ISACA Now Blog


Expired TLS Certificates Must Be Used as a Learning Experience

Gregory J. Touhill, CISM, CISSP, Brigadier General (ret), ISACA board director and president of Cyxtera Federal Group
Posted at 1:34 PM by ISACA News | Category: Security

A recent report from the British research firm Netcraft showing that 80 US government websites had expired Transport Layer Security certificates during the ongoing US government shutdown rightfully has caused quite a stir, and ISACA members ought to be paying attention.

TLS certificates protect users by validating that the site being visited is indeed the intended, legitimate site, and they protect against man-in-the-middle or redirection attacks. Maintaining security certificates is a basic, essential task for security organizations.

Expired TLS certificates on 80 US government sites may be just the tip of the iceberg. In fact, if the shutdown extends further, we likely will see many other certificates expire and not be renewed while furloughed government employees and their highly skilled contractors remain off-duty. Additionally, if a basic, essential function such as maintaining TLS certificates has lapsed, citizens are left wondering what other mission-essential tasks that protect the people’s information have been left unattended.

When I was an Air Force lieutenant, my Chief Master Sergeant told me that every situation should be a learning experience. Some are good examples and some are bad examples to follow. In this case, this is a bad example that ISACA members should learn from to better manage their cyber risk.

I suggest you look at your own organization and ask a series of questions. Does your organization use TLS certificates? If not, why? If so, where? Who is charged to maintain these certificates and how do they manage them? How does leadership monitor the status of security certificates so that there are no lapses? Does your team only use certificates from legitimate authenticated sources? Do your business continuity and disaster recovery plans have provisions for the maintenance of security certificates? In the event of a lapse, does your organization have the ability to detect the lapse and have a plan to remedy it and communicate with key stakeholders?

In parochial school, I learned that everyone is a sinner and, when it comes to security certificates, I too had an expired certificate. Nearly 20 years ago, my organization had a security certificate expire and one of my brother units discovered it. We fixed it right away and conducted a review of our processes to find out why it happened. It turned out we didn’t have a formal certificate management process to track all our certificates. Fixing the issue was fast and easy. We identified all our certificates, designated responsibility to the technicians who would manage them, ensured they were trained, and added the updates to the maintenance schedule so the certificates would be tracked and not expire without an update. Nearly 20 years ago, an expired certificate was a learning experience. Today, it is a concerning head-scratcher.
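The lapse check behind the questions above and the inventory process just described (identify every certificate, designate an owner, track the expiry date), as an added example in Go that is not part of the original post: the hostnames, owners and "today" are constructed, and the certificates are self-signed stand-ins generated in memory so the check runs offline, where a real inventory would hold the certificate each host actually serves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status classifies NotAfter against the check time: lapsed, inside the renewal warning window, or fine.
func Status(notAfter, now time.Time, warnDays int) string {
	if !now.Before(notAfter) {
		return "EXPIRED"
	} else if notAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour {
		return "EXPIRING"
	}
	return "OK"
}

// Line renders one inventory row so that a lapse names the technician responsible for renewal.
func Line(host, owner string, cert *x509.Certificate, now time.Time, warnDays int) string {
	return fmt.Sprintf("%-8s %-22s owner=%-6s days_left=%d", Status(cert.NotAfter, now, warnDays),
		host, owner, int(cert.NotAfter.Sub(now).Hours()/24))
}

// SelfSigned builds a constructed certificate with the given validity so the check runs offline.
func SelfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	now := time.Date(2019, 1, 24, 0, 0, 0, 0, time.UTC) // constructed "today"
	rows := []struct{ host, owner string; notAfter time.Time }{ // constructed: lapsed, due, fine
		{"www.agency.example", "smith", now.AddDate(0, 0, -14)},
		{"portal.agency.example", "jones", now.AddDate(0, 0, 12)},
		{"api.agency.example", "lee", now.AddDate(0, 11, 0)},
	}
	for _, r := range rows {
		fmt.Println(Line(r.host, r.owner, SelfSigned(r.host, now.AddDate(-1, 0, 0), r.notAfter), now, 30))
	}
}
```

Run on a schedule, an EXPIRING row is the renewal ticket and an EXPIRED row is the incident, each already attributed to its owner.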

Paying attention to the basic essential functions is what we do as we execute our security, auditing, and control functions. During my time as a CIO, I had my organization identify all our mission-essential functions and the tasks required to accomplish them. I then applied activity-based costing measures so that my team and I could articulate the cost and impact of every task. Can you say the same applies in your organization?

The expiration of security certificates on government websites weakens security, increases risk and is of great concern to me and others. Let’s use this as a learning experience. Check your own organizations and, as a citizen who is a “shareholder,” don’t be shy about asking your government representatives how they are protecting your information.


Re: Expired TLS Certificates Must Be Used as a Learning Experience

You make an excellent point here. We should be asking ourselves what other controls are being missed in this period of shutdown? Who is taking notice, who will address them when everything gets back to normal eventually, and how will they prioritise the backlog of tasks like this?

How many people are now getting used to getting certificate warnings from official websites and getting used to clicking through, "safe" in the knowledge that this is now expected behaviour and they need to accept the expired certificate if they want to access services?
David948 at 1/24/2019 3:50 AM

Was the use of ABC the solution?

This is a nice piece to awaken our sense of security concerning our various information systems and organisational security consciousness.

Was the use of the ABC cost system which is primarily based on task the best approach to knowing the cost to serve in the organisation?
Enock242 at 1/24/2019 3:54 AM