As 2024 cybersecurity predictions come fast and furious this time of the year, I thought it would be interesting to look back on 2023, as there are some important lessons to be learned and some mistakes to avoid repeating.
Objectively, 2023 was not a good year for security. There were more attacks and breaches than ever, which resulted in an unprecedented amount of data and records being exposed. Trust in organizations was lost and reputations were tarnished. And on top of that, the last twelve months also saw a significant rise in malware attacks.
Why 2023 was "the year of the lost keys"
If I focus more closely on the areas around certificates and PKI, I might call 2023 “the year of the lost keys.”
One of the primary reasons malware is still installed is because it generally depends on legitimately created code signing keys that are stolen and used to sign the malware. We saw this in cases where Github, Microsoft, and Intel were the targets of abuse to sign either fake drivers or malware.
But, that is not the worst of it. In my opinion, the most serious case of a “lost key” was the compromise of a so-called “MSA Key” from Microsoft, which resulted in foreign actors gaining access to 25 organizations’ email accounts, including the US Department of State and Commerce. It’s remarkable that these keys were not stored on an HSM!
While the CA/Browser Forum introduced new measures this year to protect code signing keys by requiring them to be created and stored in hardware, there are still a number of keys that are lying around on servers and desktops that could but used to propagate malware in the next few years.
New year, new commitment to security
Let’s not make 2024 the sequel to “the year of the lost keys.” As the saying goes, prevention is often the best medicine, meaning organizations should take a close look at the keys they have, where they are stored, and how they are secured.
Common sense tells us that keeping your house keys under the front doormat (or one of those fake rocks) is not a good approach to securing your home and personal property. Similarly, if your enterprise keys are lying around, you’re just leaving the door open to trouble.
If you’d like to learn how Keyfactor can help you start the new year on securing footing, let’s connect. In the meantime, I hope you have a happy, healthy, (and secure) holiday season.
