Page 30 - CDM Cyber Warnings February 2014
Revelations that the U.S. National Security Agency (NSA) can purportedly crack encrypted communications should not be a surprise. By contrast, living in a world without digital trust, without privacy and authenticity, should be shocking. Why shouldn't we be surprised by the idea that the NSA can crack encrypted communications or gain digitally trusted status?

First, the NSA outlined cryptographic guidelines for the U.S. government in its Suite B guidelines, which were released in 2005. These guidelines DO NOT include the most commonly used commercial cryptographic methods, including RSA, MD5, and SHA-1. Yet these commercial methods are frequently used to establish trust and privacy, whether we're shopping online, connecting to a cloud service, or adding a mobile device to our enterprise network. The NSA's Suite B guidelines were certainly made in light of the agency's own methods and the methods of others to break cryptography and trust. And it's the methods of others that need to be underscored. The Chinese, the Russians, and a handful of other friendly and not-so-friendly nations have some of the same capabilities as the NSA—maybe not all of the same capabilities, but definitely some. And the history of cyber weaponization shows that it takes a much shorter time than we can ever imagine for powerful weapons to make their way into the hands of the average cybercriminal.

Second, it is common knowledge that you do not need to directly attack cryptography to break private communications and gain trusted status. For example, two worms, Stuxnet and Duqu, used stolen keys and digital certificates to gain trusted status and compromise targeted systems. Reportedly launched by the United States and Israel, these attacks have since provided criminals, both nation-states and organized crime rings, with a blueprint for the perfect attack. From stealing Secure Shell (SSH) keys to corrupting FreeBSD source code or misusing Adobe's certificates to send malicious software, criminals are using against businesses the same weapons that were likely perfected by the U.S. government. Forrester recently said that "basically, every enterprise is a sitting duck" because businesses have no visibility into their use of keys and certificates. They therefore lack the ability to identify and respond to attacks that target them. Ironically, these methods were turned against the NSA by Edward Snowden. It's reported that Snowden fabricated his own keys and certificates, which enabled him to exfiltrate data from NSA systems. In an interactive chat with The Guardian, Snowden recognized the real threat posed by attacks on keys and certificates, not by direct attacks on cryptography, by stating:

    Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

While it's not surprising that the NSA can break cryptography that it long ago recommended the U.S. government should not use, criminals are not taking the time to learn how to break cryptography. Instead they are launching highly successful attacks on keys and certificates, thereby gaining trusted status, breaching systems, and stealing data - methods first perfected by the U.S. and its allies. Just as we've seen before, criminals always adapt and evolve their methods much faster than ever expected. How long before some of the cryptanalytic methods that today only a few nation-states know are in the hands of common cybercriminals? To protect themselves, businesses must be aware of how they use keys and certificates, have the ability to identify risks, and respond to and remediate attacks. Otherwise, Forrester's "sitting duck" warning will become a reality.

About the Author

Kevin Bocek, VP, product marketing

As Vice President of Product Marketing, Kevin Bocek is responsible for product positioning, go-to-market strategy, and sales enablement at Venafi. Kevin brings more than 15 years of experience in encryption and key management with trailblazing startups and market leaders including CipherCloud, IronKey, nCipher, PGP, RSA Security, Thales, and Xcert. Most recently, Kevin accelerated the market awareness of CipherCloud as the leader in cloud encryption and established IronKey as the innovator in online banking security and cloud-based BYOD management. He has authored several books, including PCI Cardholder Data Protection for Dummies and Laptop Encryption for Dummies, and co-authored research projects with The Ponemon Institute including the Cost of a Data Breach and Worldwide Encryption Trends reports. Kevin earned a BS degree in Chemistry from the College of William and Mary and an MBA from the Wake Forest School of Business.
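The visibility the article asks for starts with knowing which signature algorithms the certificates in use actually rely on. The following added example is not from the article or from Venafi: it walks the outer structure of a DER-encoded X.509 certificate with a minimal, stdlib-only parser and classifies the signature algorithm against the Suite B (ECDSA with SHA-256/384) versus RSA/MD5/SHA-1 split described above. The sample certificates are constructed stand-ins built in the block itself, not real certificates.

```python
# Signature-algorithm OIDs: the ECDSA ones Suite B allows vs. the RSA family
# (with MD5, SHA-1 or SHA-256) that the article notes Suite B omits.
SUITE_B_SIG = {"1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
               "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}
RSA_FAMILY_SIG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                  "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                  "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs, high bit = continue) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID from Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate: skipped here
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid)

def classify(cert_der):
    """Return ('suite-b' | 'non-suite-b' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm(cert_der)
    if oid in SUITE_B_SIG:
        return "suite-b", SUITE_B_SIG[oid]
    return ("non-suite-b", RSA_FAMILY_SIG[oid]) if oid in RSA_FAMILY_SIG else ("unknown", oid)

# Constructed sample input (not real certificates): empty tbsCertificate, the
# chosen AlgorithmIdentifier, and a dummy 8-bit signature BIT STRING.
def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length only (< 128 bytes)
def fake_cert(alg_oid_hex, params=b""):
    alg = der(0x30, der(0x06, bytes.fromhex(alg_oid_hex)) + params)
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00\xff"))
SHA1_RSA_CERT = fake_cert("2a864886f70d010105", b"\x05\x00")  # sha1WithRSA + NULL
ECDSA_SHA256_CERT = fake_cert("2a8648ce3d040302")            # ecdsa-with-SHA256
```

Running `classify` over every certificate a business has deployed gives the inventory the article says most enterprises lack; a real parser would also descend into tbsCertificate for validity dates and key sizes.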

CYBER DEFENSE MAGAZINE - ANNUAL EDITION 30