The price for information security shortcomings …

Just about four weeks back, the security incident in that company came to light. Today, the company has filed for bankruptcy. The security breach has forced the organization to voluntarily shut down its operations.

A recap of the events that led to the fall of the organization:

An intruder gained access to the CA servers of DigiNotar, a trusted digital certificate authority in The Netherlands, sometime during June and started illegally generating fraudulent SSL certificates, qualified certificates and Government accredited certificates.

The breach became public knowledge only on Aug 29, 2011, when a rogue certificate generated for google.com was presented to a number of internet users in Iran. Users were presented with fake certificates, but the browsers treated them as a ‘secure, trusted connection’, just as they would treat genuine certificates signed by the CAs.

The following day (Aug 30), DigiNotar officially reported the security incident, though it internally identified the breach on July 19 itself. DigiNotar’s press statement reads: “On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com”.

Just about a couple of weeks later, on Sep 20, DigiNotar voluntarily filed for bankruptcy. VASCO Data Security International, the company that acquired DigiNotar barely eight months ago, has announced that it does not plan to re-enter the certificate authority business in the near future.

This security breach has come as a big shock, even rocking the very concept of the internet trust services.

An investigation of the breach by Fox-IT, experts in IT security, has revealed the following about DigiNotar’s network infrastructure (interim report published on DigiNotar’s website):
  1. The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
  2. The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.
  3. The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.
  4. The software installed on the public web servers was outdated and not patched.
  5. No antivirus protection was present on the investigated servers.
  6. An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.

The above investigation clearly shows that certain basic security measures were not sufficiently taken care of.

Generally, when you dig deep into security incidents such as identity thefts, breaches, DoS attacks and others, you will find certain basic security measures carelessly handled.

In this case, an effective vulnerability scanner could have easily detected vulnerabilities; enforcement of standard password management practices could have helped automatically randomize passwords and combat the compromise of the password of the domain in which the CA servers were present; efficient patch management software could have helped keep the software on web servers up-to-date; real-time monitoring of security events and analysis of system logs could have helped identify security breaches.
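The log analysis mentioned above can be illustrated against finding 3 of the report (one guessable domain password opening every CA server). The following is an added example, not code from the original post or from the Fox-IT report; the log format, host names, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not DigiNotar data):
# time, target host, account, source address, result
SAMPLE_LOG = """\
2011-01-01T02:00:01 ca1 svc-admin 10.0.0.50 FAIL
2011-01-01T02:00:03 ca1 svc-admin 10.0.0.50 FAIL
2011-01-01T02:00:05 ca1 svc-admin 10.0.0.50 FAIL
2011-01-01T02:00:07 ca1 svc-admin 10.0.0.50 FAIL
2011-01-01T02:00:09 ca1 svc-admin 10.0.0.50 OK
2011-01-01T02:03:00 ca2 svc-admin 10.0.0.50 OK
2011-01-01T02:04:30 ca3 svc-admin 10.0.0.50 OK
2011-01-01T09:00:00 ca1 operator1 10.0.0.7 FAIL
2011-01-01T09:00:20 ca1 operator1 10.0.0.7 OK
"""

def parse(log):
    for line in log.splitlines():
        ts, host, account, src, result = line.split()
        yield datetime.fromisoformat(ts), host, account, src, result

def detect(log, fail_threshold=4, spread_hosts=3, window=timedelta(minutes=10)):
    """Return sorted alerts as (kind, account, source) tuples.
    Thresholds are illustrative assumptions, not recommended values."""
    fails = defaultdict(list)    # (account, src) -> failure times since last success
    logons = defaultdict(list)   # (account, src) -> [(time, host)] of successes
    alerts = set()
    for ts, host, account, src, result in sorted(parse(log)):
        key = (account, src)
        if result == "FAIL":
            fails[key].append(ts)
            continue
        # A success preceded by a burst of failures suggests a guessed password.
        recent = [t for t in fails[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.add(("guessed-password", account, src))
        fails[key].clear()
        # One credential opening many servers in a short time (single-domain risk).
        logons[key].append((ts, host))
        hosts = {h for t, h in logons[key] if ts - t <= window}
        if len(hosts) >= spread_hosts:
            alerts.add(("credential-reuse-across-servers", account, src))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Such a check only works if the events are collected centrally and out of reach of the servers being monitored, which is the gap finding 6 describes.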

The growing list of cyber-criminal activities across the globe has assumed such grave proportions that all enterprises, big and small, are exposed to security breaches and identity thefts of various kinds. Though in reality it is not possible to prevent all types of security incidents, the ones that happen due to lack of mandatory security measures are indeed preventable.

Combating sophisticated cyber threats mandates a multi-pronged strategy – deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing patches, tracking changes, ensuring compliance, monitoring traffic and a host of other activities.

ManageEngine has a range of affordable Enterprise Security Management Software Solutions that help you build a secure fortress, enabling you to stay secure, ensure business continuity and enhance productivity.

ManageEngine Security Solutions aid in:

With cyber threats looming large, taking preventive action is the need of the hour. Use ManageEngine and Stay Secure!

Bala





The original article/video can be found at The price for information security shortcomings …
