Postbank, the banking division of South Africa’s Pat Office, recently reported that a rogue employee stole 36-digit master keys used to protect the bank’s systems. The result: 25,000 fraudulent charges valued at 56 million Rand (3.2 million US dollars) and 1 billion Rand (58 million US dollars) to replace all credit and ATM cards issued by the bank.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
This event serves as a great reminder of the catastrophic consequences even a single compromised key can cause for an organization.
Most organizations lack the tools, focus, skillsets and budget to effectively manage cryptographic keys. However, every organization needs to be looking for every key so that it can be managed and audited. Rarely do breaches and compromises happen to assets that are constantly monitored and watched; it’s those assets not being managed that most commonly lead to breach.
Proper key management has risen past the level of simply serving as a checkbox on a security questionnaire. It is, and will continue to be, a business-critical, strategic initiative. Put simply: the investment in key management is a drop in the bucket compared to the business, brand and financial cost of a breach or compromise.