English   Deutsch   Русский   中文    

Martin Kuppinger: DigiNotar and RSA hackings demonstrate need for multi-level IT security

DigiNotar and RSA hackings demonstrate need for multi-level IT security
DigiNotar and the single point of failure
by Martin Kuppinger
mk@kuppingercole.com

In late August it emerged that Dutch SSL certificate authority DigiNotar, a subsidiary of the VASCO Group, had been the subject of a successful attack in which an attacker, presumably from Iran, hacked into DigiNotar’s certificate authority (CA). Claims have meanwhile surfaced that the CA was insufficiently secured.

Now – when an attack succeeds, the existence of a vulnerability is obvious. The question, however, is whether it is even possible to sufficiently secure a CA. The problem is that certificates issued by this CA can no longer be considered trustworthy, as they may be false.

The usual verification process, which uses either CRLs (Certificate Revocation Lists), i.e. lists of invalid certificates, or sometimes OCSP (Online Certificate Status Protocol), is fairly weak: CRLs are not always up to date, and OCSP is often not used.
The first consequence of this attack is that Microsoft, Apple and various Linux distributions have removed DigiNotar from their lists of trustworthy root certificate authorities. This means that certificates issued by DigiNotar are no longer accepted, and will – assuming appropriate system and browser settings – trigger warning messages.

Because the websites of, for example, the Dutch government are secured via DigiNotar, this of course creates a number of problems, especially in the Netherlands. The resulting financial loss is almost impossible to estimate when all the follow-up costs of switching to other certificates, support for access problems, and the like are included.

But there is nothing surprising about the DigiNotar case. It matches the RSA attack that recently caused a furore when sensitive, secret information for authentication via RSA SecurID tokens was hacked at RSA.

In both cases, attackers were able to overcome the central element of the security concept – in one case the CA, in the other the central storage of security information at RSA. In both cases there was a “single point of failure”; once this has been breached, security is non-existent.

This means that we have to fundamentally reconsider what security on the Internet might look like in future. The concept of CAs has long since reached its limits – and now that fact has become widely apparent. In the case of RSA, the best response is “versatile authentication”.

This approach uses and combines various authentication solutions with a wide range of different mechanisms. The authentication method varies depending on security requirements, user groups and other circumstances, removing the dependency on a particular mechanism.

Security must however also be designed in such a way that it no longer depends on a single entity. One question is what form such a solution could take on the Internet. Internally, it means that security concepts must be multi-layered.

Most companies have long recognised that in addition to increasingly porous firewalls, further security levels are required to protect internal IT. These multi-layered models must be rigorously designed and implemented. The aim is explicitly not to use as many technologies as possible, but to specifically implement several layers of security.

Options include firewalls, system, database and application security, Endpoint security solutions (as part of an overall concept, not as an isolated solution) or Information Rights Management (IRM). The main objective is to ensure that a successful attack on a single system is not sufficient to compromise the entire security set-up. A “single point of failure” is even less affordable in security than it is elsewhere in IT.

Created: 06.10.11, modified: 06.10.11

top
KuppingerCole Select
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
Register now
Spotlight
Real-time Security Intelligence
Over the last couple of years, challenges in the IT industry have led to the emergence of a new technology called Real-time Security Intelligence. The biggest technological breakthrough that made these solutions possible is Big Data analytics. The industry has finally reached the point, when business intelligence algorithms for large-scale data processing have become commoditized. This makes it possible to combine real-time and historical analysis and identify new incidents as being related to others that occurred in the past, which can greatly facilitate identification of ongoing APT attacks on the network.
KuppingerCole Analyst Services
KuppingerCole offers clients a wide range of reports, consulting options and events aimed at providing companies and organizations with a clear understanding of both technology and markets, enabling them to fine-tune their own strategies and projects avoid costly mistakes in choosing vendors and solutions.
Links
 KuppingerCole News

 KuppingerCole on Facebook

 KuppingerCole on Twitter

 KuppingerCole on Google+

 KuppingerCole on YouTube

 KuppingerCole at LinkedIn

 Our group at LinkedIn

 Our group at Xing

 GenericIAM
Imprint       General Terms and Conditions       Terms of Use       Privacy policy
© 2003-2014 KuppingerCole