{"id":77,"date":"2017-01-19T23:47:43","date_gmt":"2017-01-19T23:47:43","guid":{"rendered":"https:\/\/hjinterim.wordpress.com\/?p=77"},"modified":"2017-01-19T23:47:43","modified_gmt":"2017-01-19T23:47:43","slug":"trust-is-a-necessity-not-a-luxury","status":"publish","type":"post","link":"https:\/\/hjinterim.tech\/index.php\/2017\/01\/19\/trust-is-a-necessity-not-a-luxury\/","title":{"rendered":"Trust Is a Necessity, Not a Luxury"},"content":{"rendered":"
\n

Mapping Certificate and Key Security to Critical Security Controls<\/strong>
\nI travel all over the world to meet with CIOs and CISOs and discuss their top-of-mind concerns. Our discussions inevitably return to the unrelenting barrage of trust-based attacks. Vulnerabilities like Heartbleed and successfully executed trust-based attacks have demonstrated just how devastating these attacks can be: if an organization\u2019s web servers, cloud systems, and network systems cannot be trusted, that organization cannot run its business.<\/p>\n

Given the current threat landscape, securing an organization\u2019s infrastructure can seem a bit daunting, but CISOs aren\u2019t alone in their efforts to protect their critical systems. Critical controls are designed to help organizations mitigate risks to their most important systems and confidential data. For example, the\u00a0SANS 20 Critical Security Controls<\/a>\u00a0provides a comprehensive framework of security controls for protecting systems and data against cyber threats. These controls are based on the recommendations of experts worldwide\u2014from both private industries and government agencies.<\/p>\n

\"Matrix\"<\/p>\n

These experts have realized what I\u2019ve maintained for years\u2014just how critical an organization\u2019s keys and certificates are to its security posture. What can be more critical than the foundation of trust for all critical systems? As a result, the SANS 20 Critical Security Controls have been updated to include measures for protecting keys and certificates. Organizations need to go through their internal controls and processes\u2014like I\u2019ve done as a CISO\u2014and ensure that their processes for handling keys and certificates map to recommended security controls.<\/p>\n

For example, most organizations know that best practices include implementing Secure Socket Layer (SSL) and Secure Shell (SSH), but they may not realize that they must go beyond simply using these security protocols to using them correctly. Otherwise, they have no protection against attacks that exploit misconfigured, mismanaged, or unprotected keys. SANS Control 12 points out two such common attacks for exploiting administrative privileges: the first attack dupes the administrative user into opening a malicious email attachment, but the second attack is arguably more insidious, allowing attackers to guess or crack passwords and then elevate their privileges\u2014Edward Snowden<\/a>\u00a0used this type of attack to gain access to information he was not authorized to access.<\/p>\n

\"sans20\"<\/p>\n

SANS Control 17, which focuses on data protection, emphasizes the importance of securing keys and certificates using \u201cproven processes\u201d defined in standards such as the National Institute of Standards and Technology (NIST) SP 800-57.\u00a0NIST 800-57<\/a>\u00a0outlines best practices for managing and securing cryptographic keys and certificates from the initial certificate request to revocation or deletion of the certificate. SANS Control 17 suggests several ways to get the most benefit from these NIST best practices. I\u2019m going to highlight just a couple:<\/p>\n