
C’mon Baby Hear The Noise

5 Sep 2012 12:00 AM | Anonymous

Venafi’s EMEA Director Calum MacLeod examines why the Certification Authorities are still playing fast and loose with our safety and outlines the key steps to safeguard your business from disaster

Certificate Authorities (CAs) are still allowing themselves to fall victim to hackers, despite the fundamentally catastrophic effects that a compromised CA can produce. Even after the DigiNotar disaster, recent research shows that CAs are still being compromised regularly. As there are more than 650 CAs trusted by commercial browsers, it only takes one of them to be compromised for hundreds of thousands of websites to be potentially under attack. It is unfortunately the case that, with 650 CAs able to issue certificates, the probability is that at least some of them will, even after DigiNotar and Comodo, still not properly secure their infrastructure, allowing the relentless hackers a way in.

Access, an international non-governmental organisation (NGO) and digital rights advocate maintains: “If a single one of the 650 public certificate authorities (CAs) that your systems support, by default, is compromised the entire system is compromised - so keeping 100% of the CAs at 100% compliance and 100% impervious from zero-day attacks is a very hard problem indeed.” I’d add, especially when you don’t control them!
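The point above is that your systems trust every one of those CAs by default, whether or not you have ever heard of them. As an added example (not code from the original article or from Venafi), the stdlib-only Python below lists the roots the local default trust store hands to a default SSL context and checks them against an allowlist of issuer organisations you define. The organisation names, dates and the SAMPLE_ROOTS entries are constructed for this example; on a real host the output is whatever your platform ships.

```python
"""Audit the CA roots a host trusts by default against an explicit allowlist.
Added example using only the Python standard library."""
import ssl
import time
from typing import Dict, Iterable, List, Optional

# The dict shape ssl.SSLContext.get_ca_certs() returns for each root.
CertDict = Dict[str, object]


def name_attr(name, key: str) -> str:
    """Return one attribute (e.g. 'organizationName') from an X.509 name as the
    ssl module represents it: a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def describe(cert: CertDict) -> str:
    """Short human label for a root: 'Organisation / CommonName'."""
    subj = cert["subject"]
    return f"{name_attr(subj, 'organizationName')} / {name_attr(subj, 'commonName')}"


def load_trusted_roots() -> List[CertDict]:
    """Roots the platform default trust store gives a default SSLContext.
    Roots kept in a capath directory only appear after first use, so on some
    systems this list is a lower bound on what is really trusted."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def audit_roots(roots: Iterable[CertDict], allowed_orgs: Iterable[str],
                now: Optional[float] = None) -> Dict[str, List[str]]:
    """Classify each trusted root as 'allowed' (its organisation is on the
    allowlist), 'unexpected' (trusted by default but not on the list) or
    'expired' (past notAfter at time `now`, in epoch seconds)."""
    now = time.time() if now is None else now
    allowed = set(allowed_orgs)
    result: Dict[str, List[str]] = {"allowed": [], "unexpected": [], "expired": []}
    for cert in roots:
        label = describe(cert)
        # notAfter is a string such as 'Jan 01 00:00:00 2035 GMT'
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            result["expired"].append(label)
            continue
        org = name_attr(cert["subject"], "organizationName")
        result["allowed" if org in allowed else "unexpected"].append(label)
    return result


def _root(org: str, cn: str, not_after: str) -> CertDict:
    """Build a constructed self-signed root entry in the ssl module's dict shape."""
    name = ((("countryName", "GB"),), (("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name, "version": 3, "serialNumber": "01",
            "notBefore": "Jan 01 00:00:00 2010 GMT", "notAfter": not_after}


# Constructed sample roots (names and dates are made up for this example).
SAMPLE_ROOTS: List[CertDict] = [
    _root("Example Trust Services", "Example Root CA", "Jan 01 00:00:00 2035 GMT"),
    _root("Unlisted Certificates Ltd", "Unlisted Root CA", "Jan 01 00:00:00 2035 GMT"),
    _root("Stale Trust Co", "Stale Root CA", "Jan 01 00:00:00 2012 GMT"),
]

# Hypothetical policy: the only issuer organisation this business expects.
POLICY_ALLOWED_ORGS = {"Example Trust Services"}


if __name__ == "__main__":
    roots = load_trusted_roots()
    report = audit_roots(roots, POLICY_ALLOWED_ORGS)
    print(f"{len(roots)} roots trusted by default on this host")
    for bucket, labels in report.items():
        print(f"{bucket}: {len(labels)}")
        for label in labels:
            print(f"  {label}")
```

Run it as a script to see how many roots your own platform trusts and how many fall outside your allowlist; the "unexpected" bucket is the list of organisations that could issue a certificate for your domains without you ever being consulted.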

As breaches have tragically become a regular occurrence, the different incidents seem to be turning into a blur as they add up. What might be shocking then is that most breaches actually go unnoticed, and even unreported, because many believe that these breaches are not newsworthy. According to the Electronic Frontier Foundation, public CAs are revoking approximately 50,000 certificates a month – this is nothing short of criminal. It is astonishing that in these days of heightened security, when the Olympic Games are protected by massive security, tweeting too light-heartedly about security can get you locked up and air travel has almost ground to a halt because of security – some CAs are as well protected as cheese on a mousetrap.

Preparing for, and responding to, a CA breach has to be a priority for every organisation. However, no one said it is going to be easy. With several recent breaches to draw on, I believe it is important to learn and apply some practical lessons.

Filtering out the ‘Noise’

So what lessons, if any, can we learn and apply to the challenges we face from cyber-terrorism?

1) Too much information:

We all suffer from information overload. Many of us add to this deluge by subscribing to news-feeds, twitter, and various other information sources that effectively drown us in words. In addition we all receive “junk mail” from a variety of sources. And many of us – myself included – regularly contribute to the “essential reading” that you receive.

The problem is that, amongst all this ‘noise’, a vital piece of information is hidden. Take the time to at least skim messages instead of just deleting them. You never know what might catch your eye and give you an early warning!

2) There are bigger problems:

The problem with a ‘to do’ list is that it’s never, or very rarely, finished. Sound familiar? However, with many people feeding into fix lists it’s always easier to deal with the person shouting the loudest while someone who isn’t clamouring for attention, but could have the bigger issue, gets forgotten. Another common problem is the person prioritizing the items doesn’t fully understand the implications of the risks.

For example, those responsible for PKI and security have at best an “arm’s length” relationship with their IT colleagues, and as a result have little or no appreciation for the challenges that IT faces. On the other hand, IT regards security teams with suspicion, and is often preoccupied with the fear that security just wants to take over responsibility.

This requires action by senior management at the CIO, CSO, CFO, CTO level to ensure that different groups cooperate rather than compete.
