Most businesses understand that security is important but, as we discussed in a previous post (How do you measure the value of Information Security?), there is a tendency for owners to downplay the risks.
This is understandable, and sadly security is all too often seen as a “cost” which should be cut, but the reality is that security is the linchpin that keeps your business running. Security provides the environment that allows you to continue to make profits and without it, few businesses are able to survive.
This stark message was hammered home in the case of the Dutch Certificate Authority – DigiNotar®.
Certificate Authorities (CAs) provide the “trust” framework which powers almost all security measures on the internet. When you connect to an HTTPS site (such as a bank, or PayPal) the security (the “s”) is based around a process whereby your browser and the website exchange credentials to enable encryption routines to protect your data. The problem is that your browser has no idea whether the credentials it gets belong to your bank, or to an evil hacker who has mocked up a site pretending to be your bank.
This is where the CA steps in. A certificate authority is an organisation your web browser is hard-coded to trust, normally as a result of various relationships between the CA and the browser manufacturer (Microsoft, Google, Apple etc). The CA then, through various means, takes steps to convince itself that the person asking for a “certificate” is who they say they are, and the certificate is issued.
When your browser tries to connect to the HTTPS site (bank etc), the site presents the certificate from the CA to your browser. The browser then checks that this is a valid certificate from the CA (again, there are different ways this happens and the mechanics aren't important here) – if it is, it assumes the site is legitimate and you get a little padlock icon.
If an attacker can get between you and your bank (for example), then the certificates should flag up the fact that there is a problem so you can stop yourself from putting sensitive details in.
The problem with DigiNotar came when a hacker (the ‘Comodo hacker’) was able to break into DigiNotar’s infrastructure and gain the ability to issue certificates as if he was the CA. This was not the first time the hacker had managed this – which does raise the question as to why no one seems to have learned the lessons of the first attacks (lack of investigation?) – but with DigiNotar it seems to have been very, very successful.
By hacking into DigiNotar, the attacker was able to pass off various websites as legitimate, because the browser had an inherent trust of the CA, meaning an unknown number of people will have thought they had a secure web session when they didn't. At the moment it is not possible to know how many (if any) people suffered as a result of this attack, but the main casualty was DigiNotar.
To counter this security risk, almost all the browser vendors issued patches which removed DigiNotar as a trusted CA. Without that trust, DigiNotar didn't have a business and, once trust is lost, it is nearly impossible to regain (and certainly not quickly).
In this sad chain of events, DigiNotar may not have been the end target of the hacker. The fact is that not implementing sufficient security led to the loss of customer confidence to the point at which they were no longer able to function as a business. When it came to infrastructure security risk management, this is a situation where spending a little bit more earlier on might have saved the business.
This is the value of security.
Huge multinationals, like Sony, might be able to absorb the damage that a hack can do (loss of revenue, costs to remediate, loss of customer confidence etc), but this is not always the case. DigiNotar was not a small business, but it was still unable to weather the damage one malicious individual caused.
It is very rarely “good business sense” to cut security. It may seem like you are cutting costs, but without solid, risk-management-based decisions you may be cutting the head off your business. If you want to remain profitable, protect your assets, and this includes your customers' trust.