Here are the SANS 20 CSC 17: Data Protection updates:
- 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
- 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise.
- 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
- 17-14: Define roles, responsibilities, and lifecycle for encryption keys.
Reducing Risk with Quick Wins
Too often, cyberattacks succeed because basic security controls are absent or misconfigured. The Critical Security Controls for Effective Cyber Defense, frequently referred to as the SANS 20, apply the 80/20 rule to cybersecurity: a blueprint of prioritized guidance to reduce risk. As attacks on keys and certificates accelerate, and as vulnerabilities like Heartbleed are discovered and exploited more frequently, Critical Security Control 17: Data Protection has been updated with guidance on how to monitor keys and certificates, enforce policy over them, and prepare to respond to incidents involving them.
Threatscape Drives Updates
Updates to the Data Protection control come at a critical time in the evolution of PKI, as the industry establishes what is and is not trusted in the digital world. The following drivers make key and certificate security a requirement for data protection:
- SSL/TLS attacks accelerating: Gartner expects 50% of attacks to use SSL/TLS by 2017.
- Rapid growth in certificates: The average Global 5000 organization has over 17,000 keys and certificates,[1] and data protection and privacy requirements, together with Google's prioritization of HTTPS, are driving further growth in SSL/TLS use.
- Blind spot with keys and certificates: Over half of security teams admit they do not know where their keys and certificates are or how they are used.[1]
- A top cybercriminal target: Intel believes the next wave of underground marketplaces will sell stolen certificates, which already sell for $1,000 apiece.
- Shorter certificate lifetimes: Google and others are shortening certificate lifetimes to 3 months or less, reducing the window of exposure when a certificate is compromised.
- New security standards: NIST and CAs are replacing SHA-1 with SHA-2. Experts believe SHA-1 collision attacks are now feasible,[4] and browsers will flag SHA-1 certificates as less trusted in 2015.
- New vulnerabilities: Research from Netcraft, Venafi, and others shows that most organizations have not fully remediated Heartbleed. Because the bug could expose private keys from server memory, remediation requires replacing all potentially exposed keys and certificates, not just patching OpenSSL.
Scalable Controls Reduce Risk
To keep up with the growing use of keys and certificates, controls need automation, monitoring, reporting, policy enforcement for issuance and renewal, workflow, escalations, and remediation.
What capabilities do you need to map your security program to the CSC 17: Data Protection updates?
17-2: Use publicly-vetted algorithms, and 17-11: Perform an annual review of algorithms and key lengths
- Scanning for all SSL/TLS, SSH, MDM/EMM, WiFi, and VPN use
- Continuous discovery of all certificates and trust stores
- Detailed reporting and escalation of violations, vulnerabilities, and risks
17-10 Only allow approved Certificate Authorities (CAs) to issue certificates
- Continuous discovery of all certificates and trust stores
- Automated, policy-enforced certificate issuance from authorized CAs
- Policy-enforced, self-service portal for certificate issuance and renewal
- Detailed reporting and escalation of violations, vulnerabilities, and risks
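The 17-2/17-11 checks (algorithm and key length) and the 17-10 check (approved issuing CA) are the same kind of per-certificate policy audit a discovery scanner runs over everything it finds. The Go program below is an added example written for this page; it is not code from the original article or from any vendor product. It mints a small, constructed inventory in memory (an approved CA, an unapproved CA, a compliant leaf, a weak leaf, and one hand-filled legacy record) and reports each violation tagged with the control it maps to. The policy values (2048-bit RSA minimum, 398-day maximum validity, the CA names) and the rule tags are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the thresholds the annual review (17-11) and the approved-CA
// rule (17-10) produce; the values in DefaultPolicy are assumptions.
type Policy struct {
	MinRSABits  int
	MaxLifetime time.Duration
	ApprovedCAs map[string]bool // issuer CommonName -> approved
}

// Finding is one policy violation against one certificate.
type Finding struct{ Subject, Rule, Detail string }

var DefaultPolicy = Policy{
	MinRSABits:  2048,
	MaxLifetime: 398 * 24 * time.Hour,
	ApprovedCAs: map[string]bool{"Example Corp Issuing CA": true},
}

// weakSigAlgs are the signature algorithms the review retires (MD5 and SHA-1 based).
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// Audit checks one certificate against the policy and returns every violation found.
func Audit(c *x509.Certificate, p Policy) []Finding {
	var out []Finding
	add := func(rule, detail string) { out = append(out, Finding{c.Subject.CommonName, rule, detail}) }
	if weakSigAlgs[c.SignatureAlgorithm] { // 17-2: publicly vetted algorithms only
		add("17-2", "signed with retired algorithm "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok { // 17-11: key length review
		if bits := pub.N.BitLen(); bits < p.MinRSABits {
			add("17-11", fmt.Sprintf("RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits))
		}
	}
	if !p.ApprovedCAs[c.Issuer.CommonName] { // 17-10: approved issuing CAs only
		add("17-10", "issued by unapproved CA "+c.Issuer.CommonName)
	}
	if life := c.NotAfter.Sub(c.NotBefore); life > p.MaxLifetime { // 17-11: validity review
		add("17-11", fmt.Sprintf("validity %v exceeds policy maximum %v", life, p.MaxLifetime))
	}
	return out
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a key plus a real, parsed certificate in memory (constructed test data);
// pass nil parent and parentKey for a self-signed CA.
func mint(cn string, bits int, life time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(life),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildSample returns the constructed inventory: a compliant leaf, a weak leaf (1024-bit RSA,
// five-year validity, unapproved issuer) and a legacy record filled in by hand so the SHA-1
// check can run without minting a SHA-1 certificate.
func BuildSample() (compliant, weak, legacy *x509.Certificate) {
	goodCA, goodKey := mint("Example Corp Issuing CA", 2048, 10*365*24*time.Hour, true, nil, nil)
	rogueCA, rogueKey := mint("Rogue Test CA", 2048, 10*365*24*time.Hour, true, nil, nil)
	compliant, _ = mint("app.example.com", 2048, 90*24*time.Hour, false, goodCA, goodKey)
	weak, _ = mint("legacy.example.com", 1024, 5*365*24*time.Hour, false, rogueCA, rogueKey)
	legacy = &x509.Certificate{
		Subject: pkix.Name{CommonName: "old.example.com"}, Issuer: pkix.Name{CommonName: "Example Corp Issuing CA"},
		SignatureAlgorithm: x509.SHA1WithRSA, PublicKey: compliant.PublicKey,
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	return compliant, weak, legacy
}

func main() {
	compliant, weak, legacy := BuildSample()
	for _, c := range []*x509.Certificate{compliant, weak, legacy} {
		for _, f := range Audit(c, DefaultPolicy) {
			fmt.Printf("%-20s %-6s %s\n", f.Subject, f.Rule, f.Detail)
		}
	}
}
```

In a real scan the certificates fed to Audit would come from TLS endpoints, SSH hosts, and trust stores rather than from mint. Two caveats a practitioner would add: matching the issuer CommonName is only a convenience, since anyone who stands up a rogue CA can copy a name, so the enforced 17-10 check should verify the chain to the approved CA's own key (for example with Certificate.CheckSignatureFrom); and the thresholds belong in a version-controlled policy that the annual 17-11 review updates, not in the scanner's source.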
17-14: Define roles, responsibilities, and lifecycle for encryption keys
- Hierarchical policies integrated with enterprise identification systems
- Certificate ownership assigned to individuals or groups
- Customizable workflows
- Detailed reporting and escalation of violations, vulnerabilities, and risks