NIST issues guidance on fraudulent certificates

The National Institute of Standards and Technology (NIST) and Venafi have released a new NIST Information Technology Laboratory (ITL) bulletin entitled “Preparing for and Responding to Certificate Authority Compromise and Fraudulent Certificate Issuance.” NIST released the bulletin to alert both government agencies and private-sector organizations to the risk of certificate authority (CA) compromise, and to offer guidance on preparing for and responding to a CA compromise that results in fraudulently issued certificates.

Fraudulent certificates came onto lawmakers' radar after two successful cyber attacks in 2011 used improperly issued certificates as the means of attack. A recent CNET report raising concerns about similar attacks on the US power grid also spurred a federal investigation into this and other cyber security concerns. An attacker holding a fraudulent certificate can impersonate another individual or system, or forge digital signatures.

According to NIST, “responding to a CA compromise may entail replacing all user or device certificates, or trust anchors from the compromised CA. If an organization is not prepared with an inventory of certificate locations and owners, it will not be able to respond quickly and may experience significant interruption in its operations for an extended period of time.”

The institute is advising public and private sector organizations alike to include a certificate response strategy in their business continuity and disaster recovery plans.

“Certificate authorities have increasingly become targets for sophisticated cyberattacks, particularly as the use of digital certificates for Secure Sockets Layer (SSL) has become widespread,” bulletin co-author Paul Turner, vice president of products and strategy at Venafi, noted. Many common enterprise and consumer applications ship with pre-installed trust anchors that users are neither aware of nor have explicitly chosen to trust, so when a CA is compromised the effects can be widespread.

The bulletin describes the ways a CA can be compromised and how to respond if that happens. Organizations can start by locating and securing their existing certificates and CAs. In addition to maintaining an inventory of all certificates, security teams should establish an inventory of all trust anchors (the CA root certificates used to validate user and device certificates), record the owner and other data for each anchor, and remove any anchor that is deemed untrustworthy.
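As an added illustration of the inventory-and-response steps described above (example code written for this article, not the bulletin's, NIST's or Venafi's), the following Go program builds two self-signed trust anchors and three certificates issued under them (all names, such as `Example Compromised Root CA` and `vpn.example.test`, are made up for the example), records an inventory keyed by SHA-256 fingerprint with each entry's subject, issuer and anchor status, lists every certificate that chains to a compromised anchor and so must be reissued, and rebuilds the trust store with that anchor removed. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Entry is one inventory row; Fingerprint (SHA-256 of the DER) is the stable key, TrustAnchor marks self-signed CAs.
type Entry struct{ Subject, Issuer, Fingerprint string; TrustAnchor bool }

// Fingerprint identifies a certificate regardless of where or under what name it is stored.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Inventory records subject, issuer, fingerprint and anchor status for every certificate held.
func Inventory(certs []*x509.Certificate) []Entry {
	var out []Entry
	for _, c := range certs {
		out = append(out, Entry{c.Subject.CommonName, c.Issuer.CommonName, Fingerprint(c),
			c.IsCA && c.CheckSignatureFrom(c) == nil})
	}
	return out
}

// Store builds a trust store from the anchors whose fingerprint satisfies keep; removing an
// untrustworthy anchor is Store(anchors, func(fp string) bool { return fp != compromisedFP }).
func Store(anchors []*x509.Certificate, keep func(fp string) bool) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		if keep(Fingerprint(a)) {
			pool.AddCert(a)
		}
	}
	return pool
}

// Trusted reports whether c builds a valid chain to one of the roots in the store.
func Trusted(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// AffectedBy lists every certificate, other than the anchor itself, that chains to the
// compromised anchor: the set that has to be reissued under a trustworthy CA.
func AffectedBy(certs, anchors []*x509.Certificate, compromisedFP string) []*x509.Certificate {
	only := Store(anchors, func(fp string) bool { return fp == compromisedFP })
	var affected []*x509.Certificate
	for _, c := range certs {
		if Fingerprint(c) != compromisedFP && Trusted(c, only) {
			affected = append(affected, c)
		}
	}
	return affected
}

// issue makes a P-256 certificate for cn: a self-signed root when parent is nil, otherwise a
// server certificate signed by parent. Constructed sample data, not a real CA.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}}
	if parent == nil { // root: self-signed and allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, parent, parentKey = nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildScenario returns the anchors, everything the organisation holds (anchors included) and the
// fingerprint of the root later found to be compromised. All names are made up.
func BuildScenario() (anchors, certs []*x509.Certificate, compromisedFP string) {
	bad, badKey := issue("Example Compromised Root CA", 1, nil, nil)
	good, goodKey := issue("Example Trusted Root CA", 2, nil, nil)
	vpn, _ := issue("vpn.example.test", 10, bad, badKey)
	mail, _ := issue("mail.example.test", 11, bad, badKey)
	www, _ := issue("www.example.test", 20, good, goodKey)
	return []*x509.Certificate{bad, good}, []*x509.Certificate{bad, good, vpn, mail, www}, Fingerprint(bad)
}

func main() {
	anchors, certs, badFP := BuildScenario()
	for _, e := range Inventory(certs) {
		fmt.Printf("%-28s issuer=%-28s anchor=%-5v sha256=%s...\n", e.Subject, e.Issuer, e.TrustAnchor, e.Fingerprint[:16])
	}
	for _, c := range AffectedBy(certs, anchors, badFP) {
		fmt.Println("reissue under a trusted CA:", c.Subject.CommonName)
	}
	fmt.Println("vpn.example.test trusted after removing the anchor:", Trusted(certs[2], Store(anchors, func(fp string) bool { return fp != badFP })))
}
```

The fingerprint, rather than the subject name, is the key of the inventory because two CAs can carry the same name and a fraudulently issued certificate can copy any subject it likes; the inventory and the affected-certificate list are what let a team replace certificates quickly once an anchor is withdrawn. In a real deployment the certificates would be collected from servers, key stores and application trust stores rather than generated in the program.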

The full text is available here.