Research: Clueless enterprises miss certificate breaches

This is a contributed piece by Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi

Attacks on digital keys and certificates are very different to typical cyberattacks and are becoming increasingly common, leaving victims open to devastating security breaches.

With a compromised or stolen key, cyber criminals can impersonate, surveil, and monitor their targets, as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers unrestricted access to their victim’s network, where they may go undetected for some time with trusted access, siphoning off confidential data to use for criminal ends.

In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to learn what they do to prevent breaches and establish greater trust online. Disturbingly, the data revealed that most IT professionals acknowledge they don’t know how to detect or remediate compromised cryptographic keys and digital certificates.

The survey results highlighted that 38% of respondents can’t, or don’t know how to, detect compromised keys and certificates, and 56% of the other respondents said they are using a combination of Next Generation Firewalls (NGFW), anti-virus, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and sandboxes to find these types of attacks.

One area cybercriminals are exploiting is Secure Sockets Layer (SSL) encrypted traffic, which is rapidly gaining momentum in enterprises. According to market research company Gartner, 50% of all inbound and network attacks will use SSL/Transport Layer Security (TLS) by 2017. Attackers are aware that most security systems either blindly trust SSL/TLS or don’t have access to the keys needed to decrypt traffic and search out hidden risks. These security weaknesses create blind spots that subvert critical security controls.

Perturbingly, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks on keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys that have been breached.

Following a breach, more than three-quarters (78%) of those surveyed said they would still only complete partial remediation which would leave them vulnerable to further attacks. When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system. Another 16% had no idea. A manual process was being used by 14%, whilst 22% placed the responsibility elsewhere in the enterprise.

The survey findings are concerning given the increase in attacks on internet trust and the major SSL/TLS and SSH key and certificate-related vulnerabilities we’ve seen over the past six months alone. From Heartbleed, ShellShock, POODLE, the Gogo man-in-the-middle attacks, Lenovo’s Superfish vulnerability, FREAK and now the LogJam flaw, cybercriminals are all too aware of the vulnerabilities in unprotected keys and certificates and are using these weaknesses to carry out malicious acts.

Who can you trust?

Cybercriminals take advantage of these vulnerabilities as they appear because most security systems blindly trust keys and certificates. With no immune system for the internet, enterprises are unable to work out what is trusted, and what is not, on their networks.

Just like the human body’s HLA tags, the internet has been designed with its own identification system made up of cryptographic keys and digital certificates. These uniquely identify webservers, software, mobile devices, apps, admins, and even airplanes. Unlike us humans, however, there is no immune system to protect it and search out what to trust and what to destroy. Not being able to identify what is trusted, or how to recognise and remediate following an attack on keys and certificates, leaves organisations wide open to attack.

IT security professionals must understand that keys and certificates establish trusted connections for virtually everything that is IP-enabled today, from online banking and shopping to government sites. When SSL/TLS and SSH keys are protected and utilised properly, they identify webservers, software, mobile devices, applications and security administrators as ‘self’ and are trusted. Those that are misused and look like intruders are replaced or blocked. Unfortunately, keys and certificates are often blindly trusted, so cyber criminals use them to hide in encrypted traffic, produce spoof websites, deploy malware and steal data.

Secure and Protect

Digital certificates expire and counterfeit certificates can be very easily created. Enterprises not only need to manage keys and certificates, know where they are and who is responsible for them, but also protect them and the trust they establish. This requires an immune system that can provide constant surveillance, take immediate action when anomalies are detected, and fully automate remediation to replace old or bad keys and certificates with new ones. As we move increasingly to the cloud and DevOps environments, organisations need a system in place that can scale up and tear down quickly, keeping everything safe and trusted.

IT professionals must learn to secure and protect certificates and respond in a timely manner to any attack. If they don’t, online trust will be broken, with dire ramifications, especially for an economy that relies so heavily on online trust for commerce and mission-critical business activities.
