A software company has two concurrent security crises: (1) Users have been tricked into installing malware disguised as the company's legitimate application β attackers created convincing fake download sites. (2) A database breach exposed 2 million user passwords stored as unsalted MD5 hashes β 800,000 have already been cracked by the attacker. Design remediation for both problems.
Immediate: Implement code signing. Generate a key pair for the company, obtain a code-signing certificate from a trusted CA (DigiCert, Sectigo). Sign all release binaries with the private key. Users' OS now displays "Verified Publisher: Company Name" β unsigned or differently-signed executables trigger a warning.
Ongoing: (1) Submit software to Certificate Transparency monitoring β get alerted if anyone obtains a certificate for your domain. (2) Publish SHA-256 hashes of all releases on a separate, secured page. (3) Instruct users to download only from official URLs and verify the publisher signature before executing. (4) Submit fake sites to Google Safe Browsing / phishing takedown services.
Problem 2 β Unsalted MD5 password breach:
Immediate: Force password reset for all 2 million accounts β assume every password is compromised, not just the 800K cracked so far. Notify users per breach notification regulations (GDPR 72-hour window, state laws). Revoke all active sessions.
Remediation: Re-hash all passwords using bcrypt (work factor 12+) or Argon2id with unique per-user salts. On next login, hash the entered password with the new algorithm and replace the old MD5 hash. After a transition period, expire any accounts that haven't logged in (old hashes removed).
Long-term architecture: Never store passwords reversibly. Use bcrypt/Argon2 exclusively. Enable MFA to reduce impact of future credential compromise. Monitor for credential stuffing attacks (same breached passwords tried on other sites).
A company has 300 internal servers all using self-signed certificates. Employees constantly click through "Your connection is not private" warnings, and the security team suspects employees now ignore all certificate warnings reflexively β a dangerous habit. The CISO wants to deploy a proper internal PKI and implement revocation. Design the architecture and rollout strategy.
Root CA: Deploy an offline Root CA (Windows Server AD CS or open-source). Generate the Root CA key pair on an air-gapped machine. Store the Root CA private key on an HSM and in secure offline backup. The Root CA will be used only to sign Intermediate CA certificates β it is powered off between ceremony events.
Intermediate CA(s): Deploy one or more online Intermediate CAs for day-to-day certificate issuance. If one Intermediate CA is compromised, revoke it and issue a replacement from the Root CA β the Root CA trust anchor is unaffected. Sign the Intermediate CA certificate with the Root CA during a key ceremony.
Trust distribution: Push the Root CA certificate to all employee devices via Group Policy (Windows) or MDM (macOS/iOS/Android). Once installed, all certificates issued by the Internal PKI will show as trusted β eliminating certificate warnings for legitimate internal servers.
Revocation: Configure OCSP responder on the Intermediate CA for real-time revocation checking. Enable OCSP Stapling on all internal servers β servers pre-fetch their revocation status and include it in TLS handshakes. This eliminates per-client OCSP latency and works even during brief OCSP responder outages.
Rollout strategy: (1) Stand up PKI in test environment. (2) Issue test certificates, verify trust chain on pilot machines. (3) Push Root CA cert via GPO to all machines. (4) Begin replacing self-signed certs server by server, starting with the most-visited internal services. (5) After 90 days, configure browsers to reject self-signed certs on internal networks β employees can no longer bypass warnings. (6) Audit quarterly.
Warning fatigue: Communicate to employees that "you should now NEVER see a certificate warning on internal sites β if you do, report it immediately as a potential MITM attack." This converts the warning from ignored noise back into a meaningful security signal.