A recent report from the British research firm Netcraft showing that 80 US government websites had expired Transport Layer Security certificates during the ongoing US government shutdown rightfully has caused quite a stir, and ISACA members ought to be paying attention.
TLS certificates protect users as they validate that the site you are visiting indeed is the intended legitimate site and protects against man-in-the-middle or redirection attacks. Maintenance of security certificates is a basic essential task for security organizations.
Expired TLS certificates on 80 US government sites may just be the tip of the iceberg. In fact, if the shutdown extends further, we likely will see many other certificates expire and not be updated as furloughed government employees and their highly skilled contractors remain off-duty. Additionally, if a basic essential function such as maintaining TLS certificates has lapsed, citizens are left wondering what other mission-essential tasks to protect the people’s information have been left unattended?
When I was an Air Force lieutenant, my Chief Master Sergeant told me that every situation should be a learning experience. Some are good examples and some are bad examples to follow. In this case, this is a bad example that ISACA members should learn from to better manage your cyber risk.
I suggest you look at your own organization and ask a series of questions. Does your organization use TLS certificates? If not, why? If so, where? Who is charged to maintain these certificates and how do they manage them? How does leadership monitor the status of security certificates so that there are no lapses? Does your team only use certificates from legitimate authenticated sources? Do your business continuity and disaster recovery plans have provisions for the maintenance of security certificates? In the event of a lapse, does your organization have the ability to detect the lapse and have a plan to remedy it and communicate with key stakeholders?
In parochial school, I learned that everyone is a sinner and, when it comes to security certificates, I too had an expired certificate. Nearly 20 years ago, my organization had a security certificate expire and one of my brother units discovered it. We fixed it right away and conducted a review of our processes to find out why it happened. It turned out we didn’t have a formal certificate management process to track all our certificates. Fixing the issue was fast and easy. We identified all our certificates, designated responsibility to the technicians who would manage them, ensured they were trained, and added the updates to the maintenance schedule so the certificates would be tracked and not expire without an update. Nearly 20 years ago, an expired certificate was a learning experience. Today, it is a concerning head-scratcher.
Paying attention to the basic essential functions is what we do as we execute our security, auditing, and control functions. During my time as a CIO, I had my organization identify all our mission-essential functions and the tasks required to accomplish them. I then applied activity-based costing measures so that my team and I could articulate the cost and impact of every task. Can you say the same applies in your organization?
The expiration of security certificates on government websites weakens security, increases risk and is of great concern to me and others. Let’s use this as learning experience. Check your own organizations and, as a citizen who is a “shareholder,” don’t be shy about asking your government representatives how they are protecting your information.