Ben Gidley from Irdeto on Symantec Certification
Quote Attributed to Ben Gidley, Director of Technology, Irdeto:
The fallout from Google Chrome planning to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities extends well beyond downgrading to less-secure domain-validated certificates. The discovery that more than 30,000 were not issued correctly greatly increases the potential for man-in-the-middle (MitM) attacks by potentially leaving many sites vulnerable. The purpose of a MitM attack is for the hacker to secretly position himself in the middle of a digital connection between the user and the web server/API. This allows the hacker to steal data or gain access to the back-end systems, inject malware and more. Once someone has executed a MitM attack, a web site’s traditional security no longer functions properly, allowing the hackers to steal money, customer data, intellectual property and much more.
In addition, Google’s decision will reduce all of Symantec’s extended validation (EV) certificates to behave as organization validated (OV) certificates. The PCI Security Standards Council notes that OV certificates provide a secure step where the CA vets the business before issuance of the certificate, but only recommends these certificates for public-facing websites dealing with less sensitive information. EV certificates provide the highest level of authentication of the business by the CA, and are recommended by PCI for websites handling CHD, PII, and other sensitive data. Given the sensitive information needed to conduct online banking and payments transactions, this decision and Symantec’s negligence could be felt immediately by the payments & banking industry, which must maintain optimal security to ensure a safe and secure digital banking and shopping experience for consumers.
In order to protect against cyberattacks, website operators, banks and payments services providers need to implement a whitebox philosophy, where organizations design software to assume the hardware can and will be attacked by hackers. They should also perform an assessment of the risks, alongside mitigations and active responses that limit the damage an attacker can employ, making it much less lucrative for hackers to execute an attack. Combined with a ‘defence in depth’ approach, this strategy can help organizations control the risks and potential losses. This cybersecurity strategy not only helps prevent a costly cyberattack, but also helps protect a brand’s reputation, preventing customers from looking elsewhere to work with an organization that keeps their sensitive data secure.