2015 Retrospective Part 1: 6 Out of 8 Venafi 2015 Cybersecurity Predictions Were Accurate

• 2015 predictions scorecard: Venafi got 6 out of 8 of its 2015 cybersecurity predictions right
• Cybersecurity threats are increasing the risk of attack and compromise in today’s businesses
• Organizations are struggling with key and certificate management and security

It’s that time of the year again: security “predictions” season. But before sharing our 2016 predictions, we first want to look back at how we did with our 2015 predictions. 

What’s our score? A total of 6 out of our 8 2015 cybersecurity predictions were accurate, and of the other two, one is unknown and the other we believe will still come to pass. Take a look at the results and see how these new cybersecurity realities impact businesses today.

Also take a look at our 2015 attack summary (Part 2 of our 2015 Retrospective). We predicted there would be an overall increase in trust-based attacks in 2015 that would abuse cryptographic keys and digital certificates, and we were painfully accurate.

Here are our 2015 prediction results:

1. 2015 Prediction: SSL will be used and abused a lot more. CORRECT
   
   What Happened in 2015? 
   SSL/TLS use did increase, including the U.S. government requiring HTTPS for all public-facing government web services and many companies striving for encryption everywhere for better data privacy and protection. But this increase also spurred on cybercriminals’ use of SSL/TLS keys and certificates—to hide their nefarious activities and bypass security controls. Intel Security noted a 12% increase in SSL-based network attacks. Netcraft also found that certificate issuers Comodo, Cloudflare, GoDaddy and Symantec had issued domain-validated certificates to phishers targeting banks, PayPal, and other sites.
   
   What This Means for Businesses Today
   Cybercriminals target unprotected keys and certificates, but with key and certificate security in place, businesses can increase the use of keys and certificates for data privacy and protection without increasing the risk of attack and compromise.
    
2. 2015 Prediction: Certificate expirations and resulting outages will be recognized as major security issues. NOT YET
   
   What Happened in 2015?
   While major certificate outages did occur in 2015 with Google Gmail, Microsoft Azure, Instagram, and others, they weren't fully recognized as security concerns. Globally, an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages and the average impact was $15 million per outage. Although this lack of visibility and management is obviously a sign of bigger security issues, businesses are still viewing this as an operations issue.
   
   What This Means for Businesses Today
   It’s time to stop costly certificate-related outages, but it is also time to acknowledge that outages are a symptom of bigger security issues. If you’re experiencing certificate-related outages, you don’t have visibility or proper management of your certificates. Odds are you’re not seeing out-of-policy, misconfigured, or even malicious certificates in your IT environment. 
    
3. 2015 Prediction: Our security controls will be useless against half of the network attacks. CORRECT
   
   What Happened in 2015?
   Previously, Gartner predicted that 50% of all inbound and outbound network attacks would use SSL/TLS by 2017. We’re already there. According to Ponemon Institute, all (100%) of the organizations it researched responded to attacks that misuse keys and certificates in the last two years. And the impact of these attacks is increasing—currently estimated at a risk of attack of $53 million over the next 2 years (up 51% from the 2013 study). 
   
   What This Means for Businesses Today
   Most organizations don’t realize that when keys and certificates aren’t secure, cybercriminals can use them to bypass their other defenses. Bad guys understand that most security systems, like threat protection, NGFW, IDS/IPS, and DLP, either trust SSL/TLS or lack the keys to decrypt traffic. However, by protecting keys and certificates and using them to maximize SSL/TLS traffic inspection, your business will increase the effectiveness and value of your other security investments.
    
4. 2015 Prediction: Incident response teams will leave the door open for bad guys, resulting in more attacks. UNKNOWN
   
   What Happened in 2015?
   We predicted that incident response (IR) and forensics analysis teams would forget to revoke and replace keys and certificates after network breaches, allowing breaches to recur. We have no explicit examples of this occurring in 2015—but this doesn’t mean it didn’t happen. Without revoking and replacing stolen keys and certificates, bad guys can continue to gain access to networks and hide their malicious activities. 
   
   What This Means for Businesses Today
   Lazy remediation is when organizations fail to replace compromised private keys or fail to revoke old certificates, is an indication that the organizations do not understand that when private keys are exposed, everything is exposed. Organizations should establish automated certificate issuance, replacement, and revocation practices as part of incident response plans BEFORE a compromise to enable fast, complete remediation when needed. 
    
5. 2015 Prediction: Hearts will continue to bleed. CORRECT
   
   What Happened in 2015?
   In April 2015, a year after Heartbleed’s public disclosure, Venafi reported that 85% of Global 2000 public-facing servers still remained vulnerable. Even though this figure represents a 16% improvement over the number of vulnerable servers in 2014, it indicates very poor remediation performance.
   
   What This Means for Businesses Today
   Most IT teams didn’t bother to do proper Heartbleed clean up by changing the vulnerable keys and cybercriminals are still exploiting this lack of Heartbleed remediation. Are you still exposed? Learn the steps needed to fully remediate Heartbleed and ensure your business remains secure.
    
6. 2015 Prediction: Kinetic attacks will take advantage of misused certificates and keys. CORRECT
   
   What Happened in 2015?
   The Internet of Things (IoT) is exploding—according to Gartner, there is an estimated 4.9 billion IoT devices connected to the Internet today. In the IoT, keys and certificates are used for authentication, validation, and privileged access control. When these keys and certificates are exploited, they can be used in kinetic attacks—those that can actually cause physical harm to people. In just one example, weaknesses in certificate usage in several car applications enabled hackers to gain remote control of vehicles.    
   
   What This Means for Businesses Today
   As mentioned in my DarkReading article, “It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.” Businesses need to design IoT apps that make secure use of certificates to protect their customers.
    
7. 2015 Prediction: Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. CORRECT
   
   What Happened in 2015? 
   • SANS reports
     • New Critical Security Control Guidelines for SSL/TLS Management
     • Securing SSH with the CIS Critical Security Controls
   • National Institute of Standards and Technology (NIST) report, Security of Interactive and Automated Access Management Using Secure Shell (SSH)
   • Payment Card Industry Security Standards Council (PCI SSC) selected, Cryptographic Keys and Digital Certificate Security Guidelines, as a PCI special interest group finalist for the 2nd year running (election results for the 2016 PCI SIG topic are still pending).
   
   What This Means for Businesses Today
   In the last 2 years, every enterprise surveyed failed at least one SSL/TLS audit and one SSH audit. With this additional guidance in compliance and security frameworks, auditors will have a structure to better evaluate the proper management and security of SSL/TLS keys and certificates, and SSH keys. If organizations don’t start adopting these guidelines in their ongoing business practices, they will fail more audits and endanger their business.
    
8. 2015 Prediction: The Underground Digital Certificate Marketplace is now open for bad guys. CORRECT
   
   What Happened in 2015? 
   Underground key and certificate marketization continues to be the trend and prices in this black market continue to rise—at this writing, prices had risen to $1000 per certificate. In addition, IBM Security’s X-Force research team has found that large numbers of code-signing certificates are also now hot commodities in the black market.
   
   What This Means for Businesses Today
   Businesses need to assume their keys and certificates are being targeted by cybercriminals either to use to compromise their networks and data, or for resale. Organizations must make key and certificate security a priority. 

So here you have it: 6 out of 8 isn’t bad. Although this confirms we understand the market trends around online trust, it also means that businesses are struggling with key and certificate management and security. Find out how Venafi can help.