The Need for Greater Flexibility and an Evolving Threatscape Put Spotlight on Keys and Certificates
The PCI Security Standard Council (SSC) recently previewed PCI DSS 3.0, the next update of the payment card standard which will be released at the North American Community Meeting in Las Vegas at the end of September. Detailed in the SSC’s highlights are a number of changes that will be important to protecting the keys and certificates used to secure payment card transactions. September’s meeting will also debut proposals for the 2014 Specific Interest Groups (SIGs), which include a key management SIG to provide more guidance for protecting the keys and certificates on which we depend for trust and privacy.
DSS 3.0 is driven by the increasingly complex threatscape targeting the entire PCI ecosystem, including attacks on keys and certificates. Forrester recently found that “there is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today’s modern world that we’ve all taken for granted.” Cybercriminals have caught on to this opportunity, as Forrester notes: “This gap enables a situation that is every attacker’s dream: 1) The enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.”
The SSC is focusing on three themes for the PCI DSS 3.0 updates:
- Education and awareness: Increase the understanding of the standard’s purpose and the steps organizations must take to comply with that standard
- Flexibility: Allow more customization to help organizations implement the right controls coupled with monitoring and testing
- Shared responsibility for security: Increase awareness of the responsibilities for securing data and the fact that there are now more access points to cardholder data, especially with the adoption of cloud services
All three themes will impact the expectations for an organization to secure and protect keys and certificates.
The following updates in PCI DSS 3.0 are of particular interest:
- Requirement #2: Maintain an inventory of system components in scope for PCI DSS. Research has shown that enterprises have, on average, 17,000 keys and certificates. Many of these will fall in scope and need to be fully documented and maintained. Although organizations may have an awareness of the keys and certificates used on public-facing web servers, most fail to comprehend the number and use of keys and certificates on application servers, databases, load balancers, payment gateways, phone systems, printers, and much more. Organizations must consider not only X.509 certificates but also SSH keys. To keep an updated inventory, organizations will need systems that can constantly and thoroughly monitor all keys and certificates.
- Requirement #2: Clarified that changing default passwords is required for application and service accounts as well as user accounts. Keys and certificates are stored in a variety of keystores, which may sometimes have default passphrases. Organizations need systems that can discover all keys and certificates and identify their application owners so that, at a minimum, organizations can change keystore passphrases from the default settings.
- Requirement #3:Provided flexibility with more options for secure storage of cryptographic keys and clarified principles of split knowledge and dual control. Securing keys is just one area of increased flexibility outlined in the PCI DSS 3.0 update; however, the additional enhancements won’t be fully understood until 3.0 is available.
- Requirement #5: Evaluate evolving malware threats for systems not commonly affected by malware. Although this update does not state exactly how organizations should detect and evaluate evolving threats, it is vitally important because cybercriminals are always trying to attack where organizations least expect those attacks. Many organizations overlook attacks on keys and certificates, but according to McAfee, in 2013 malware enabled by compromised certificates grew 10x over 2012. In February 2013, Symantec found 800 Trojans, which were designed to steal certificates, and these Trojans have been used to infect millions of computers. Self-signed certificates, used with everything from application servers to printers, pose another problem: organizations may have tens of thousands of self-signed certificates but do not have the ability to discern valid certificates from anomalous ones. Mandiant’s APT1 report found that cybercriminals had used self-signed certificates purporting to be from “IBM” or for use as “WEBSERVER” to enable their attacks and exfiltration of data. The only way to establish a baseline, detect anomalies, and evaluate new risks is to continuously monitor keys and certificates and enforce policies.
- Requirement #8: Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates. Since the last PCI DSS update, organizations have realized that password and one-time password authentication methods do not adequately protect their systems and data. Combined with the increased use of mobile devices and applications, certificate-based authentication has grown in popularity. In fact, Gartner noted that “certificate-based authentication can provide a high level of security, as well as a great UX.” Increased flexibility to use digital certificates for authentication will also require increased levels of monitoring and anomaly detection.
While the highlights revealed so far indicate that organizations will need to better demonstrate how they are securing and protecting keys and certificates, full details and understanding of these changes will need to wait until the SSC releases PCI DSS 3.0.
As mentioned, the other important event at the Las Vegas meeting will be the first presentation of 2014 Special Interest Group (SIG) proposals. These focused working groups will play an important role in removing ambiguities and improving controls for changing environments. One SIG that will be proposed for online voting in November is “Encryption Key Management Guidance.” If approved, the SIG’s work will likely increase the scrutiny Qualified Security Assessors (QSAs) give to analyzing how organizations are securing their certificates and keys.
Look for more updates and analysis from Venafi following the 2013 North America Community Meeting at the end of September.