Four Must Know Certificate and Key Management Threats
Prepared for: Intelligent People

Use of Certificates and Keys in Enterprise Environments

    (Diagram: certificate authorities issue the certificates that enterprise systems use for server authentication and secure communications, including client-side authentication of servers.)

© 2013 Venafi

Certificate and Key Management Challenges

    (Diagram: the certificate authorities and the certificates they issue across the enterprise environment shown on the previous slide.)

Downtime Risk

Certificate-based Downtime: Expired Certificate

    (Diagram: a web server certificate expires and users see a browser error message; an application server certificate expires and the application goes down.)

Certificate-based Downtime: Expired Intermediate Root Certificate

    (Diagram: an intermediate root certificate issued by CA1 expires, so every server certificate chained through it fails at the same time, causing multiple simultaneous application outages.)

Certificate-based Downtime: Trusted Root Certificates Not Updated

    (Diagram: the organization moves from CA1 to CA2 and deploys new certificates from CA2, but clients still have only the trusted root certificates from CA1 installed, so the new certificates are not trusted and services go down.)

Certificate-based Causes of Downtime

    • Scenarios
      – Certificate expires
      – Intermediate root certificate expires
      – Root certificates not updated
    • Causes
      1. No inventory of certificates to track expiration
      2. The correct administrators are NOT notified of impending expiration
      3. Administrators are notified but do not take action
      4. Certificates are renewed but not installed
      5. Certificates are installed but applications are not restarted
      6. No tracking or management of intermediate root certificates
      7. No tracking or management of trusted roots

Security Risks

The Threat is Evolving

    Stuxnet, Duqu, Adobe: attackers stole private keys from two Taiwanese companies and from Adobe and used them to sign code.
    CA compromises, Buster: attackers compromise or dupe certificate authorities into issuing fraudulent certificates for further attacks.
    Flame: attackers exploited MD5 to create a fake Microsoft CA certificate and then signed code with it.

    Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk.

Public Key Infrastructure (PKI): The Foundation of Digital Certificates

    (Diagram of the PKI components: a Root CA and its root certificate; an Issuing CA whose issuing CA certificate is signed by the root; a Registration Authority that vets subjects; the End Entity Certificate issued to the Subject; CRLs published to a CRL Distribution Point and an OCSP Responder for revocation checking; and the Relying Party that validates the end entity certificate against the root certificate.)

Private Key Compromise Risk

Putting Private Keys at Risk

    (Diagram: two servers, Keystore 1 and Keystore 2, both protected with password = abc123.)
    • The same password is used on multiple keystores.
    • Keystore passwords are not changed regularly.
    • Private keys and passwords are not changed when admins leave the organization.
    • Admins manually manage private keys, making it possible to copy them.
    • Private keys are manually passed to other groups and admins (performance monitoring, customer experience monitoring, security monitoring) for distribution.

CA Compromise Risk

Recent Public Certificate Authority & Fraudulent Certificate Incidents

    Year   Incident
    2001   VeriSign issues a Microsoft Corporation code signing certificate to a non-Microsoft employee.
    2008   Thawte issues a certificate for Live.com to a non-Microsoft employee.
    2008   Comodo issues a mozilla.org certificate to StartCom.
    2008   Organization forges VeriSign RapidSSL certificates.
    2011   Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when a registration authority is compromised.
    2011   StartSSL CA compromised.
    2011   DigiNotar compromised; 531 fraudulent certificates issued. The Dutch government experiences major service outages.
    2011   Boeing CA compromised.
    2012   Microsoft CA certificates forged by exploiting MD5 (Flame).
    2013   Buster: DigiCert issues a code signing certificate to a bogus company.

    * The Electronic Frontier Foundation uncovered many more unpublicized CA incidents by analyzing CRLs from public CAs.

NIST Alert on CA Compromise
    http://csrc.nist.gov/publications/nistbul/july-2013_itl-bulletin.pdf

    "These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of a fraudulent certificate."
                                                                   - NIST ITL Bulletin, July 2012

Using Fraudulent Certificates: A Two-Phased Attack

    1. Get fraudulent certificate(s).
    2. Use the fraudulent certificate(s) for nefarious purposes.

CA Compromise and Fraudulent Certificate Scenarios

    A. Impersonation: the hacker, posing as a legitimate subject, tricks the RA into issuing a fraudulent certificate.
    B. RA Compromise: infiltrate the RA or steal its credentials and authorize fraudulent certificates.
    C. CA System Compromise: malware or other infiltration is used to get a fraudulent certificate signed by the CA (without obtaining a copy of the CA private key).
    D. CA Key Theft: a stolen or derived copy of the CA private key is used to issue fraudulent certificates.

Man-in-the-Middle

    Normal: Bob connects to Alice.com directly and verifies the authenticity of the server using its certificate (Subject: Alice.com, Issuer: CA1, Alice.com's public key; Alice.com holds the matching private key).

    Attack: Bob is redirected through Eve's server and presented with a fraudulent certificate (Subject: Alice.com, Issuer: CAx, Eve's public key; Eve holds the matching private key). Eve can view all encrypted data.

Impersonation

    Normal: Bob authenticates to Alice.com using his certificate (Subject: Bob, Issuer: CA1, Bob's public key; Bob holds the matching private key).

    Attack: Eve authenticates as Bob to Alice.com using the fraudulent certificate (Subject: Bob, Issuer: CAx, Eve's public key; Eve holds the matching private key).

Forge Digital Signatures

    Normal: Bob digitally signs documents authorizing fund transfers and sends them to Alice, who verifies them with Bob's certificate (Subject: Bob, Issuer: CA1, Bob's public key; Bob holds the matching private key).

    Attack: Eve is able to forge Bob's signature using the fraudulent certificate (Subject: Bob, Issuer: CAx, Eve's public key; Eve holds the matching private key).

Fallout from a CA Compromise: All Certificates Must Be Replaced

    (Diagram: every certificate issued by the compromised CA1 must be replaced, and the organization must move to a new CA, CA2.)

Weak Algorithm Risk

Flame and MD5: Attack on Microsoft

    1. Microsoft impersonated
       • Focused on an MD5 certificate
       • Certificate was remanufactured using a well-known attack
       • Man-in-the-middle was set up
       • Targeted machines detected no difference
    2. Services compromised
       • Microsoft Licensing Services compromised
       • Microsoft Update Services compromised
       • Machines still thought they were working securely with Microsoft
    3. Fake code signing
       • Code was signed using the fake, remanufactured certificate
       • Windows allowed the malware to spread quickly and run
    4. Information stolen
       • Malware stole small parts of files
       • Information was sent to 80 different URLs
       • Once the data was analyzed, the malware was instructed to return and get interesting files

Are Your Doors Open?

    • Nearly 1 in 5 certificates relies on the outdated, "hackable" MD5 algorithm
    • Not a hypothetical risk
    • Security doors are open today
    • IDS, IPS, AV and firewalls do not close these doors (a forged certificate appears authentic to them)
    • Legal and risk management departments are mandating that MD5 certificates be removed

Summary

    • Your organization uses certificates broadly for SSL/TLS today, and use is growing
    • Attackers are increasingly targeting certificates and PKI (a non-hypothetical risk)
    • Risks include:
      – Downtime
      – Private key compromise
      – CA compromise
      – Algorithm breakage
    • Lack of certificate and key management puts your organization at risk

Next Steps

    • Attend the second half of this webinar series: "5 Must Haves to Prevent Encryption Disasters", Feb 20, 10am EST, 7am PST, 3pm GMT
    • Download NIST's ITL Bulletin "Preparing for and Responding to CA Compromise": www.venafi.com/NIST
    • Questions? Paul Turner, info@venafi.com

Discussion

Unpublished Work of Venafi, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Siena Perry
 
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...Farooq Khan
 
It's 2012 and My Network Got Hacked - Omar Santos
It's 2012 and My Network Got Hacked  - Omar SantosIt's 2012 and My Network Got Hacked  - Omar Santos
It's 2012 and My Network Got Hacked - Omar Santossantosomar
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxawakish
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 

Similaire à Four Must Know Certificate and Key Management Threats That Can Bring Down Your Business (20)

Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 
Do you trust that certificate?
Do you trust that certificate?Do you trust that certificate?
Do you trust that certificate?
 
CERTIFYING AUTHORITY
CERTIFYING AUTHORITYCERTIFYING AUTHORITY
CERTIFYING AUTHORITY
 
Venafi 2012 risk audit survey findings
Venafi 2012 risk audit survey findingsVenafi 2012 risk audit survey findings
Venafi 2012 risk audit survey findings
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read Only
 
Tech t18
Tech t18Tech t18
Tech t18
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Digi cert newsletter-2013-02
Digi cert newsletter-2013-02Digi cert newsletter-2013-02
Digi cert newsletter-2013-02
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
 
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
 
EAP-TLS
EAP-TLSEAP-TLS
EAP-TLS
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
It's 2012 and My Network Got Hacked - Omar Santos
It's 2012 and My Network Got Hacked  - Omar SantosIt's 2012 and My Network Got Hacked  - Omar Santos
It's 2012 and My Network Got Hacked - Omar Santos
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
E collaborationscottrea
E collaborationscottreaE collaborationscottrea
E collaborationscottrea
 
The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
 
Patrick Hartford: eMortgages eDisclosures and eClosings
Patrick Hartford: eMortgages eDisclosures and eClosingsPatrick Hartford: eMortgages eDisclosures and eClosings
Patrick Hartford: eMortgages eDisclosures and eClosings
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 

Plus de Venafi

Where Are My SSH Keys?
Where Are My SSH Keys?Where Are My SSH Keys?
Where Are My SSH Keys?Venafi
 
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?Venafi
 
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersPonemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersVenafi
 
Trust Online is at the Breaking Point
Trust Online is at the Breaking PointTrust Online is at the Breaking Point
Trust Online is at the Breaking PointVenafi
 
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsHow an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsVenafi
 
Breaching the NSA Graphic
Breaching the NSA GraphicBreaching the NSA Graphic
Breaching the NSA GraphicVenafi
 
Breaching the NSA
Breaching the NSABreaching the NSA
Breaching the NSAVenafi
 
The Evolution of Cyber Attacks
The Evolution of Cyber AttacksThe Evolution of Cyber Attacks
The Evolution of Cyber AttacksVenafi
 
RSAC2013 CME Group case study
RSAC2013 CME Group case studyRSAC2013 CME Group case study
RSAC2013 CME Group case studyVenafi
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflameVenafi
 

Plus de Venafi (10)

Where Are My SSH Keys?
Where Are My SSH Keys?Where Are My SSH Keys?
Where Are My SSH Keys?
 
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
 
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersPonemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
 
Trust Online is at the Breaking Point
Trust Online is at the Breaking PointTrust Online is at the Breaking Point
Trust Online is at the Breaking Point
 
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsHow an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
 
Breaching the NSA Graphic
Breaching the NSA GraphicBreaching the NSA Graphic
Breaching the NSA Graphic
 
Breaching the NSA
Breaching the NSABreaching the NSA
Breaching the NSA
 
The Evolution of Cyber Attacks
The Evolution of Cyber AttacksThe Evolution of Cyber Attacks
The Evolution of Cyber Attacks
 
RSAC2013 CME Group case study
RSAC2013 CME Group case studyRSAC2013 CME Group case study
RSAC2013 CME Group case study
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflame
 

Dernier

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Dernier (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Four Must Know Certificate and Key Management Threats That Can Bring Down Your Business

  • 1. Four Must Know Certificate and Key Management Threats. Prepared for: Intelligent People
  • 2. Use of Certificates and Keys in Enterprise Environments (diagram labels: Certificate Authorities; Server Authentication; Secure Communications; Client-side Server Authentication) © 2013 Venafi
  • 3. Certificate and Key Management Challenges (diagram label: Certificate Authorities)
  • 4. Downtime Risk
  • 5. Certificate-based Downtime: Expired Certificate. Web server certificate expires: browser error message. Application server certificate expires: application outage.
  • 6. Certificate-based Downtime: Expired Intermediate Root Certificate. Expired intermediate root certificates (issued by CA1): multiple simultaneous application outages.
  • 7. Certificate-based Downtime: Trusted Root Certificates Not Updated. Move to new CA: the trusted root certificates are still from CA1 while new certificates come from CA2; downtime because the new certs from CA2 are not trusted.
  • 8. Certificate-based Causes of Downtime
    Scenarios:
    – Certificate expires
    – Intermediate root certificate expires
    – Root certificates not updated
    Causes:
    1. No inventory of certificates to track expiration
    2. Correct administrators NOT notified of impending expiration
    3. Administrators notified but do not take action
    4. Certificates renewed but not installed
    5. Certificates installed but applications not restarted
    6. No tracking or management of intermediate roots
    7. No tracking or management of trusted roots
  • 9. Security Risks
  • 10. The Threat is Evolving
    – Stuxnet, Duqu: Attackers stole private keys from two Taiwanese companies to sign code.
    – CA Compromises: Attackers compromise or dupe certificate authorities to issue fraudulent certificates for further attacks.
    – Adobe, Flame, Buster: Attackers exploited MD5 to create a fake Microsoft CA and Adobe certificate and then sign code.
    Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk.
  • 11. Public Key Infrastructure (PKI): The Foundation of Digital Certificates (diagram: Root CA and Root Certificate; Issuing CA and Issuing CA Certificate; Registration Authority; CRL and CRL Distribution Point; OCSP Responder; End Entity Certificate; Subject; Relying Party)
  • 12. Private Key Compromise Risk
  • 13. Putting Private Keys at Risk
    – Same password used on multiple keystores (Keystore 1 Password = abc123; Keystore 2 Password = abc123).
    – Private keys and passwords are not changed when admins leave the organization.
    – Keystore passwords are not changed regularly.
    – Admins manually manage private keys, making it possible to copy them.
    – Private keys are manually passed to other groups/admins for distribution (Server Performance Monitoring, Customer Experience Monitoring, Security Monitoring).
  • 14. CA Compromise Risk
  • 15. Recent Public Certificate Authority & Fraudulent Certificate Incidents
    Year – Incidents
    2001 – VeriSign issues Microsoft Corporation code signing certificate to a non-Microsoft employee.
    2008 – Thawte issues certificate for Live.com to non-Microsoft employee; Comodo issues mozilla.org certificate to Startcom; organization forges VeriSign RapidSSL certificates.
    2011 – Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when registration authority is compromised; StartSSL CA compromised; DigiNotar compromised, 531 fraudulent certificates issued, Dutch government experiences major service outages.
    2013 – Boeing CA compromised; Microsoft CA certificates forged by exploiting MD5 (Flame); Buster: DigiCert issues code signing certificate to bogus company.
    * Electronic Freedom Foundation uncovers many more unpublicized CA incidents by analyzing CRLs from public CAs
  • 16. NIST Alert on CA Compromise. http://csrc.nist.gov/publications/nistbul/july-2013_itl-bulletin.pdf “These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of fraudulent certificates.” - NIST, July 2013
  • 17. Using Fraudulent Certificates: A Two-Phased Attack. Phase 1: Get fraudulent certificate(s). Phase 2: Use the fraudulent certificate(s) for nefarious purposes.
  • 18. CA Compromise and Fraudulent Certificate Scenarios (diagram: Hacker, Subject, RA, CA)
    A. Impersonation: Trick RA into issuing a fraudulent certificate.
    B. RA Compromise: Infiltrate RA or steal credentials and authorize fraudulent certificates.
    C. CA System Compromise: Malware or other infiltration used to get fraudulent certificate signed by CA (without getting copy of CA private key).
    D. CA Key Theft: Stolen or derived copy of CA private key is used to issue fraudulent certificates.
  • 19. Man-in-the-Middle
    Alice.com certificate: Subject: Alice.com, Issuer: CA1; Alice.com private key. Fraudulent certificate: Subject: Alice.com, Issuer: CAx; Eve's private key.
    Bob normally connects to Alice.com directly and verifies the authenticity of the server using its certificate. Bob is redirected thru Eve's server and presented with the fraudulent certificate. Eve can view all encrypted data.
  • 20. Impersonation
    Bob authenticates to Alice.com using his certificate (Bob's certificate: Subject: Bob, Issuer: CA1; Bob's private key).
    Eve authenticates as Bob to Alice.com using the fraudulent certificate (Fraudulent certificate: Subject: Bob, Issuer: CAx; Eve's private key).
  • 21. Forge Digital Signatures
    Bob digitally signs documents authorizing fund transfers (recipient: Alice) using his certificate (Bob's certificate: Subject: Bob, Issuer: CA1; Bob's private key).
    Eve is able to forge Bob's signature using the fraudulent certificate (Fraudulent certificate: Subject: Bob, Issuer: CAx; Eve's private key).
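An added example, written for this page and not taken from the Venafi deck, in Go because its standard crypto/x509 package is a real relying-party verifier: it builds a constructed lab PKI and runs two checks, AuditChain for the downtime scenarios of slides 5-8 (expired certificate, expired intermediate, trusted root not updated) and IssuerPinOK for the fraudulent-certificate attack of slides 17-19, which also covers the client-certificate cases of slides 20-21 because the relying party's check is the same. Everything named (CA1, CAx, alice.com, the 20-day intermediate lifetime, the 2013 "today") is constructed; the pin is an SPKI comparison against the issuing CA certificate that Bob recorded out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var Now = time.Date(2013, 2, 1, 0, 0, 0, 0, time.UTC) // constructed "today"; all lab dates are relative to it

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mk issues a P-256 certificate for cn valid over [nb, na]; a nil parent means self-signed.
func mk(cn string, serial int64, nb, na time.Time, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else { // server leaf: SAN for the hostname check plus the serverAuth EKU
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// Lab is the constructed PKI: CA1 is alice.com's real CA (its intermediate expires in 20 days); CAx is another trusted CA that never issued for alice.com.
type Lab struct{ Root1, Inter1, Alice, RootX, FakeAlice *x509.Certificate }

func BuildLab() *Lab {
	y := func(n int) time.Time { return Now.AddDate(n, 0, 0) }
	root1, k1 := mk("CA1 Root", 1, y(-5), y(10), true, nil, nil)
	inter1, ki := mk("CA1 Issuing", 2, y(-2), Now.AddDate(0, 0, 20), true, root1, k1)
	alice, _ := mk("alice.com", 3, y(-1), y(1), false, inter1, ki)
	rootX, kx := mk("CAx Root", 4, y(-5), y(10), true, nil, nil)
	fake, _ := mk("alice.com", 5, y(-1), y(1), false, rootX, kx)
	return &Lab{root1, inter1, alice, rootX, fake}
}

// verify is what Bob's client does: hostname, validity period and a chain to a trusted root.
func verify(leaf *x509.Certificate, inters, roots []*x509.Certificate, now time.Time) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{DNSName: leaf.Subject.CommonName, CurrentTime: now,
		Intermediates: x509.NewCertPool(), Roots: x509.NewCertPool()}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	return leaf.Verify(opts)
}

// AuditChain names the slide 5-7 downtime scenario for one server chain (inters leaf-side first). Expiry is checked
// explicitly: Go reports an expired intermediate only as "unknown authority", the same error an unexpired chain gets
// when the trust store lacks its root (slide 7).
func AuditChain(leaf *x509.Certificate, inters, roots []*x509.Certificate, now time.Time) []string {
	var findings []string
	for _, c := range append([]*x509.Certificate{leaf}, inters...) {
		if now.After(c.NotAfter) {
			kind := map[bool]string{false: "certificate", true: "intermediate root certificate"}[c.IsCA]
			findings = append(findings, kind+" expired: "+c.Subject.CommonName)
		}
	}
	_, err := verify(leaf, inters, roots, now)
	if len(findings) > 0 || err == nil {
		return findings
	}
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return []string{"issuing CA root not in trust store (trusted roots not updated)"}
	}
	return []string{"verification failed: " + err.Error()}
}

// IssuerPinOK is Bob's extra check against the slide 17-19 attack: the chain must verify AND pass through the CA
// whose public key he pinned for alice.com. A fraudulent alice.com certificate from CAx verifies against a generic
// trust store ("appears as authentic") but fails the pin.
func IssuerPinOK(leaf *x509.Certificate, inters, roots []*x509.Certificate, pin *x509.Certificate, now time.Time) bool {
	if chains, err := verify(leaf, inters, roots, now); err == nil {
		for _, chain := range chains {
			for _, c := range chain[1:] { // skip the leaf: pin the issuing CA, not the server key
				if string(c.RawSubjectPublicKeyInfo) == string(pin.RawSubjectPublicKeyInfo) {
					return true
				}
			}
		}
	}
	return false
}
```

The inventory gap of slide 8 is the same comparison AuditChain makes against NotAfter, run ahead of time across every certificate and intermediate the organization holds rather than at connection time.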
  • 22. Fallout from a CA Compromise: All Certificates must be Replaced. All certificates from the compromised CA must be replaced; must move to a new CA (CA1 to CA2).
  • 23. Weak Algorithm Risk
  • 24. Flame and MD5 Attack on Microsoft
    1. Microsoft Impersonated: Focused on MD5 certificate. Certificate was remanufactured using well-known attack. Man-in-the-middle was setup. Targeted machines detected no difference.
    2. Services Compromised: Microsoft Licensing Services compromised. Microsoft Update Services compromised. Machines still thought they were working securely with Microsoft.
    3. Fake Code Signing: Code was signed using the fake, remanufactured certificate. Windows allowed the malware to spread quickly and run.
    4. Information Stolen: Malware stole small parts of files. Information was sent to 80 different URLs. Once analyzed, instructed to return and get interes files.
  • 25. Are Your Doors Open?
    – Nearly 1 in 5 certificates relies on outdated, “hackable” MD5 algorithm
    – Not a hypothetical risk
    – Security doors are open today
    – IDS, IPS, AV, firewalls do not close these doors (appears as authentic)
    – Legal and risk management departments are mandating that MD5 certs be removed
  • 26. Summary
    – Your organization uses certificates broadly for SSL/TLS today…and use is growing
    – Attackers are increasingly targeting certificates and PKI (non-hypothetical risk)
    – Risks include: Downtime; Private key compromise; CA compromise; Algorithm breakage
    – Lack of certificate and key management puts your organization at risk
  • 27. Next Steps
    – Attend the second half of this webinar series: “5 Must Haves to Prevent Today’s Encryption Disasters”, Feb 20, 10am EST, 7am PST, 3pm GMT
    – Download NIST’s ITL Bulletin: “Preparing for and Responding to CA Compromise”, www.venafi.com/NIST
    – Questions? Paul Turner, info@venafi.com
  • 28. Discussion
  • 29. Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.