It was recently reported that Amazon is investigating some worrisome insider attacks. When a company is hit from the inside, the instigators are usually its own employees, people who were deliberately given access and are now misusing it. Amazon suspects that some employees with privileged access to its networks and credentials have been leaking sensitive corporate data to independent merchants in exchange for money.
The Media Trust’s Niles Rowland said, “Most threats are internal and they can cause the most significant damage. And when you transplant operations to geographies where legal infrastructures are weaker, these threats can escalate. The growing number of consumer data protection laws like GDPR that are sweeping across the world will require companies to be more vigilant about how they and their third parties collect, process, share, and store personally identifiable information.”
Of course in my personal opinion, these sorts of internal attacks would be less likely to occur if Amazon paid their workers more.
But that’s beside the point. Amazon is not only a behemoth of an international retailer selling almost every type of good that can be sold in each country it operates in. Amazon is also the largest cloud services provider for enterprises, through Amazon Web Services (AWS). AWS customers often have Amazon manage their public key infrastructure for them. What if the alleged insiders are also selling the keys behind the TLS/SSL deployments that AWS manages on those customers’ behalf?
Stolen keys and certificates are frequently sold for substantial sums on the dark web. Eva Hanscom wrote about the growing problem on this blog last year. The figures below come from a six-month investigation that Venafi sponsored.
“It’s frightening what criminals can buy on the dark web. But it’s even scarier that they may be buying your own security certificates to use against you. Venafi recently sponsored a six-month investigation into the sale of digital code signing certificates on the dark web. Conducted with the Cyber Security Research Institute, our research revealed that not only are code signing certificates readily available for purchase on the dark web, they are selling for up to $1,200.”
Here’s some of the alarming information that was uncovered by the research.
The risk of certificates falling into the wrong hands is growing because organizations are, rightly, using more and more of them. But every certificate whose key is deployed without proper protection and tracking enlarges your attack surface. Over 30 billion devices will need TLS/SSL certificates in 2020, compared to about 6 billion devices back in 2015. 86% of surveyed respondents reported a significant increase in certificate usage in 2016, and growth of over 35% in certificate usage was projected for 2017.
For the $1,200 that a certificate can fetch on the dark web (the top price the investigation found, for a code signing certificate), a cyber attacker could instead have bought twelve targeted email attacks, 48 targeted DDoS attacks, or 320 stolen credit cards. A certificate can be worth many, many times more to cyber attackers than a credit card... amazing!
86% of surveyed CIOs agreed that cryptographic keys and TLS/SSL certificates are the next big target for cybercriminals. What we see definitely supports that.
In the wrong hands, your stolen certificates, together with the private keys that go with them, let cyber attackers escalate their privileges in your network, install malware, perform man-in-the-middle attacks on your data in transit, breach sensitive data, and even spoof trusted websites. Note what the attacker actually needs: the certificate itself is public and is handed to every client during the handshake, so it is the accompanying private key that does the damage. Whoever holds that key can present your certificate from any server they control and be accepted by every client that trusts its issuer, for every name the certificate covers, until it expires or is revoked and the revocation is actually checked.
Whichever cloud providers your organization works with now, you need the flexibility to switch vendors in the future. Unfortunately, if you don’t manage your own keys, your old certificates and keys could remain usable with services you no longer use: keys that a provider generated and held on your behalf are keys you can neither rotate nor prove destroyed once you leave. As I wrote previously:
“The SSL certificates that are required to encrypt your online services, such as the HTTPS-delivered web, are tied to domain names. Very often someone will own a domain name for a limited period of time. Let’s say for instance I bought the rights to hyperdimensionneptunia.ca for three years. During that three year period, I made a secure website which uses that domain name, at URL https://hyperdimensionneptunia.ca. I needed SSL certificates for the HTTPS protocol’s TLS implementation to work properly, so I had them made by a certificate authority and deployed them.
Time passes and I get bored with my JRPG video game fan website, and I don’t bother renewing my ownership of hyperdimensionneptunia.ca after the three year period. People still have SSL certificates on their PCs and mobile devices for the expired domain because they visited https://hyperdimensionneptunia.ca while I hosted a website there.
A few months after I let hyperdimensionneptunia.ca expire, someone else buys it. This presents a difficult cybersecurity problem. Some certificates have multiple domain names (‘hyperdimensionneptunia.ca’ and ‘nepneppudding.org,’ for example). Sometimes one domain name remains registered to the same owner, but the other domain name expires, which really complicates the problem further. Researchers have even found a certificate with about 700 domain names on it!”
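Both risks described above, a leaked private key that is usable from any server, and a certificate that keeps vouching for a domain you no longer hold, can be demonstrated directly. The Go program below is an added example written for this post; it is not Venafi’s, Amazon’s or AWS’s code. It assumes a throwaway in-memory CA standing in for a public one (so there is no revocation checking), issues a single certificate covering both fan-site domains from the quoted passage, and then (1) serves TLS on loopback with that certificate and key and shows that a client trusting the CA accepts it for either name, which is exactly what a buyer of a stolen key and certificate gets, and (2) checks the certificate’s subject alternative names against a constructed inventory of domains still under our control, flagging the lapsed one. The domain names, CA name and inventory are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for sans, signed by parent (self-signed when parent is nil).
// Assumption: a toy in-memory CA stands in for a public CA; nothing here checks revocation.
func issue(sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: sans[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = sans // one leaf covering several domains: the multi-SAN case
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// presentAs serves TLS on loopback with the (leaked) certificate and key, then connects as a
// client that trusts root and expects serverName. nil means the client accepted the impersonator.
func presentAs(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, root *x509.Certificate, serverName string) error {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // a failed handshake surfaces as an error on the client side
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(root)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err != nil {
		return err
	}
	return conn.Close()
}

// orphanedSANs lists the names on cert that are no longer in the set of domains we control;
// the certificate stays valid for them until it expires or is revoked.
func orphanedSANs(cert *x509.Certificate, controlled map[string]bool) []string {
	var orphans []string
	for _, name := range cert.DNSNames {
		if !controlled[name] {
			orphans = append(orphans, name)
		}
	}
	return orphans
}

func main() {
	root, rootKey, err := issue([]string{"Example Root CA"}, true, nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, leafKey, err := issue([]string{"hyperdimensionneptunia.ca", "nepneppudding.org"}, false, root, rootKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("client accepts whoever holds the key:", presentAs(leaf, leafKey, root, "hyperdimensionneptunia.ca") == nil)
	// Constructed inventory: nepneppudding.org is still ours, hyperdimensionneptunia.ca has lapsed.
	fmt.Println("SANs on domains we no longer control:", orphanedSANs(leaf, map[string]bool{"nepneppudding.org": true}))
}
```

The impersonation only works because the program holds the private key; a client given the certificate alone cannot complete the handshake. The inventory check is the part a key management process has to run continuously: a certificate that still lists a lapsed domain is a certificate to revoke and reissue, and the key behind it is one to retire, not simply forget.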
It’s absolutely crucial that you maintain full visibility of all of your TLS/SSL certificates and keys: which keys exist, which names each certificate covers, and who holds them. That’s why you need your own key management solution in order to keep control. Zero Touch PKI, part of the Venafi Control Plane for Machine Identities, can help you keep control of your PKI no matter which, or how many, cloud and web service vendors you work with in the future.