As 2016 comes to a close, it’s a great time to reflect on the events of the past year. From the Apple vs. FBI debate, to the Yahoo! Breach and distrust of WoSign, the past twelve months brought an unprecedented number of new vulnerabilities and damaging cyber attacks connected with the misuse of encryption. Before we look ahead to 2017, let’s look back at our predictions from 2015.
A year ago, Venafi made the following forecast for 2016:
With more use of encryption in 2016, we'll see more misuse of the trust provided by keys and certificates.
IoT ransomware will become one of cyber criminals’ attack vectors.
Code-signing services for malicious code will become the norm.
The Certificate Authority (CA) model will be broken and the value of certificates will diminish.
CAs will be ranked across the user community, adding to the lack of trust.
Large security vendors will lose customers, revenue, and credibility because they cannot see attackers lurking in encrypted traffic.
Did any of these predictions come true? In 2016, we saw code-signing services for malicious code become common—Intel is currently tracking 22 million pieces of malware that use code signing certificates. The traditional CA model was disintermediated with the introduction of free certificate offerings and scandals like the GlobalSign glitch and Google’s decision to distrust WoSign/StartCom. IoT DDoS attacks and ransomware were common.
Overall, not a bad scorecard!
Looking ahead to 2017, we see a number of new threats and emerging trends. Here are the first five:
As Certificate Authorities are pushed to do more and go faster, they will make more mistakes.
GlobalSign, the Belgium-based certificate provider, botched a clean-up of some of their root certificates in 2016, causing secure websites to appear insecure and freezing hundreds of thousands of websites. Business process errors like this can be managed, but they will never be completely avoidable. And as CAs try to keep up with the agility and speed demands of DevOps and Fast IT projects, this type of business process error will occur more often.
The reality is that failures like GlobalSign’s are already becoming more frequent. The impact of these errors is completely unacceptable—you can’t have your website appear to be untrusted or taken offline until your CA is able to remediate a problem. The potential revenue loss and reputation damage for impacted businesses could run into the millions of dollars. Because these kinds of scenarios are already happening, businesses need a backup plan. They can’t afford to be at the mercy of any specific CA. So when CA errors occur, firms need to be able to automatically change out affected certificates.
IoT ransomware will become one of the cyber criminals' attack vectors of choice.
In 2016 hospital operations were held ransom by cyber criminals. Ransomware was used to force many organizations to pay extortionate fees or suffer crippling data loss. The Tesla hack demonstrated the power and danger of poorly secured IoT devices. IoT ransomware hasn’t become mainstream yet, but the Dyn DDoS attack came close, and it was just a step away from ransomware. As the frequency and sophistication of ransomware and IoT attacks increase, we should expect to see the two threats merge, making IoT ransomware a devastating threat in 2017.
IoT manufacturers will take code signing more seriously.
We saw malicious code signing services become the norm in 2016, and we’re now seeing a plethora of devices that either don’t use or fail to enforce code signing. As attacks like the Dyn DDoS use Internet-connected devices such as printers, IP cameras, and residential gateways to perpetrate attacks, device manufacturers will take concrete steps to better enforce code signing in order to more effectively secure their devices.
The number of publicly trusted free certificates issued will outnumber those that are paid for.
As the value of certificates continues to drop, we’ll see the business models of Certificate Authorities in free fall. We expect to see widespread use of free certificates, even in businesses. Broader use of encryption is a positive step that improves data privacy. However, making certificates widely available allows anyone in the enterprise to request them. This rapid increase in free, unmonitored certificates presents a huge target for cyber criminals.
Cyber criminals with easy access to keys and certificates can use them to hide inside of encrypted traffic and can’t be detected by most security controls. This attack vector is fast becoming the default for cyber attackers—which almost counteracts the whole purpose of adding more encryption. In fact, we’ve already seen free certificates misused by cyber criminals, including a malvertising campaign that used certificates issued from Let’s Encrypt.
2017 will see the first approved use of Let’s Encrypt or other free services within the Fortune 500.
As free certificate offerings become more widely accepted, we’ll see a surge in organizations taking advantage of free services like that of Let’s Encrypt. The value of a certificate will not be in its issuance cost; instead, it will be based on the value and reputation of the issuing CA and the purpose of the certificate. This shift from paid-for to free certificates will bring about a rise in certificate management solutions as organizations look for ways to maintain the integrity and security of their certificates. Organizations must also remain agile enough to add, change or remove a CA quickly and easily if business conditions require it.
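The CA agility called for here, and in the GlobalSign discussion above, starts with knowing which certificates are affected. The following is an added example (not Venafi’s code or any product’s) that turns a certificate inventory into a re-issuance worklist: every certificate issued by a CA you have decided to distrust, plus anything expiring soon. The CA names, hostnames and in-memory test PKI are constructed; a production version would match the issuer by key identifier or fingerprint rather than by common name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate for cn, self-signed when parent is nil (constructed test PKI only).
func mint(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed root: the template signs itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// NeedsReplacement is the worklist for automated re-issuance: certs from a distrusted issuer or expiring inside window.
func NeedsReplacement(inv []*x509.Certificate, distrusted map[string]bool, now time.Time, window time.Duration) []string {
	var out []string
	for _, c := range inv {
		switch {
		case distrusted[c.Issuer.CommonName]: // issuer on the distrust list, e.g. after a CA incident
			out = append(out, c.Subject.CommonName+": issuer distrusted ("+c.Issuer.CommonName+")")
		case c.NotAfter.Before(now.Add(window)): // too close to expiry to wait for the next cycle
			out = append(out, c.Subject.CommonName+": expires "+c.NotAfter.UTC().Format("2006-01-02"))
		}
	}
	return out
}
// Demo builds a constructed inventory: three leaf certs from two test CAs, checked with a 30-day window.
func Demo() []string {
	badCA, badKey := mint("Distrusted Example CA", nil, nil, 3650*24*time.Hour)
	goodCA, goodKey := mint("Trusted Example CA", nil, nil, 3650*24*time.Hour)
	shop, _ := mint("shop.example", badCA, badKey, 300*24*time.Hour)
	api, _ := mint("api.example", goodCA, goodKey, 10*24*time.Hour)
	www, _ := mint("www.example", goodCA, goodKey, 300*24*time.Hour)
	return NeedsReplacement([]*x509.Certificate{shop, api, www}, map[string]bool{"Distrusted Example CA": true}, time.Now(), 30*24*time.Hour)
}
func main() { fmt.Println(Demo()) }
```

Feeding the returned list to an ACME client or the CA’s issuance API is the automation step the text asks for; the healthy www.example cert is deliberately left alone.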