Assessing Certificate Risk with Qualys VMDR

Digital certificates and SSL are everywhere. However, managing an accurate inventory of all current certificates in use across your enterprise is an ongoing challenge. This blog examines the scale of the problem, the shortcomings of some popular certificate tracking methods, and how Qualys VMDR’s CertView offering addresses both.

When you connect to your bank, you are using SSL. When you connect to a VPN, you are using SSL. When you connect to social media networks like Facebook and LinkedIn, you are using SSL. When you connect to public clouds like AWS or Azure… well you get the idea.

When applications talk to each other over the Internet or the Intranet, they use SSL to communicate, authenticate, and encrypt data between the channels.

Every time you visit a website with a URL that begins “https” or displays the little padlock icon, that means the site’s security has been verified by a certificate authority (CA). On the other hand, websites that are “not secure” either have not been validated by a CA or their validation has expired.

Given the critical role that certificates play in securing our digital world, enterprises large and small should do everything possible to manage them properly. This includes collecting and maintaining an accurate certificate inventory, making sure that certificates are adequately protected from theft, and most importantly, making sure that they don’t expire.

Let’s look at some of the risks from unmanaged certificates.

Unmanaged Certificates Pose Security Risks

A certificate authority (CA) is a trusted organization that issues digital certificates for websites and other entities. CAs validate a website’s domain and ownership (depending on the type of certificate), and issue TLS/SSL certificates that are trusted by web browsers.

Most organizations rely on SSL and certificates to protect their business. A few years ago, Gartner’s research concluded that 80% of network attacks would use SSL by the year 2022. Just three years ago this number stood at 50%.

But many organizations don’t have any visibility into their certificates. They don’t know where they are. They don’t know how many there are. They don’t know what purpose they serve. Certificate ownership information is typically incomplete or missing entirely. These conditions create unnecessary security risk.

Not having an accurate certificate inventory is a concern because many bad things hide in encrypted traffic. Encryption can hide the delivery of malicious payloads, things like ransomware and trojans. Encryption also hides the malware’s call back to its command-and-control center as well as any data that is being exfiltrated from the victim’s system.

What is unknown cannot be managed. These unknowns can result in unplanned outages. For every unplanned outage caused by an expired certificate, there are surely many more near-misses. Most organizations have a policy about which CAs should be used. But without active oversight, security teams have no way of knowing how many certificates are coming from unapproved CAs.

For example, DevOps teams often use free or unapproved CAs. Why? Because they can’t wait days for infosec teams to get them a certificate. This means that when auditors enforce risk mitigation processes or when you’re out of compliance, you can’t fix those issues because you don’t know where these non-compliant certificates are configured or used.

State of Certificate Security, by the Numbers

Qualys performs billions of security scans for our customers. In addition to looking for vulnerabilities and control failures, we also monitor the health of digital certificates and their underlying SSL/TLS configurations.

Recently we analyzed our customer knowledgebase anonymously, to come up with an aggregate set of insights into the state of certificate risk across enterprises worldwide.

Here’s what we found:

  • Qualys analyzed over 3 million certificates in inventory.  
  • More than 7% of the certificates have already expired and nearly 21% of certificates are expiring in the next 90 days. Expired certificates are one of the primary reasons for business outages.  
  • A recent study by the Ponemon Institute found that the average Global 5000 company spends about $15M to recover from the loss of business due to a significant outage caused by an expired certificate. This includes remediation costs, loss of productivity, loss of revenues, and brand damage. Instagram, Google, Microsoft, and LinkedIn have all suffered outages blamed on expired certificates. 
  • In addition, Ponemon reported the average Global 5000 company spends around $25M on audit and compliance remediation costs during recovery.  
  • Qualys found that approximately 9% of websites have inadequate security simply based on the grade of the current certificate, which we assess using the Qualys SSL Labs rating.  
  • Inadequate security for validating digital certificates is primarily due to one of four factors: a self-signed certificate, an untrusted certificate authority, expired certificates that were not renewed, or usage of older protocols such as SSL v3 or TLS1.0/TLS1.1.  
  • Among sites with expired certificates, 48% were still using TLS1.2, 43% were using TLS1.1, and 12% still had RC4 enabled. Best practice dictates that servers be configured to support the latest protocol versions to ensure you are using the strongest algorithms and ciphers. It’s equally important to disable older protocol versions.  
  • Most browsers have officially announced that they will no longer support TLS1.0/TLS1.1, so it’s time to migrate to higher encryption methods like TLS1.2/TLS1.3. 
  • Usage of insecure encryption methods like SSL v3 and TLS1.0/TLS1.1 leaves your sites vulnerable to hacks and attacks. Threat actors can use publicly available exploit techniques to leave encrypted connections open to man-in-the-middle and other types of cyberattacks.  
  • The number of stolen digital certificates has rapidly increased over the years, and they are sold in marketplaces on the Dark Web.  

This analysis reveals that enterprises can do a better job at managing their digital certificate security. Vulnerabilities and control failures are still lurking, and every organization can benefit from a more thorough vulnerability and compliance assessment of its certificate risk.

Certificate Tracking Alternatives Fall Short

Some enterprise security teams track their certificates manually, using a calendar or spreadsheets. This is better than no tracking at all, but this crude method leads to complacency. The spreadsheet might track some certificates, but only if they were reported. Keeping a close watch on every detail of the SSL certificate, policy changes, and expiration dates is time-consuming, error-prone, and risky. 

This leaves a gap, sometimes quite large, between what is tracked and what is out there waiting to be exploited. Even worse, spreadsheets can’t track the underlying TLS configuration, leaving certificate administration to a select few who understand SSL well.

Poor certificate management can lead to service downtime or display of error messages that could destroy customer trust in the organization’s data security (or lack thereof), and in extreme cases even result in security breaches.

There are alternatives to the spreadsheet, but these certificate tracking options have their own challenges. Most of these alternatives are point tools. While some do help, most are just that: tools that increase the administrative effort and total cost of ownership. Many popular certificate tracking tools are not scalable and are deployed in either operational or technology silos. Each silo deploys its own instance of the tool without each team knowing about the others or being able to leverage them. Because of the way these tools are designed, many can work only within the enterprise or only in the cloud but have a hard time working across both environments.

In today’s complex computing environment, the enterprise network and the cloud are inextricably linked. There are very few areas where the public cloud and enterprise networks can operate independently. Most solutions in the market are certificate-only or vulnerability-only tools. They limit visibility of your security posture across all IT infrastructure. What remains is still unknown. Often another kind of tool must be deployed to complete the scanning and analysis necessary to protect the entire enterprise. 

To deal with these issues, organizations need a centralized monitoring process that automatically alerts administrators when SSL certificates are about to expire so that they can take immediate action.
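The assessment criteria listed above (expired, expiring within the 90-day window, self-signed, issued by an unapproved CA, served over a legacy protocol) as one standalone inventory check, added here as an example and not Qualys or CertView code. It reads records in the shape Python’s `ssl` `getpeercert()` returns; the hostnames, the CA names and the approved-CA list are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone
EXPIRY_WINDOW_DAYS = 90  # the "expiring in the next 90 days" window used in the findings above
APPROVED_CA_ORGS = {"Example Trusted CA Inc"}  # assumed approved-CA policy, not a CertView setting
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def rdn_value(rdns, key):
    """Read one attribute (e.g. organizationName) from a getpeercert()-style name tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def assess(record, now):
    """Findings for one record: expired, expiring, self-signed, untrusted-ca, legacy-protocol."""
    findings = []
    # notAfter is the OpenSSL text form ('Mar 15 12:00:00 2024 GMT') that getpeercert() returns
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(record["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= EXPIRY_WINDOW_DAYS:
        findings.append("expiring")
    if record["subject"] == record["issuer"]:  # issued to itself: no CA stands behind it
        findings.append("self-signed")
    elif rdn_value(record["issuer"], "organizationName") not in APPROVED_CA_ORGS:
        findings.append("untrusted-ca")
    if record.get("protocol") in LEGACY_PROTOCOLS:  # a scanner fills this from SSLSocket.version()
        findings.append("legacy-protocol")
    return findings

def summarize(inventory, now):
    """Count each finding across the inventory, with its share of all records as a percentage."""
    counts = {}
    for rec in inventory:
        for f in assess(rec, now):
            counts[f] = counts.get(f, 0) + 1
    return {f: (n, round(100.0 * n / len(inventory), 1)) for f, n in counts.items()}
# Constructed sample inventory (hostnames and CA names are invented), assessed at a fixed 'now'.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
TRUSTED = ((("organizationName", "Example Trusted CA Inc"),), (("commonName", "Example Trusted Root"),))
DEV_SELF = ((("commonName", "dev.example.test"),),)
INVENTORY = [
    {"subject": ((("commonName", "api.example.test"),),), "issuer": TRUSTED, "notAfter": "Dec 31 23:59:59 2024 GMT", "protocol": "TLSv1.3"},
    {"subject": DEV_SELF, "issuer": DEV_SELF, "notAfter": "Nov 30 00:00:00 2023 GMT", "protocol": "TLSv1.2"},
    {"subject": ((("commonName", "build.example.test"),),), "issuer": ((("organizationName", "Free Unapproved CA"),),), "notAfter": "Mar 15 12:00:00 2024 GMT", "protocol": "TLSv1.1"},
    {"subject": ((("commonName", "legacy.example.test"),),), "issuer": TRUSTED, "notAfter": "Jun 30 00:00:00 2025 GMT", "protocol": "TLSv1"},
]
```

Feeding `summarize` the records a scanner collects from `getpeercert()` and `SSLSocket.version()` yields the same kind of percentages the findings above report, which is the aggregate a monitoring process can alert on.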

Certificate Inventory in Qualys VMDR using CertView

Qualys VMDR, our flagship vulnerability management solution, includes Certificate View (“CertView”), which gives security teams a comprehensive view of all the SSL/TLS certificates across their enterprise and cloud-hosted assets.

Qualys CertView extends inventory and assessment of Internet-facing certificates to include the internal network, where an organization’s most critical data resides. It continuously discovers and monitors digital certificates across the enterprise to ensure certificates are renewed before they expire. This stops certificate-related outages and improves availability, across both on-premises and cloud instances.

Qualys CertView stops expired/expiring certificates from interrupting critical business functions and offers direct visibility on them right from the dashboard. It also prevents “wildcard” certificates, which are single public key certificates designed to be used on multiple subdomains. Instead of purchasing separate certificates for subdomains, some businesses think a single wildcard certificate is more convenient to serve all domains and subdomains across multiple servers.

The problem is wildcard certificates can disrupt business functions that rely on secure communications with authenticated partners and customers. Their usage can lead to a single point of failure – if the key is compromised, all servers and subdomains are at risk. If the wildcard certificate is revoked, the private key will need to be updated on all the servers.

Even better, Qualys CertView works in concert with Qualys SSL Labs, a publicly available service that performs a deep analysis of web server configurations and detects common problems related to SSL certificates. Qualys SSL Labs grades certificates using standard criteria such as certificate type, protocol support, key exchange, certification authority, cipher strength, and HTTP Strict Transport Security.

Sign up for Qualys CertView – free from Qualys – to review the certificate status of all your internet-facing assets.

Summary

Understanding which digital certificate vulnerabilities exist in your environment is critical, but many organizations don’t have any visibility into their certificate inventory. Blind spots such as expired certificates create unnecessary security risk such as possible breaches or system outages. Current solutions such as manual tracking using spreadsheets or siloed tools miss the bigger picture of the entire enterprise’s certificate security posture.

Qualys VMDR with CertView closes these gaps. It helps you review the status of all digital certificates exposed to the Internet, with industry grades assigned. It provides a high-level view of expiring certificates, so you can remediate certificate problems by working with trusted Certificate Authorities.

This post was first published on the Qualys Security Blog website by Ramesh Ramachandran.