Untrusted Certificates—Survey Shows IT Security Pros Know the Risks but Do Nothing

September 9, 2015 | Gavin Hill

Today, Venafi released a report based on survey findings and analysis, IT Security Professionals Know the Risk of Untrusted Certificates and Issuers, but Do Nothing. The survey was conducted at 2015 Black Hat USA and gathered responses from over 300 IT security professionals. As the title suggests, the report reveals that security professionals know the risks associated with untrusted certificates, including compromises of certificate authorities (CAs), but they are currently not taking steps to protect themselves and don’t have remediation mechanisms in place to effectively mitigate a future CA compromise.

Why is it important to understand and respond to threats using untrusted certificates? The report highlights how cybercriminals are increasingly misusing keys and certificates to breach organizations, elevate their privileges, and hide activity. And although they may know the risks, most organizations are unprepared to defend against these attacks.

Security Pros Know the Risks

Here are a couple of survey responses that indicate that security professionals are aware of the risks associated with untrusted certificates and compromised CAs:

  • The major issuers of online trust will be compromised, with 90% of the respondents believing a leading CA will be breached within the next two years.

  • When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application, or mobile device, 58% stated they are concerned about MITM attacks and 14% had concerns about replay attacks.

[Figure: Statistics on Certificate Authority Security Risks]

They Lack Visibility into the Extent of their Risk Exposure

Although security professionals understand the types of threats that can result from misused certificates, they do not grasp the extent of their risk exposure.

  • Most security professionals (63%) don’t know or falsely believe that a CA secures certificates and cryptographic keys. CAs only issue and revoke certificates—they don’t monitor their use and do not provide any security for them.

  • When asked how many CAs are trusted on mobile devices, survey respondents believed the median to be three. For Apple iOS devices the median response was two, when in fact the number of trusted CAs is over 240.

Security Pros Aren’t Taking Action

Perhaps because of this lack of insight into the extent of their risk, security professionals aren’t taking action against current threats or establishing incident response plans that will protect them in the future when a leading CA is compromised.

  • Only 26% removed CNNIC from all desktops, laptops, and mobile devices after Google and Mozilla deemed CNNIC untrustworthy in order to protect Chrome and Firefox users from a MITM attack. The remaining 74% are still exposed.

  • Most (61%) would be unprepared to promptly respond to a breach of a leading CA, relying on manual procedures performed by administrators or incident response firms to remediate (including manually addressing Vulnerability Management System data).

  • Worse yet, 30% either did not know what they would do or would continue using the same CA, leaving them vulnerable.

[Figure: Statistic on Responding to CA Compromise]
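The two gaps above (not knowing how many roots a device trusts, and not removing a distrusted CA such as CNNIC) can both be checked with a trust-store inventory. The script below is an added example, not Venafi's or the report's code: it audits a list of CA certificates in the shape Python's `ssl.SSLContext.get_ca_certs()` returns, counting roots, flagging issuers on a distrust list, and flagging roots that have already expired. The sample store and the `now` timestamp are constructed for the demonstration.

```python
"""Inventory a client's trusted roots: count them, flag distrusted issuers,
and flag expired roots. Standard library only."""
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLContext.get_ca_certs():
# subject is a tuple of RDNs, notAfter uses OpenSSL's text date format.
SAMPLE_STORE = [
    {"subject": ((("countryName", "CN"),), (("organizationName", "CNNIC"),),
                 (("commonName", "CNNIC ROOT"),)),
     "notAfter": "Apr 16 07:09:14 2027 GMT"},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Inc"),),
                 (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2038 GMT"},
    {"subject": ((("organizationName", "Old Root Co"),),
                 (("commonName", "Old Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2010 GMT"},
]


def rdn_value(name, attr):
    """Return the first value of attribute `attr` in an RDN sequence, or ''."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def audit_roots(store, distrusted_orgs, now=None):
    """Return (total_roots, distrusted_cns, expired_cns) for a CA cert list."""
    now = time.time() if now is None else now
    distrusted, expired = [], []
    for cert in store:
        org = rdn_value(cert["subject"], "organizationName")
        cn = rdn_value(cert["subject"], "commonName")
        # Case-insensitive substring match against the distrust list.
        if any(bad.lower() in org.lower() for bad in distrusted_orgs):
            distrusted.append(cn)
        # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
    return len(store), distrusted, expired


if __name__ == "__main__":
    # Live check against this machine's default store; output varies per host.
    live = ssl.create_default_context().get_ca_certs()
    total, bad, stale = audit_roots(live, ["CNNIC"])
    print(f"{total} trusted roots, distrusted: {bad}, expired: {stale}")
```

Running it with no arguments reports the host's own root count, which is the number most respondents underestimated; `get_ca_certs()` only lists roots loaded into the context, so browsers with their own stores need a separate check.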

What should organizations do to protect themselves? Read the report to get a 3-point recommendation plan on how to reduce the risk and impact of fraudulent issuance and misuse of certificates. The report concludes by saying we should take a lesson from nature and use the Immune System for the Internet™ to identify good vs. bad, friend vs. foe to defend against the misuse of keys and certificates.

What are your thoughts on these survey results? Is your organization prepared for the next CA compromise? How do you remediate when your certificates and keys are misused by cybercriminals?
