DigiNotar Attack: A Reminder To Focus On Basics

Sure, it's a big, scary world right now, but IT leaders need to stay focused on comprehensive security programs.
It would appear, on the surface, that subverting Bank of America's DNS server would be a non-trivial task, even for an attacker who has knocked over a CA. At least we hope it is. But as a long-time security consultant pointed out to me yesterday, you needn't subvert the bank to make this happen; you simply need to knock over an ISP's DNS server, or any DNS server that a lot of bank customers use. It's a much softer target and still lets the hacker fake out those bank customers.

Impact and Remediation

Most IT professionals I spoke with agree that "man in the middle" attacks are their biggest concern. Davis points out that having the private key for a CA lets a hacker decrypt communications, especially because "almost all private SSL certificates don't use passwords." (Passwords present an automation challenge to system administrators, since the server would require a human to key in the password at boot time.)

Most IT leaders are worried about their customers getting faked out. It's bad for business when user passwords and transactions are intercepted. But don't forget about SSL-based software updates and drivers, and even VPNs that rely on SSL certificates. Having a compromised key in those areas is an operational nightmare because it exposes your core business.

If there were a scalable certificate revocation protocol, such as OCSP, the Online Certificate Status Protocol, that would be fantastic. With a protocol like that, a client could be aware, in almost real time, of a bogus certificate, even if it were signed by the CA. One contributor told me: "The current situation is like having userID without any password reset or account lock-out function." Without it, certificates issued by a trusted CA that turns out to be compromised need some manual intervention. For organizations with lots of workstations, that means lots of manual work or reliance on systems management tools.

Updates from the browser makers may beat worried IT managers to the punch. Mozilla, for example, removed DigiNotar "in response to their failure to promptly detect, contain, and notify Mozilla of a security breach." Mozilla also sent a tough-love letter to all CAs telling them to get their act together or be subject to what Mozilla calls "whatever steps are necessary to keep our users safe."

The Chromium project team (which works on Google Chrome and ChromeOS) has some new security features that may be more interesting to the CISOs in your organization than to IT leadership. And I'm already getting press releases from vendors claiming they have the answer to the problem. But products will not save you any more than the CAs stepping up their security protocols will save you.

Acute security events are going to happen. Floppy disks, CD-ROMs, and USB sticks were the vector once upon a time. Then many of us, myself included, stood on soapboxes and proclaimed that user workstations were the biggest threat, since they were often unprotected and sat on privileged networks. We were ignored until the era of malware began.

Once that era began, those who practiced multi-layer security were better off than those who had a single focus on virus protection or perimeter defense or anomaly detection or even user education. Again and again, security pros find that those IT organizations impacted the most are those that paid little attention to security basics, not so much the more esoteric stuff. Indeed, the interim report commissioned to investigate exactly what happened at DigiNotar concludes that a lack of attention to the basics--virus protection, updated patches, strong passwords--contributed to that breach.

My point is that the DigiNotar breach is just the latest in a huge laundry list of security threats. But it's a big enough problem with enough interested parties that it's going to be addressed except for some edge cases. The question for IT pros is: Are you going to be among those who stay vigilant in multiple areas, or are you going to focus on the problem du jour?

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at [email protected] or at @_jfeldman.

