Expert warns of new data security risk

Poor digital certificate management could lead to further Stuxnet attacks

Most companies have inadequate digital certificate management, leaving themselves open to cyber attack, according to several security experts.

"A failure to manage this kind of risk exposes organisations to increased vulnerabilities like the Stuxnet attack," said Jeff Hudson (pictured above), CEO of data security specialist Venafi.

Sophisticated virus Stuxnet includes a stolen digital certificate from Verisign which aids its propagation.

Hudson added: "This is not scaremongering – it is a real threat that will affect an organisation sometime soon."

The Stuxnet attack on an Iranian power station in November 2010 is likely to be followed by similar actions in 2011, according to some analysts, with US utilities companies being a potential target.

Stuxnet exploited four separate zero-day vulnerabilities, which by their definition are impossible to defend against.

There are steps organisations can take to significantly reduce the risk of a successful attack, Hudson said.

"Most organisations do not know how many digital certificates they have, where they are installed, who installed them, their validity, and their expiration dates," he said.

According to Hudson, this is exactly the same as not knowing which people in a secure building are authorised to be on the premises and which are unauthorised.

"Additionally, the certificates must be functioning as intended and monitored throughout their lifecycle so that they can be expired and replaced as dictated by the security policies of the organisation," he said.

Hudson added that before Stuxnet, poor management of digital certificates was viewed as acceptable. But new and more sophisticated recent threats have now appeared, meaning that policies have to change.

"Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact poor management in some cases creates an exploitation opportunity," Hudson said.