Cloud-based email management company Mimecast recently disclosed that a threat actor obtained one of its digital certificates and used it to gain access to some of its clients’ Microsoft 365 accounts.
Chris Hickman, chief security officer at Keyfactor, a leading provider of secure digital identity management solutions, says:
“These attacks are not about FireEye, SolarWinds or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual. The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials. They are leveraging cryptographic assets to gain network access and evade security controls.
The current trendline indicates that parts of the industry are still treating certificates as ‘just certificates’ rather than cryptographic assets that play a more important role in hardening network security. Technology alone cannot prevent breaches like this – companies need to ensure that they have the right controls and policies in place and follow industry best practices in order to defend themselves against the evolving threat landscape. Companies need to take a hard look at how they manage and secure digital certificates and cryptographic keys in order to better protect themselves and their customers.
Here are some best practices to mitigate misuse of keys and certificates:
- Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
- Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
- Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
- Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
- Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.”
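The inventory and policy items in the list above (issuer, owner, installation host, and never placing code-signing keys on workstations, web servers or build servers) can be checked mechanically. The following is an added example, not code from Keyfactor or from this article; the inventory rows, the approved issuer names and the host-role labels are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per installed certificate.
INVENTORY = [
    {"cn": "api.example.test", "issuer": "Corp Issuing CA 1", "owner": "platform-team",
     "host": "web-01", "host_role": "web-server", "usage": "tls", "not_after": "2021-03-01"},
    {"cn": "build-signer", "issuer": "Corp Code Signing CA", "owner": "release-eng",
     "host": "ci-runner-07", "host_role": "build-server", "usage": "code-signing", "not_after": "2022-01-01"},
    {"cn": "legacy.example.test", "issuer": "Unknown Self-Signed", "owner": "",
     "host": "app-03", "host_role": "app-server", "usage": "tls", "not_after": "2021-01-25"},
]

# Assumed organisational policy: only these CAs may issue certificates.
APPROVED_ISSUERS = {"Corp Issuing CA 1", "Corp Code Signing CA"}
# Host roles on which a code-signing private key must never reside.
DISALLOWED_SIGNING_HOST_ROLES = {"developer-workstation", "web-server", "build-server"}


def check_certificate(cert, today_iso, expiry_window_days=30):
    """Return the policy findings for one inventory entry (empty list = compliant)."""
    today = date.fromisoformat(today_iso)
    findings = []
    if cert["issuer"] not in APPROVED_ISSUERS:
        findings.append("untrusted-issuer")
    if not cert["owner"]:
        findings.append("no-owner")          # nobody accountable for renewal/revocation
    not_after = date.fromisoformat(cert["not_after"])
    if not_after < today:
        findings.append("expired")
    elif not_after - today <= timedelta(days=expiry_window_days):
        findings.append("expiring-soon")     # flag before it causes an outage
    if cert["usage"] == "code-signing" and cert["host_role"] in DISALLOWED_SIGNING_HOST_ROLES:
        findings.append("signing-key-on-disallowed-host")
    return findings


def audit_inventory(inventory, today_iso):
    """Map certificate CN -> findings for every non-compliant entry."""
    report = {}
    for cert in inventory:
        findings = check_certificate(cert, today_iso)
        if findings:
            report[cert["cn"]] = findings
    return report


if __name__ == "__main__":
    for cn, findings in audit_inventory(INVENTORY, "2021-01-19").items():
        print(f"{cn}: {', '.join(findings)}")
```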
Keyfactor Announces Strategic DevSecOps Partnership With Infinite Ranges
Posted in Commentary with tags Keyfactor on January 19, 2021 by itnerd

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, today announced a strategic partnership with digital transformation solutions provider Infinite Ranges. The collaboration enables enterprise teams to overcome the DevSecOps gap through the implementation of best practices and automated solutions.
A recent survey of more than 600 IT and security professionals identified likely occurrences of code signing and key misuse in enterprise environments over the next two years; 73% of respondents experienced unplanned downtime and outages due to mismanaged digital certificates. Many enterprises employ Public Key Infrastructure (PKI) and digital certificates in DevOps workflows to secure code through its lifetime. However, traditional PKI relies on manual processes, making it ill-equipped for agile process requirements.
Infinite Ranges’ specialization as an implementation partner for both Keyfactor and Hashicorp Vault provides a unique offering within the market.
Keyfactor provides cloud-hosted PKI-as-a-Service infrastructure through integrated certificate and key management, secure signing and secure IoT device design. The platform provides discovery, integration and orchestration capabilities, enabling teams to gain complete crypto-agility, extensibility and visibility.