Certificates expired? Why?

VPN and Secure Shell access to BNT Networks and Servers is allowed only to systems that have a valid certificate installed. The certificates are configured to expire after a period of time (usually one year.) Why is that?

Historically, there have been relatively few cases where a technical problem resulted in a security failure. Bugs in software, for example, were rarely exploited in order to gain unlawful access to a system. Instead, criminals have instead focused on exploiting failures in human processes.

Things have changed slightly in recent times. A new generation of crackers is running automated scans through the internet against any services that they find exposed. As a result of these scans we see more technical attacks against systems and more of them are successful. However, it's important to keep in mind that these attacks are often made by crackers who have no specific interest in the service they are cracking - they rarely know, for example, about your company's intellectual property. In most cases, these attacks are designed to hijack network resources for use by the cracker. It's a problem that we are forced to deal with but it's not the most pressing issue we face.

As a result, crackers on the internet are not the most serious threat to most companies; the risks tend to be more local:

  • Disgruntled former employees
  • Disgruntled current employees
  • Employees who wish to use the company network in ways that are not permitted by company policy
  • The curious children of employees
  • Competitors looking for information they can use to gain advantages in contract negotiations (by looking at confidential bids and other information,)
  • Competitors looking for information they can use to gain advantages in research and development (by taking the results of your hard work.)

If there are serious flaws in the technology that we use to protect our network-connected services, criminals will exploit those flaws. However, it is possible these days to keep track of such issues and manage them. As a result, technology tends to be relatively difficult to crack. Criminals often find that it is much easier to exploit failures in human processes.

The most obvious of these exploitable processes is the handling of passwords and certificates.

Probably the biggest issue that we see at BNT Solutions revolves around employees who have changed jobs. BNT Solutions customers rarely call to ask for an account to be suspended when a member of their staff has moved on. Instead, we ask about the existing employees when asked to create accounts for new employees. Only then do we find out that some of the staff is no longer working with that customer. As a result there may be unused accounts on our servers - each of which is a potential threat.

The only realistic solution to the problem, the only way to protect a company from the many risks that it might face, is to expire the passwords and certificates on a monthly basis. Unfortunately, our customers and their employees would all be very unhappy if this was done.

Out of necessity, BNT Solutions respects the wishes of our customers; we do not expire passwords. However, we do limit the life of a certificate to one year. This has the effect of limiting the damage that criminals can cause if a certificate falls into their hands. Once it expires it becomes useless to the person who holds it.