Skip to main content
banner image
venafi logo

Are Your Private Keys and Digital Certificates a Risk to You?

Are Your Private Keys and Digital Certificates a Risk to You?

generic_blog_banner_image
May 13, 2013 | Gavin Hill

Last month I wrote about the use of digital certificates and encryption keys used nefariously against organizations. In the time it takes you read this blog, 1388 new malicious programs would have been submitted to AV-Test for analysis. With a percentage of these malicious programs stealing private keys and digital certificates, it’s imperative that you understand where and how these assets are being used within your organizations. In one month of malware analysis Symantec found over 800 samples that had been designed to steal keys and certificates. The growth rate of malware using digital keys and certificates is staggering. Compared to the growth rate of apps submitted to Apple every day, digital certificates used in malware is 5 times that – in the last year by 600%.

The question that needs to be answered, why would an attacker steal private keys and digital certificates? Simply put, to gain access to your data more easily. Signed malware with a stolen digital certificate, in many cases, will be executed without any error from operating systems. In the month that Symantec specifically tracked malware that steals encryption keys and digital certificates, the US alone accounted for more than half of all infections worldwide.

Attackers haven’t ignored Secure Shell (SSH) keys either. Stolen SSH keys are used to break into systems and expand within the network. As an organizations you should prioritize in understanding where SSH keys are being used, who has access to them or for what purpose in order to reduce your attack surface. Take for example the FreeBSD servers that were hacked late last year as a result of a stolen SSH key – which was being used by a developer. Had the SSH private key been assigned a password, the attack would probably not have been successful, or at least made more difficult.

Most organizations have been hacked at one time or another; according to FireEye, 95% are already breached. In fact, one in five global 2000 organizations expect to be compromised in the next two years due to weak or legacy cryptography. Organizations do not look at, or understand how many keys and certs—51% according to Ponemon—are in use that have access to their data. Compared to traditional network perimeter security, you would not expose external facing ports to internal only traffic with no monitoring. Why then allow keys and certificates to be used within the organization without appropriate control. Organizations need to understand where the security gaps that expose the network to exploits which take advantage of keys and certificates are?

The first thing you learn in any offensive strategy is to look for your opponents weak areas. It is no different for cyber-criminals. Organizations no longer deal with securing company data behind the proverbial four walls. With the cloud computing, employee owned device, and very soon the “internet of things", the attack surface cyber-criminals can exploit has increased exponentially. To add to the problem, organizations need to maintain control over, and respond to attacks on a global basis as employees become more mobile.

Strategies to reduce your risk

Trust but verify: The average global 2000 organization has in excess of 17,000 encryption keys that they need to deal with – most of the time manually. The first step in self-defense is to know thy self. Your organization is inept to defend itself against trust exploits if there is not a clear understanding of the encryption key and certificate inventory. One of the concepts in the Forrester Zero Trust model is that all resources should be accessed securely regardless of location. Cybercriminals can easily collect unencrypted data within the network, therefore internal data should be protected in the same manner in which external data is—encrypted. The entire encryption keys lifecycle should be securely managed with an enterprise key and certificate management solution.

Control: Nearly 60 percent of RSA 2013 survey respondents stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not security experts, were responsible for encryption keys and certificates, which can result in security breaches, unplanned outages, or audit and compliance failures. Only with well-defined policies can you mitigate against this risk. By enforcing long key lengths, strong algorithms, frequent rotation of keys, along with short validity periods for certificates, can you increase your ability to reduce the threat surface.

Automate: How long would it take you to respond to an attack related to SSH key or digital certificate theft? That is, the length of time it would take your organization to replace the keys and certificates to protect the data? Sixty percent of attendees at RSA2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates. Only through automated processes can you respond fast enough to a compromise, and rotate out encryption keys and certs that have been compromised.

The Venafi Platform provides Enterprise Key and Certificate Management enabling organizations to gain insight and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning across the widest range of certificate authorities (CA). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory to quickly identify security risks associated with trust exploits, operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and in to the cloud. As a result, organizations can successfully prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

shutter

3 Steps that Stop the Speed of DevOps from Introducing Security Risk

How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

generic_blog_banner_image

Venafi at RSA 2016: Breaking Closed Systems with Code-Signing

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat