STE WILLIAMS

As every security professional quickly learns, trusted relationships must be managed. And digital certificates – a standardized, encrypted exchange of credentials between two endpoints – are the medium for managing trust online for more than two decades.

Digital certificates aren’t particularly complex from a technical perspective. But they do sport a built-in expiration date that if ignored can bring operations to a screeching halt. While most users manage their certificates manually, a host of products and services have emerged to simplify the task. More on this in a minute.

Digital certificates originally started to keep buyers and sellers in sync in early e-commerce applications. But certificates have evolved in the past few years as essential for all websites, thanks to a change in Google’s search algorithms that give greater preference to URLs using digital certificates. Sites with digital certificates show up in the browser bar as https://; a small green padlock graphic shows up in the URL bar of some Web browsers for TLS-protected sites. Non-certificated sites render their address with plain, old http://.

In addition to Google search changes, the Internet of Things (IoT) is also making the market more active. Digital certificates are increasingly being tapped by organizations to better secure IoT’s galaxies of instrumented, automated endpoints, experts say.

“Every IoT device needs a certificate to pair up with the mothership that [shows] all the rights and protections are there,” notes David Collinson, senior director and analyst at Gartner.

Recent statistics pegged the 2018 global market value of digital certificates at $76.2 million, forecasted to grow about 10% annually to $123.8 million in 2023, according to Research and Markets.

Nuts and Bolts
In a nutshell, digital certificates help organizations ensure identity, privacy, or both. They establish “mutual nonrepudiation”; a sender can’t deny sending a message or transaction, and a receiver can’t deny receiving it. While a would-be user can create his own digital certificate, an individual or an organization more typically applies to a trusted third-party called a certificate authority (CA).

Using the X.509 standard, which is essentially an encryption standard for how Public Key Infrastructure (PKI) information gets formatted and exchanged, the certificate gets issued for a fee with a number of unique criteria, including a serial number, subject (applicant’s name), usage information, as well as public key, associated signature algorithm, and the signature of the issuer.

The certificate also contains “not before” and “not after” fields, which specify how long it’s valid. The maximum term of a digital certificate is 27 months – 825 days, to be exact, though most CAs will limit the term to 24 months to help certificate holders avoid inadvertent expiration.

While digital certificates once used Secure Sockets Layer (SSL) as their communications protocol, that’s since given way to Transport Layer Security (TLS) as the means for two entities to exchange PKI information and verify the integrity of their connection.

Managing Your Certificates
Certificates need to be managed … just ask any Mozilla user. While it’s not clear whether the issue was neglect or something else, the add-ons for the Firefox Web browser were disabled in early May after the supporting digital certificates expired. Mozilla started requiring digital certificates for add-ons in mid-2016. A workaround was issued within a week, but not before Mozilla incurred lots of trouble tickets and grumbling in user forums.

If you’re managing fewer than 100 digital certificates, you can likely use a time-honored management template: the spreadsheet. Some infosec pros get even more basic than that with pen and paper, but a digital document is more easily shared.

“I have a lot of clients with thousands of [endpoints] who do this on a spreadsheet,” says John Pironti, president of security consultancy IP Architects. “They just put them in the calendar with an expire alert.”

If your workload is exponentially larger, a variety of digital certificate management products are available from vendors including Venafi, Webroot, and CyberReason. They make sure certificates are renewed before their expiration dates and promise seamless security and connectivity.

Both Pironti and Collinson warn digital certificate users and the staff who manage them to be vigilant about attacks aimed at endpoints, especially in IoT applications where there are huge volumes of small devices that are also widely distributed.

“They create an inadvertent vulnerability because it puts keying material out to intermediary devices,” Pironti explains. “If an adversary can compromise the device, then they get access to the keying materials.”

And bad actors have proved they’ll then leverage the underlying cryptoware, which leads to scourges like ransomware. It’s one of many tradeoffs associated with encryption organization have to resolve as they deploy it more widely, Pironti warns.

Related Content: 

• Getting Up to Speed with “Always-On SSL”
• What’s Next After HTTPS: A Fully Encrypted Web?
• New Zombie ‘POODLE’ Attack Bred from TLS Flaw 
• Abusing X.509 Digital Certificates for Covert Data Exchange 

Image Source: peshkova via Adobe Stock

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/keep-your-eye-on-digital-certificates/b/d-id/1335374?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Containers — virtualized applications that are key to DevOps — are maturing as critical parts of enterprise application infrastructures. And even though security strategies are maturing, organizations are still struggling to have security keep up with the other facets of container deployment.

A new report, sponsored by StackRox and based on research by AimPoint Group, shows that more than a third of companies haven’t begun to implement a container security policy yet. While 15% say their company is in the planning stage with its container security strategy, 19% say that they haven’t even gotten that far.

Part of the problem, says StackRox CEO Kamal Shah, is the complexity of the environment into which containers are being deployed. While many people look at containers as a technology for the cloud, Shah says, “We found that 70% are running containers on-prem and 53% are running in hybrid mode, which means running it on-premises as well as on one of the public cloud platforms.”

Companies are turning to containers because the speed of deployment in containers is critical for organizations that are implementing agile or DevOps disciplines. And studies by other researchers show that some container practices, such as downloading and reusing popular pre-existing application images, don’t insulate a company from security issues.

Jerry Gamblin, principal security engineer at Kenna Security, scanned the 1,000 most popular application images and found that over 60% of the top Docker files held a vulnerability with at least a moderate risk score, and over 20% of the files contained at least one vulnerability that would be considered high risk. [Note: A container is a virtualized application running on a system. An image is the file containing that application and its configuration files before it is launched.]

When looking at the source of vulnerabilities, the StackRox report says that poor deployment is the principal problem. According to the report, 60% of executives say that misconfigurations create the greatest security risks.

“The challenge in this new world is that there are a lot of options, a lot of controls that you have to configure, and there are a lot of configuration options,” Shah says. “On top of that, what makes matters worse is that a lot of the controls that exist are not enabled by default.”

Those controls are important because 43% of respondents say that runtime is the phase of the container life cycle that worries them the most. Though the report indicates that fixing issues is most cost-effective in building or deployment phases, the lack of a container security strategy hinders many companies in making those fixes.

Procedures and tools are available for better container security, if companies will employ them. Researchers at Alcide conducted surveys of best container practices and found that a handful of processes can make a huge difference in container security. Those best practices include familiar items like regular software updates and secure access, as well as container-specific practices, including namespace isolation (keeping containers completely separate from one another) and automated tools for scanning and setting container configurations.

Related Content:

• Answer These 9 Questions to Determine if Your Data Is Safe
• Malware in PyPI Code Shows Supply Chain Risks
• The Truth About Vulnerabilities in Open Source Code
• The Truth About Your Software Supply Chain
• Serverless Computing from the Inside Out

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/cloud/container-security-is-falling-behind-container-deployments/d/d-id/1335392?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data is the new currency. Businesses will thrive or wither based on their ability to properly handle, protect, and utilize data. And although the importance and potential of data is not in question, the priority of data protection within security programs still has a way to go. 

For far too long, the fundamental thinking around enterprise cybersecurity has circled around external threats. If we build a strong perimeter of firewalls and scrutinize traffic crossing the boundary, then we’ll keep the “good” in and the “bad” out. More modern security programs still have doubled down on external threat actors with endpoint security software, antivirus sandboxes for email attachments, and mobile device management. 

In the past, these investments made sense in order to pursue a defense against general threats and malware from “the outside.” But technology has evolved, and what matters now is different. In today’s world, fueled by rich web applications, corporate interconnectivity, cloud systems, contract workers, and remote access, the notion of “outside” and “inside,” “us” and “them,” is dead. In the world of a CISO who can’t focus on every problem, risk prioritization is king. So, instead of attempting to thinly spread the security focus across a wide array of externally facing infrastructure, we must ask ourselves this question: “What do we fundamentally need to protect most?” The answer is data.

While serving as CISO of Twitter, I instituted a “data-first” security program. The goal of this was simple. From our risk analysis, the item most important to our company was the protection of sensitive data against any form of inappropriate or unauthorized access or manipulation. Since data was the priority, we applied the focus of our security efforts as close to the data as possible and then moved outward. This meant asking questions like: “How is the data protected at rest?” “What services/people can access the data?” and “How do we authenticate the services and detect malice or deviations?”

We asked these questions even though the data was deep inside the internal network. By inverting the traditional security model, we focused on the controls that actually protect the data first. Afterward, we moved outward in “concentric circles” to provide layers of defenses across the entire stack used to access the data (that is, the servers, workstations, humans, etc.).

The reason the data-first security thinking is so important is that the traditional “outside-in” perimeter security approach makes too many assumptions that no longer hold true. If the strength of your security relies on a strong perimeter, then what happens if an internal employee is compromised or goes rogue? Do the attackers have full lateral movement and access to data? If so, then the perimeter security approach is only one security failure away from a massive company data breach.

Because of data protection regulations such as GDPR and the California Data Protection Act, a shift to a data-first security program makes a lot of sense. But this isn’t just a movement driven by compliance. Available data supports the need to shift to a data-first security approach:

• The “2019 Verizon Data Breach Report“ shows for one of its measured sectors that “Privilege Misuse and Error by insider account for 30 percent of breaches.”
• A 2019 data privacy survey conducted by Opinion Matters found that “83 percent of security professionals believe that employees have put customer [personally identifiable information] and business sensitive information at risk of exposure through error.” 
• The “Insider Threat 2018 Report“ from Cybersecurity Insiders found that “53 percent [of surveyed organizations] confirmed insider attacks against their organization in the previous 12 months.”

The takeaway here is clear. There is a real threat from within the organization by individuals who are granted some level of trust and access. With this reality in mind, there’s no choice other than to move security as close to the data as possible. 

How to Move to a Data-First Approach
First, a sound security program must have risk modeling and strategic risk prioritization processes in place. Without such components, the security organization will be unable to focus on the most important issues to make meaningful changes. Second, conduct an updated risk prioritization and assessment exercise. Be sure that the value of your data assets and the likelihood of an internal threat are appropriately weighted by statistics discussed above and other information specific to your organization. In this exercise, be sure to explore different potential paths of compromise that lead to data access and consider if existing security controls provide any mitigating protection. 

The likely output of this activity will include new prioritized risks focused on data access controls and visibility of data use. With this new data in hand, reach out to other business leaders to build support for the new focus. As security leaders know, it’s imperative to have allies across the business; security is not a single org activity and requires company support. Finally, as you embark on identifying new security controls, processes, and technology, be sure to maintain your laser focus in the face of other security “fires.” Question whether your and your team’s time is being spent on the highest-priority risks and most valuable activities for your company.

Implementing a data-first security program will require effort and reprioritization, but it will also enable your company to combat modern-day threats and protect your most important assets. In addition, it will also enable flexibility so the business can more easily adopt new technologies knowing that the control structure put in place is based on protecting core assets first, independent of the surrounding technology.

Related Content:

• The State of IT Operations and Cybersecurity Operations
• 7 Hot Cybersecurity Trends to Be Highlighted at Black Hat
• Answer These 9 Questions to Determine if Your Data Is Safe
• The Commoditization of Multistage Malware Attacks

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Michael Coates is the CEO and Co-Founder of Altitude Networks. Previously, Michael was the Chief Information Security Officer at Twitter. Michael has also served for six years on the OWASP global board of directors, three of those years as the chairman.Prior to Twitter, … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/cisos-must-evolve-to-a-data-first-security-program/a/d-id/1335334?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

More than half of IT and security professionals consider their security operations center (SOC) ineffectual, and the long hours, alert overload, and incomplete visibility into their IT infrastructure has 65% considering quitting their jobs.

The saga of the stressed-out SOC has been well documented over the past few years as organizations have amassed a cache of security tools amid an ever-expanding threat landscape where they don’t have the time, resources, or expertise to fully tap into the tools nor keep up with all of the data they generate. Meantime, nearly 70% of organizations studied in a new report by the Ponemon Institute consider their SOC essential or very important to their security posture.

“There was a general concern or lack of confidence in the SOC being able to achieve its important role because of burnout, the crazy hours people are working, and a whole bunch of reasons,” including lack of visibility into their IT networks, says Larry Ponemon, president of the Ponemon Institute and author of the SOC study.

A recent report from Exabeam, meanwhile, echoed some similar concerns by SOC analysts about their ability to keep up with the attacks coming at them: Their biggest time-suck and pain points were reporting and documentation (33%), alert fatigue (27%), and false positives (24%).

Julian Waits, general manager for security analytics firm Devo, which sponsored the new Ponemon study, says the incomplete visibility of systems and threats is a major issue for SOC analysts. He says some SOC analysts he knows admit they feel defeated: “Going to work each day and knowing you’ve been compromised” yet not knowing just how, he says. “What’s disturbing to me is analysts spend so much time chasing things but the least amount of time thinking strategically.”

According to the Ponemon report, most SOCs are not at all or only somewhat aligned with the business side of the organization, which can leave them out of the loop for business and funding support. Less than one-third of the security budget on average is used for the SOC, and some 4% of organizations say more than half of their budget goes to the SOC.

The result of immature and ineffective SOCs: dangerously long times to resolve and remediate an attack. Some 42% of the SOC analysts say it takes months or years on average to resolve a hack. That mean time to resolution, as it is called, occurs at 22% of organizations in a matter of hours or days. That’s not only costly operationally, but financially. IBM reported in its recent data breach study that for organizations that contain a breach in less than 30 days, the average cost is nearly $1 million less.

“What we’ve seen within our customer base is … that they had an incident that occurred a year ago and they only recently discovered it. Then they began the process of remediation,” Waits says.

Cloud Shines
There was a ray of hope: Some 53% of the organizations say their SOC’s IT infrastructure is mostly cloud-based, or a mix of cloud and on-premises. Around 47% say their infrastructure is on-premises. “I see outsourcing as very sensible. It gives you a greater opportunity for standardizing,” Ponemon says, and it provides easier and more timely access to the latest technologies.

He predicts that most SOCs within the next two to three years will operate mostly in the cloud, via managed security services and outsourcing.

Waites adds that large organizations likely will continue to maintain their own physical SOCs with some cloud-based services but still run and control at least the data side of the operation.

What to Do About It
The report recommends that security leaders nip burnout in the bud by automating workflow as much as possible, and adjusting work schedules and adding more resources. Ponemon also says stronger alignment between the SOC and the business is key: “Often, the needs of the business and the needs of the SOC are in alignment — everyone wants a stronger security posture but not at the expense of an oversubscribed budget. Leaders should create opportunities for leaders of each silo to discuss and prioritize objectives, and better address the turf and silo issues between the SOC and IT security operations,” the Ponemon report says.

Also, ensure that SOC team members have the right tools and they are provided enough visibility into the network to do their jobs and that tools interoperate with their security systems, the report recommends.

Related Content:

• With Data Breach Costs, Time Is Money
• 7 Stats That Show What It Takes to Run a Modern SOC
• 4 Reasons Why SOC Superstars Quit
• Death of the Tier One SOC Analyst

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/cloud/suffering-soc-saga-continues/d/d-id/1335376?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple