The Internet is the life blood for today’s business. Billions of dollars in market capitalization have been built on the back of innovation and productivity gains from the Internet and connected computing. However, the idea that security professionals believe online trust is near its breaking point will probably come as a bewildering thought to many companies going about their daily business, quietly confident the Internet’s system of trust is working.
The truth is that businesses need to take their blinders off and face online security issues head on, instead of burying their heads in the sand. Shockingly, 100% of surveyed organizations have admitted being at the receiving end of multiple attacks on unsecured cryptographic keys and digital certificates in the past two years alone. Keys and certificates are the foundation of security and were put in place to attempt to solve the first Internet security problems twenty years ago: what can I trust online and can I have private communications. But, we’ve lacked a system to keep them safe, know what’s trusted, and find and replace them when they’re not. If businesses do not take action, they’ll be unprepared for what security experts call a ‘Cryptoapocalypse’—when a discovered cryptographic weakness becomes the ultimate cybercriminal weapon, sending business into chaos.
We’ve already seen the warning signs. Last year, for example, Russian cybercriminals stole an SSL/TLS certificate from a top-five global bank. This enabled the cyber gang to impersonate the bank and steal 80 million customer records. In another case, SSL/TLS keys and certificates enabled hackers to steal data from 4.5 million healthcare patients. Leading industry researchers have identified the misuse of keys and certificates as a key part of an Advanced Persistent Threat (APT) and at the epicenter of cybercriminal operations.
The dire reality of the situation was uncovered in the 2015 Cost of Failed Trust Report, released by the Ponemon Institute. It is the first report of its kind to examine the Internet’s system of trust and what happens when this system breaks down. The report found that half of respondents acknowledged that the trust established by keys and certificates, the technology used to underscore trust and privacy online, is in jeopardy. What is more worrying is the other half who are eschewing the issue of trust altogether.
With 54% of businesses unaware of the location of their keys and certificates, or how they are being used, it is easy to see how they, their customer base, and partners, fail to establish any trust online. Take away the trust created by keys and certificates, used for everything from online shopping and mobility, to banking and government, and we can see the Internet being hurtled right back into the ‘stone age’, where users have no way of knowing if a website or mobile application is actually secure. How much faith would that give you in doing business online?
The potential liability can’t be underestimated. Over the next two years, the prospective financial risk facing business from attacks on keys and certificates is expected to hit at least $53 million.
With the growing number of attacks on keys and certificates, businesses must see this as a wake-up call and realize that they can’t place blind trust in keys and certificates that are open to exploitation by cybercriminals. We need to know what’s ours, trusted, or not. And as we move more and more to the cloud and DevOps environment, we need to scale up fast and tear down even faster, to keep everything safe and trusted.
The total number of keys and certificates used by the average business is over 23,000—up 34% from two years ago, thanks to an increase in deployment on web servers, network devices, and cloud services.
With no alternatives to keys and certificates available, the first priority is to make sure they are adequately protected. Businesses must make sure they know exactly where their keys and certificates are, fix any vulnerabilities, and make sure they are changed and replaced automatically.
Organizations need to put strict policies in place to know who they can, and cannot, trust. Before a certificate is issued a business should make sure it knows exactly how it will be used, who will own it internally, and if it fits into the existing security policy. And with more cloud and DevOps environments, we can only accomplish this with a solution that’s machine-based to scale up and down in seconds.
Businesses must not forget to include enterprise mobile certificates in their cyber security policy. The misuse of these for applications such as WiFi, VPN and MDM/EMM is a growing concern, especially with an increase in mobile employees and the adoption of BYOD (Bring Your Own Devices). Security professionals indicated that attacks using mobile certificates have the largest impact of all attacks using keys and certificates with a total possible impact of $126 million.
Businesses should sweep the Internet regularly to see if there are any ‘spoofed’ or stolen certificates out there claiming to belong to them. Stolen certificates are now being sold for $1000 and more. This is such a big problem that Intel believes it will be the next big hacker marketplace. Each business’s security infrastructure should detect these issues and rapidly respond to anomalies as well as know how to fix and replace vulnerable keys and certificates quickly.
It is critical that organizations put broad cyber security controls in place. It’s not possible just to focus in on one type of security control. And, it’s critically important that the foundational elements for security, like keys and certificates, be secured first. Cybercriminals won’t question the size or sector of a business when they attack.