Businesses Are Losing Customers from the Misuse of Keys and Certificates

November 23, 2018 | David Bisson

Over the years, we have seen many instances of unprotected and poorly managed keys and certificates resulting in consequences, such as in a loss of customers, costly outages, failed audits and security breaches.

Several years ago, the Ponemon Institute and Venafi quantified the cost of poor certificate management in a joint study of how businesses are directly affected when unsecured cryptographic keys and digital certificates result in compromised machine identities. Their 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers reveals how unprotected and poorly managed keys and certificates can lead to a loss of customers, costly outages, failed audits and security breaches.

Months before those findings came out, the Ponemon Institute and Venafi published research on how global business faces risks from attacks using cryptographic keys and digital certificates in their 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. That survey, which served as the basis for the second report, incorporated the responses of 2,394 IT security professionals from around the globe: 646 U.S., 499 U.K., 574 German, 339 French and 336 Australian respondents. These participants together agreed that the system of trust was at a breaking point.

Unpublished data from the survey is now included in this new report. This information shows the adverse effect that unsecured keys and certificates have on businesses around the globe.

  • When trust online breaks, businesses lose customers: Nearly two-thirds (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
  • Critical business systems are failing: Organizations reported an average of over two certificate-related unplanned outages between 2013 and 2015, with an average cost of $15 million per outage.
  • Businesses are failing audits: Generally, organizations failed at least one SSL/TLS audit and at least one SSH audit between 2013 and 2015.

These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected. They then use them to circumvent security controls—to hide in encrypted traffic, steal data or even deploy malware.

That’s exactly what happened in the summer of 2018. Researchers at ESET identified a malware campaign passing along several suspicious files. Further analysis revealed that digital attackers had signed the files with a stolen D-Link Corporation code-signing certificate to evade detection and distribute Plead malware. ESET notified D-Link Corporation about the campaign; in response, the networking equipment manufacturing company revoked the certificate on July 3.

Certificate-related outages that take critical services down can also spell trouble for a business. Here are some recent certificate-related outages that made the news:

  • HelloSign’s browsers and API integrations went offline on June 6, 2017 for nearly a half hour as a result of an expired SSL certificate, thereby preventing customers from accessing their information.
  • A few months later, one of LinkedIn’s SSL certificates expired, which kept millions of users from accessing the platform. The outage also prevented those who were already logged in from navigating the website with a secure connection.
  • A certificate linked to Oculus Rift devices expired in early March 2018, causing users to see a “Can't Reach Oculus Runtime Service" error when they attempted to boot up.
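As an added example (not code from Venafi's post), here is a small Go audit of the kind that would catch the expiry outages above: it walks a service-to-certificate inventory and flags anything already expired or due within a warning window. The inventory and the self-signed certificates are constructed inline for the demo and are not real certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Inventory maps a service name to the certificate it currently serves.
type Inventory map[string]*x509.Certificate
// Finding flags a cert: Status "expired" or "expiring"; Days until NotAfter (negative once expired).
type Finding struct {
	Status string
	Days   int
}

// Audit reports every inventory certificate that has already expired or
// will expire within warnDays, keyed by service name.
func Audit(inv Inventory, now time.Time, warnDays int) map[string]Finding {
	out := map[string]Finding{}
	for svc, c := range inv {
		d := int(c.NotAfter.Sub(now).Hours() / 24) // whole days left
		switch {
		case now.After(c.NotAfter):
			out[svc] = Finding{"expired", d}
		case d <= warnDays:
			out[svc] = Finding{"expiring", d}
		}
	}
	return out
}

// SelfSigned builds a constructed self-signed test certificate (not real); errors ignored for brevity.
func SelfSigned(cn string, notBefore time.Time, validDays int) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	now := time.Now()
	fmt.Println(Audit(Inventory{"api": SelfSigned("api", now.AddDate(0, 0, -355), 365)}, now, 30))
}
```

In production the inventory would be populated from the real endpoints (for example by connecting and reading the presented leaf certificate) and the findings routed to whoever owns renewal.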

Looking back, the Ponemon report forecasted that these and other impacts from unprotected and poorly managed keys and certificates would continue with a security risk per organization of $53 million over the next two years and a combined availability and compliance risk of $7.2 million. This estimate demonstrates that security risk greatly outweighs availability and compliance risk.

Read the report to get an action plan to reduce these risks.

How are you reducing the risk of key and certificate misuse in your organization?

This blog was originally posted by Kevin Bocek on September 29, 2015.


About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
