CS Mar-Apr 2020
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
expert view<br />
CEOS IN THE FIRING LINE<br />
WHY YOU CAN'T RELY ON OTHERS TO GET YOUR PUBLIC KEY<br />
INFRASTRUCTURE IN ORDER - AND WHAT HAPPENS IF YOU<br />
DON'T. ANDREW JENKINSON, GROUP CEO, CYBERSEC<br />
INNOVATION PARTNERS, OFFERS HIS INSIGHTS<br />
In the past months, no fewer than three<br />
US government agencies have put out<br />
warnings about the Microsoft Windows<br />
10 vulnerability and still no one seems to<br />
be aware how long the vulnerability was<br />
there before those alerts were issued.<br />
CVE-<strong>2020</strong>-0601 can exploit and<br />
undermine Public Key Infrastructure (PKI)<br />
trust. According to Neal Ziring, technical<br />
director of the NSA Cybersecurity<br />
Directorate, "this kind of vulnerability<br />
may shake our belief in the strength of<br />
cryptographic authentication mechanisms<br />
and make us question if we can really<br />
rely on them". The problem that creates<br />
such a weakness with Windows 10 is that<br />
attackers are able to disguise a malicious<br />
executable binary, so that it appears like<br />
a Windows system binary; worryingly, it<br />
could remain undetected by anti-virus<br />
and other perimeter defences. This allows<br />
attackers to install it, and potentially<br />
achieve command and control.<br />
Unequivocally, PKI can never be assumed<br />
to be trustworthy. Without constant<br />
and continuous monitoring, it will<br />
unquestionably cause business continuity<br />
issues, and enable infiltration and<br />
nefarious activities. Service outages,<br />
malware and data breaches are as a result<br />
of weaknesses in PKI management and<br />
controls, and used as easy access.<br />
The Windows 10 situation is serious, due<br />
to its magnitude and the ubiquitous use of<br />
the software. It has been a shocking start<br />
to the new decade for Microsoft, as one<br />
global issue is disclosed by the NSA and<br />
now hot on its heels is a second, in the<br />
form of a critical browser Zero Day issue<br />
identified by the CISA.<br />
The CISA warning is of a zero-day<br />
vulnerability that is being exploited<br />
without a fix in Microsoft's Internet<br />
Explorer and, although IE represents a<br />
small percentage of overall internet use,<br />
it can corrupt memory, so that an attacker<br />
can gain the same user rights as the owner<br />
- ie, take over command and control.<br />
And it doesn't stop there. This gives rise<br />
to huge opportunities for cyber criminals.<br />
14<br />
computing security <strong>Mar</strong>/<strong>Apr</strong> <strong>2020</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk