Thu Jan 6 UTC (22 days ago)
In your timezone (EST): Thu Jan 6 10:00am - Thu Jan 6 10:45am
Public Key Infrastructure (PKI) was globally accepted in the mid 1990s. PKI can be thought of as the authentication, encryption and decryption of all digital devices and all data. Think of the modern-day equivalent of the Enigma or Lorenz encryption machines used in the Second World War, whose codes Alan Turing and William Tutte cracked, and you're thinking along the right lines.
PKI is made up of digital certificates and encrypted keys. It is used to identify and encrypt billions upon billions of messages daily in a world of communication that is totally reliant on digital exchange. Digital certificates in essence take plaintext data, just like this sentence, and encrypt it into ciphertext. Once it is received, the recipient's PKI (if trusted) deciphers the ciphertext back into plaintext. This exchange of data is seamless. However, if either side is insecure, a Man-in-the-Middle (MitM) attack can easily be achieved and result in plaintext exfiltration. Ransomware has become so popular because organisations unfortunately lack PKI controls, so their data can be accessed at rest (on a server) or in flight (being sent to or from a server) and remains in plaintext throughout. Criminals can capture or exfiltrate that data and then hold it to ransom. This situation then quickly, and unequivocally, falls foul of all privacy laws, including the UK DPA and GDPR.
Certificate Authorities (CAs) issue digital certificates in their billions, and certificates typically last for 12 months. Many CAs have become household names, such as DigiCert, GoDaddy and Let's Encrypt. Certificates carry access and privileges, and due to their sheer numerical scale, few if any companies know which digital certificates make up their PKI or network. This is why the world's first digital cyberattack (cyber warfare) weaponised digital certificates to create Stuxnet by planting malicious code into them. These weaponised (Microsoft) digital certificates were readily accepted by the Iranian nuclear facility in Natanz and used. After 13 days they triggered the malicious code. This resulted in centrifuge disruption and mass destruction through harmonic rupturing. Stuxnet, and more recently the SolarWinds cyberattack in December last year, the world's largest ever cyberattack, with thousands of consequential hacks including the US Government, both exploited the lack of PKI management to disguise and Trojanize their attacks.
To put this into some form of summary: the criticality of authentication and encryption has been eroded at every turn, not just by, let's call it, human error, but by lack of knowledge or, of course, complicit behaviour. This includes many CAs themselves, who are continually getting it so, so wrong.
This discussion will try to bring awareness, as well as a far better understanding, of PKI and the criticality of website, server and internet security, as without these areas being secure, every single £ spent will be undermined...
Chief Executive Officer, Cybersec Innovation Partner
Manager, FS Club, Z/Yen Group