Throughout 2019, the team at CIP noticed a correlation between websites flagged Not Secure and breaches. The ransomware attack on Travelex, a $3 billion foreign-exchange firm, on 31 December 2019 revealed that the company's homepage was displaying Not Secure in the address bar, apparently because it was serving an invalid digital certificate.
Further research validated that observation.
As a firm of Public Key Infrastructure experts, CIP knew that numerous cyberattacks exploited weak PKI management and revoked, expired, distrusted or outright forged digital certificates.
CIP scans sites to determine whether their digital certificates are current and trustworthy, and the signal it looks for is the same one that draws attackers: an address bar declaring Not Secure.
What is a Not Secure Website?
A Not Secure indicator means the browser could not establish an authenticated, encrypted connection to the site. Either the page is served over plain HTTP, so every request and response travels in cleartext and can be read or altered in transit, or the server presented a certificate the browser could not validate, so the connection may be encrypted but to a party whose identity is unverified, which gives an active attacker the same opportunity to read and alter the traffic. In both cases the browser cannot vouch for the authenticity or integrity of anything on the page.
A browser treats a certificate as invalid, and flags the site Not Secure, for several reasons: the certificate has expired or been revoked, its subject or Subject Alternative Name does not match the hostname, it was issued by an untrusted or private CA, or the server sends an incomplete chain. The same indicator also appears when no certificate is involved at all: port 443 is closed and the site is reachable only on port 80, or the HTTP-to-HTTPS redirect is missing or broken, so visitors stay on the plaintext site.
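To see which of these conditions applies to a given host, the following Python script, added here as an illustrative example and not part of CIP's tooling, performs the same checks a browser does using only the standard library's ssl module: it validates the chain against the system trust store, checks the hostname, maps OpenSSL's verification error code to a readable reason, and falls back to testing port 80 when nothing answers on 443. The 30-day renewal warning and the command-line usage are assumptions made for this example.

```python
"""Find out why a browser flags a host as Not Secure (added example, stdlib only)."""
import socket
import ssl
import sys
import time

# OpenSSL X509 verification result codes, surfaced by Python as
# ssl.SSLCertVerificationError.verify_code when the handshake is rejected.
VERIFY_CODES = {
    9: "certificate not yet valid",
    10: "certificate expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "issuer not trusted (incomplete chain or private CA)",
    23: "certificate revoked",
    27: "certificate untrusted",
    62: "hostname mismatch",
}
EXPIRY_WARNING_DAYS = 30   # assumption: warn when renewal is less than a month away


def classify_verify_code(code):
    return VERIFY_CODES.get(code, "verification failed (X509 code %d)" % code)


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def port_open(host, port, timeout):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, port=443, timeout=5.0):
    """Judge host:port the way a browser would: trusted chain, hostname, validity window."""
    ctx = ssl.create_default_context()   # system trust store, hostname check, TLS 1.2+ only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"status": "not_secure", "reason": classify_verify_code(err.verify_code)}
    except ssl.SSLError as err:
        return {"status": "not_secure", "reason": "TLS handshake failed: %s" % err}
    except OSError:
        if port_open(host, 80, timeout):
            return {"status": "not_secure",
                    "reason": "port %d closed; site reachable only over plain HTTP" % port}
        return {"status": "unreachable", "reason": "nothing listening on %d or 80" % port}
    days = days_until_expiry(cert["notAfter"])
    issuer = dict(pair[0] for pair in cert["issuer"]).get("organizationName", "?")
    return {"status": "expiring_soon" if days < EXPIRY_WARNING_DAYS else "secure",
            "days_to_expiry": round(days, 1), "issuer": issuer}


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it with one or more hostnames as arguments. A result of `not_secure` with `certificate expired` or `hostname mismatch` is exactly the state described above; `port 443 closed` is the plain-HTTP case, and `expiring_soon` is the warning that, if ignored, turns into the first case.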
Is there a connection between cybersecurity breaches and Not Secure websites?
In 2020 CIP continued this research across hundreds of cyberattacks. After examining forensics from 1,000 cyber and ransomware attacks, it found that 100% of the victims were maintaining suboptimal websites, servers and web application interfaces.
In response, CIP developed the Whitethorn Shield, a product that examines the Public Key Infrastructure (PKI) element of domains and subdomains. That visibility covers every digital certificate, the certificate chains, and their validity and ordering. In addition, the Whitethorn Shield reviews the website configuration as a whole, from Content Security Policy (CSP) to HSTS (HTTP Strict Transport Security) to the other security headers and to redirection.
Whitethorn also examines DNS (Domain Name System) and DNSSEC (Domain Name System Security Extensions), which cybersecurity hygiene programs frequently overlook and which, when weak, can hand an attacker total control of domains and subdomains. The servers behind all of the above also need hardening and valid digital certificates; when those certificates are invalid the whole system is exposed, all too frequently without anyone noticing.
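The configuration review described above can be scripted. The following Python functions, added here as an illustrative example rather than CIP's Whitethorn code, audit a captured set of response headers from the HTTPS origin for HSTS, CSP, clickjacking and MIME-sniffing protections, and check that the plain-HTTP endpoint answers with a permanent redirect to HTTPS. The two header sets are constructed, one deliberately weak and one hardened; the one-year HSTS minimum and the particular CSP sources flagged are choices made for this example, and DNS and DNSSEC are not covered here.

```python
"""Audit the web configuration a Not Secure checker looks at (added example)."""

HSTS_MIN_AGE = 31536000   # one year in seconds, the floor for HSTS preload eligibility


def parse_hsts(value):
    """'max-age=63072000; includeSubDomains; preload' -> {'max-age': '63072000', 'includesubdomains': '', ...}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def parse_csp(value):
    """\"default-src 'self'; script-src 'self' cdn.example\" -> {'default-src': [\"'self'\"], ...}"""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_https_response(headers):
    """Return a list of findings for the response headers of the HTTPS origin."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will follow HTTP links and downgrade attacks")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < HSTS_MIN_AGE:
            findings.append("HSTS max-age %d is below one year" % max_age)
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains can still be served over HTTP")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when absent
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if not script_sources:
            findings.append("CSP restricts neither script-src nor default-src")
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"):
            if weak in script_sources:
                findings.append("CSP allows %s for scripts" % weak)

    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def audit_http_redirect(status, headers):
    """The plain-HTTP endpoint should answer with a permanent redirect to the HTTPS origin."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (301, 308) and location.lower().startswith("https://"):
        return []
    if status in (301, 302, 307, 308):
        if not location.lower().startswith("https://"):
            return ["redirect target %r is not an https:// URL" % location]
        return ["redirect is temporary (%d); use 301 or 308 so browsers cache it" % status]
    if 200 <= status < 300:
        return ["port 80 serves content instead of redirecting; visitors stay on Not Secure"]
    return ["unexpected status %d from the HTTP endpoint" % status]


# Constructed header sets for this example: one deliberately weak, one hardened.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for finding in audit_https_response(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened:", audit_https_response(HARDENED_HEADERS))
    print("http endpoint:", audit_http_redirect(200, {}))
```

The weak set produces five findings and the hardened set none. The redirect check matters because the HSTS header is only honoured once a browser has received it over HTTPS; a port-80 endpoint that serves content instead of redirecting keeps first-time visitors on the Not Secure page.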
Today most companies are far more aware of cyber threats, but given the complexity of our connected world, CISOs often reach for point solutions to solve problems that rigorous hygiene would prevent just as well. Basic, fundamental security at the point where an entity connects to the weaponized internet tends to get overlooked, at enormous cost.
No One is Immune, Even the FBI.
In November, the FBI, which is connected to the entire US federal digital landscape, mistakenly admitted an outsider who penetrated its network through a Not Secure site and obtained complete administrative privilege and access.
This, and God only knows what else, is still going on following the SolarWinds and Microsoft attacks at the beginning of the year.
It is little consolation to mitigate some of the risks to a web host, a DNS provider or even a cloud provider after an attack has occurred. Reactive security and after-the-fact risk mitigation are not the defensive approaches that will end this cycle of successful breaches.
Where Do We Go From Here?
The only path toward a resilient Zero Trust strategy is proactive security, starting where the company's digital assets meet the internet: its websites and servers.
Paying close attention to the fundamentals of cybersecurity hygiene, including patching and configuration management, will also cover the PKI requirements. But humans are humans and mistakes will be made, so the cover-six play is to grant access to resources only as determined by dynamic, granular policy.
The policy engine takes as input the observable state of the client identity, the application or service requested, and the requesting asset, and may include other behavioral and environmental attributes. In a Zero Trust context the default for every resource is to deny all connections except those from an allow list. Members of the allow list must authenticate and prove they meet the enterprise policy before a session is granted, which may include requirements such as client software version, patch level, geolocation and historical request patterns.
Not every check can be performed immediately before the access request; some may have been performed recently (for example, a daily software version check) and, combined with the others, provide a confidence level that the requestor is actually who they claim to be.
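A minimal policy decision point of the kind described in the last two paragraphs, written as an added Python example that is not from the original article: each attribute check carries a maximum observation age, so a nightly agent-version check observed six hours ago still counts while a patch-level reading from three days ago does not, and MFA is marked as required so that no confidence score can compensate for its absence. The resource, subjects, thresholds and weights are invented for illustration.

```python
"""Zero Trust policy decision point with attribute freshness (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict


@dataclass
class Observation:
    value: object
    observed_at: datetime        # when the posture check actually ran


@dataclass
class Request:
    subject: str                 # authenticated client identity
    resource: str                # application or service being requested
    attributes: Dict[str, Observation] = field(default_factory=dict)


@dataclass
class Rule:
    attribute: str
    check: Callable[[object], bool]
    max_age: timedelta           # how old an observation may be and still count
    weight: float                # contribution to the confidence score
    required: bool = False       # failing this rule denies regardless of score


# Hypothetical enterprise policy. Default deny: a resource with no entry here is
# unreachable, and only the listed subjects are even evaluated.
POLICY = {
    "payroll-api": {
        "allowed_subjects": {"alice", "bob"},
        "rules": [
            Rule("agent_version", lambda v: tuple(v) >= (4, 2), timedelta(days=1), 0.3),
            Rule("patch_level", lambda v: v >= 20211101, timedelta(days=1), 0.3),
            Rule("geo", lambda v: v in {"US", "CA"}, timedelta(minutes=5), 0.2),
            Rule("mfa", lambda v: v is True, timedelta(minutes=5), 0.2, required=True),
        ],
        "threshold": 0.8,
    }
}


def evaluate(req: Request, now: datetime) -> dict:
    """Return allow/deny, the confidence reached, and every reason confidence was withheld."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return {"decision": "deny", "confidence": 0.0, "reasons": ["resource not on allow list"]}
    if req.subject not in policy["allowed_subjects"]:
        return {"decision": "deny", "confidence": 0.0, "reasons": ["subject not on allow list"]}

    confidence, reasons, hard_deny = 0.0, [], False
    for rule in policy["rules"]:
        obs = req.attributes.get(rule.attribute)
        if obs is None:
            problem = "no observation"
        elif now - obs.observed_at > rule.max_age:
            problem = "observation stale"          # recent enough checks still count
        elif not rule.check(obs.value):
            problem = "fails policy"
        else:
            confidence += rule.weight
            continue
        reasons.append("%s: %s" % (rule.attribute, problem))
        hard_deny = hard_deny or rule.required
    decision = "allow" if confidence >= policy["threshold"] and not hard_deny else "deny"
    return {"decision": decision, "confidence": round(confidence, 2), "reasons": reasons}


def sample_decisions() -> Dict[str, dict]:
    """Constructed requests exercising the fresh, stale, missing-required and unlisted cases."""
    now = datetime(2021, 12, 1, 12, 0, tzinfo=timezone.utc)
    daily = now - timedelta(hours=6)         # last nightly posture check
    live = now - timedelta(seconds=30)       # gathered at request time
    fresh = {
        "agent_version": Observation((4, 3, 1), daily),
        "patch_level": Observation(20211115, daily),
        "geo": Observation("US", live),
        "mfa": Observation(True, live),
    }
    stale = dict(fresh, patch_level=Observation(20211115, now - timedelta(days=3)))
    no_mfa = {k: v for k, v in fresh.items() if k != "mfa"}
    return {
        "fresh": evaluate(Request("alice", "payroll-api", fresh), now),
        "stale_patch": evaluate(Request("alice", "payroll-api", stale), now),
        "no_mfa": evaluate(Request("bob", "payroll-api", no_mfa), now),
        "unlisted_subject": evaluate(Request("mallory", "payroll-api", fresh), now),
        "unlisted_resource": evaluate(Request("alice", "hr-wiki", fresh), now),
    }


if __name__ == "__main__":
    for name, result in sample_decisions().items():
        print(name, result)
```

The stale-patch request scores 0.7 against a threshold of 0.8 and is denied even though every value it presents is acceptable; the missing-MFA request reaches the threshold exactly but is denied because that rule is required. Both show the point of the paragraph above: the age of an observation is part of the decision, not just its value.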
Under Zero Trust, the enterprise collects as much information as possible about the current state of its assets, network infrastructure and communications and uses it to improve its security posture. Zero Trust adds a dynamic response factor that was lacking (or not possible) in earlier perimeter-based architectures.
System logs and threat intelligence are used to refine or change policy in response to new information. For example, when a new vulnerability in a software component in use in the enterprise is announced, a Zero Trust enterprise would move quickly to quarantine the affected resources until they can be patched or modified to mitigate the newly discovered vulnerability.
An intruder who entered through a server with an expired website certificate would be detected and isolated in much the same way.
We believe, and the CIP evidence confirms, that a majority, if not all, of the initial access in the 1,000 cyber and ransomware attacks studied was attained via insecure and Not Secure websites and servers. A good example is the forensic evidence from CNA Insurance, whose sites displayed Not Secure status both before and after the $40 million ransomware attack in March.
Improved hygiene means paying close attention to your certificates and your PKI, so that while you implement your Zero Trust strategy you can be sure you have not left back doors open with welcome signs beckoning cyber attackers.
The key to success is to start doing.