IT-Trustmanagement at a glance

This discussion starts from the statement "No one left to trust in cyber space", issued by the Information Security Forum (ISF) in 2014 and announced as one of the top challenges that C-level company leaders will face in the very near future.

But if no one is left to trust, who takes care of trust in cyber space within my company? And if everybody trusts only themselves, how can our customers trust us?

In real life, trust is formalised through contracts and agreements. How is trust managed in a meshed digital world where I obtain many products from many different companies?

Problem description for non-techies:

X.509 certificates are issued in many places, by different management environments from different vendors, in different silos. For a certificate to be considered valid, you have to trust the certificate issuing authority (CA). For this reason web browsers classify many certification authorities as trustworthy by default (e.g. WoSign Ltd, Turktrust, ACNLB), even though we have no relationship with them. Many of these companies and organisations are unknown to most users; the user has delegated their trust to the manufacturer of the software.

A second problem is that it is difficult to judge the certificate itself, e.g. how secure the procedures used in its issuance and publication are, and whether the certificate is suitable or intended for a given application at all. To do so, the user would have to read the relevant documentation of the CA, the certificate policy (CP) and the certification practice statement (CPS), whose contents are specified in general by RFC 3647. For high security requirements, qualified certificates can be used, whose issuers are subject to legally prescribed security standards and government supervision. However, governmental organisations also have to request certificates for their own purposes from the same issuing offices. This would officialise any surveillance software and enable silent installation by a country's officials (e.g. North Korea against Sony®, China against the US military aircraft industry).

These problems became evident, for example, in an incident where VeriSign® issued certificates to persons who falsely claimed to work for Microsoft®. With these certificates the scammers now had apparently trusted evidence that they were part of Microsoft. It would have been possible, for example, to sign program code so that Windows operating systems would install it without warning, in Microsoft's® name. Although these certificates were revoked immediately after the error was noticed, they remained a security risk, because they contained no indication of where revocation information could be retrieved. Likewise, Foxconn's® certificate was stolen and became the basis for the successful hack of Kaspersky®. These cases show that you cannot rely blindly on the trustworthiness of certificates and on the care taken by the CAs shipped with operating systems and other software. In addition, the press releases above prove that even leading software manufacturers and experts are not yet fully aware of the subject. The revocation of a certificate is only effective if current revocation information is available for examination. For this purpose, certificate revocation lists (CRL) can be retrieved and online checks (for example OCSP) performed. Every browser, operating system and application uses a vendor-dependent mechanism for these checks; no unified method is currently provided.

Who cares in the market for such a problem?

We started analysing this issue and found nobody who was able to provide sufficient answers. Most IT solutions only assess the SSL and SSH connection. After some years of research and development we are now in a position to enable our customers to find answers to the above compliance questions. Our deep experience in setting up PKI environments and CAs at federal level, plus the knowledge of building software for complex aircraft and military environments, was a big advantage in getting to grips with this complex problem.

Talking about numbers: Data-Warehouse Cert'n Key detects more than 25,000 certificates in different silos on a freshly installed Windows® (7 or 10) PC; about 1200 are already retired on installation, about 10 are weak and 1500 are self-signed and need to be assessed. Your company trusts about 200-250 CAs from all kinds of countries by default (e.g. US companies trust Chinese and Russian CAs and vice versa). Microsoft itself uses and trusts 14 CAs for issuing certificates for one operating system. If you think other operating systems such as Apple's are better, you are slightly right (Apple® uses about 39,000 certificates for a computer in use and MS about 125,000; results by DeepScan Cert'n Key V.2.11). Server counts are typically 4-10 times lower than client counts.
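The four properties the text keeps coming back to (retired, weak key, self-signed, and whether a certificate even tells you where revocation information can be fetched, the VeriSign point above) can all be checked from the certificate itself. The following is an added example in Go using only the standard library; it is not code from Data-Warehouse Cert'n Key or from this page. Instead of reading a real certificate store it constructs three certificates in memory (a self-signed root without revocation pointers, an expired device certificate with a 1024-bit key, and a clean server certificate with CRL and OCSP URLs); all names and URLs under example.internal are constructed for the demo. On a Windows PC the same assessment would be run over the certificates exported from the various stores (silos) instead of the constructed set.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is the assessment result for one certificate against the criteria
// named in the text: retired (outside validity), weak RSA key, self-signed,
// and no revocation pointer (neither CRL distribution point nor OCSP URL).
type Finding struct {
	Subject      string
	Expired      bool
	WeakKey      bool
	SelfSigned   bool
	NoRevocation bool
}

// Summary totals the findings over a whole certificate landscape.
type Summary struct {
	Total, Expired, WeakKey, SelfSigned, NoRevocation int
}

// Assess applies the checks to a parsed certificate at the given time.
func Assess(cert *x509.Certificate, now time.Time) Finding {
	f := Finding{Subject: cert.Subject.CommonName}
	f.Expired = now.After(cert.NotAfter) || now.Before(cert.NotBefore)
	// Only RSA keys are sized here; 2048 bits is treated as the minimum.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		f.WeakKey = pub.N.BitLen() < 2048
	}
	// Self-signed means issuer == subject AND the signature verifies under
	// the certificate's own key; the name match alone could be faked.
	if cert.Subject.String() == cert.Issuer.String() {
		err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
		f.SelfSigned = err == nil
	}
	f.NoRevocation = len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0
	return f
}

// AssessAll runs Assess over a list of certificates and counts the findings.
func AssessAll(certs []*x509.Certificate, now time.Time) ([]Finding, Summary) {
	var findings []Finding
	var s Summary
	for _, c := range certs {
		f := Assess(c, now)
		findings = append(findings, f)
		s.Total++
		if f.Expired {
			s.Expired++
		}
		if f.WeakKey {
			s.WeakKey++
		}
		if f.SelfSigned {
			s.SelfSigned++
		}
		if f.NoRevocation {
			s.NoRevocation++
		}
	}
	return findings, s
}

// SampleLandscape builds a constructed, in-memory set of certificates (not read
// from any real store) that exercises each check. Validity is relative to now.
func SampleLandscape(now time.Time) ([]*x509.Certificate, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Constructed root CA: self-signed, valid, but carries no CRL/OCSP pointer.
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	// issue signs a leaf template with the root, giving it a fresh RSA key of the requested size.
	issue := func(tmpl *x509.Certificate, bits int) (*x509.Certificate, error) {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	crl := []string{"http://crl.example.internal/root.crl"} // constructed URL
	// Constructed legacy device certificate: expired a day ago, 1024-bit key.
	legacy, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "legacy-device.example.internal"},
		NotBefore:             now.Add(-3 * 365 * 24 * time.Hour),
		NotAfter:              now.Add(-24 * time.Hour),
		CRLDistributionPoints: crl,
	}, 1024)
	if err != nil {
		return nil, err
	}
	// Constructed intranet server certificate: valid, strong key, CRL and OCSP present.
	web, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "intranet.example.internal"},
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		CRLDistributionPoints: crl,
		OCSPServer:            []string{"http://ocsp.example.internal"}, // constructed URL
	}, 2048)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{root, legacy, web}, nil
}

func main() {
	now := time.Now()
	certs, err := SampleLandscape(now)
	if err != nil {
		panic(err)
	}
	findings, s := AssessAll(certs, now)
	for _, f := range findings {
		fmt.Printf("%-32s expired=%-5t weak=%-5t selfsigned=%-5t norevocation=%t\n",
			f.Subject, f.Expired, f.WeakKey, f.SelfSigned, f.NoRevocation)
	}
	fmt.Printf("total=%d expired=%d weak=%d self-signed=%d no-revocation-info=%d\n",
		s.Total, s.Expired, s.WeakKey, s.SelfSigned, s.NoRevocation)
}
```

The self-signed test deliberately verifies the signature rather than only comparing the issuer and subject strings, because a certificate can name any issuer it likes; the revocation test only reports whether a pointer exists, since whether the CRL or OCSP responder is actually reachable and current is the separate, vendor-dependent check the text describes.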

Your landscape typically looks like this:

From top left to bottom right: number of valid/invalid certificates, issuer, retirement periods, key length, algorithms, requester, issuer (countries), self-signed certificates.

Once you enumerate the number of certificates in your enterprise, your CDO will very quickly ask: how do we handle our trust relationships? What are the numbers for our company? How do we assess our digital relationships and what are the impacts? Could this be a risk for our company?

This is Data-Warehouse Cert'n Key's approach:

To get an overview of your trust structure, there are two approaches:

  1. The user (company) allows only trusted software to be installed and obtains an overview of the certificates from the manufacturer.
  2. The user (company) verifies the certificate landscape with an automated software solution and defines its trust landscape itself.

Both approaches require knowledge of the complete trust landscape. This overview can be obtained with the Cert'n Key Trustmanagement Suite.

Per device you save about 97% of the management effort (1 hour per PC vs. 35 hours). Per network you save more than 99% (1 week vs. 20 hours × number of devices).

Even if your network looks like this:

For more information feel free to contact me or visit our homepage at www.dwh.info
