The Week When Attackers Started Winning The War On Trust

The Week When Attackers Started Winning The War On Trust by Kevin Bocek.

Kevin details four news stories:

And concludes:

This is important because …
All of these news stories should be a serious wake-up call for the infosec industry. The threatscape has changed. Attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data can be undermined and circumvented.

Kevin has a good argument. The compromise of identity (identity being a favorite theme of topic maps) strikes deep into the first assumption of any security system: that an identified user has a right to be on the system. Once an intruder gets past that hurdle, … damage will follow.

Kevin advises us to stop blindly trusting certificates and keys. OK, then what?

In a separate post from April of this year, Kevin advises:

  • Know where all keys and certificates are located
  • Revoke, replace, install, and verify keys and certificates with new ones

Not without difficulty, particularly if you don’t know where all the keys and certificates are located, but necessary steps nonetheless.
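To make the first of those steps concrete, here is an added example (not from Kevin's post or any vendor tool) that sweeps a directory tree for PEM armor lines and flags private keys carrying any group or other permission bit. The function names, the 1 MiB read cap and the sample files are assumptions made for the illustration; it recognizes PEM text only, not DER, PKCS#12 or Java keystore files.

```python
import os
import re
import stat
import tempfile

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")  # PEM armor line

def classify(label):
    if label.endswith("PRIVATE KEY"):  # RSA, EC, OPENSSH, ENCRYPTED, plain PKCS#8
        return "private-key"
    return "certificate" if label.endswith("CERTIFICATE") else "other"

def inventory(root):
    """Walk root; return sorted (path, kind, exposed) tuples, one per PEM block."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # PEM files are small; cap the read at 1 MiB
            except OSError:
                continue  # unreadable file: skip it and keep sweeping
            loose = bool(st.st_mode & 0o077)  # any group/other permission bit set
            for m in PEM_BEGIN.finditer(data):
                kind = classify(m.group(1).decode("ascii"))
                records.append((path, kind, kind == "private-key" and loose))
    return sorted(records)

def demo():
    """Sweep a constructed tree; the PEM bodies are placeholders, not real keys."""
    pem = lambda label: b"-----BEGIN %s-----\nAAAA\n-----END %s-----\n" % (label, label)
    samples = {"web.crt": (pem(b"CERTIFICATE"), 0o644),
               "web.key": (pem(b"PRIVATE KEY"), 0o644),
               "ssh_id": (pem(b"OPENSSH PRIVATE KEY"), 0o600),
               "notes.txt": (b"no key material here\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), k, e) for p, k, e in inventory(root)]

if __name__ == "__main__":
    print(demo())
```

An inventory like this only answers "where"; the revoke, replace, install and verify steps still have to be done per key against whatever issued it.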

The admonition “not to blindly trust certificates” sounds great, but in practice it will come down to the potential losses from blind trust. In some cases the risk may be low enough that blind trust is a reasonable choice. In others, such as traveling executives, there will be a need for hardware-based encryption by default with no user intervention.
