Espionage Attacks

by Msecadm4921

Recently published research by IT security firm McAfee, which suggested a multi-year attack campaign against more than 70 governmental organisations in the US and other Western nations, highlights the security problems faced by public sector agencies, says Venafi, a provider of Enterprise Key and Certificate Management (EKCM) products.

It’s suggested this may be the largest coordinated attack ever launched. The hackers involved have, over the past several years, worked successfully to infiltrate the computer networks of thousands of companies, organisations and governments, stealing reams of intellectual property, military information and state secrets.

According to Jeff Hudson, Venafi CEO, the public and private sector remain vulnerable to attacks like these due to difficulties in properly deploying and managing security systems within the infrastructure, including encryption keys and certificates.

“Let’s be honest and see things as they are truly. This latest reported series of on-going breaches makes an irrefutable case. The bad guys are inside. Period, end of story. Anyone arguing with that is in denial. The malware and the intruders are operating inside organisations today undetected. The best firewalls and intrusion detection obviously aren’t enough. If people want to protect the data, which is what the bad guys are after, it has to be encrypted and the keys must be well managed.”

Hudson said: "It’s interesting that recent media reports point an accusing finger at state-sponsored terrorists and governments. Regardless of which country or agency has been launching these attacks, the bottom line is that the attacks have been successful where government secrets have been leaked." As some of the attacks on US government and United Nations servers date back five years, it is clear that public sector agencies need to significantly rethink their security practices.

The Venafi CEO said the most logical method to prevent these kinds of leaks is this: first, encrypt all data flowing between the agencies’ IT resources; second, encrypt all data that is stored; and third, enforce authentication, encryption key access control and audit logging for all local and remote access to this data.

While the public sector has largely embraced encryption to secure data from prying eyes, they have struggled to implement adequate access controls and audits for the keys that unlock that data, largely due to the vast number of staff members that need to access the agency’s data in order to complete their duties.

The biggest headache, says Hudson, stems from rotating and resetting encryption keys, authentication credentials and passwords, which many organisations regularly ignore. In addition, private or asymmetric encryption keys, which protect data that flows between IT resources, are exposed to an array of risks due to lax distribution processes behind the firewall as well as poorly implemented and infrequent rotation of keystore passwords. These private keys to the kingdom are frequently protected with the same password across hundreds of administrative keystores. Administrators also often have direct access to the keystores, duplicate the keys in them for distribution, and reuse the keys on other systems and applications throughout the infrastructure. This represents a significant security risk, and likely violates regulatory mandates for data protection in most organisations.

The ongoing nature of the recently revealed attacks underscores the danger of such poor practices, the IT firm says, which allow attackers to continue capitalising on a single cracked or exposed key year after year.

To truly lock down their resources, Hudson emphasises, public-sector agencies must deploy a key management system that can help them automate the process in order to implement best practices. And any system that is deployed, he adds, needs to be bullet-proof and capable of operating in environments with large staffs on a consistently reliable basis.

Since the security system needs to stop staff from becoming victims of their own actions, the Venafi CEO says that an automated key management system offers the best option. Such a system mandates the use of the highest levels of security, which human administrators often neglect due to the management headaches and inherent vulnerabilities when human/manual processes are involved. It also ensures quick and efficient key rotation, both on-going and when a potential exposure mandates an immediate response.

The need for such guidance is not overstated. Recently, major corporations, such as Lockheed Martin, L3, NHS, Epsilon, EMC and others, have also experienced unauthorised access that has been the subject of significant, mainstream press coverage. In addition, hackers are increasingly targeting private keys, not only as a means for stealing customer details or intellectual property, but also as valuable assets themselves. With the private keys that sign a company’s software, hackers can launch all sorts of new malware and attacks. Without leveraging best practices and automated management processes, organisations will never gain complete control of their key and certificate inventories, resulting in significant security, compliance and operational risk, risk that will be realised in access breaches unless organisations, both in the private and public sector, take action.

"Automating the authentication process is a logical first step, because any system that allows remote access to government servers must be as secure as possible and ensure that foreign governments do not gain access to the agency’s data," Hudson said.

"Once deployed, these key-management systems need to marry the highest level of security with the most efficient administration. But, provided that the required infrastructure is in place, it is perfectly possible to manage the mission-critical security assets like keys and certificates as well as the security needs of tens of thousands of staff members with relative ease," he added.

For more on the government cyber-attack campaign: http://bbc.in/nI0NdC