A report from the US Congress has revealed that credit agency Equifax’s 2017 network breach (which affected 143 million people) was not spotted because of an expired software certificate.
Last week, mobile operator O2 blamed a similar issue for causing a network blackout which affected the UK.
Digital certificates are basically small pieces of code, created using sophisticated mathematics, that ensure that communications between devices or websites are sent in an encrypted manner and are therefore secure. They play an essential role in keeping IT infrastructure up and running safely and are issued by certificate authorities, which electronically vouch that the certificates are genuine. When issued, these certificates are given an expiration date of anything between a few months and several years.
Digital certificates are issued for a variety of software that encrypts communications, including software embedded in hardware. In O2’s case it seems that a certificate linked to network equipment installed by Ericsson was the weak link.
Equifax’s certificate was linked to crucial software that monitored the network for suspicious traffic, meaning the hackers were not spotted in time.
While some think that certificates expire to allow the certificate authorities to keep charging for renewals, there are some valid reasons why they need to be regularly updated, including changing technology, new vulnerabilities in encryption and the ownership of the certificate changing hands.
In O2’s case, the certificate reached its expiry date, which in turn meant that when different parts of the network attempted to communicate securely, they no longer trusted each other and refused to connect.
In Equifax’s case, the certificate in question was linked to software which monitored the network for suspicious traffic and had expired 19 months before the breach. This meant that its networks were not being monitored for hackers.
There are billions of certificates in circulation and, with the internet of things flourishing and connecting ever more devices to the web, more are needed each day.
“As business becomes digital in increasingly complex and ubiquitous ways, all enterprises need to protect themselves from repeating this disastrous outcome. A best practice in so doing is to automate the discovery, monitoring, and renewal of certificates of all types,” said Tim Callan, a senior fellow at Sectigo.
“The proliferation of certificates and ever-increasing complexity of IT infrastructure has made it more and more challenging for IT professionals to stay on top of this component of their networks.”
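The monitoring step recommended above can be expressed as an expiry audit over a certificate inventory. This is an added example, not part of the original article and not any vendor's tooling; the host names, roles, expiry dates and 30-day renewal window are constructed assumptions, and the dates use the `notAfter` text format that Python's standard `ssl.cert_time_to_seconds` parses.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: (hypothetical host, role, notAfter as OpenSSL prints it).
INVENTORY = [
    ("traffic-inspector.example.internal", "network monitoring", "Jan 31 23:59:59 2018 GMT"),
    ("core-node-01.example.internal", "network equipment", "Dec 20 12:00:00 2018 GMT"),
    ("www.example.com", "public website", "Nov  3 00:00:00 2019 GMT"),
]

WARN_DAYS = 30  # assumed renewal lead time, not a figure from the article


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until expiry (floored); negative once the certificate has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)  # seconds since the epoch, UTC
    return int((expiry - now.timestamp()) // 86400)


def audit(inventory, now, warn_days=WARN_DAYS):
    """Return (status, days, host, role) tuples, most urgent first."""
    findings = []
    for host, role, not_after in inventory:
        remaining = days_left(not_after, now)
        if remaining < 0:
            status = "EXPIRED"   # peers will refuse it, or the tool relying on it stops working
        elif remaining <= warn_days:
            status = "RENEW"     # inside the renewal window
        else:
            status = "OK"
        findings.append((status, remaining, host, role))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    # Fixed reference date (the article's date) so the output is reproducible.
    reference = datetime(2018, 12, 12, tzinfo=timezone.utc)
    for status, remaining, host, role in audit(INVENTORY, reference):
        print(f"{status:8} {remaining:5d} days  {host} ({role})")
```

In a real deployment the inventory would come from certificate discovery rather than a hand-written list, and the reference date would be the current time.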
www.bbc.co.uk/technews (12th December 2018)