Intelligent CIO Africa Issue 98 | Page 29

EDITOR'S QUESTION

When security researchers unpicked the Flame malware in 2012, an art form comprising several zero-days, perhaps the most shocking element was a forged MD5 signature. It appeared the hackers had forged a signature from the Windows update server by cracking the MD5 hash algorithm. What was so unusual about this was that someone had gone to the trouble of actually breaking the cryptography.

In the vast majority of crypto-related hacks, the underlying compromise is a secret that has been leaked, stolen, or spilled through traditional attacks like phishing, misconfiguration or other poor security hygiene, and then not fixed due to lack of visibility.
Securely implemented cryptography based on strong maths that should take an external adversary tens of thousands of years to break provides no protection if the secret keys are not secret anymore.
API keys, access tokens, cryptographic private keys, and other secrets of all shapes and sizes now spend the majority of their lifecycles outside of the secure tooling that proclaims to protect them. Your secure secret storage doesn't provide any protection while you are not storing the secret in it.
Your certificate lifecycle manager generates, rotates and revokes your certificates, but does not guarantee anything once the private key it certifies has left its perimeter. HSMs purport to solve this issue, but come at such great cost that they are practicable only where they are mandated by regulation, or protect secrets which have existential value to the organisation.
CIOs need tooling that manages the entire lifecycle of the secret, maintains accountability not just while it is in secure storage but out to the edge where the secrets are actually used by processes and applications, and provides visibility into what sensitive info exists in the organisation and where. This tooling doesn't exist today, and don't security researchers know it?
Among the 90,000 environment variables discovered on web servers hosted in AWS, there was a spicy bounty of infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services, discovered when the attackers themselves misconfigured their own S3 bucket.
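The visibility gap described above (secrets living in environment variables on running servers, outside any vault) is the kind of thing a defender can at least measure. The following is an added example, not code from the author, SandboxAQ or the column: a small scanner that takes an environment-variable dump and flags entries that look like credentials, using three independent signals: a conventional sensitive name (SECRET, TOKEN, PASSWORD, ...), a well-known value shape (AWS access key IDs beginning with AKIA, GitHub tokens beginning with ghp_, PEM private-key headers, passwords embedded in connection URLs), and a Shannon-entropy cut-off for token-like strings. The name patterns, the 4.0-bit entropy threshold and the sample dump are all assumptions constructed for the example; the two AWS values are the placeholder credentials from AWS's own documentation, not live keys.

```python
import math
import re
from dataclasses import dataclass

# Added example: classify environment-variable dumps by how likely each entry
# is to be a credential. Every heuristic below is an assumption for illustration.

# Variable names that conventionally carry credentials (assumed, not exhaustive).
SENSITIVE_NAME_RE = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL",
    re.IGNORECASE,
)

# Well-known value shapes that identify a secret regardless of its variable name.
VALUE_PATTERNS = {
    # AWS access key IDs: 20 characters starting with AKIA
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub personal access tokens: ghp_ followed by 36 alphanumerics
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM-encoded private key material
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # scheme://user:password@host -- a password embedded in a connection URL
    "url-embedded-password": re.compile(
        r"^[a-z][a-z0-9+.-]*://[^:/@]+:[^@]+@", re.IGNORECASE
    ),
}

# Only token-like strings (no spaces, paths with ':' etc.) are entropy-tested,
# so ordinary values such as PATH do not trigger false positives.
TOKEN_LIKE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for "looks random"


@dataclass
class Finding:
    name: str
    reasons: list
    redacted: str  # never carry the full value into a report


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so an operator can recognise the value, mask the rest."""
    return value[:4] + "..." + "****" if len(value) > 8 else "********"


def parse_env_dump(text: str) -> dict:
    """Parse NAME=VALUE lines; ignores blanks, comments and lines without '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip().strip('"')
    return env


def classify_entry(name: str, value: str) -> list:
    """Return the list of reasons an entry looks like a secret (empty if none)."""
    reasons = []
    if SENSITIVE_NAME_RE.search(name):
        reasons.append("sensitive-name")
    for label, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            reasons.append(label)
    if TOKEN_LIKE_RE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan_env(env: dict) -> list:
    """Scan a parsed environment and return redacted findings, sorted by name."""
    findings = []
    for name, value in sorted(env.items()):
        reasons = classify_entry(name, value)
        if reasons:
            findings.append(Finding(name, reasons, redact(value)))
    return findings


# Constructed sample dump (not a real capture). The AWS values are the
# placeholder credentials used in AWS documentation.
SAMPLE_ENV_DUMP = """
# constructed sample environment from a hypothetical web server
PATH=/usr/local/bin:/usr/bin
HOME=/var/www
APP_ENV=production
LOG_LEVEL=info
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
SESSION_SECRET=changeme
WEBHOOK_SIGNING_MATERIAL=x7Qm2pLz9vRt4Hn8Kb1Wd6Yc3Fs5Jg0A
"""


def scan_sample() -> list:
    return scan_env(parse_env_dump(SAMPLE_ENV_DUMP))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.name:26s} {f.redacted:14s} {', '.join(f.reasons)}")
```

Two design points matter for a tool like this. SESSION_SECRET is caught purely by its name even though its value (`changeme`) has no entropy at all, while WEBHOOK_SIGNING_MATERIAL is caught purely by entropy even though its name matches nothing, so neither signal alone would give full coverage. And the report stores only a redacted prefix, because a scanner that writes every discovered credential into a findings file simply creates one more place where the secret lives outside the vault.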
Until solutions for full lifecycle protection arrive, we continue to rely on diligent coding practices of developers, robust manual processes led by infrastructure teams, and cross our fingers as the monthly trickle of breaches continues.
DAVID JOSEPH, PRODUCT MANAGER, SANDBOXAQ