How to Prevent Digital Certificate Theft – A Lesson From a Recent Breach

On January 12, 2021, Mimecast, a company that provides cloud-based email management services for Microsoft Exchange and Microsoft Office 365 customers, reported a digital certificate compromise by a “sophisticated threat actor.” This digital certificate is used by some customers to connect Mimecast products to their Microsoft 365 Exchange software securely. The certificate verifies and authenticates Mimecast’s services to the Microsoft 365 Exchange web service.

Consequences

The Mimecraft’s digital certificate theft makes customers susceptible to Man-in-the-Middle (MITM) attacks. Attackers can use the stolen certificate to spoof trusted websites and trick clients into sharing sensitive information such as passwords. If the private key is also compromised, they can hack into the session encrypted using that particular private key eavesdrop on both client-server and server-client communication. Hackers can also sign malware using the stolen private key and inject it into systems, escaping detection.

Ways to prevent digital certificate and private key compromise

Monitoring digital certificates

Continuous, IP-based monitoring that goes as far as the network’s edge and locates every certificate in the network is the first line of defence in preventing digital certificate compromise. The monitoring software should scan every certificate’s content and alert the security team if the certificate’s digital signature is out of the ordinary – which is usually the first sign of a compromised certificate. Expired certificates pose the greatest risk to companies and are more likely to be targeted by hackers – the software should periodically alert security teams of certificates nearing expiry.

Storing certificates and private keys in a secure location

Store digital certificates and keys away from the user network in a centralized, secure location. Ideally, it should be an encrypted device such as a USB thumb drive, token, or an HSM (Hardware Security Module). This way, even if the users’ network or system is compromised, the certificates and keys remain safe. Restrict access to the storage unit to privileged users using strong passwords and RBAC.

Automating certificate and key management

Automating digital certificate processes such as discovery, renewals, enrolment, provisioning, and revocation helps avoid human errors, which is one of the significant reasons behind certificate vulnerabilities. Similarly, key management processes such as key rotation and cryptographic algorithm upgrades should be automated to tamper-proof keys.

2022 Ponemon Report: The State of Certificate Lifecycle Management in Global Organizations

Using built-in policy management

Use a certificate and key management software that automates policy management. This way, you don’t have to worry about unknowingly violating a policy at any time. Policy-based automation of key and certificate lifecycle identifies and decommissions rogue certificates, renews certificates nearing expiration, and ensures all of your processes are compliant with government and industry regulations.

Save Your Business from Certificate Expiry-Related Outages Now!

Controlling user access with identity and access management

Many security breaches occur because of accidental or intentional wrongful actions by insiders. Granularly controlling user actions and granting access privileges based on roles can dramatically bring down insider threats. Identity and access management (IAM) tools ensure only the right people get access to the right assets through single sign-on, multi-factor authentication, privileged access management, governance, and so on.

About AppViewX CERT+

AppViewX CERT+ provides certificate and key monitoring, management, and automation for multi-cloud, on-premise, and hybrid deployments. The solution is CA-agnostic, and the automation workflows are state and configuration-aware and self-serviceable. To know more, visit https://www.appviewx.com/products/cert/.

Let’s get you started on your certificate automation journey

Tags

  • certificate lifecycle management
  • Certificate Management
  • Digital Certificate Management
  • SSL Certificate Management

About the Author

Nishevitha Ramamoorthy

Product Marketing Manager - AppViewX CERT+

Nishevitha is the product marketer at AppViewX. She writes, does research, and builds strategies to communicate the product's value to prospective buyers.

More From the Author →

Related Articles

AppViewX AVX ONE CLM Citrix FAS Integration Streamlines Certificate Management to Enable Scalable User Authentication

| 5 Min Read

The Entrust Distrust Deadline is Closing In. Are you Prepared?

| 4 Min Read

Apple Follows Google’s Lead: Get Ready for 45-Day TLS Certificate Lifespans

| 7 Min Read