
Venafi CISO/CIO, Tammy Moskites, Discusses with Decrypted Tech How Trust Has Changed in the Last Year

August 11, 2016 | Elizabeth Ireland, Venafi CMO
Key Takeaways
  • Decrypted Tech published an article based on Black Hat discussions with Tammy Moskites, Venafi CISO/CIO
  • Over the last year, misuse of certificates has enabled more breaches and diminished online trust
  • Some developers and systems engineers are taking security shortcuts, leaving businesses vulnerable
  • Organizations need a security mindset, shifting the conversation from technology to risk

Our Venafi CISO/CIO, Tammy Moskites, spoke with Decrypted Tech at both Black Hat USA 2015 and 2016, which resulted in the article "We Meet Venafi's Tammy Moskites to See What Has Changed About Trust in a Year" (reposted below).

“Last year at Black Hat we had an interesting conversation with Tammy Moskites from Venafi. Although Tammy is both the CIO and CISO of Venafi, the conversation did not focus on that company or the product as a whole. Instead we talked at length about trust and controlling the keys to data and devices. This conversation is still a very important one as we continue to see attacks and vulnerabilities in the systems that control access to and the encryption of important data.

Fortunately, since last year the message is getting out and people are starting to take notice. Sadly, this awareness has come due to a large jump in breaches where data was removed. The message has also highlighted an area that many security professionals often overlook: code development and system implementation. The idea that some developers (not all) and systems engineers are cutting corners by using WMI and self-signed certificates for systems that have access into sensitive data is a sobering one. However, it happens more than most would like to admit and there have not really been any good tools to find and remediate this.

The use of these types of certificates is a serious concern as they are easy to capture and spoof. This leaves many of those systems open to attack and also allows a potential attacker to appear as a trusted system if something like Group Policy is used to push trust of these certificates out to a larger group. This is only compounded by the bad habit of using wildcard certificates for internal systems and web servers. Once again, these certificates are not all that hard to grab from a server and then gain access to the private keys behind them. You can imagine what can happen from there. So it seems that even though the message is getting out there, we still have a very, very long way to go.

Companies still need to get a handle on what they have in their environments and not just from a certificate and key aspect. Most companies do not have a complete list of the systems (workstation or other) in their environments and this is also an issue. During our conversation Tammy mentioned that there needs to be a push to educate IT and security leadership about this to help push this out to the technicians doing the actual work. The security mindset is no longer an option or an add-on to the network or sysadmin’s job. It really is a requirement and until this shift happens things are not going to get better.


Venafi, as a company, is helping to get a handle on the trust side of things by ensuring there is a secure lifecycle management of the inventory, control, and management of certificates and keys through their Trust Protection Platform, but this is just part of the conversation that needs to take place in IT. The rest is going to be up to individual companies. As Tammy put it, they will need to shift the conversation from the technology used to the risks faced and align their thinking and policies with this.

We hope that when we catch up with Tammy next year more companies will have gotten the message and have started to have the right conversations to clean up the mess that is inventory and trust in most organizations.”

Article originally posted on Decrypted Tech, on August 9, 2016.
