Skip to content

Rethinking Trust: Advanced Security Measures for High‐Stakes Systems

Violet Hansen edited this page Nov 4, 2024 · 1 revision

Rethinking Trust: Advanced Security Measures for High-Stakes Systems

Rethinking Trust: Advanced Security Measures for High-Stakes Systems


Digital Signatures

A file or program bearing a valid digital signature should never be considered inherently secure. While it would be ideal if verifying a signature could conclusively indicate safety, the reality is far more nuanced and complex. A digital signature is an excellent preventive measure, but when it comes to exploiting or infiltrating high-value targets, numerous techniques exist to circumvent this layer of defense. Also, the security of a digital signature is only as strong as the integrity and vigilance of the individual responsible for safeguarding it.

In recent years, many certificate authorities have implemented stricter policies requiring individuals requesting a code-signing certificate to store it within a Hardware Security Module (HSM). This specialized device provides an added layer of physical security for cryptographic keys. However, like any piece of hardware, an HSM can still be stolen, making the physical security of the device—where it is stored, whether it's kept in a high-grade safe, and the security of the person's residence—critical factors in preventing unauthorized access.

Equally important is the security of the code-signing process itself. Does the certificate holder use a dedicated, isolated environment exclusively for signing? Is it meticulously maintained to be free from malware and potential compromises? Or do they insert the HSM into a system that also serves daily, multipurpose functions? In the latter scenario, where the same device is used for browsing the internet or downloading software, the risk of infection rises dramatically. A malware infection on this system could allow malicious software to access private keys from the HSM during the signing process, effectively bypassing the HSM's intended protection. From the outside, as users, we have no practical way to verify or scrutinize these practices. We are fundamentally in the dark about whether an organization or individual has taken rigorous precautions or if they are following minimal security protocols. This lack of transparency introduces an additional layer of risk; users are left trusting in a process they cannot observe or evaluate.

Another vital aspect to consider is the trustworthiness of the individual applying for the certificate. If the applicant is a malicious actor, the signature itself becomes a tool for potential harm. Unfortunately, most certificate authorities issuing code-signing or Extended Validation (EV) certificates do not conduct extensive vetting of applicants. Factors such as an applicant's criminal history, associations, travel history, or broader trustworthiness are seldom, if ever, scrutinized. This lack of rigorous background checks leaves the door open for bad actors to obtain certificates under the guise of legitimacy, turning a critical security feature into a potential vulnerability.

Application Control for Business

This article was created by me to address these vulnerabilities directly. Windows Defender Application Control (WDAC) or Application Control for Business exists precisely for this reason—it transforms the security paradigm for both attackers and defenders by embracing a real zero-trust approach. Zero trust removes assumptions from the equation, requiring that every executable be explicitly validated before being allowed to run.

In environments with highly sensitive devices or workspaces, relying solely on certificate authorities to secure your systems can be dangerously misguided. Trusting that a certificate authority has conducted rigorous due diligence when issuing code-signing certificates is a risky assumption. App Control provides a critical alternative: it enables you to define your own standards of trust, rather than leaving the responsibility in the hands of external entities who may have different criteria for assessing reliability.

Application Control is empowering. It places the control squarely in your hands, allowing you to determine precisely which files, applications, or processes are authorized to execute on your device. By leveraging this approach, you gain comprehensive oversight and a new level of security confidence, knowing that only files meeting your strict criteria are permitted to run. In an era where threats are increasingly sophisticated, this individualized control over your digital environment is not only prudent but essential.

Administrator Privilege

Exercise extreme caution with programs granted administrator privileges on your system. The User Account Control (UAC) prompt that appears, requesting permission, is more than a minor screen—it serves as a critical security checkpoint. If you inadvertently grant a malicious program administrator access, reversing the damage can be extraordinarily challenging.

When administrator privileges are granted, the program gains more than a one-time permission; it can establish persistent access by embedding itself deeply into the system. Malicious programs can create "hooks", allowing them to access your device and resources on demand. They might configure scheduled tasks to ensure persistence, execute commands with SYSTEM-level privileges, modify registry keys to enable startup scripts, or establish Windows services to maintain their foothold.

Take, for example, the legitimate use case of the Steam game client. Upon installation and initial launch, Steam requests administrator privileges to set up a necessary service that has very high privileges. Although it doesn't ask for elevated permissions again with subsequent launches, this is because it has created that service during the initial setup that allows it to run with elevated privileges even after restarts or shutdowns. While Steam's case is benign, malware can exploit the same mechanisms and others for far more harmful purposes, achieving ongoing control over your device.

Summary

In conclusion, Digital signatures are a strong security standard for most use cases, but in high-risk, high-value environments, they are merely not enough. In those situations where the stakes are highest, Application Control is the most effective way to ensure that only trusted, authorized executables are allowed to run. By defining your own standards of trust, you can protect your systems from the most sophisticated threats. Also, exercise caution when granting administrator privileges to programs, as this can lead to persistent access and it's not a one-time permission.









C#


Clone this wiki locally