My all-time favorite zombie book is Max Brooks’ “World War Z.” He took the zombie apocalypse to a global scale, covering what was happening in the U.S., China, North Korea, the United Kingdom, Israel and even South Africa. The reader is fully immersed in the before, during and aftermath of a zombie apocalypse. There were several parts of his book where I had to pause reading and remind myself that it was fiction. It.Is.Not.Real.
The book shows how various world governments responded to the crisis. The United States did little to prepare because it was overconfident in its ability to thwart the zombie threat. The North Korean population simply disappeared, presumably to live in underground bunkers. Israel decided to build a tall border wall to keep all zombies out. A few countries took extreme measures at the expense of the lives of their non-infected citizens. Yet other countries didn’t believe the threat was real and did nothing until it was too late. One of my favorite lines from the book is:
“Most people don't believe something can happen until it already has. That's not stupidity or weakness, that's just human nature.”
Max Brooks, World War Z: An Oral History of the Zombie War
So why am I reviewing a zombie book when this blog is supposed to be about code signing? Well, my blog guru said I needed to write a Halloween-themed post this week! But as I started to investigate ideas for a scary-themed post, I realized that there were actually a large number of similarities between World War Z and code signing, especially in terms of how one responds to said threats.
I’ve talked to a lot of customers and prospects over the past year. It’s amazing to hear how different their responses to code signing threats are. Some choose to ignore the threat, saying it won’t happen to them. Others have responded in extreme fashion by removing developers’ ability to sign ANY code; instead, every request has to go through the InfoSec or PKI team (can we say BOTTLENECK???). See the similarities with World War Z???
But, let’s deep dive into a code signing breach that surfaced in the news this week. This time it was Avast and there was concern that their CCleaner utility was being targeted. Fortunately, this time, CCleaner wasn’t infected with malware as it was two years ago. Back then, hackers broke through the company’s ‘border wall’, found unprotected code signing keys, infected CCleaner with malware and then code signed it with the company’s legitimate code signing keys.
As I read through Avast’s blog post about this latest incident, which provided a pretty thorough description of what they found and the measures they had taken, one thing struck me. It was the measure that they didn’t take, or at least didn’t mention taking in their blog post: the critical measure of protecting their code signing process. Instead, it appears that most of their measures were around border wall security and looking for the infected. Folks, border walls don’t work for protecting code signing credentials. Hackers will find their way in somehow, or some employee will be careless and let them in inadvertently.
And looking for the infected doesn’t help with preventing it in the first place!
In today’s digital world, it is imperative for businesses to protect their code signing process. Their brand reputation, revenue and market share all depend on it. Their customers depend on it too.
Keeping code signing keys safely locked up just isn’t enough anymore. (was it ever enough?) You need measures/processes in place that guarantee that keys are only used in authorized situations (authorized code, authorized certificates, authorized signers) with specific people required to approve the use of the code signing key. You need to have a segmentation of roles and responsibilities. You need to be able to track every code signing operation (know what code was signed, with what certificate, using which code signing tool, on what machine, by what person) that happens anywhere in your company so that you can quickly spot any anomalies.
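To make the controls just listed concrete (only authorized code, certificates and signers; a separate person approving each use of the key; and an audit record of what was signed, with which certificate, by which tool, on which machine and by whom), here is a small policy gate in Python. It is an added example written for this post, not Avast’s or any vendor’s implementation; the certificate id, user names, build hosts and artifact bytes are all constructed, and "authorized code" is modelled as a set of SHA-256 digests that the CI pipeline is assumed to have produced.

```python
"""Minimal policy gate and audit trail for a code signing service (added example).

Hypothetical names, teams, certificate ids, hosts and artifact bytes are constructed
for illustration; nothing here is taken from a real product or incident.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SigningRequest:
    artifact: bytes   # the bytes the developer wants signed
    cert_id: str      # which code signing certificate/key to use
    requester: str    # who asked for the signature
    approver: str     # who approved the release
    tool: str         # signing tool invoked (e.g. "signtool", "jarsigner")
    host: str         # machine the request came from


@dataclass
class Policy:
    signers: Dict[str, Set[str]]      # cert -> users allowed to request a signature
    approvers: Dict[str, Set[str]]    # cert -> users allowed to approve one
    approved_digests: Set[str]        # sha256 of artifacts the CI pipeline produced
    known_hosts: Set[str]             # build hosts requests are expected to come from


def evaluate(req: SigningRequest, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason). Any failing rule denies the request."""
    if req.cert_id not in policy.signers:
        return False, "unknown certificate"
    if req.requester not in policy.signers[req.cert_id]:
        return False, "requester not authorized for this certificate"
    if req.approver == req.requester:
        return False, "segregation of duties: requester cannot approve own request"
    if req.approver not in policy.approvers.get(req.cert_id, set()):
        return False, "approver not authorized for this certificate"
    if hashlib.sha256(req.artifact).hexdigest() not in policy.approved_digests:
        return False, "artifact was not produced by an approved build"
    return True, "ok"


def record(audit_log: List[dict], req: SigningRequest, allowed: bool, reason: str) -> dict:
    """Append one audit entry: what code, which cert, which tool, what machine, which people."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "artifact_sha256": hashlib.sha256(req.artifact).hexdigest(),
        "cert_id": req.cert_id,
        "requester": req.requester,
        "approver": req.approver,
        "tool": req.tool,
        "host": req.host,
        "allowed": allowed,
        "reason": reason,
    }
    audit_log.append(entry)
    return entry


def sign(req: SigningRequest, policy: Policy, audit_log: List[dict]) -> bool:
    """Gate a signing request and log the decision either way; True means the key may be used."""
    allowed, reason = evaluate(req, policy)
    record(audit_log, req, allowed, reason)
    return allowed


def find_anomalies(audit_log: List[dict], policy: Policy) -> List[dict]:
    """Entries worth a human look: every denial, plus signatures made from an unexpected host."""
    return [e for e in audit_log if not e["allowed"] or e["host"] not in policy.known_hosts]


def demo() -> Tuple[List[dict], List[dict]]:
    """Run four constructed requests through the gate and return (audit log, anomalies)."""
    release_build = b"constructed release artifact bytes"
    policy = Policy(
        signers={"cert-release-2019": {"alice", "bob"}},
        approvers={"cert-release-2019": {"carol"}},
        approved_digests={hashlib.sha256(release_build).hexdigest()},
        known_hosts={"build-01", "build-02"},
    )
    log: List[dict] = []
    cert = "cert-release-2019"
    # 1. legitimate release: authorized signer, separate approver, CI-built artifact, known host
    sign(SigningRequest(release_build, cert, "alice", "carol", "signtool", "build-01"), policy, log)
    # 2. artifact differs from what CI produced (unauthorized code) -> denied
    sign(SigningRequest(release_build + b"\x00", cert, "alice", "carol", "signtool", "build-01"), policy, log)
    # 3. requester approving their own request -> denied
    sign(SigningRequest(release_build, cert, "alice", "alice", "signtool", "build-01"), policy, log)
    # 4. valid approval chain but from an unexpected machine -> allowed, yet flagged for review
    sign(SigningRequest(release_build, cert, "bob", "carol", "jarsigner", "laptop-xyz"), policy, log)
    return log, find_anomalies(log, policy)
```

The point of the fourth request is that an audit trail is only useful if someone looks at it: the request satisfied every rule, yet a release signed from a laptop rather than a build server is exactly the kind of anomaly the log exists to surface.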
"You need a code signing solution that appeals to your dev teams"
But, even doing this may not be enough. You also need a solution that is designed to appeal to your development teams. If they have to jump through hoops to use it, or if it delays what they are doing, or if they have to change the way they do things, they will find ways to bypass what you have put in place and keep a secret stash of code signing keys stored somewhere convenient. And when that happens, you’re back at square one with significant vulnerabilities in your code signing process.
In World War Z, Israel was very proud of the tall border wall that they built to keep out the zombies. They started planning and building years before the zombie apocalypse became a global concern. They were ready. Or so they thought. They weren’t prepared for those few soldiers that bent the rules to let in a few infected people.
Unfortunately, unlike the World War Z zombie apocalypse, the code signing apocalypse is real. IT.IS.VERY.REAL. How is your company responding?