
2012 IT security predictions: blanket encryption or apocalypse now

By Jeff Hudson.

2011 provided us with every type of security drama possible from major insider breaches such as WikiLeaks and the UBS insider, to the Norwegian Army data breach, the Sony hack and the demise of DigiNotar. It has truly been a game of two halves – the first half manic and dramatic, the second half steady but still tension-filled with its unfolding stream of incidents.

It was the year of the third-party trust compromise, and the year of the bring your own device (BYOD) mobile revolution. Both of these will have their parts to play in 2012.

These two ‘personalities’ have more in common than you might think. For example, both engendered 2012’s emerging personality, ‘the year of ubiquitous encryption’, which is already taking shape. And both relate to a common security problem: attacks from within an organization’s systems. They also share the solution to this problem: improved processes and management.

The year of the third-party trust compromise
The year of the third-party trust compromise followed a year with ominous security implications: 2010, the year that saw Stuxnet come to public awareness. This worm, which some call a cyberweapon, lies dormant and hard to detect on infected systems, waiting for a trigger to unleash it. Stuxnet was a warning shot, announcing the arrival of highly sophisticated, authenticating malware capable of targeting physical infrastructures. One of Stuxnet’s strategies was to use an SSL certificate to authenticate to the infected system’s software environment.

Although industry pundits dismissed Stuxnet as a one-time occurrence, it was actually a proof of concept. Duqu (aka Son of Stuxnet) arrived in November 2011. Malware of Stuxnet’s ilk allows criminals to operate on the inside. In 2010, this ability foreshadowed one of 2011’s most significant security events.

In the first quarter of 2011, the previously unimaginable happened: hackers breached RSA’s security and compromised the root of this third-party trust provider’s SecurID technology. Virtually all SecurID tokens immediately became untrustable. Companies are still in the process of replacing these tokens, and the costs of doing so have been astronomical. In the ensuing months, four CAs fell prey to attackers (Comodo, GlobalSign, Digicert, OpenSSL, and DigiNotar), cementing 2011’s identity as the year of the third-party trust compromise.

As a parting gift, this 2011 personality left three valuable lessons:

1) Third-party trust is an integral piece of our worldwide security infrastructure. It is important: the world we know cannot operate without it.

2) Because the world relies on digital certificates and the CAs (third-party trust providers) that sign them, digital certificates and CAs are among the highest-value targets for hackers. If hackers can compromise CAs and create counterfeit certificates, they can perfectly assume others’ identities.

3) In 2012, organizations must be prepared for an epidemic of third-party trust compromises, which they were not in 2011. Such compromises were not even represented in 2011 risk analyses and mitigation plans. The DigiNotar compromise virtually shut down the Dutch government for days as it scrambled to find and replace its affected certificates.

Unfortunately, many organizations are still using DigiNotar certificates, even though these certificates provide a near-zero level of trust. Why? The answer to this question is alarming: organizations don’t know which CAs issued the certificates they’re using and they don’t know where these certificates are or how many they have in their environments.
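The inventory step this paragraph calls for, as an added example that is not from the article or from Venafi: Go code that walks a PEM bundle, groups certificates by the common name of the issuing CA, and lists the certificates signed by a CA the organisation has stopped trusting. The CA names and hostnames used are constructed placeholders, and MakeCertPEM only fabricates test certificates so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// InventoryByIssuer groups every CERTIFICATE block in a PEM bundle by the CN of
// the CA that signed it: the first thing to know when a CA is distrusted.
func InventoryByIssuer(bundle []byte) (map[string][]string, error) {
	inv := map[string][]string{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys and other PEM blocks in the bundle are skipped
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err // report, rather than silently drop, anything unparseable
		}
		issuer := cert.Issuer.CommonName
		inv[issuer] = append(inv[issuer], cert.Subject.CommonName)
	}
	return inv, nil
}

// Affected lists the subjects signed by a distrusted CA, i.e. certs to replace.
func Affected(inv map[string][]string, distrusted ...string) []string {
	var out []string
	for _, ca := range distrusted {
		out = append(out, inv[ca]...)
	}
	return out
}

// MakeCertPEM builds a constructed certificate for subject with issuer as the
// signing CA's name (a stand-in for certificates found on real servers).
func MakeCertPEM(subject, issuer string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run against the concatenated PEM files an organisation actually deploys, the map answers both questions the paragraph raises: which CAs issued the certificates in use, and how many there are per CA.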

The year of the BYOD mobile revolution
The year’s other personality evolved from an explosion of mobile devices in the workplace. By the end of 2011, BYOD was becoming a corporate mantra. Board members and employees alike injected iPhones, iPads, Android (and other) devices into the corporate landscape - all with the same mandate: that they had to be supported by corporate IT and information security departments. The top-to-bottom BYOD movement reflected the consumerisation of IT. It accelerated throughout the year. It was and is unstoppable.

The split is narrower than it looks
How did 2011’s two personalities work together to shape 2012’s? The answer hearkens back to 2010’s Stuxnet exposure. Firewalls, intrusion detection systems (IDSs), virus scanners, and vulnerability scanners are not perfect, and this lack of perfection makes organizations vulnerable. The CAs suffered devastating compromises because the malware that harvested passwords and keys and accessed systems was inside the CAs’ organizations, avoiding detection. And human beings were knowingly or unwittingly helping the malware do its job.

With the BYOD revolution taking hold, the opportunity for ‘bad guys’ to get inside any organization on the planet is going up logarithmically. Organizations have no physical control of these devices, which, as everyone knows, makes them completely vulnerable to compromise. In other words, the combination of 2011’s two personalities yields a weakness that only an oblique approach can fix.

2012: the year of ubiquitous encryption
If the bad guys are on the inside, and it is becoming easier for them to get there through an explosion of systems, applications and devices that connect with and share valuable information, what can organizations do to stop them?

In most cases, hackers compromise systems to steal data. Intellectual property, financial data, and personal data are all valuable commodities: hackers can use them for financial gain, to maliciously expose secrets, and to deliberately harm reputations. Security systems in 2011 focused on keeping bad guys out. But now the bad guys are on the inside. Now an organization’s best defence is to encrypt data everywhere - whether the data is at rest or in motion - because encrypted data isn’t recoverable without its encryption key. Hence, 2012 will go down in IT security history as the year of ubiquitous encryption.

In conclusion
The split-personality year of 2011 will logically lead organizations to make sure they are protected in 2012, the year of ubiquitous encryption. If 2011’s leaked and stolen data had been encrypted, and the encryption keys stored in a secure area away from the data, the data would have been worthless to the bad guys. The compromised CAs would have considered the breaches inconsequential, and may not even have reported them. Again, it’s important to understand that encrypted data isn’t usable without its encryption key. With keys that are separate and safe from prying eyes, the bad guys can take all the data they want: because they’ll never know what they have.

With data and applications moving to the cloud, where they are fully accessible to all devices and can move from one physical location to another almost instantly, ubiquitous encryption becomes even more important. Even if malefactors get their hands on mobile devices (which are relatively easy to steal and compromise), encrypted data makes the thefts trivial.

Author: Jeff Hudson is CEO of Venafi.

• Date: 1st January 2012 • Region: World • Type: Article • Topic: ISM
