{"id":8157,"date":"2019-08-27T08:34:21","date_gmt":"2019-08-27T12:34:21","guid":{"rendered":"https:\/\/www.cscdigitalbrand.services\/blog\/?p=8157"},"modified":"2026-01-19T09:46:33","modified_gmt":"2026-01-19T14:46:33","slug":"mitigate-security-threats","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/mitigate-security-threats\/","title":{"rendered":"Mitigate Security Threats Through Digital Certificate Policy Enforcement"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Managing digital certificates can be challenging. On average, companies spend 225 hours manually managing 50 certificates a year[1]<\/sup>. About 74% of enterprises have seen system outages due to unplanned certificate expiration[2]<\/sup>, and over 50% have a lost or rogue digital certificate[3]<\/sup>.<\/p>\n\n\n\n

It\u2019s not uncommon for a company to find they don\u2019t have a full accounting\nof all the digital certificates used within their business; for large\norganizations, an audit usually reveals the use of multiple providers. Digital\ncertificates are easily purchased online with a credit card and have a maximum\nvalidity of two years, which means keeping up with renewal notices from various\nproviders, and preventing expirations that could cause catastrophic service\noutages and data breaches becomes an uphill task.<\/p>\n\n\n\n

\n

In December 2018, millions of people in the UK woke up to ‘No Service’ alerts when a mobile provider experienced an overnight network outage. This affected a number of networks, and was traced back to an expired certificate. \u2013 BBC News[4]<\/sup><\/em><\/p>\n<\/blockquote>\n\n\n\n

\n

In 2017, a critical digital certificate that had been expired for over two months resulted in the failure of an organization\u2019s monitoring device to detect a data breach where \u00a0customer information was stolen, affecting nearly 150M people. Over half a million in fines was imposed on the breached company, and millions more have been set aside for breach payouts. \u2013 Forbes[5]<\/sup> and The Wall Street Journal[6]<\/sup><\/em><\/p>\n<\/blockquote>\n\n\n\n

Companies need a better strategy in managing their digital certificate\nportfolio. An easy, low cost, low effort mechanism is to employ the use of Certificate\nAuthority Authorization (CAA) Records. However, our sample analysis of 2,000 global\ncompanies\u2019 domains reveal only 3% are actively using CAA records.<\/em><\/strong><\/p>\n\n\n\n

At a 3% adoption rate, companies may not be capitalizing on this\ntechnical control due to:<\/p>\n\n\n\n

    \n
  1. Lack of awareness<\/li>\n\n\n\n
  2. Complexity in implementation between the
    different domain name system (DNS) and digital certificate providers they use<\/li>\n<\/ol>\n\n\n\n

    So, what\u2019s a CAA record?<\/strong><\/p>\n\n\n\n

    A CAA record is a resource record held on a zone file that allows the\ndomain owner to indicate which Certificate Authorities (CAs) are authorized to\nissue a certificate for a given domain name. <\/p>\n\n\n\n

    \n CAA record added<\/strong>\n <\/td>\n Digital certificate requested<\/strong>\n <\/td>\n Implications<\/strong>\n <\/td><\/tr>
    \n Yes\n <\/td>Request matches record. <\/td>Certificate issued according to record. <\/td><\/tr>
    \n Yes\n <\/td>Request does not match record. <\/td>Certificate not issued, preventing unauthorized certificates from being issued. <\/td><\/tr>
    \n No\n <\/td>No record exists for matching. <\/td>Certificate issued according to requests, including unauthorized ones. <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Better digital certificate\nmanagement<\/strong><\/p>\n\n\n\n

    By adding CAA records, you are able to control the CAs that your\ncompany uses. This exercise supports the consolidation of your providers and\nreduces the overall cost of management that comes with multiple disparate\nproviders, also greatly reducing the risk of an expiration.<\/p>\n\n\n\n

    Enforce your company\u2019s policy<\/strong><\/p>\n\n\n\n

    A CAA record ensures that only your chosen provider can issue a\ncertificate for your domain names. This is an essential technical control\nallowing for policy enforcement, as employees will not be able to purchase\nadditional certificates from non-authorized CAs. Importantly, you can create a\nCAA record which will report any attempted policy violations to a chosen email\naddress.<\/p>\n\n\n\n

    Ensure the use of high\nvalidation digital certificates<\/strong><\/p>\n\n\n\n

    In the future*, apart from defining your preferred CA, you\u2019ll be able\nto stipulate the level of validation acceptable when adding a digital\ncertificate. The higher the level of validation, the more confidence it gives\nsite visitors that they are accessing a legitimate site. With domain validation\n(DV) certificates increasingly used by cyber criminals to falsely portray\nlegitimacy, CSC recommends using CAA records to stipulate the use of\norganization validation (OV) and extended validation (EV) certificates where\nnecessary. *date to be confirmed<\/em><\/p>\n\n\n\n

    Mitigate cyber threat<\/strong><\/p>\n\n\n\n

    The existence of a CAA record will add a layer of security that\nprevents cyber criminals from adding encryption or HTTPS with free, low\nvalidation digital certificates that do not match your records on a site to\nfool targets in a domain shadowing attack.<\/p>\n\n\n\n

    CAA records improve the management of digital certificates at the\npolicy and operation levels, as well as thwart the advances of cyber criminals;\nthey play an important role in developing a multi-layered defense-in-depth\napproach that every company\u2019s domain security should consider.<\/p>\n\n\n\n

    Partner with an enterprise-class provider who understands your business\npriorities, is able to consolidate your digital assets, and has the tools to:<\/p>\n\n\n\n