In my previous article, I have talked about all that you need to know about network security. In this article, I will be talking about applications and their impacts on cryptography. Where can PKI be used by an enterprise?
The following provides a shortlist of common uses of PKIs:
- SSL/TLS certificate-based peer authentication
- Secure network traffic using IPsec VPNs
- HTTPS Web traffic
- Control access to the network using 802.1x authentication
- Secure email using the S/MIME protocol
- Secure instant messaging
- Approve and authorize applications with Code Signing
- Protect user data with the Encryption File System (EFS)
- Implement two-factor authentication with smart cards
- Securing USB storage devices
Encrypted Network Transactions
Consider how the increase of SSL/TLS traffic poses a major security risk to enterprises because the traffic is encrypted and cannot be intercepted and monitored by normal means. Users can introduce malware or leak confidential information over an SSL/TLS connection.
Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.
Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include:
- Validity date range – The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message. Expired certificates may simply be the result of administrator oversight, but they may also reflect more serious conditions.
- Signature validation error – If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic. Signature validation will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate store.
Signature Validation Error
Encryption and Security Monitoring
Security analysts must know how to circumvent and solve these issues. Here is a list of some of the things that a security analyst could do:
- Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS SSL traffic.
- Enhance security through server certificate validation using CRLs and OCSP.
- Implement antimalware protection and URL filtering of HTTPS content.
- Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.
Cryptography is dynamic and always changing. A security analyst must maintain a good understanding of cryptographic algorithms and operations to be able to investigate cryptography-related security incidents.
After the algorithm has been cracked and the attacker has obtained the keys, any encrypted data that has been captured can be decrypted by the attacker and read, thus exposing private data. Secondly, the security investigation is also affected because data can be hidden in plain sight by encrypting it.
For example, command and control traffic that is encrypted with TLS/SSL most likely cannot be seen by a firewall. The command and control traffic between a command and control server and an infected computer in a secure network cannot be stopped if it cannot be seen and understood.
The attacker would be able to continue using encrypted commands to infect more computers and possibly create a botnet. This type of traffic can be detected by decrypting the traffic and comparing it with known attack signatures, or by detecting anomalous TLS/SSL traffic. This is either very difficult and time-consuming or a hit-or-miss process.
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.