphrase George Best, “I never went to work in the morning with the intention of getting hacked. It just happened.”

Calum MacLeod is EMEA Director at Venafi