Over the years, we have seen many instances of unprotected and poorly managed keys and certificates leading to lost customers, costly outages, failed audits and security breaches.
Several years ago, the Ponemon Institute and Venafi put a price on poor certificate management, releasing data on how businesses are directly impacted by unsecured cryptographic keys and digital certificates, and by the compromised machine identities that result. Their joint 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers shows how unprotected and poorly managed keys and certificates lead to lost customers, costly outages, failed audits and security breaches.
Months before those findings came out, the Ponemon Institute and Venafi published research on how global business faces risks from attacks using cryptographic keys and digital certificates in their 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. That survey, which served as the basis for the second report, incorporated the responses of 2,394 IT security professionals from around the globe: 646 U.S., 499 U.K., 574 German, 339 French and 336 Australian respondents. Taken together, their responses agreed that the system of trust was at a breaking point.
Previously unpublished data from that survey is included in the second report. It shows the adverse effect that unsecured keys and certificates have on businesses around the globe.
These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected. They then use them to circumvent security controls—to hide in encrypted traffic, steal data or even deploy malware.
That’s exactly what happened in the summer of 2018. Researchers at ESET identified a malware campaign distributing several suspicious files. Further analysis revealed that the attackers had signed the files with a stolen D-Link Corporation code-signing certificate to evade detection and deliver the Plead malware. ESET notified D-Link; in response, the networking equipment manufacturer revoked the certificate on July 3. Revocation is the right response, but it only protects systems that actually check revocation status before trusting a signature, which is why knowing which certificates you own, and where they are used, matters before an incident rather than after it.
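Both failures above, a certificate that is stolen and misused and a certificate that quietly expires, begin with not knowing what is in the estate and when it runs out. The following is an added example, not code from the original post or from Venafi, showing the smallest useful form of that check: it classifies every certificate in a directory by time to expiry using the openssl command-line tool (assumed to be installed). The two certificates it scans are throwaway self-signed ones generated in a temporary directory for the demonstration, not anyone's real keys.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal certificate expiry
# scan of the kind that catches an "expired certificate" outage in advance.
# Assumes the openssl CLI is available on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: two throwaway self-signed certificates, one that
# expires in 3 days and one that expires in 365 days.
mk_cert() {  # mk_cert NAME DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days "$2" >/dev/null 2>&1
}
mk_cert short 3
mk_cert long 365

# expires_within PEMFILE SECONDS
# Returns 0 if the certificate will have expired SECONDS from now, 1 if it is
# still valid at that point. openssl's -checkend exits 0 for "still valid"
# and 1 for "will have expired", so the sense is inverted here.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# classify PEMFILE
# Prints CRITICAL (under 7 days left), WARNING (under 30), NOTICE (under 90)
# or OK. Thresholds are illustrative; pick ones that match your renewal lead time.
classify() {
  if expires_within "$1" $((7 * 86400)); then echo CRITICAL
  elif expires_within "$1" $((30 * 86400)); then echo WARNING
  elif expires_within "$1" $((90 * 86400)); then echo NOTICE
  else echo OK
  fi
}

# scan DIR
# One tab-separated line per certificate: status, subject, notAfter.
scan() {
  for pem in "$1"/*.pem; do
    printf '%s\t%s\t%s\n' "$(classify "$pem")" \
      "$(openssl x509 -in "$pem" -noout -subject)" \
      "$(openssl x509 -in "$pem" -noout -enddate)"
  done
}

scan "$WORK"
```

Point `scan` at a directory of PEM files harvested from your load balancers, web servers and build hosts, and feed its output to whatever alerting you already have; the same `expires_within` helper can be wired to a live endpoint by piping `openssl s_client -connect host:443 </dev/null | openssl x509` into a file first.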
Certificate-related outages that take critical services down can also spell trouble for a business. Here are some recent certificate-related outages that made the news:
Looking back, the Ponemon report forecast that these and other impacts from unprotected and poorly managed keys and certificates would continue, putting the security risk per organization at $53 million over the following two years and the combined availability and compliance risk at $7.2 million. By that estimate, security risk greatly outweighs availability and compliance risk.
Read the report to get an action plan to reduce these risks.
How are you reducing the risk of key and certificate misuse in your organization?
This blog was originally posted by Kevin Bocek on September 29, 2015.