
2015 Retrospective Part 1: 6 Out of 8 Venafi 2015 Cybersecurity Predictions Were Accurate

December 7, 2015 | Kevin Bocek
Key Takeaways
  • 2015 predictions scorecard: Venafi got 6 out of 8 of its 2015 cybersecurity predictions right
  • Cybersecurity threats are increasing the risk of attack and compromise in today’s businesses
  • Organizations are struggling with key and certificate management and security

It’s that time of the year again: security “predictions” season. But before sharing our 2016 predictions, we first want to look back at how we did with our 2015 predictions.

What’s our score? A total of 6 out of our 8 2015 cybersecurity predictions were accurate, and of the other two, one is unknown and the other we believe will still come to pass. Take a look at the results and see how these new cybersecurity realities impact businesses today.

Also take a look at our 2015 attack summary (Part 2 of our 2015 Retrospective). We predicted there would be an overall increase in trust-based attacks in 2015 that would abuse cryptographic keys and digital certificates, and we were painfully accurate.

Here are our 2015 prediction results:

  1. 2015 Prediction: SSL will be used and abused a lot more. CORRECT

    What Happened in 2015? 
    SSL/TLS use did increase, including the U.S. government requiring HTTPS for all public-facing government web services and many companies striving for encryption everywhere for better data privacy and protection. But this increase also spurred on cybercriminals’ use of SSL/TLS keys and certificates—to hide their nefarious activities and bypass security controls. Intel Security noted a 12% increase in SSL-based network attacks. Netcraft also found that certificate issuers Comodo, Cloudflare, GoDaddy and Symantec had issued domain-validated certificates to phishers targeting banks, PayPal, and other sites.

    What This Means for Businesses Today
    Cybercriminals target unprotected keys and certificates, but with key and certificate security in place, businesses can increase the use of keys and certificates for data privacy and protection without increasing the risk of attack and compromise.
     
  2. 2015 Prediction: Certificate expirations and resulting outages will be recognized as major security issues. NOT YET

    What Happened in 2015?
    While major certificate outages did occur in 2015 with Google Gmail, Microsoft Azure, Instagram, and others, they weren't fully recognized as security concerns. Globally, an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages and the average impact was $15 million per outage. Although this lack of visibility and management is obviously a sign of bigger security issues, businesses are still viewing this as an operations issue.

    What This Means for Businesses Today
    It’s time to stop costly certificate-related outages, but it is also time to acknowledge that outages are a symptom of bigger security issues. If you’re experiencing certificate-related outages, you don’t have visibility or proper management of your certificates. Odds are you’re not seeing out-of-policy, misconfigured, or even malicious certificates in your IT environment. 
     
  3. 2015 Prediction: Our security controls will be useless against half of the network attacks. CORRECT

    What Happened in 2015?
    Previously, Gartner predicted that 50% of all inbound and outbound network attacks would use SSL/TLS by 2017. We’re already there. According to Ponemon Institute, all (100%) of the organizations it researched responded to attacks that misuse keys and certificates in the last two years. And the impact of these attacks is increasing: the risk of attack is currently estimated at $53 million over the next 2 years (up 51% from the 2013 study).

    What This Means for Businesses Today
    Most organizations don’t realize that when keys and certificates aren’t secure, cybercriminals can use them to bypass their other defenses. Bad guys understand that most security systems, like threat protection, NGFW, IDS/IPS, and DLP, either trust SSL/TLS or lack the keys to decrypt traffic. However, by protecting keys and certificates and using them to maximize SSL/TLS traffic inspection, your business will increase the effectiveness and value of your other security investments.
     
  4. 2015 Prediction: Incident response teams will leave the door open for bad guys, resulting in more attacks. UNKNOWN

    What Happened in 2015?
    We predicted that incident response (IR) and forensics analysis teams would forget to revoke and replace keys and certificates after network breaches, allowing breaches to recur. We have no explicit examples of this occurring in 2015—but this doesn’t mean it didn’t happen. Without revoking and replacing stolen keys and certificates, bad guys can continue to gain access to networks and hide their malicious activities. 

    What This Means for Businesses Today
    Lazy remediation, which Gartner describes as organizations failing to replace compromised private keys or failing to revoke old certificates, indicates that those organizations do not understand that when private keys are exposed, everything is exposed. Organizations should establish automated certificate issuance, replacement, and revocation practices as part of incident response plans BEFORE a compromise to enable fast, complete remediation when needed.
     
  5. 2015 Prediction: Hearts will continue to bleed. CORRECT

    What Happened in 2015?
    In April 2015, a year after Heartbleed’s public disclosure, Venafi reported that 85% of Global 2000 public-facing servers still remained vulnerable. Even though this figure represents a 16% improvement over the number of vulnerable servers in 2014, it indicates very poor remediation performance.

    What This Means for Businesses Today
    Most IT teams didn’t bother to do proper Heartbleed cleanup by changing the vulnerable keys, and cybercriminals are still exploiting this lack of Heartbleed remediation. Are you still exposed? Learn the steps needed to fully remediate Heartbleed and ensure your business remains secure.
     
  6. 2015 Prediction: Kinetic attacks will take advantage of misused certificates and keys. CORRECT

    What Happened in 2015?
    The Internet of Things (IoT) is exploding—according to Gartner, there are an estimated 4.9 billion IoT devices connected to the Internet today. In the IoT, keys and certificates are used for authentication, validation, and privileged access control. When these keys and certificates are exploited, they can be used in kinetic attacks—those that can actually cause physical harm to people. In just one example, weaknesses in certificate usage in several car applications enabled hackers to gain remote control of vehicles.

    What This Means for Businesses Today
    As mentioned in my DarkReading article, “It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.” Businesses need to design IoT apps that make secure use of certificates to protect their customers.
     
  7. 2015 Prediction: Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. CORRECT

    What Happened in 2015? 
    What This Means for Businesses Today
    In the last 2 years, every enterprise surveyed failed at least one SSL/TLS audit and one SSH audit. With this additional guidance in compliance and security frameworks, auditors will have a structure to better evaluate the proper management and security of SSL/TLS keys and certificates, and SSH keys. If organizations don’t start adopting these guidelines in their ongoing business practices, they will fail more audits and endanger their business.
     
  8. 2015 Prediction: The Underground Digital Certificate Marketplace is now open for bad guys. CORRECT

    What Happened in 2015? 
    Underground key and certificate marketization continues to be the trend and prices in this black market continue to rise—at this writing, prices had risen to $1000 per certificate. In addition, IBM Security’s X-Force research team has found that large numbers of code-signing certificates are also now hot commodities in the black market.

    What This Means for Businesses Today
    Businesses need to assume their keys and certificates are being targeted by cybercriminals, either for use in compromising their networks and data or for resale. Organizations must make key and certificate security a priority.
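
Predictions 4 and 5 both turn on incomplete remediation: a certificate reissued on the same key, or an old certificate left unrevoked, leaves the exposed key usable. The following added example (not Venafi's code or tooling) classifies hosts from a constructed certificate inventory; the record fields, host names and key fingerprints are assumptions, and the 7 April 2014 Heartbleed disclosure date is supplied here rather than taken from the post.

```python
from dataclasses import dataclass
from datetime import date

HEARTBLEED_DISCLOSURE = date(2014, 4, 7)  # public disclosure date (not from the post)

@dataclass(frozen=True)
class Cert:
    host: str
    key_fp: str        # fingerprint of the public key (constructed values below)
    not_before: date
    not_after: date
    revoked: bool = False

def remediation_status(certs, exposed_on, as_of):
    """Map each host to its remediation state for keys exposed on `exposed_on`."""
    by_host = {}
    for c in certs:
        by_host.setdefault(c.host, []).append(c)
    result = {}
    for host, history in by_host.items():
        old = [c for c in history if c.not_before <= exposed_on]
        exposed_keys = {c.key_fp for c in old}
        current = max(history, key=lambda c: c.not_before)
        if current.not_before <= exposed_on:
            result[host] = "not-reissued"          # still serving the exposed cert
        elif current.key_fp in exposed_keys:
            result[host] = "reissued-same-key"     # new cert, same exposed private key
        elif any(not c.revoked and c.not_after >= as_of for c in old):
            result[host] = "old-cert-not-revoked"  # exposed key plus a still-valid cert
        else:
            result[host] = "remediated"            # rekeyed; old certs revoked or expired
    return result

# Constructed inventory: every certificate ever observed per host.
INVENTORY = [
    Cert("www.example.test", "k1", date(2013, 6, 1), date(2015, 6, 1)),
    Cert("mail.example.test", "k2", date(2013, 9, 1), date(2015, 9, 1)),
    Cert("mail.example.test", "k2", date(2014, 4, 20), date(2016, 4, 20)),
    Cert("vpn.example.test", "k3", date(2013, 1, 10), date(2016, 1, 10)),
    Cert("vpn.example.test", "k4", date(2014, 5, 2), date(2016, 5, 2)),
    Cert("api.example.test", "k5", date(2013, 3, 3), date(2016, 3, 3), revoked=True),
    Cert("api.example.test", "k6", date(2014, 4, 15), date(2016, 4, 15)),
]

if __name__ == "__main__":
    report = remediation_status(INVENTORY, HEARTBLEED_DISCLOSURE, date(2015, 4, 7))
    for host, state in report.items():
        print(f"{host:20} {state}")
```

Only the last state means the exposed key can no longer be presented with a certificate that clients will accept; the same check applies to any breach date passed as `exposed_on`.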

So here you have it: 6 out of 8 isn’t bad. Although this confirms we understand the market trends around online trust, it also means that businesses are struggling with key and certificate management and security. Find out how Venafi can help.


About the author

Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.
