Recently published research by McAfee, which shows a shocking, multi-year attack campaign against more than 70 governmental organizations in the US and other Western nations, highlights the security problems faced by public sector agencies.
Security experts believe this may be the largest coordinated attack ever launched. The involved hackers have over the past, several years worked successfully to infiltrate the computer networks of thousands of companies, organizations and governments, stealing reams of intellectual property, military information and state secrets.
The public and private sector remain vulnerable to attacks like these due to difficulties in properly deploying and managing security systems within the infrastructure, including encryption keys and certificates.
Let’s be honest and see things as they are truly. This latest reported series of on-going breaches makes an irrefutable case. The bad guys are inside. Period, end of story. Anyone arguing with that is in denial. The malware and the intruders are operating inside organizations today undetected.
The best firewalls and intrusion detection obviously aren’t enough. If people want to protect the data, which is what they bad guys are after, it has to be encrypted and the keys must be well managed.
It’s interesting that recent media reports point an accusing finger at state-sponsored terrorists and governments. Regardless of which country or agency has been launching these attacks, the bottom line is that the attacks have been successful where government secrets have been leaked.
As some of the attacks on US government and United Nation servers date back five years, it is clear that public sector agencies need to significantly rethink their security practices.
The most logical method to prevent these kinds of leaks: first, encrypt all data flowing between the agencies’ IT resources, second, encrypt all data that is stored, and third, enforce authentication, encryption key access control and audit logging for all local and remote access to this data.
While the public sector has largely embraced encryption to secure data from prying eyes, they have struggled to implement adequate access controls and audits for the keys that unlock that data—largely due to the vast number of staff members that need to access the agency’s data in order to complete their duties.
The biggest headache stems from rotating and resetting encryption keys, authentication credentials and passwords, which many organisations—regularly ignore. In addition, private or asymmetric encryption keys—which protect data that flows between IT resources—are exposed to an array of risks due to lax distribution processes behind the firewall as well as poorly implemented and infrequent rotation of keystore passwords.
These private keys to the kingdom are frequently protected with the same password across hundreds of administrative keystores. Administrators also often have direct access to the keystores, duplicate the keys in them for distribution, and reuse the keys on other systems and applications throughout the infrastructure.
This represents a significant security risk, and likely violates regulatory mandates for data protection in most organizations. The ongoing nature of the recently revealed attacks underscores the danger of such poor practices, which allows attackers to continue capitalizing on a single cracked or exposed key year after year.
To truly lock down their resources, public-sector agencies must deploy a key management system that can help them automate the process in order to implement best practices. And any system that is deployed needs to be bulletproof and capable of operating in environments with large staffs on a consistently reliable basis.
Since the security system needs to stop staff from becoming victims of their own actions, an automated key management system offers the best option. Such a system mandates the use of the highest levels of security, which human administrators often neglect due to the management headaches and inherent vulnerabilities when human/manual processes are involves.
It also ensures quick and efficient key rotation—both on-going and when a potential exposure mandates an immediate response.
The need for such guidance is not overstated. Recently, major corporations, such as Lockheed Martin, L3, NHS, Epsilon, EMC and others, have also experienced unauthorized access that has been the subject of significant, mainstream press coverage.
In addition, hackers are increasingly targeting private keys, not only as a means for stealing customer details or intellectual property, but also as valuable assets themselves. With the private keys that sign a company’s software, hackers can launch all sorts of new malware and attacks.
Without leveraging best practices and automated management processes, organizations will never gain complete control of their key and certificate inventories, resulting in significant security, compliance and operational risk—risk that will be realized in access breaches unless organizations, both in the private and public sector, take action.
Automating the authentication process is a logical first step, because any system that allows remote access to government servers must be as secure as possible and ensure that foreign governments do not gain access to the agency’s data.
Once deployed, these key-management systems need to marry the highest level of security with the most efficient administration. But, provided that the required infrastructure is in place, it is perfectly possible to manage the mission-critical security assets like keys and certificates as well as the security needs of tens of thousands of staff members with relative ease.