Adobe Hack Highlights Risks Of Managing Keys And Certificates

Reports indicate that Adobe is to rework its code-signing certificate process after discovering malware that had been signed with one of its code-signing certificates. This incident, the latest in a series of certificate-related security compromises, will add unnecessary expense for the organisations affected by it. It appears that attackers gained access to a compromised build server that was able to obtain signatures from the firm's code-signing system.

It's important to understand that code-signing certificates are essentially cryptographic identifiers confirming that an executable originates from its stated author and can therefore be allowed to run. It's a verification of trust, in much the same way that most people trust a policeman's warrant card. Because that trust is extended automatically, certificate-based compromises are becoming as common as phishing attacks and malware infections.

Because the certificate verification process is automatic, a compromised certificate in active circulation puts the integrity of an organisation's IT security resources at risk. And while most companies will probably escape any direct problems, there is a clear administrative overhead and management cost for those that continue to rely on manual enrolment and revocation processes.

Adobe's admission that one of its certificates has been hijacked is another example of why organisations that rely on this most basic trust technology need a strategy in place for quickly identifying, revoking and replacing certificates once they have been compromised.
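The identify-revoke-reject flow described above, as an added Go example (not code from the article, Adobe or Venafi): a constructed CA issues a code-signing certificate, a signature made with that certificate verifies, and the very same signature is rejected once the CA publishes a CRL listing the certificate. It assumes the loader's trust store holds only the sample root and reduces the loader's check to issuer, signature and CRL (a real loader also checks validity dates and the code-signing extended key usage).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BuildRelease issues a throw-away CA and a code-signing leaf, signs binary with the leaf's key, then has the CA
// publish a CRL revoking that leaf, as it would on learning the key was abused. All material here is constructed.
func BuildRelease(binary []byte) (root, leaf *x509.Certificate, sig, crl []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: from, NotAfter: to}
	rootDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	root, _ = x509.ParseCertificate(rootDER)
	signer := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Sample Build Server"}, NotBefore: from, NotAfter: to}
	leafDER, _ := x509.CreateCertificate(rand.Reader, signer, root, pub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	sig = ed25519.Sign(key, binary) // a genuine signature: exactly what a compromised build server can obtain
	crl, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: from, NextUpdate: to,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: from}}}, root, caKey)
	return root, leaf, sig, crl
}

// Verify is a loader's automatic check reduced to its core: trusted issuer, signature over the binary, then the CRL.
func Verify(root, leaf *x509.Certificate, binary, sig, crlDER []byte) error {
	if err := leaf.CheckSignatureFrom(root); err != nil {
		return err // not issued by a root we trust
	}
	if err := leaf.CheckSignature(x509.PureEd25519, binary, sig); err != nil || crlDER == nil {
		return err // bad signature, or (nil) no revocation data published yet
	}
	list, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	for _, e := range list.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("signature is valid but the signing certificate has been revoked")
		}
	}
	return list.CheckSignatureFrom(root) // absence from the list only counts if the CRL really came from the issuer
}
```

Until the CRL is published the signature passes every check, which is the window the article warns about; a forged CRL can only cause a rejection, never an acceptance, because the CA signature on the list is required before an absence from it is trusted.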

Continuous maintenance of certificates and keys throughout every stage of their lifecycle, from request and secure generation through renewal and revocation, is a critical function of a good key and certificate management system, whether it is carried out manually or through an automated process. Given the string of certificate- and CA-related attacks, I strongly advise companies to evaluate management best practices and automated solutions.

While it's good to hear that Adobe is revamping its code-signing certificate processes in the wake of this latest certificate compromise, the bottom line is that the extra administration involved adds to the cost of remediating this hack, as well as eroding confidence in the certificate system itself.

Unfortunately, most organisations wait until disaster strikes before taking action. Hopefully this will serve as a wake-up call to all enterprises that there is simply no excuse for not having a remediation plan in place.

Calum MacLeod has over 30 years of expertise in secure networking technologies, and as EMEA Director for Venafi is responsible for developing its business across Europe, providing solutions in the automated encryption management arena, including certificate management and enterprise key management. Before joining Venafi, Calum worked for Tufin Technologies, growing its lifecycle security management business across Europe and South Africa, and before that worked for Cyber-Ark and AEP, where he was responsible for leading some of the early SSL VPN projects in Europe. Calum has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.