Question 619 - CISA discussion

The greatest concern to an IS auditor reviewing an organization's method to transport sensitive data between offices is that the method relies exclusively on the use of public key infrastructure (PKI).PKI is a set of tools and procedures that are used to create, manage, and revoke digital certificates and public keys for encryption and authentication1. PKI can provide secure and trustworthy communication over the internet, but it also has some limitations and risks that need to be considered.

One of the main limitations of PKI is that it depends on the trustworthiness and security of the certificate authority (CA), which is the entity that issues and verifies the digital certificates2. If the CA is compromised or malicious, it can issue fake or fraudulent certificates that can be used to impersonate legitimate parties or intercept sensitive data.For example, in 2011, a hacker breached the CA DigiNotar and issued hundreds of rogue certificates for domains such as Google, Yahoo, and Microsoft3.This allowed the hacker to conduct man-in-the-middle attacks and spy on the online activities of users in Iran3.

Another limitation of PKI is that it requires a complex and costly infrastructure to maintain and operate.PKI involves multiple components, such as servers, software, hardware, policies, and procedures, that need to be configured, updated, and monitored regularly1.PKI also requires a high level of technical expertise and coordination among different parties, such as users, administrators, CAs, and registration authorities (RAs)1. PKI can be vulnerable to human errors or negligence that can compromise its security or functionality. For example, in 2018, a software bug in Apple's macOS High Sierra caused the system to accept any certificate as valid without checking its validity period. This could have allowed attackers to use expired or revoked certificates to bypass security checks.

Therefore, an IS auditor should be concerned if an organization relies exclusively on PKI for transporting sensitive data between offices. PKI can provide a high level of security and trust, but it also has some inherent risks and challenges that need to be addressed. An IS auditor should evaluate whether the organization has implemented adequate controls and measures to ensure the reliability and integrity of its PKI system. An IS auditor should also consider whether the organization has alternative or complementary methods for securing its data transmission, such as using symmetric encryption algorithms or digital signatures.Symmetric encryption algorithms use the same key for both encryption and decryption, which can offer faster performance and lower overhead than asymmetric encryption algorithms used by PKI4.Digital signatures use cryptographic techniques to verify the identity and authenticity of the sender and the integrity of the data5.