The recent McAfee story, which shows the shocking scale of cyber security vulnerabilities in western governmental organisations, rumbles on, with EKCM firm Venafi advising that enterprise key and certificate management is critical.
Jeff Hudson, Venafi CEO, says that public and private sector organisations remain vulnerable to attacks on their computer networks, due to difficulties in deploying and managing security systems within the infrastructure, including encryption keys and certificates.
"This latest reported series of ongoing breaches makes an irrefutable case," insists Hudson. "The bad guys are inside. Anyone arguing with that is in denial. The malware and the intruders are operating inside organisations today undetected."
And he adds: "The best firewalls and intrusion detection obviously aren't enough. If people want to protect the data, which is what they bad guys are after, it has to be encrypted and the keys must be well managed."
For him, regardless of which countries or agencies have been launching these attacks, the bottom line is that the attacks have been successful.
The Venafi CEO says that companies need, first, to encrypt all data flowing between IT resources, second, encrypt all data that is stored and, third, enforce authentication, encryption key access control and audit logging for all local and remote access to this data.
The biggest headache, says Hudson, stems from rotating and resetting encryption keys, authentication credentials and passwords, which many organisations regularly ignore. In addition, private or asymmetric encryption keys, which protect data flowing between IT resources, are exposed to multiple risks, due to lax distribution processes behind the firewall, as well as poorly implemented and infrequent rotation of keystore passwords.
The ongoing nature of the recently revealed attacks underscores the danger of such poor practices, he observes, which allows attackers to continue capitalising on a single cracked or exposed key year after year.
Hudson points to major corporations, such as Lockheed Martin, L3, NHS, Epsilon and EMC, which have also experienced widely publicised unauthorised access problems. He makes the point that hackers are increasingly targeting private keys, not only as a means for stealing customer details or IP, but also as valuable assets.
With the private keys that sign a company's software, hackers can launch all sorts of new malware and attacks, he warns.
"Automating the authentication process is a logical first step, because any system that allows remote access to … servers must be as secure as possible and ensure that [others] do not gain access to the data," states Hudson.
"Once deployed, these key-management systems need to marry the highest level of security with the most efficient administration. But, provided that the required infrastructure is in place, it is perfectly possible to manage mission-critical security assets, like keys and certificates, as well as the security needs of tens of thousands of staff members with relative ease," he concludes.