On January 12, 2021, Mimecast, a company that provides cloud-based email management services for Microsoft Exchange and Microsoft Office 365 customers, reported a digital certificate compromise by a “sophisticated threat actor.” This digital certificate is used by some customers to connect Mimecast products to their Microsoft 365 Exchange software securely. The certificate verifies and authenticates Mimecast’s services to the Microsoft 365 Exchange web service.
The Mimecraft’s digital certificate theft makes customers susceptible to Man-in-the-Middle (MITM) attacks. Attackers can use the stolen certificate to spoof trusted websites and trick clients into sharing sensitive information such as passwords. If the private key is also compromised, they can hack into the session encrypted using that particular private key eavesdrop on both client-server and server-client communication. Hackers can also sign malware using the stolen private key and inject it into systems, escaping detection.
Ways to prevent digital certificate and private key compromise
Monitoring digital certificates
Continuous, IP-based monitoring that goes as far as the network’s edge and locates every certificate in the network is the first line of defence in preventing digital certificate compromise. The monitoring software should scan every certificate’s content and alert the security team if the certificate’s digital signature is out of the ordinary – which is usually the first sign of a compromised certificate. Expired certificates pose the greatest risk to companies and are more likely to be targeted by hackers – the software should periodically alert security teams of certificates nearing expiry.
Storing certificates and private keys in a secure location
Store digital certificates and keys away from the user network in a centralized, secure location. Ideally, it should be an encrypted device such as a USB thumb drive, token, or an HSM (Hardware Security Module). This way, even if the users’ network or system is compromised, the certificates and keys remain safe. Restrict access to the storage unit to privileged users using strong passwords and RBAC.
Automating certificate and key management
Automating digital certificate processes such as discovery, renewals, enrolment, provisioning, and revocation helps avoid human errors, which is one of the significant reasons behind certificate vulnerabilities. Similarly, key management processes such as key rotation and cryptographic algorithm upgrades should be automated to tamper-proof keys.
Using built-in policy management
Use a certificate and key management software that automates policy management. This way, you don’t have to worry about unknowingly violating a policy at any time. Policy-based automation of key and certificate lifecycle identifies and decommissions rogue certificates, renews certificates nearing expiration, and ensures all of your processes are compliant with government and industry regulations.
Controlling user access with identity and access management
Many security breaches occur because of accidental or intentional wrongful actions by insiders. Granularly controlling user actions and granting access privileges based on roles can dramatically bring down insider threats. Identity and access management (IAM) tools ensure only the right people get access to the right assets through single sign-on, multi-factor authentication, privileged access management, governance, and so on.
About AppViewX CERT+
AppViewX CERT+ provides certificate and key monitoring, management, and automation for multi-cloud, on-premise, and hybrid deployments. The solution is CA-agnostic, and the automation workflows are state and configuration-aware and self-serviceable. To know more, visit https://www.appviewx.com/products/cert/.