It’s hard to remember the years pre-COVID, at least as far as security is concerned. So let me take you back to the seemingly halcyon days of 2017 when an expired digital certificate on a network traffic device led to one of the most catastrophic data breaches in recent history.
Equifax, one of the three primary U.S. credit bureaus, suffered a massive data breach when attackers stole the personally identifiable information (PII) of more than 150 million Americans. That stolen data included Social Security numbers and dates of birth, along with drivers’ licenses, addresses and credit card numbers.
It all started with an expired digital certificate used by a network traffic device that the company failed to discover, let alone replace. As a result, the network device could no longer perform the vulnerability scanning that might have stopped the attackers from infiltrating the network undetected over a period of 76 (!) days as they stole PII from multiple databases.
What happened at Equifax was bad enough, but what makes the situation seem even more inexplicable was the fact that this network traffic device’s certificate had expired 10 months before the attackers even gained entry into Equifax’s system. The average consumer (and the U.S. Senate, among others) may wonder — understandably — how such a breach of security could have possibly happened.
But those of us familiar with securing PKI have a good idea why. It’s because the company lacked visibility into its digital certificate inventory. Traditionally, managing digital certificates has been scattershot. A few PKI admins would be responsible for managing digital certificates across the entire enterprise, and they typically attempted to do this using spreadsheets, in-house scripting and other point solutions that were prone to human error. None of these tools had the ability to discover or inventory certificates owned by individual business units. And more often than not, certificate owners in these business units lacked an understanding of the importance of ensuring that certificates were compliant with corporate policy and security standards.
While we don’t have a beat-by-beat analysis describing what led to Equifax’s failure, we can see how such a failure could happen. It could have been something as basic as the certificate’s expiration alerts going to an admin who no longer worked for the company. Or the certificate having been procured from a Certificate Authority (CA) that wasn’t on the company’s list of approved CAs. The possibilities are legion.
While Equifax may be the most spectacular example of the damage certificate-related outages can do, it is by no means unique. Some recent public examples of certificate-related outages include:
And these incidents represent just the tiniest fraction of the total outages that take place in organizations. In a 2021 survey conducted by DigiCert, two-thirds of companies reported they experienced at least one PKI-related service outage in the previous year, with 25% saying they had experienced five-to-six PKI-related outages in the previous six months.
This is a persistent and prevalent problem — one that is only getting worse as the number of digital certificates increases exponentially. TLS/SSL certificates are now being used to authenticate everything from websites and servers to containerized applications incorporating hundreds of microservices. The average Global 2000 company already has a certificate population in the hundreds of thousands. They can no longer treat certificate lifecycle management using manual processes and crossed fingers.
In June 2020, the National Institute of Standards and Technology (NIST) published Special Publication 1800-16: Securing Web Transactions, TLS Server Certificate Management (SP 1800-16). This framework, which was mostly written before the pandemic accelerated digital transformation initiatives, stresses that organizations need to “establish and maintain clear visibility across all TLS server certificates in their environment,” so they can carry out fundamental certificate lifecycle management tasks, including:
NIST goes on to say: “This visibility is achieved by maintaining an inventory of all TLS server certificates. A single central inventory is recommended, as it minimizes the possibility of overlooking critical TLS server certificates” (emphasis added).
Equifax’s data breach cost the company $575 million in FTC fines alone. The damage to their reputation was incalculable. Imagine if Equifax had had the foresight to deploy an effective certificate lifecycle management (CLM) solution that gave them visibility across their network. That expired certificate would have been discovered and replaced before any threat actors had the opportunity to exploit that vulnerability.
As NIST points out, the only way to achieve true visibility of your digital certificate inventory across your enterprise is to centralize it. And to do that, you need a solution that can “see” your certificates no matter who owns them, where they’re located, how they’re used and how long their lifespans are.
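To make concrete what a central inventory actually lets you check, here is an added example (not code from DigiCert, NIST or this post) that audits a small, constructed inventory for the three failure modes discussed above: a certificate that has already expired, a certificate whose expiry alerts are routed to an owner who no longer exists, and a certificate issued by a CA outside the approved list. The record fields, hostnames, owner names and CA names are all assumptions made for the example; a real inventory would be populated by discovery across every business unit rather than hand-built.

```python
"""Central certificate-inventory audit (added example, not DigiCert's or
NIST's code). It applies the checks a central inventory makes possible:
expired or soon-expiring certificates, certificates whose alert owner has
left the organization, and certificates from a CA outside the approved
list. All records, owners and CA names below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the audit is reproducible offline.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


@dataclass
class CertRecord:
    """One row of the central inventory (field names are assumed)."""
    subject: str         # hostname the certificate secures
    issuer: str          # issuing CA name as written in the certificate
    not_after: datetime  # expiry in UTC
    owner: str           # account that receives expiry alerts
    location: str        # where the certificate is deployed


# Constructed inventory. In a real deployment these rows come from network
# discovery and endpoint scans; they are hand-built here to hit each check.
INVENTORY = [
    CertRecord("vpn.example.test", "Corp Internal CA",
               NOW + timedelta(days=400), "netops", "dmz-fw-01"),
    # Expired ten months ago and owned by an account that is no longer
    # active, so its expiry alerts reached nobody: the scenario above.
    CertRecord("traffic-monitor.example.test", "Corp Internal CA",
               NOW - timedelta(days=300), "jdoe", "netmon-01"),
    CertRecord("api.example.test", "Some Other CA",
               NOW + timedelta(days=20), "appteam", "k8s-prod"),
    CertRecord("intranet.example.test", "Public CA Inc",
               NOW + timedelta(days=5), "webteam", "web-03"),
]
ACTIVE_OWNERS = {"netops", "appteam", "webteam"}       # "jdoe" has left
APPROVED_CAS = {"Corp Internal CA", "Public CA Inc"}


def check_certificate(rec, now=NOW, active_owners=ACTIVE_OWNERS,
                      approved_cas=APPROVED_CAS, warn_days=30):
    """Return the list of policy findings for one inventory record."""
    findings = []
    days_left = (rec.not_after - now).days
    if rec.not_after <= now:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append(f"EXPIRES_IN_{days_left}D")
    if rec.owner not in active_owners:
        findings.append("ORPHANED_OWNER")   # alerts would reach nobody
    if rec.issuer not in approved_cas:
        findings.append("UNAPPROVED_CA")
    return findings


def audit_inventory(inventory=INVENTORY, **kwargs):
    """Map subject -> findings for every record that has at least one."""
    report = {}
    for rec in inventory:
        findings = check_certificate(rec, **kwargs)
        if findings:
            report[rec.subject] = findings
    return report


def summarize(report):
    """Count how many certificates carry each finding type."""
    counts = {}
    for findings in report.values():
        for f in findings:
            key = "EXPIRING_SOON" if f.startswith("EXPIRES_IN_") else f
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_inventory()
    by_subject = {rec.subject: rec for rec in INVENTORY}
    for subject, findings in report.items():
        print(f"{subject} ({by_subject[subject].location}): "
              f"{', '.join(findings)}")
    print("summary:", summarize(report))
```

The orphaned-owner check is the one that spreadsheets and scattered scripts never perform, because nobody cross-references the certificate list against who still works at the company; it is only possible once ownership is recorded in the same central inventory as the expiry date and issuer.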
In my next blog post, we’ll look at how certificate management, notifications and automation can support digital trust objectives.
DigiCert Trust Lifecycle Manager is a full-stack solution that brings together CA-agnostic certificate lifecycle management, private PKI services and public trust issuance for seamless digital trust infrastructure, including the visibility you need to manage digital certificates.
Learn more about how we centralize your organization’s certificate inventory at https://www.digicert.com/trust-lifecycle-manager.