This week we take a look at something seemingly innocuous: why you should be checking that your SSL certificates are up to date to stay safe. In past entries in this series, we have talked about living in a world of digital pathogens, managing cybersecurity threats in this brave new world, and understanding the attack surfaces that can let the bad things into your business.
Now, let's start taking a deeper dive into some of the bad things we discover that may not appear to be as severe as they are. If a digital X.509 security certificate used on a server to authenticate and secure a connection expires, multiple things can go wrong. First, whoever connects to the service will get a warning about the insecure or unverifiable connection. This scenario is familiar to most of us who have browsed the internet and bumped into it. Not serving your clients, of course, can lead to severe financial and reputational losses for an organization, and that is bad enough.
However, sometimes a failure in authentication does not deliver the “in your face” warnings that we often need to be prompted with to take action. A case in point is the major hack at Equifax a few years ago. Equifax had a system in place that inspected traffic for malicious activity. However, this system required a secure and authenticated connection, and the digital certificate expired, so it no longer checked the traffic. Quoting the report, “Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.” The result was 148 million exposed records, and a $575M settlement.
As is common in many such systems, the security device was set to fail open. Essentially, this means that traffic continues to flow whether the certificate is valid or not; when it is invalid, the device simply stops inspecting. A malicious actor can then enter the network and do as they please, unobserved. This type of attack vector is perhaps the most insidious and irritating of all, because the only thing worse than having no security is having a security system that is not doing what is expected and lulling you into a false sense of security.
Going back to the digital pathogen analogy, it's like preparing for a vacation to an exotic location and getting the anti-malaria prescription, but then letting it expire and forgetting to buy the doses. You would then proceed into an infected and risky environment, somehow believing you are protected. Not good at all!
Now, depending on how systems are configured, there is a genuine possibility that an organization with a sizable number of systems and devices requiring valid digital certificates may remain blissfully unaware of the inherent risks. Moreover, on an extensive network, certificates expire at scattered times because their validity periods are not aligned with one another, so there is no single date to watch. If expired SSL certificates are a persistent issue in an organization, it is an indication that there is room for improvement in the IT-related processes. To avoid these risks, you must constantly monitor the network for problems.
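As an added illustration (not code from the original post), here is a small expiry audit using only the Python standard library: it classifies each certificate's notAfter date as OK, EXPIRING or EXPIRED against a warning threshold, and the live probe reports a failed handshake as a finding rather than skipping it, so the monitor itself does not fail open. The device names and dates in the inventory are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # raise an alert this many days before expiry


def days_until_expiry(not_after, now=None):
    """Days remaining for a cert whose notAfter uses the ssl.getpeercert()
    format, e.g. 'Jun  1 12:00:00 2025 GMT'. Negative once expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expiry_ts - now_ts) // 86400)


def classify(not_after, now=None, warn_days=WARN_DAYS):
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def audit(inventory, now=None):
    """inventory: list of (device_name, notAfter). Returns {name: status}."""
    return {name: classify(not_after, now) for name, not_after in inventory}


def probe(host, port=443, timeout=5.0):
    """Live check of one endpoint (network call). A verification failure,
    including an expired cert, is reported as INVALID instead of being
    silently ignored: the monitor fails closed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
        return classify(not_after), not_after
    except ssl.SSLCertVerificationError as exc:
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)


if __name__ == "__main__":
    # Constructed inventory: a few devices and their certificate expiry dates.
    devices = [("ids-sensor-01", "May 31 00:00:00 2024 GMT"),
               ("proxy-02", "Jul  1 00:00:00 2024 GMT"),
               ("vpn-03", "Dec 31 23:59:59 2025 GMT")]
    for name, status in audit(devices, datetime(2024, 6, 1, tzinfo=timezone.utc)).items():
        print(f"{name}: {status}")
```

Run against a real inventory, the EXPIRED and INVALID rows are exactly the inspection devices that may have gone quiet without anyone noticing.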
Of course, that is only one example, and there are many more. Stay tuned.