Cybercriminals have discovered a new attack vector: Exploiting the trust that keys and certificates establish. By using keys and certificates, hackers are able to go about their business on your network, authenticated, and with legitimate access.
For all the security technology investments the NSA makes, the agency did not detect or prevent Edward Snowden’s attack. Like many of the attackers responsible for cyber-threats, Snowden took advantage of the trust established by cryptographic keys and digital certificates, and used them to disguise his unauthorized activity, to elevate his privileges and to exfiltrate classified information.
Fears about the punishing ramifications of security breaches and concern about new policies and regulations have driven organizations to broadly deploy encryption. But deploying encryption alone isn’t enough. Organizations must have a clear picture of proper encryption management. A critical starting point in any management strategy is to create a comprehensive inventory of all certificates and their locations, followed by a detailed analysis of the inventory and its compliance status.
Many companies exert themselves to protect their brand but overlook how much the company’s reputation relies on data security. Yet inadequately managed encryption keys and certificates pose critical risks to a company’s reputation.
Unexpected system downtime translates to dissatisfied employees and customers, decreased productivity and a damaged reputation—and fully $1M in losses per-hour for large enterprises.
Despite the operational and financial risks of inaction, companies often neglect encryption disaster recovery planning, daunted by vast key and certificate deployments. Inadequate key and certificate management prolongs Certificate Authority (CA) Compromise recovery efforts.
Most IT security professionals understand the critical role that encryption plays in complying with regulations such as PCI DSS 2.0, SOX, GLBA, HIPAA, the European Directive of 1995 and more. However, some fail to realize that the security of the actual encryption assets is subject to audit as well. Compliance with these mandates require the effective management of symmetric, asymmetric (digital certificates) and SSH keys.
Organizations devote valuable resources to developing information security policies because those policies ensure that company practices align with business objectives and relevant government regulations. However, policies are only words on a page unless administrators have the tools to implement and enforce them. Only an automated and policy-based enterprise key and certificate management solution offers these tools.
In a world where data is the new currency, industry standards and regulatory mandates drive companies to deploy encryption broadly using the latest, proven algorithms. But the reality of the situation is that encryption means nothing if the keys securing that data are not managed appropriately. Only best key and certificate management practices, made possible and painless by an automated solution, truly protects a company’s most vital assets.
The recently discovered Flame malware demonstrates how MD5-based certificates can be exploited to perform man-in-the-middle and other attacks.
Flawlessly manage each process in the SSL certificate lifecycle, thus reducing the risk of breach, failed audits and unplanned system downtime.
The shift toward Bring Your Own Device (BYOD) has led to the rapid use of hundreds of thousands of mobile certificates, increasing the risk of unauthorized access to critical networks, applications, and data. Although a remote wipe of a device mitigates data loss, it does not remove potentially orphaned or compromised mobile certificates. Today, IT security has no visibility into the mobile certificates users have access to and lacks a “kill switch” to quickly respond to mobile certificate-based anomalies and attacks.