Are your services and applications properly configured and secure for your business and customers? When more and more companies and services are starting to automate the renewal process of the security certificates, using providers like, Let’s Encrypt it is more important than ever to ensure your X.509 security certificates are properly configured and installed.
The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of their internal security tools.
March 2017. Equifax data breach
“The attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people. But how were they able to remove all that data without being noticed?
Like many cyberthieves, Equifax’s attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn’t being inspected.
The expired certificate wasn’t discovered and renewed until July 29, 2019, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.” http://bit.ly/equifax-securitybreach
A simple example, how such large organization, like Equifax failed to notice and maintain application basic security configuration – X.509 certificate expiration, something no one was really paying attention to, which allowed the attackers to penetrate even deeper in the infrastructure, without being noticed for months.
How Kronometrix helps
To help you run your business securely in the cloud or private network, Kronometrix continuously monitors the validity of X.509 security certificates of all your applications or services. When one of your security certificate approaches the expiration date, an alarm will be issued to notify your operation personnel.
Kronometrix checks several metrics for each X.509 security certificate to ensure the certificate is valid, that it is properly installed and that it is operational. Expired, missing or unavailable data from a X.509 security certificate will automatically raise an alarm. All information is displayed visually using a Kronometrix application, called CertCheck, which offers access to all your certificates, including the following information:
- total number of X.509 certificates
- certificates already expired
- certificates which will expire in the next 30 days
- valid number of certificates
In this way, Kronometrix will automatically keep track of your X.509 security certificates, across all your services and applications without supplementary manual labour work, additional software licenses or 3rd parties applications.
How it works
From data recording to visualization and reporting, Kronometrix provides a complete unified solution to ensure all your enterprise security certificates are never out of date. A data recorder, called certrec, which is part of Kronometrix Data Recording will collect from all your services and applications the X.509 certificate data. A transport utility will convert raw data, into Kronometrix data messages and will deliver the results to a backend system for analysis and alarms.
This is a standard feature of Kronometrix, available as a service or for on-premises installations. If you have any questions or need more information about this, please visit Kronometrix Distributed Data Fabric, or contact us.