A Venafi Survey of Nearly 850 IT Security Professionals Finds Gaps in Detection and Response to Key and Certificate Vulnerabilities
Attacks on keys and certificates are unlike other common cyber attacks seen today. With a compromised or stolen key, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates provide the attackers with unrestricted access to the target’s networks and allow them to go undetected for long periods of time with trusted status and access.
And we’ve seen many recent instances of these types of attacks. From the GoGo man-in-the-middle (MITM) attacks to Lenovo’s Superfish vulnerability to FREAK and now the more recent LogJam flaw, cybercriminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious deeds.
The bad guys are able to take advantage of these new vulnerabilities, because most security systems blindly trust keys and certificates. In the absence of an immune system for the internet, enterprises are unable to determine what is “self” and trusted in their networks and what is not and therefore dangerous. Not knowing what is trusted and “self” or how to detect or remediate from attacks on keys and certificates keeps organizations open to breach and compromise.
In light of recent attacks on trust, Venafi conducted a survey of nearly 850 IT security professionals during the RSA 2015 Conference to see what they were doing to stave off breaches and establish better trust online. The data reveals that most IT security professionals acknowledge they don’t know how to detect or remediate quickly from compromised cryptographic keys and digital certificates—the foundation of trust in our modern online world.
Here are other important findings from the Venafi RSA study:
- Respondents are ill informed on how to remediate a Sony-like breach involving theft of keys and certificates. Following a breach, more than three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches, and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.
- IT security professionals don’t know how to protect keys and certificates and their organizations don’t have a clear understanding or strategy for doing so. When asked what their organizational strategy is to protect the online trust provided by keys and certificates, only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea, 14 percent said they are using a manual process to try to manage them, and 22 percent placed the responsibility elsewhere. Without a strategy and implemented security controls to protect keys and certificates, attackers can gain and maintain extensive access to the target’s networks and remain undetected for long periods of time with trusted status.
- Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results showed that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they are using a combination of next generation firewalls, anti-virus, IDS/IPS, and sandboxes to detect these types of attacks. Both groups leave themselves open to additional attacks. According to Gartner, 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. Bad actors understand that most security systems either trust SSL/TLS or lack access to the keys to decrypt traffic and find hidden threats. These security shortcomings create blind spots and undermine critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.
- More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) to attacks on SSH keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys on all hosts if breached. Cybercriminals are exploiting the lack of visibility and control over SSH keys, which are used to authenticate administrators, servers, and clouds. Because SSH keys never expire, cybercriminals and insiders alike gain almost permanent ownership of systems and networks by stealing SSH keys.
The results of this study underscore what we at Venafi have been saying all along: IT security pros can no longer place blind trust in keys and certificates. We must realize that the keys and certificates we rely upon to establish trusted connections for everything IP-enabled today are in major jeopardy as attackers continue to misuse them to gain trusted status.
Just like the human immune system, Venafi learns and adapts as it works. Venafi identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects enterprise networks and brands.
Ultimately, if what our survey data says is true, and IT security professionals can’t secure and protect keys and certificates and respond more quickly to attacks that use them, online trust will continue to diminish with grave consequences, especially to the economy which relies heavily on online trust for commerce.