listen to this article:
Crypto hygiene, surprisingly enough, is a lot like personal hygiene. Just like showering regularly and brushing teeth twice daily is vital for combating and preventing illness and maintaining overall well-being, organizations must practice good crypto hygiene to reduce security risk and maintain good business health.
However, just like one needs to brush one’s teeth correctly in order to prevent cavities, organizations need the know-how and capability to practice proper crypto hygiene. Crypto hygiene means that your cryptography implementation is done correctly, ensuring that your entire cryptography infrastructure is secure, manageable, and efficient. This in turn helps assure that your data, applications, and systems are secure from both external and internal threats. An added benefit of a robust cryptography implementation is that it can quickly adapt to changing needs within an organization.
To put it simply, when you have poor crypto hygiene, bad things can happen. The ASUS supply chain attack is just one recent example – according to Peter Nohe at Hashed Out, the crux of the attack has to do with poor private key security. ASUS uses code signing certificates to sign its software updates so that they will be trusted by external systems and users as official ASUS software. This security measure is designed to safeguard users from downloading malware that’s masquerading as a legitimate update. However, one of ASUS’ updates servers was compromised, and on one of those servers were at least two signing keys. If the attacker got access to the keys, he/she can sign malware and distribute it through the ASUS Live Update tool in a legitimate way. Had ASUS stored the key securely, the attackers would not have had access to it.
When it comes down to security, we have to assume that we’re in a zero-trust environment and that there are attackers everywhere. And not only that, we also have to assume that attackers are constantly figuring out how to bypass even the most defensible mechanisms. That being said, even if we implement the most advanced security technologies, if they are not implemented correctly, then it can end up being even more dangerous. Let’s say for example that you encrypt all your sensitive data, but don’t store the keys properly. All it takes for an attacker is to steal the keys and then it’s game over.
Here are some crypto hygiene best practices to consider:
- Take Inventory: you can’t protect what you don’t see—get a clearer picture of all the cryptographic keys and certificates in your organization.
- Prioritize: first protect the highly sensitive data and systems that if compromised could negatively impact people’s lives or present significant risk to your business.
- Enforce key protection best practices: the security of a cryptography implementation rests on the protection of private keys from exposure or misuse. Do not store keys on servers or endpoints, or even worse hardcoded into the applications that use them. Sensitive keys such as master encryption keys and code signing keys should be strongly protected, for example in an HSM or virtual HSM.
- Protect key usage: not only do the keys have to be protected themselves, but also the applications and users that can use the keys. Using a SIEM to monitor real-time logs of cryptography operations, while not foolproof, can help reduce risk through timely detection and prevention of unauthorized key usage.
Good crypto hygiene is by no means a trivial undertaking, but with the help of experts, it is definitely achievable. Just like we consult professionals such as doctors and dentists for our own personal hygiene, we should do the same for our crypto! Cryptography is not packaged in one product or solution; it is one of the basic technology foundations upon which an organization’s overall security rests, and in-depth domain expertise and experience the necessary experts are required to implement it properly.