Closed Bug 1830088 Opened 1 year ago Closed 29 days ago

Sectigo: Late termination of privileged access to Certificate Systems

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: martijn.katerbarg, Assigned: martijn.katerbarg)

Details

(Whiteboard: [ca-compliance] [policy-failure])

1. How your CA first became aware of the problem

During our weekly WebTrust audit update call, we were notified of a discrepancy found in the privileged access termination evidence.

As we do not want to call out specific names, we will be referencing the employee whose access has been terminated as Employee X.

2. Timeline

November 18, 2022
The contract of Employee X is set to expire at the end of his/her business day (20:00 ET).

November 21, 2022 – 19:03 UTC
HR sends out an email to our internal termination distribution list requesting that the accounts of Employee X be disabled.

November 22, 2022 – 10:04 UTC
We disable the account access to Certificate Systems for Employee X.

April 20, 2023 – 14:00 UTC
Our weekly audit update call starts. We are notified of the discrepancy found in account termination.

April 20, 2023 – 15:41 UTC
We complete our internal investigation into this matter and confirm the finding. We determine that the notification of termination has been sent on a next-business-day schedule, falling outside of the requirement set in the NSRs due to a weekend.

April 21, 2023 – 15:00 UTC
We discuss the finding with our HR department. Effective immediately we update the procedures for account termination to include an early notice to stakeholders required to disable account access to Certificate Systems, notifying them of an upcoming but not yet to be executed account termination.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem.

N/A

4. Summary of the problematic certificates

N/A

5. Affected certificates

N/A

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now

The contract of Employee X was set to expire on a set date. Employee X received a new to-be-signed contract in order to continue employment with the company. However, it was requested to start the new contract 2 weeks after the existing contract expired. As such, the current access should have been terminated in a timely manner.

As employees of the local office’s HR department ended their shift prior to Employee X, they sent out the termination email the next business day, which due to the weekend, was not within the 24 hours allowed by the NSRs.

Our ongoing internal audits verify if all accounts are indeed terminated. However, the current scope is based on a 1 business day cadence that does not include checking if they were terminated within 24 hours in every case.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future

We have recently automated parts of our internal audit checks and have now planned to include checking if all accounts are also terminated within the allowed 24 hours.

We have also updated the procedures for terminations that are in place to send out early notices prior to the actual termination to be performed, so that stakeholders can plan the account terminations. We are also raising awareness within the company, especially with the stakeholders of account terminations as to why this must be completed within 24 hours.

Assignee: nobody → martijn.katerbarg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance]
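The 24-hour check described in sections 6 and 7 above, written out as an added example that is not part of the original report or of Sectigo's own tooling. It takes constructed offboarding records (the Employee X timestamps from the timeline, plus one made-up compliant record), converts the local end-of-day to UTC, and separates the HR notification lag from the disabling team's action lag, so the audit output shows which step exceeded the window rather than only that the total did. Record fields, function names and the second record are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# The 24-hour window the report cites from the NSRs.
LIMIT = timedelta(hours=24)

ET = ZoneInfo("America/New_York")


@dataclass
class Offboarding:
    """One offboarding record (hypothetical schema, not Sectigo's)."""
    employee: str
    access_end: datetime    # when privileged access should have ended
    notified_at: datetime   # when HR notified the team that disables accounts
    disabled_at: datetime   # when access to Certificate Systems was disabled


def _require_aware(dt: datetime, field: str) -> None:
    """Reject naive timestamps: a local end-of-day compared with a UTC
    disablement time is exactly the mistake that hides a late termination."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{field} must be timezone-aware")


def delays(rec: Offboarding) -> dict:
    """Split the total termination delay into the notice lag (HR -> team)
    and the action lag (team -> account disabled)."""
    for name in ("access_end", "notified_at", "disabled_at"):
        _require_aware(getattr(rec, name), name)
    return {
        "notice": rec.notified_at - rec.access_end,
        "action": rec.disabled_at - rec.notified_at,
        "total": rec.disabled_at - rec.access_end,
    }


def hours(td: timedelta) -> float:
    return round(td.total_seconds() / 3600, 2)


def audit(records, limit: timedelta = LIMIT):
    """Return (employee, total hours, late step) for every record whose
    access stayed enabled longer than `limit` after it should have ended.
    The late step is 'notice' when the notification alone already exceeded
    the limit, otherwise 'action'."""
    findings = []
    for rec in records:
        d = delays(rec)
        if d["total"] > limit:
            cause = "notice" if d["notice"] > limit else "action"
            findings.append((rec.employee, hours(d["total"]), cause))
    return findings


# Constructed sample input. Employee X uses the timestamps from the timeline
# above (end of business day 20:00 ET on Friday 18 Nov 2022); Employee Y is a
# made-up record that was handled within the window.
SAMPLE = [
    Offboarding(
        "Employee X",
        datetime(2022, 11, 18, 20, 0, tzinfo=ET),
        datetime(2022, 11, 21, 19, 3, tzinfo=timezone.utc),
        datetime(2022, 11, 22, 10, 4, tzinfo=timezone.utc),
    ),
    Offboarding(
        "Employee Y",
        datetime(2022, 11, 16, 17, 0, tzinfo=ET),
        datetime(2022, 11, 16, 17, 30, tzinfo=ET),
        datetime(2022, 11, 17, 9, 0, tzinfo=ET),
    ),
]

if __name__ == "__main__":
    for employee, total, cause in audit(SAMPLE):
        print(f"{employee}: access enabled {total} h past end date; late step: {cause}")
```

Running the block flags only Employee X: the account stayed enabled about 81 hours past the contract end, and the finding is attributed to the notice step, since the disabling team acted about 15 hours after receiving the email. A check that only confirms "disabled on the next business day after notification" would have passed this record, which is the gap section 6 describes.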

We have no additional comments at this time. We are monitoring this bug for any questions or comments.

On top of our remediation effort, we have also included verifying timestamps of terminations in our internal audits.

We are tracking this bug for any comments and / or questions.

Our complete internal investigation into this matter revealed a few more cases where termination emails were sent out later than they should have. Again, we will not state specific names in this public report, respecting the privacy of the individuals.

All these cases occurred prior to our remediation steps listed in comment 0. This also concludes our investigation into this incident.

We have completed remediation and investigation of this incident.

Ben, as there appear to be no further questions or comments, we’d like to request closing this bug.

Flags: needinfo?(bwilson)

We will keep monitoring this bug for any further questions and/or comments.

I'll close this bug tomorrow, 2-June-2023, unless there are further questions or comments.

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED

Despite our updated terminations procedures and the increased awareness within our company of the importance of adhering to them, we had a recurrence of this incident earlier this month.

We have been keeping a close watch on the process and account closures since the moment this incident was originally opened and have continued to do so after the incident was closed.

This continued monitoring enabled us to spot the recurrence of this incident swiftly.

We are reopening this bug to keep track of our continued efforts for complete mitigation. We will provide more details within the next 7 days.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]

Since our last update we have had several discussions with stakeholders within the company regarding this bug.

We’re looking into restructuring our offboarding process as well as identifying any potential weak spots or single points of failure that we may have regarding timely account disablements.

As we are further digging into this, we’d like to request a next-update of October 6th.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [policy-failure] → [ca-compliance] [policy-failure] Next update 2023-10-06

We’ve so far identified where our immediate weak spots are and are addressing these in the short term.

Long term, we are planning to overhaul our entire onboarding and offboarding process and invest in a system to aid in this.

Ben, we’d like to keep this bug open until we’ve solidified our plans for completely overhauling our on- and offboarding procedures, which we estimate will not be completed for at least the next 3 months. Could we set a longer next-update of January 31st, 2024?

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [policy-failure] Next update 2023-10-06 → [ca-compliance] [policy-failure] Next update 2024-01-31

Phase 1 of our overhaul has been completed early January.

Phase 2, which is setting up a new platform for internal service tickets, is currently underway. Once completed, we’re able to add more automation into the internal offboarding process. Our planned Phase 3 is to set up automation, including monitoring and internal SLAs.

Ben, we’d like to request a new Next Update for 2024-03-31 to keep track of this.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-compliance] [policy-failure] Next update 2024-01-31 → [ca-compliance] [policy-failure] Next update 2024-03-31

Phase 2 of our overhaul has been completed. As next steps, we plan on adding further automation; however, we believe we’re in a state where this no longer affects our bug.

Ben, as there have not been any further questions or comments, we would like to request closing this bug.

Flags: needinfo?(bwilson)

I'll close this on Wed. 27-Mar-2024, unless there are any further questions.

Whiteboard: [ca-compliance] [policy-failure] Next update 2024-03-31 → [ca-compliance] [policy-failure]
Status: REOPENED → RESOLVED
Closed: 11 months ago → 29 days ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED