Over 90 percent of organizations get hit by cyber-attacks in a calendar year. Among these, Gartner estimates close to 50 percent deal with SSL-based attacks. Most of them can be prevented with a well-documented SSL/TLS certificate management strategy. And the pillar of any certificate management strategy is visibility.
Introduction
Encryption has become standard for enterprises that want to secure their data and applications. When a cyber-attack happens, it’s common to blame the security device or service. But this is not helpful when the primary reason for the attack is a lapse in the management of these security mechanisms. SSL/TLS certificates are a good example of one such security service. They protect access to your public-facing applications and customer data by encrypting traffic from end to end. But when these certificates are not managed properly, they can be turned to malicious ends. Your data is only as secure as your certificates. When mismanagement enables unauthorized access to these certificates, the security they are supposed to provide to your applications is moot.
Browsers’ fight against HTTPS-less websites and the expanding range of use cases for SSL/TLS have resulted in an increase in adoption of SSL/TLS certificates. Google reports that by the end of 2016, up to 68 percent of web pages loaded over the Chrome browser worldwide used HTTPS. This surge in SSL/TLS adoption has also inadvertently increased the attack surface, where cyber criminals can hide in your encrypted traffic.
Also, the increasing use of free certificates has called into question the trust that SSL provides. A secure website is not necessarily a safe website, because it has become easy for anyone to obtain a free certificate without scrutiny. A large number of phishing sites hold legitimate certificates obtained from cheap certificate authorities and use them to trick unsuspecting users into downloading malware onto their computers.
Some of these phishing sites are registered under subdomains of legitimate enterprises. Hence, encrypted packets represent an imminent threat to your enterprise when you don’t manage and inspect the underlying PKI regularly.
The three things cyber criminals want you to do
When deploying SSL/TLS certificates, enterprises often overlook the importance of properly documenting every certificate. Undocumented installations can lead to poor visibility of certificates in your environment, and this can give malicious users a free pass into your applications. By gaining visibility into your certificate management, you can prevent cyber criminals from exploiting your SSL/TLS certificates.
Using free certificates
As the saying goes, you get what you pay for. Free certificates can save you a lot of money in the short run but can prove costly in the long run. Developer and DevOps teams may prefer free certificates from entities such as Let’s Encrypt because there are minimal barriers, but this can end up compromising security. Often, the deployment of these certificates goes undocumented, and the certificates eventually fall out of compliance with your security policies. We recommend avoiding free certificates and always documenting every new certificate procurement.
Retaining unused certificates
Certificates can become unused for a variety of reasons. They may have been compromised, corrupted, or replaced by a new certificate, or the corresponding application may have fallen out of use. Whatever the reason, if the certificate is not deleted, it becomes a vulnerability. When certificates are managed manually, these vulnerabilities multiply because most unused certificates go undocumented. Hackers can then use these unused certificates to gather sensitive information from your applications. We recommend identifying and tracking unused certificates and removing them promptly to avoid complications.
Possessing deprecated certificates
Cybercriminals are leveraging evolving computing power to break cryptographic techniques, hashing algorithms, and key lengths. A PKI refresh can be a daunting task. It becomes even harder if deprecated certificates were not documented earlier. You are likely to end up with deprecated certificates even after a migration. This helps cybercriminals gain access to your applications easily, and they will remain hidden until you become aware of the deprecated certificates. We recommend documenting every certificate procurement in your infrastructure, and when in doubt, contact your CA for comprehensive information on all certificates you have procured.
From these three common mistakes, it is evident how visibility helps you overcome these challenges. Documenting and managing each certificate manually becomes cumbersome when the numbers run into hundreds of certificates. But visibility does not need to be a difficult practice. It can be as simple as two clicks when you have the right certificate management tool. With AppViewX’s Certificate Lifecycle Automation solution, you can do just that.
Visibility with AppViewX’s Certificate Lifecycle Automation solution
Visibility with the AppViewX Platform comes in three stages: Discovery, Reporting and Insights, and Audit and Compliance.
Discovery
The first stage is Discovery, where you can discover certificates in ways that can guarantee that you inventory every certificate available in your environment. Certificates can be discovered using various modes, such as IP addresses/subnets, managed devices (such as ADCs), URLs, or certificate authorities. The discovered certificates are then presented in an easy-to-maintain inventory with important information displayed, such as associated application, requester info, and expiration date.
Reporting and Insights
Most application outages are caused by unplanned certificate expiration. With Reporting and Insights, you gain an application-centric view of all your certificates profiled by their expiration dates, CAs, or validations based on policy (set by you, such as SHA-1, RSA 1024-bit keys, etc.). You can get alerts on expiring and non-compliant certificates through various reports. You can set the application to automatically renew expiring certificates and ensure that you never miss a certificate expiration again.
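A small inventory-and-policy checker covering the Discovery and Reporting stages described above. This is an added example, not AppViewX’s own code: the `CertRecord` fields, the discovery source names, the policy thresholds and the fingerprints are constructed here, and the only policy values taken from the page are the SHA-1 signature and RSA 1024-bit key checks.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy thresholds are assumed values; the page names SHA-1 and RSA 1024-bit as examples.
POLICY = {"min_rsa_bits": 2048, "expiry_warn_days": 30,
          "banned_sig_algs": {"sha1WithRSAEncryption", "md5WithRSAEncryption"}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the report is reproducible

@dataclass
class CertRecord:
    fingerprint: str      # SHA-256 of the DER certificate; the inventory key
    subject_cn: str
    issuer_cn: str
    not_after: datetime   # timezone-aware UTC
    sig_alg: str
    key_type: str
    key_bits: int
    sources: set = field(default_factory=set)  # discovery modes that saw this cert

def build_inventory(discoveries):
    """Merge (source, record) pairs into one record per fingerprint, so a certificate
    found by both a subnet scan and a URL scan is listed once, with both sources."""
    inventory = {}
    for source, rec in discoveries:
        inventory.setdefault(rec.fingerprint, rec).sources.add(source)
    return inventory

def check_policy(rec, now=NOW, policy=POLICY):
    """Policy findings for one certificate; an empty list means compliant."""
    findings = []
    if rec.not_after <= now:
        findings.append("EXPIRED")
    elif rec.not_after - now <= timedelta(days=policy["expiry_warn_days"]):
        findings.append("EXPIRING_SOON")
    if rec.sig_alg in policy["banned_sig_algs"]:
        findings.append("WEAK_SIGNATURE:" + rec.sig_alg)
    if rec.key_type == "RSA" and rec.key_bits < policy["min_rsa_bits"]:
        findings.append(f"WEAK_KEY:RSA-{rec.key_bits}")
    return findings

def report(inventory, now=NOW, policy=POLICY):
    found = {fp: check_policy(r, now, policy) for fp, r in inventory.items()}
    return {fp: f for fp, f in found.items() if f}  # non-compliant certificates only

def sample_discoveries():
    """Constructed inventory data (not real certificates), one tuple per discovery hit."""
    utc = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    return [
        ("url", CertRecord("fp-aa", "shop.example", "Example CA", utc(2024, 6, 15), "sha256WithRSAEncryption", "RSA", 2048)),
        ("subnet", CertRecord("fp-aa", "shop.example", "Example CA", utc(2024, 6, 15), "sha256WithRSAEncryption", "RSA", 2048)),
        ("adc", CertRecord("fp-bb", "legacy.example", "Old CA", utc(2025, 1, 1), "sha1WithRSAEncryption", "RSA", 1024)),
        ("url", CertRecord("fp-cc", "api.example", "Example CA", utc(2024, 1, 1), "ecdsa-with-SHA256", "EC", 256)),
        ("subnet", CertRecord("fp-dd", "www.example", "Example CA", utc(2025, 6, 1), "sha256WithRSAEncryption", "RSA", 4096)),
    ]
```

Running `report(build_inventory(sample_discoveries()))` flags the certificate expiring within 30 days, the SHA-1/RSA-1024 certificate and the already-expired one, while the duplicate discovery of `fp-aa` collapses to a single record with two sources.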
Audit and Compliance
The third stage is Audit and Compliance, where you audit each certificate procurement, its usage, and role-based access to keys and policies; this gives you the final piece of the visibility puzzle. Delegate role-based access control to certificates and create audit trails for each activity. Enforce strict policies for your certificates and keys, such as the recommended cryptographic technique, hashing algorithm, and key length. Your sensitive keys are stored in a FIPS 140-compliant environment to ensure maximum security.
Conclusion
Implementing HTTPS has become easier and cheaper than ever before. Businesses have started leveraging the power of digital certificates to secure their applications and users, but they need to take appropriate measures to avoid a hasty implementation. These certificates will be your last line of defense against hackers, and you need to be absolutely sure that your own defense is not used against you. This guide outlines the common mistakes an organization is prone to make while implementing HTTPS in its environment and a few recommendations on how to overcome them. This information can help you take control of your certificates and prevent malicious users from hiding their exploits in your encrypted traffic.
Learn More
To find out more about SSL/TLS certificate management solutions from AppViewX, please visit
https://www.appviewx.com/solutions/certificate-lifecycle-automation/