Default title

CERTIFICATES PROVIDE GREAT SECURITY

ONLY IF UNDERSTOOD AND IMPLEMENTED PROPERLY

Secure Certificates protect almost everything on the internet. Whether Symmetric or Asymmetric the foundational technology usually relies on a certificate or key. The key system is usually part of a set of private and public keys used for various purposes and relying on eachother for functionality.

Implementing a certificate is a very well documented process. In many cases it is too well documented and allows for less than qualified person's to effectively demonstrate a skill that they do not fully understand.

In an asymmetric key system the private key is never presented publicly, only public keys are presented to systems who wish to communicate with the target system. This is where a major security problem usually creeps into an otherwise secure system. Many times in my career I have noticed Private Keys left on the System Drives or desktops of mail servers, web servers and Linux Systems. These private keys are the kryptonite to good PKI. Keys should never be left unaccounted for or misplaced. They should be stored offline using secured, audited access methods. Gaining access to the private key of a secured system allows unfettered access to any encrypted communications using that key. This potentially allows access to emails, passwords, queries, bank information etc not because of a technical problem but instead because a lack of process and poor understanding of the technology. It is a purely preventable issue. If your key has been copied because it was left unsecured and is being used to read your encrypted communications there are very few tell-tale signs.

It might be tempting to let more junior people perform your key maintenance it is always advisable to leave anything regarding security safely in the hands of the experts who understand the technology.

RECENT THREAT POSTS

- Nate Nelson
Link Found Connecting Chaos, Onyx and Yashma Ransomware
A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.
- Sagar Tiwari
Zoom Patches ‘Zero-Click’ RCE Bug
The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.
- Elizabeth Montalbano
Verizon Report: Ransomware, Human Error Among Top Security Risks
2022’s DBIR also highlighted the far-reaching impact of supply-chain breaches and how organizations and their employees are the reasons why incidents occur.
- Sagar Tiwari
Fronton IOT Botnet Packs Disinformation Punch
Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.
- Threatpost
Zero Trust for Data Helps Enterprises Detect, Respond and Recover from Breaches
Mohit Tiwari, CEO of Symmetry Systems, explores Zero Trust, data objects and the NIST framework for cloud and on-prem environments.
- Elizabeth Montalbano
Snake Keylogger Spreads Through Malicious PDFs
Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.
- Threatpost
Closing the Gap Between Application Security and Observability
Daniel Kaar, global director application security engineering at Dynatrace, highlights the newfound respect for AppSec-enabled observability in the wake of Log4Shell. 
- Elizabeth Montalbano
380K Kubernetes API Servers Exposed to Public Internet
More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.
- Elizabeth Montalbano
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover
Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.
- Nate Nelson
DOJ Says Doctor is Malware Mastermind
The U.S. Department of Justice indicts middle-aged doctor, accusing him of being a malware mastermind.

Archives

Leave a Reply

Your email address will not be published.

4 × one =