<![CDATA[Venafi Blog]]> https://www.venafi.com/blog/ Venafi Blog EN Copyright 2016 2016-05-25T16:37:37-06:00 <![CDATA[The U.S. Federal Government’s Biggest Cybersecurity Challenge]]> https://www.venafi.com/blog/post/the-us-federal-governments-biggest-cybersecurity-challenge https://www.venafi.com/blog/post/the-us-federal-governments-biggest-cybersecurity-challenge/#When:00:12:00Z The biggest challenge facing cybersecurity professionals in Federal agencies is, well, the Federal government. There are sweeping mandates to keep agencies secure. But the funding to back that guidance is tied to factors that may not even contribute to the protection of privacy and intelligence. Budgets are driven by enforceable regulations, not necessarily by the most effective protection strategies. This leaves Federal security teams facing the unenviable choice between securing their agencies and securing their jobs. But that’s a choice that may not be entirely within your control. One breach and all hell breaks loose.

So what’s at stake?

According to the Government Accountability Office, “If information security controls are ineffective, resources may be lost, information—including sensitive personal information—may be compromised, and the operations of government and critical infrastructure could be disrupted, with potentially catastrophic effects.” The office also highlighted several weaknesses in current Federal cybersecurity practices, including lack of risk-based cybersecurity programs and access control systems, while calling for improvements in contractor oversight, incident response, and security programs at small agencies. 

There’s commitment at the top, but the middle is where it matters

However unenforceable or underfunded, cybersecurity remains a top priority for President Obama. Outlined in a White House blog, the 2016 Federal Cybersecurity Research and Development Strategic Plan calls for “new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong.” Again, no one is arguing that Federal agencies will not need advances in cybersecurity to remain viable. But the real question is what can you do RIGHT NOW, given current funding and regulatory limitations.

In the wake of the massive data breach at the Office of Personnel Management, which exposed the records of nearly 22 million federal workers, Federal agencies are worried. But will legislators match that concern with the cash needed to implement the required cybersecurity? Time will tell. But in the meantime, the Office of Management and Budget recently upped the ante with the Cybersecurity Strategy Implementation Plan. The plan includes recommendations for basic security upgrades to prevent infiltration and breach. It’s a smart plan. And the goals are solid, but it’s the journey to those goals that remains uncertain.

What will it to take to evolve Federal cybersecurity?

The machine of bureaucratic change is admittedly cumbersome and slow moving. The U.S. Federal government is not run like a business. It is run like the slow-moving, unwieldy superpower that it is, where change is slow and hard fought. Because the government is not profit driven, there may be little formal incentive to increase productivity or reduce costs. There are, however, informal incentives to allocate funds to penalty-driven programs, expend budgets, and maintain continuity. No agency wants to do anything that would disrupt service, as illustrated by the problems that plagued the launch of the Affordable Care Act’s online exchange. So your upgrades get deferred. Then the budget disappears. The problems remain, and you are back where you started. It’s very much a fix-it-now, catch-up-later mentality, according to an astute article in the Daily Dot.

First focus is to overcome the problem from within

In a survey commissioned by HP, the Ponemon Institute recently found that the Federal Government may be its own worst enemy when it comes to cybersecurity. 44 percent of federal workers who responded to the survey indicated that “the biggest threat to federal cybersecurity is ‘the negligent insider’ at an agency who fails to take enough precautions while using or protecting government networks.” By comparison, only 30 percent of respondents marked nation-state hackers as the primary threat.

Enforcement is everything. Employee compliance is critical. And support must trickle down from the top to the middle. The ultimate success of Federal cybersecurity relies on getting buy-in from cabinet secretaries and mid-level managers. It’s a change of mindset that may seem a bit unrealistic. But it’s the only way that the government can truly enact critical changes in cybersecurity. In the meantime, while new systems may be slow to implement due to concern over the continuity of large government programs, agencies must lock down the proper controls that will protect them throughout the process.

Making cybersecurity a priority

Agencies still need to overcome the burdens inherent in large government to enact the changes needed for effective, up-to-date cybersecurity. The good news is that you have backing from the highest levels, i.e. the Oval Office. But outlining and securing the necessary funding remains a challenge, as does staffing and implementation. To have any chance of bringing cybersecurity up to code, agency teams must identify, clarify, and justify the fastest, cheapest ways to mitigate the highest risks. Automating that security is one of the best ways of enforcing compliance.

At Venafi, we believe that as the foundation of cybersecurity, keys and certificates are a good place to start. Without these forms of validation and authentication, we would simply not know which systems, applications, or users to trust. Control that system of trust (or mistrust) and you control access to your critical digital assets. Venafi can help automate the protection and management of your agency’s keys and certificates. Plus, it’s a smart place to invest, especially to prevent man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates to bypass even the most rigorous security controls.

Talk to us today to find out how Venafi can help you eliminate blind spots to protect your agency during the planned upgrades in your cybersecurity.

<![CDATA[What Apple vs. FBI Means for the Global 5000]]> https://www.venafi.com/blog/post/what-apple-vs-fbi-means-for-the-global-5000 https://www.venafi.com/blog/post/what-apple-vs-fbi-means-for-the-global-5000/#When:23:15:00Z The Bottom Line: Global 5000 organizations must know where all keys and certificates are used, who is responsible for them, and how to continuously protect them.

In February 2016, a U.S. court ordered Apple to use its code-signing key and certificate to authorize software that would circumvent the iPhone’s native security self-defenses. Venafi, along with many others, believes that the required access to and use of Apple’s key would pose a serious threat to Internet security.

Apple’s Tim Cook contends that government access to keys and certificates, and the power they enable in providing trust and privacy, is “asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals.” Or, as Time recently describes: “the software equivalent of the secret name of God.”

Venafi views this type of government action as ultimately hijacking the expectation of privacy that exists in a digital world: the privacy and trust that cryptographic keys and digital certificates enable. At Venafi, we are serious about protecting privacy. We disagree with the government and law enforcement’s action to require disclosure. Given access to the proper data (precise awareness of all keys and certificates), our customers can make informed decisions about their legal responsibilities as well as their responsibilities to their customers, shareholders, and other stakeholders; and should they decide to comply with a legal request, they will be able to do so.

Trending: Global laws are changing to bypass security and expose encrypted data

Regardless of the outcome of the U.S. court deliberations of Apple vs. FBI, the issue of law enforcement requesting keys and certificates is a growing trend in many parts of the world. Whether your organization is a bank, a retailer, an insurer, or a telco, all organizations today are software businesses that rely on keys and certificates for secure communications, commerce, computing, and mobility. In that light, Apple vs. FBI and the impact of key and certificate disclosure is a topic that is very relevant to all global organizations.

One of the reasons this issue is so serious is that a compromised, stolen, or forged key and certificate can allow bad guys to impersonate, surveil, and monitor servers, clouds, and mobile devices, acting as trusted parties on the network.

Venafi customers find on average over 16,500 keys and certificates that were previously unknown.

Source: TechValidate. TVID: 363-53E-598 


Keys and certificates have become high-value targets

The reality is that organizations not only need to protect keys and certificates from bad guys looking to misuse them, but they also need to be completely aware of the status of every key and certificate in order to properly secure them and make informed decisions about meeting global government and law enforcement requirements.

With tens of thousands of keys and certificates used in businesses today, most of them unknown and unprotected, the issue of key and certificate disclosure presents a serious risk to the Global 5000 (see Figure 1). Concerns over liability will impact CEOs, boards of directors, general counsels, and CISOs across the board.

Apple vs. FBI is part of a global trend of law enforcement seeking access to and use of keys and certificates. The most relevant of the laws of this type are those in Europe:

  • United Kingdom: Section 49 of the Regulation of Investigatory Powers Act (RIPA) lets law enforcement serve notices requiring the disclosure of cryptographic keys or of the decrypted data. Failing to comply is a criminal offence punishable by imprisonment (up to two years, or five years in national security cases), and liability can extend to those representing a business, such as a managing director or board member. Deliberations are now underway on updates to RIPA that would allow law enforcement to require businesses to use surrendered keys and certificates to undermine security and introduce new vulnerabilities.
  • France: Article 434-15-2 of the Penal Code makes refusing to hand over a cryptographic key (or the decrypted content) to the judicial authorities an offence carrying three years’ imprisonment and a €45,000 fine for each infraction. The penalty rises to five years and €75,000 in cases where providing the key could have prevented or limited the impact of a criminal act.

If Apple were a French or U.K. business, would Tim Cook or a Board Member be serving jail time for failing to provide access to its code signing key and certificate? It seems likely. But the potential impact doesn’t stop there. Subsequent action in these countries could still affect Apple executives and board members travelling abroad.

Action for all G5000: Detect and Protect all Keys and Certificates

Issues of key disclosure extend well beyond Apple. Because all businesses are essentially software companies, which use keys and certificates throughout, key disclosure can have a very real impact on productivity, success, and even liability. To minimize these risks, G5000 companies need to gain deeper knowledge of all aspects of protecting their keys and certificates.

Preparing for key disclosure requires a full understanding of the use and ownership of keys and certificates, especially those that IT security teams may not be aware of, including those used by marketing, engineering, and manufacturing teams. To learn what steps to take, download our Readiness Brief.

How Venafi Helps You Manage Your Keys and Certificates

As the Immune System for the Internet™, Venafi protects the keys and certificates that establish trust, privacy, and confidence for your business. Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN, and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not. Venafi customers can download a summary on how to use their existing Venafi platform to their advantage in preparing for and dealing with disclosure-related issues.

As disclosure requirements and laws continue to evolve, having in-depth information about your keys and certificates will become a competitive advantage. Venafi gives you the information you need to help reduce risk and protect the trust and privacy that keys and certificates were designed to create.

Want to learn more? Let’s talk and see how Venafi can help your business.


Update March 28, 2016: FBI Drops Its Case Against Apple After Finding a Way Into the iPhone

The battle between the FBI and Apple might be on hold, but the wider war will continue to rage on. The FBI’s dropped case has by no means settled the wider issues around encryption, privacy and public safety. The fact remains that the US courts have been trying to push Apple to make a decision that could fundamentally undermine security and privacy for all. Not a good thing. 

The recent and public battle was a deliberate ploy by the US government to get its hands on the most sacred and powerful mass weapon of our times: the cryptographic keys and digital certificates that provide the foundations of all cybersecurity and trust on the internet. As a result, keys and certificates have become the target of nation states and bad guys. Just like Apple, every enterprise uses and is dependent on keys and certificates for trust and privacy and therefore faces many of the same issues.

We should also be concerned that now that an iPhone can be hacked, others will try. The iPhone has been seen as a tiny little Fort Knox that from the outside has shown how hard it is to crack and get into. Although someone helped the FBI break into the iPhone, probably in exchange for money, other people who stumble upon the same hacking technique could choose to sell it to cyber criminals or other governments, which could spell the end of privacy as we know it.

<![CDATA[Making Fast IT Secure with Key and Certificate Automation ]]> https://www.venafi.com/blog/post/making-fast-it-secure-with-key-and-certificate-automation https://www.venafi.com/blog/post/making-fast-it-secure-with-key-and-certificate-automation/#When:19:46:00Z This is the first of two technical blogs that discuss FAST IT and its impact on security. We understand that the development landscape is changing rapidly and we are here to help you to keep pace with the speed of that change. We’ll post part two shortly.

In this blog, we explore how the lifecycle for critical cryptographic assets can be seamlessly and centrally governed by policy within today’s highly dynamic fast IT environments. We’ll cover a high-level use case for how the Venafi Trust Protection Platform integrates with the Chef DevOps framework using a cookbook for the procurement of X.509 certificates. The principles outlined in this use case can just as easily be incorporated into almost any other DevOps framework.

Controlling the use of keys and X.509 certificates in today’s highly dynamic world of compute, containers, and microservices raises new challenges that require a new approach. In this new world, which emphasizes fast delivery, security simply cannot be enforced using traditional slow IT policies and processes.

The speed of providing IT services has accelerated dramatically.

Business consumers and IT professionals are demanding new IT services and environments that are created at scale and speed. They demand Amazon AWS-like capabilities at similar speeds for internal IT services. Gartner predicts that by 2017 three out of four enterprise organizations will be moving to a bimodal IT structure, a two-stream, two-speed IT: one stream that supports existing apps requiring stability and another that delivers fast IT for innovation and business-impacting projects. To meet this demand many organizations are implementing processes and tooling that favor short-lived virtual machines, containers, and microservices over the more traditional long-lived computing platforms.

While these new tools and frameworks allow for speed and scalability, they do not provide centralized security services. Thus, security often falls back to the traditional slow, manual, and error-prone way of doing things. Even worse, security policies and procedures are often ignored in favor of just getting the job done quickly.

However, keys and certificates are the foundation for securing modern SSL/TLS-based data communications. There is nothing to replace this foundational system of trust on which the Internet is based, nor will there be any time soon - which means keys and certificates are here to stay and will continually increase in numbers.

DevOps accelerates IT services

Figure 1. Automating key and certificate support for DevOps

Venafi’s industry-leading and proven Trust Protection Platform is already helping Global 5000 organizations fully encapsulate, secure, automate, and audit entire key and certificate lifecycles across their traditional IT services and infrastructures. Through the use of the Venafi API, all of these services can be made available to the new world of fast IT.

Going fast with keys and certificates.

For DevOps, the process for procuring correctly issued certificates often falls into the ‘SlowOps’ category of legacy IT, and significantly reduces velocity. DevOps teams are often found working outside of corporate security boundaries, policies, and guidelines. This isolation helps these teams get development and new innovation done faster, at the speed of business. But it also potentially introduces security risks and bad practices within the very environments that are being created - all in favor of speed.

DevOps teams take shortcuts to get around the time it normally takes to procure certificates for their environments. Examples include:

  • Don’t use TLS/SSL
  • Create their own certificate authorities
  • Create self-signed certificates
  • Use unapproved certificate issuers
  • Create certificates with weak signature algorithms
  • Deploy certificates with long expiration periods
  • Misinterpret or completely ignore security policies
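One way to give a central policy teeth is to check every certificate before it is deployed and reject exactly the shortcuts listed above. The Ruby below is an added example, not Venafi’s code and not the cookbook shown in Figure 1; it could live in a Chef cookbook’s `libraries/` directory and gate the resource that writes the certificate to disk. The policy values, the CA name `/CN=Corp Issuing CA` and the hostnames are assumptions, and the certificates are generated inside the script so it runs offline.

```ruby
require 'openssl'

# Policy a security team might define centrally. These values are assumptions
# for this example, not Venafi's or any real organisation's policy.
CERT_POLICY = {
  approved_issuers:  ['/CN=Corp Issuing CA'],   # assumed internal issuing CA
  allowed_sig_algs:  %w[sha256WithRSAEncryption sha384WithRSAEncryption ecdsa-with-SHA256],
  max_validity_days: 398,
  min_rsa_bits:      2048
}.freeze

# Returns the list of policy violations; an empty list means the certificate
# is compliant. Each check maps to one of the DevOps shortcuts listed above.
def check_certificate(cert, policy = CERT_POLICY)
  findings = []
  issuer = cert.issuer.to_s
  findings << 'self-signed certificate' if issuer == cert.subject.to_s
  findings << "unapproved issuer #{issuer}" unless policy[:approved_issuers].include?(issuer)
  unless policy[:allowed_sig_algs].include?(cert.signature_algorithm)
    findings << "weak or unapproved signature algorithm #{cert.signature_algorithm}"
  end
  days = ((cert.not_after - cert.not_before) / 86_400).round
  findings << "validity of #{days} days exceeds #{policy[:max_validity_days]}" if days > policy[:max_validity_days]
  key = cert.public_key
  if key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < policy[:min_rsa_bits]
    findings << "RSA key of #{key.n.num_bits} bits is below #{policy[:min_rsa_bits]}"
  end
  findings
end

# Build an X.509 certificate; with no issuer given the result is self-signed.
def make_cert(subject, key, days:, issuer_cert: nil, issuer_key: nil, digest: 'sha256')
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(issuer_key || key, OpenSSL::Digest.new(digest))
  cert
end

# Constructed sample data: an internal issuing CA, a leaf issued the right way,
# and a leaf created the "shortcut" way (self-signed, 1024-bit key, ten years).
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Corp Issuing CA', CA_KEY, days: 3650)
GOOD_KEY  = OpenSSL::PKey::RSA.new(2048)
GOOD_CERT = make_cert('/CN=app.example.internal', GOOD_KEY, days: 365,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)
BAD_KEY   = OpenSSL::PKey::RSA.new(1024)
BAD_CERT  = make_cert('/CN=devbox.example.internal', BAD_KEY, days: 3650)

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_CERT, 'bad' => BAD_CERT }.each do |name, cert|
    findings = check_certificate(cert)
    puts "#{name}: #{findings.empty? ? 'compliant' : findings.join('; ')}"
  end
end
```

In a cookbook the recipe would call `check_certificate` on the PEM it is about to install and fail the Chef run (rather than silently deploying) when the list is non-empty, which turns the policy into something the pipeline enforces instead of something a team is asked to remember.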

The Venafi Platform can be configured to selectively expose some or all of its workflows and processes via easy-to-use REST APIs. These APIs can then be consumed directly by almost any DevOps toolchain, including continuous integration/delivery, automated build/deployment and container solutions such as Chef, Ansible, Puppet, SaltStack, HashiCorp, Docker, Kubernetes, and UrbanCode, to name a few.

Use Case - Venafi Platform integration with Chef

Figure 1 below provides an example of how the Venafi Platform easily integrates into a new or existing Chef framework. A simple sample cookbook can be used by DevOps teams as a way to get started when using Venafi’s key and certificate services.

Venafi integrates with the Chef framework

Figure 1. - Example Venafi Trust Protection Platform integration with Chef Framework

Provide fast security with fast IT

The Venafi Platform lets organizations realize the benefits of Fast IT without compromising security. Security teams can now centrally define policy through the Venafi API and enable DevOps to properly comply with security policies and best practices. Venafi makes it easy for DevOps teams to correctly apply and build in security from the beginning.

Our platform provides the following benefits to DevOps teams:

  • Unique keys and certificates are generated and issued on demand in seconds
  • Uses the same platform for DevOps as that used by existing security teams and system administrators
  • Single view of security posture and compliance with integration to Help Desk systems and SIM/SIEM environments. 
  • Automated remediation and re-enrollment as standards and policies change 
  • Automated alerts based on anomalies detected inside an organization and externally
  • Virtually infinite scalability without additional administrative overhead

NOTE: The use case depicted in this article is intended to provide a very high level example of how Venafi APIs can be used by security teams to provide key and certificate services to DevOps teams. Since most of the components fall outside the Venafi domain the solution has not been subjected to any security validation, screening, or ratification by Venafi.

<![CDATA[How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?]]> https://www.venafi.com/blog/post/how-to-remediate-drown-attacks https://www.venafi.com/blog/post/how-to-remediate-drown-attacks/#When:03:51:00Z A new vulnerability, DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800), was announced earlier this week. It is a cross-protocol attack on SSLv2: a server that still accepts SSLv2 connections, or that merely shares its RSA key and certificate with another service that does (a mail server is the classic case), lets an attacker decrypt TLS sessions to it. This is truly a huge business risk because the attack is cheap to pull off, for less than $500 of cloud compute time. If you want to see whether a site you use is vulnerable (your bank, your health insurance, your favorite online store), you can check it easily here.

In its general form, DROWN lets an attacker who has captured TLS traffic decrypt a session in a matter of hours by sending tens of thousands of crafted SSLv2 probes to a server that holds the same key. A faster variant that depends on an additional OpenSSL bug (CVE-2016-0703, fixed in 1.0.2a and 1.0.1m in March 2015) works in under a minute on a single PC, fast enough to mount an active man-in-the-middle attack on a live TLS connection. The vulnerability impacts roughly 33% of HTTPS servers worldwide. Even though this number is significant, it does not account for other services that allow SSLv2, including email servers, embedded systems, web applications and software supporting SSL/TLS. Upgrading to OpenSSL 1.0.2g or 1.0.1s disables SSLv2 by default, but the check that matters is broader than one web server: every service that uses a given key must reject SSLv2.
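The check the post points to is a simple probe: send an SSLv2 CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO. Modern OpenSSL builds no longer speak SSLv2, so `openssl s_client -ssl2` is usually unavailable; the Ruby script below, added here as an example rather than code from the original post or from Venafi, builds the SSLv2 messages by hand from the SSLv2 wire format. The SERVER-HELLO builder and its short DER placeholder "certificate" exist only so the parser can be exercised offline on a constructed reply; the host and port are whatever you pass on the command line.

```ruby
require 'socket'
require 'timeout'

# SSLv2 cipher kinds (3 bytes each) as named in the SSLv2 specification.
SSLV2_CIPHERS = {
  0x010080 => 'SSL_CK_RC4_128_WITH_MD5',
  0x020080 => 'SSL_CK_RC4_128_EXPORT40_WITH_MD5',
  0x030080 => 'SSL_CK_RC2_128_CBC_WITH_MD5',
  0x040080 => 'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5',
  0x050080 => 'SSL_CK_IDEA_128_CBC_WITH_MD5',
  0x060040 => 'SSL_CK_DES_64_CBC_WITH_MD5',
  0x0700C0 => 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5'
}.freeze

def cipher_bytes(kind)
  [kind >> 16, (kind >> 8) & 0xff, kind & 0xff].pack('C3')
end

# SSLv2 record: 2-byte header, high bit set, 15-bit body length.
def sslv2_record(body)
  [0x8000 | body.bytesize].pack('n') + body
end

# CLIENT-HELLO: type(1) version(2) cipher-spec-len(2) session-id-len(2)
# challenge-len(2) cipher-specs session-id challenge
def build_client_hello(ciphers = SSLV2_CIPHERS.keys, challenge = Random.bytes(16))
  specs = ciphers.map { |c| cipher_bytes(c) }.join
  sslv2_record([0x01, 0x0002, specs.bytesize, 0, challenge.bytesize].pack('Cnnnn') + specs + challenge)
end

# SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2)
# cipher-spec-len(2) conn-id-len(2) certificate cipher-specs connection-id
# Used here only to construct a reply for offline testing of the parser.
def build_server_hello(ciphers, cert_der = "\x30\x03\x02\x01\x01".b, conn_id = Random.bytes(16))
  specs = ciphers.map { |c| cipher_bytes(c) }.join
  sslv2_record([0x04, 0, 1, 0x0002, cert_der.bytesize, specs.bytesize, conn_id.bytesize].pack('CCCnnnn') +
               cert_der + specs + conn_id)
end

# Returns {ciphers:, certificate_der:} for an SSLv2 SERVER-HELLO, or nil for
# anything else (a TLS-only server typically answers with a TLS alert record,
# which starts 0x15 0x03 and so fails the high-bit test).
def parse_server_hello(data)
  return nil if data.bytesize < 2
  hdr = data.unpack1('n')
  return nil if hdr & 0x8000 == 0
  body = data.byteslice(2, hdr & 0x7fff)
  return nil if body.bytesize < 11
  type, _hit, _cert_type, version, cert_len, spec_len, _conn_len = body.unpack('CCCnnnn')
  return nil unless type == 0x04 && version == 0x0002 && spec_len % 3 == 0
  cert  = body.byteslice(11, cert_len)
  specs = body.byteslice(11 + cert_len, spec_len) || ''.b
  kinds = specs.unpack('C*').each_slice(3).map { |a, b, c| (a << 16) | (b << 8) | c }
  { certificate_der: cert, ciphers: kinds.map { |k| SSLV2_CIPHERS.fetch(k, format('0x%06x', k)) } }
end

# Live check: does host:port complete an SSLv2 handshake?
def sslv2_supported?(host, port = 443, timeout = 5)
  Timeout.timeout(timeout) do
    TCPSocket.open(host, port) do |sock|
      sock.write(build_client_hello)
      head = sock.read(2)
      return false if head.nil? || head.bytesize < 2
      data = head + sock.read(head.unpack1('n') & 0x7fff).to_s
      hello = parse_server_hello(data)
      !hello.nil? && !hello[:ciphers].empty?
    end
  end
rescue SystemCallError, SocketError, EOFError, IOError, Timeout::Error
  false
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    hello = parse_server_hello(build_server_hello(SSLV2_CIPHERS.keys))
    puts "constructed SERVER-HELLO offers: #{hello[:ciphers].join(', ')}"
  else
    host, port = ARGV[0], (ARGV[1] || 443).to_i
    puts "#{host}:#{port} #{sslv2_supported?(host, port) ? 'ACCEPTS SSLv2 - exposed to DROWN' : 'rejects SSLv2'}"
  end
end
```

Run it as `ruby sslv2_probe.rb host port` against every port that presents the same certificate, not just 443; a mail server that enables SSLv2 on 465 or 993 exposes the HTTPS key just as surely. The probe speaks raw SSLv2 only, so STARTTLS services (25, 587, 143) need the STARTTLS exchange first. On the server side the fix is to remove SSLv2 (and SSLv3) everywhere the key is used, for example `SSLProtocol all -SSLv2 -SSLv3` in Apache httpd or `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, and then re-run the probe.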

Some are calling this Heartbleed 2.0

The required remediation steps have much in common with Heartbleed. Hopefully organizations will take heed and remediate faster (and more completely) than they did for Heartbleed. Last year, a full year after Heartbleed was discovered, most of the Global 2000 organizations that Venafi surveyed had still not fully remediated Heartbleed. That’s why we recommend doing more to remediate (download our DROWN remediation plan).

DROWN hits while Heartbleed still not fully remediated


Your keys and certificates are the foundation of trust

According to the Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last two years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.

DROWN points out the need to know what’s trusted and what’s not. That’s why we’re here to help. Download our DROWN Threat Brief and then let us know if we can be of assistance.

<![CDATA[RSA 2016: How Your Security Foundation Crumbles If Your Keys and Certificates Are Compromised]]> https://www.venafi.com/blog/post/rsa-2016-see-how-your-security-foundation-crumbles https://www.venafi.com/blog/post/rsa-2016-see-how-your-security-foundation-crumbles/#When:16:17:00Z Cybercriminals are targeting your organization with attacks that misuse keys and certificates to infiltrate your network. And you can’t detect them because they are hiding in encrypted traffic. In fact, Gartner predicts that by 2017, 50% of network attacks will use TLS. Yet, many organizations do not realize the severity of this threat. That’s why we are bringing the problem to life. Because sometimes seeing is believing.

At RSA 2016, Venafi made it real. Our gameshow - “Are You Smarter than a Bad Guy?” -  showed how your security foundation is built on a system of trust that relies on keys and certificates. Brick by security-enhanced brick, we built a wall of metaphorical security systems that rest on your keys and certificates. This wall of bricks illustrated how the smallest compromise of that foundation (a hijacked key or certificate) can cause the whole system to come tumbling down.

Venafi winners at RSA 2016

The rapid growth of keys and certificates is nearly unmanageable

Here’s why your security foundation is vulnerable. Global 5000 organizations deploy an average of 20,000+ cryptographic keys and digital certificates. That’s 20,000+ ways that cybercriminals can infiltrate your encrypted traffic every time you establish trusted connections, authenticate devices, secure applications, and authenticate code.

That’s a lot to manage, even if you are aware of all the keys and certificates that you are using. However, more than half of organizations (54%) don’t know exactly how many keys and certificates their systems use, where they are located, who owns them, who has access to them, or when they expire. On average, our customers have found more than 16K keys and certificates they didn’t know they had.

Bad guys know you are vulnerable

Even worse, your existing security systems are built on this very same foundation of trust. Because these systems trust keys and certificates they’re blind to many new threats. Even with thoughtfully layered security, you’re still exposed to man-in-the-middle attacks, spoofed websites, backdoor access, and code-signed malware attacks because they hide in encrypted traffic. And it’s only going to get worse.

Code-signed malware is growing at 75% CAGR. And cybercriminals are using SSL/TLS against us, which allows the bad guys to look legitimate while they surveil networks, steal data, and stay undetected. Intel predicts the next big underground marketplace will be stolen certificates.

What you need is the ability to identify which keys and certificates are friend versus foe. You need to be able to determine the reputation (good or bad) of keys and certificates so that cybercriminals cannot use them anymore to bypass security solutions.

You can find and fix these vulnerabilities today

With Venafi, you get complete visibility and control. The Venafi Platform lets you secure and protect all your keys and certificates through a shared layer of services that work together (visibility, agents, policy, portals, workflow, and reporting) and that integrates with hundreds of existing systems in your infrastructure. We call ourselves the Immune System for the Internet™, because we let you know instantly which keys and certificates should be trusted and which shouldn’t, making security easy, fast and automated.

We hope you had a chance to visit us at RSA to see how your security foundation stacks up against cybercrime. If not, you can still talk to one of our experts to learn why hundreds of the world’s largest organizations use Venafi solutions to protect their foundation of trust.

<![CDATA[RSA 2016: Threats to Cybersecurity Are Making Headlines]]> https://www.venafi.com/blog/post/rsa-2016-threats-to-cybersecurity-are-making-headlines https://www.venafi.com/blog/post/rsa-2016-threats-to-cybersecurity-are-making-headlines/#When:17:29:00Z RSA 2016 did indeed shape up to be an interesting event. With a hospital in Los Angeles being held hostage by hackers with ransomware and Apple defending its operating system against the federal government’s request for a backdoor, the threats facing cybersecurity are significant and dangerous.

At the same time, we’re needing to provide faster IT—cloud, DevOps, IoT, mobility, and more. As I expected, the RSA sessions, floor, and meetings were buzzing with talk of DROWN and what we need to do to protect the things we care about while delivering more IT services, faster, and with less.

See what Venafi showed at RSA and learn how to protect your security foundation.

IT security professionals are entrusted with protecting the business and its critical digital assets. So we layer security controls, ensuring we have a defense-in-depth approach. With endpoint protection, advanced threat protection, next generation firewalls, IDS/IPS, VPNs, behavioral analytics, access controls, data protection, and so many others, it’s not surprising that Gartner expects information security spending to exceed $83 billion in 2016.

But with all of this protection, the bad guys are still getting in—and they are using our own security controls to do it. We use cryptographic keys and digital certificates to protect our communications and connections. However, security controls blindly trust keys and certificates, enabling cybercriminals to use stolen or forged ones to bypass security controls. When keys and certificates go unmanaged and unprotected, the foundation of cybersecurity crumbles.

As it turns out, we are the ones with visibility problems.

I think we can all agree that encryption is important. It secures our networks, online transactions, communications, and data. Even Edward Snowden agreed that nothing is as effective as encryption at safeguarding our digital assets when it is properly implemented. Unfortunately, many don’t properly manage and secure their cryptographic keys and digital certificates, leaving a gap in security. As a result, man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates are on the rise.

Intel predicts that the next high-ticket black-market item will be stolen digital certificates, and Gartner predicts that by 2017, 50% of all network attacks will use SSL/TLS. Unless we have deployed decryption devices that have real-time access to all keys and certificates needed for decryption, we have no way of knowing if our SSL/TLS traffic contains malicious or stolen content. And leaving our keys and certificates unprotected gives the bad guys ample opportunity to steal them and use them in attacks.

But it’s not just our SSL/TLS keys and certificates we need to manage and secure—SSH keys are equally as important. For many organizations, SSH keys are left up to system administrators to manage on an ad hoc basis.

How do we expect to remain secure when we can’t see the “lifecycle” of privileged access?

We bestow privileged access to our most critical systems and data without a way to see how our privileged users are leveraging this access. We have no way of telling if they have or have not shared their credentials with others, if SSH keys are stored securely, and if they are revoked when no longer used.

And, of course, there are also mobile and user certificates. As remote and traveling workers increase as well as the number of devices each of us carries, these certificates are exploding. Keys and certificates can help to secure users and devices, but when misused provide another avenue for cybercriminals to gain trusted status to access enterprise systems and data. Many don’t realize that their MDM systems do not provide sufficient control over keys and certificates.

More than half of us (54%)—and by "us" I mean information technology security professionals—have no idea exactly how many keys and certificates our systems use, where they are, who owns them, who has access to them, which CAs issued them, what key lengths or cryptographic hash types they use, when they expire, and so forth.

It's up to us to stop the bad guys. We can begin by eliminating our own blind spots.

We should have the means to decrypt and analyze both sides—inbound and outbound—of SSL/TLS traffic. If not, we’ll be missing half of the attacks by 2017, which will be using SSL/TLS traffic to hide cybercriminals’ actions. We should create and enforce clear policies for replacing certificates and keys at regular intervals, and we should automate the enforcement process, just as we have automated password-change enforcement for our users.

Similar policies should be applied to our SSH keys—without this policy enforcement SSH keys never expire, continuing to provide privileged access to critical systems and data that can be hijacked by the bad guys. And we need mobile and user certificate management that provides complete visibility as well as easy issuance and revocation to keep systems and data secure while enabling our remote workforce.

Admittedly, gaining this visibility and enforcing policies might be easier for me than it is for you. As Venafi's CISO, I use our industry-leading platform to discover everything I can know about whether or not the keys and certificates on my network are trustworthy. (With our TrustNet™ certificate reputation service, my visibility actually stretches beyond my network.)

I lean heavily on our solution because we know that if blind spots exist, the bad guys will find them. But for the 54% of you who have blind spots we all know about, see what we showed at RSA.

<![CDATA[Infographic: Crumbling Cybersecurity—CIOs Are Wasting Millions]]> https://www.venafi.com/blog/post/infographic-crumbling-cybersecurity-cios-are-wasting-millions https://www.venafi.com/blog/post/infographic-crumbling-cybersecurity-cios-are-wasting-millions/#When:12:00:00Z CIOs admit to wasting millions on inadequate security controls. Why? There is a fundamental flaw in their cybersecurity strategy that is letting cybercriminals bypass their defenses in over half of network attacks.

This infographic shows CIO survey results which reveal cybersecurity is crumbling because the foundation of cybersecurity—keys and certificates—is being left unmanaged and unprotected.

Everyone has layered security defenses—next gen firewalls, VPNs, DLP, advanced threat protection, endpoint protection, and more. With all of these investments, CEOs, CIOs, and IT security leaders should expect their security systems to know what’s trusted and safe, and what’s not. But these security controls are blind to attacks that use compromised, stolen, or forged keys and certificates to undermine network defenses.

With Gartner expecting over 50% of network attacks to use SSL/TLS to hide in encrypted traffic by 2017, enterprises have a huge gap in their cybersecurity that won’t protect them against half of attacks.

This infographic is based on a January 2016 survey conducted by Vanson Bourne, an independent technology market research provider. The survey asked 500 enterprise CIO respondents in the U.S., U.K., France, and Germany how the demand for encryption and exponential growth in cryptographic keys and digital certificates are impacting their cybersecurity efforts. 

The results show IT executives understand their cybersecurity approaches are failing and agree they are wasting money on ineffective security controls. But trust in the cybersecurity foundation can be restored by securing keys and certificates. Venafi, the Immune System for the Internet™, helps you know instantly which keys and certificates should be trusted and which shouldn’t. Learn how we can help protect your organization.

<![CDATA[CIOs Wasting Millions on Cybersecurity that Doesn’t Work: Keys and Certificates Must Be Protected]]> https://www.venafi.com/blog/post/cios-wasting-millions-on-cybersecurity-that-doesnt-work https://www.venafi.com/blog/post/cios-wasting-millions-on-cybersecurity-that-doesnt-work/#When:12:00:00Z Top CIOs acknowledge they are wasting millions (take your pick – BSPs, EURs, or USDs) on layered security defences because these technologies blindly trust keys and certificates, according to research we just completed with independent research firm, Vanson Bourne. The bad guys use unprotected keys and certificates to bypass these security defences, exploiting keys and certificates to hide in encrypted traffic, spoof websites, deploy malware, and steal data.

The research reveals CIOs understand they are wasting millions because these layered security defences like FireEye can’t stop half of the attacks. Gartner predicts that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls; these technologies can’t defend against any of that.

The recently released annual threat report by Dell describes the growth in SSL/TLS decryption as a “mixed bag.” In Q4 2015, SSL/TLS connections comprised an average of over 64% of web connections, and, throughout 2015, each month increased by 53% over the corresponding month in 2014, on average. Although SSL/TLS is used to secure communications and connections, it’s also used increasingly by cybercriminals as an attack vector. When discussing the Dell report, Business Wire explains, “Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems.”

When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that’s a lot of money being wasted on solutions that can only do their jobs some of the time.


A fatal flaw in the foundation of security.

Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to do. But when keys and certificates are left unmanaged and unprotected, this foundation is threatened. And if this foundation collapses, the Global 5000 and federal governments will be in serious trouble. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.

Layered security defences—endpoint protection, advanced threat protection, firewalls, behavioural analytics, IDS and IPS security systems, and more—are fundamentally flawed because they blindly trust keys and certificates and are unable to determine which are good and which are bad.

In addition, most security professionals (54%) admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. Without visibility or access into all keys and certificates, security controls are unable to inspect the vast majority of encrypted network traffic, which leaves gaping holes in enterprise security defences.

Cybercriminals are taking advantage of these blind spots and are using unprotected keys and certificates not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden.

Cybersecurity Is Failing

Globally, there appears to be a loss of confidence in cybersecurity.

The public markets are efficiently reflecting a loss of confidence in cybersecurity. It’s no coincidence that 90% of CIOs admit to wasting billions on inadequate cybersecurity at the same time the HACK cybersecurity fund has dropped by 25% since November 2015. This is well ahead of the overall market downturn, with a 10% decline in the S&P 500 index.

The number of keys and certificates that enterprises need to secure is exploding. In light of Encryption Everywhere plans, driven in large part by Edward Snowden’s revelations and breach of the NSA, virtually all CIOs surveyed (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates.

And as the speed of IT increases—creating and decommissioning services based on elastic needs—keys and certificates will grow by orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.

As Fast IT grows, the demand for a secure foundation increases.

Gartner predicts that by 2017, three out of four enterprise organizations will be moving to a bi-modal IT structure with two-stream/two-speed IT: one stream that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects. Yet using agile methods and introducing DevOps is an extremely high-risk and chaotic endeavour. In these new environments, security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted.

This is why businesses need the Immune System for the Internet™—Venafi. Like a human immune system, we let organizations know instantly which keys and certificates should be trusted and which shouldn’t. With trust in keys and certificates restored, the value of a business’s other security investments increases.

Get the full report at: 2016 CIO Study Results: The Threat to Our Cybersecurity Foundation. 

<![CDATA[Venafi at RSA 2016: Breaking Closed Systems with Code-Signing ]]> https://www.venafi.com/blog/post/join-venafi-at-rsa-to-learn-about-breaking-closed-systems-with-code-signing https://www.venafi.com/blog/post/join-venafi-at-rsa-to-learn-about-breaking-closed-systems-with-code-signing/#When:22:06:00Z There is an abundance of use cases in which code signing using certificates has become more critical to prove to end users that they can trust the source and the integrity of the installed code. From software distribution and updates, to mobile apps and container security (like Docker), to execution of scripts and even file distribution—they all need to have their code signed to establish trust. But with stolen or forged code-signing certificates, cybercriminals can hijack the trust granted to signed code and threaten unsuspecting businesses and consumers who will expect this code to be safe.


Not all systems are created equal. There are open systems like Mac OS and Windows, for example, that allow end users to trust unknown publishers, and closed systems that do not. One would think that the closed systems are therefore safe, but hackers break them anyway and are able to install malware. When code-signing certificates are misused to give malware code trusted status, security controls blindly trust this dangerous code, endangering consumers and businesses.

How can enterprises effectively use code-signing to establish trust and avoid attacks that misuse code-signing? At RSA, we reviewed attacks against several open (Windows, Android, Mac OS) and closed systems (iOS, automotive operating systems). We also showed the state of the industry and how organizations are going about protecting code-signing certificates from misuse.

Code signing to establish trust in the code's source and integrity

We also gave advice on how to protect your business, with some proposed steps to mitigate code-signing abuse and a proposal to the industry for how to detect and respond to code-signing misuse quickly and easily.

How do you use code signing in your organization? What use cases would you like to learn more about?

<![CDATA[Internet Hijacked: If Hacked by Government Access Using Apple Code-signing Certificates]]> https://www.venafi.com/blog/post/internet-hijacked-if-hacked-by-government-access-using-apple-code-signing https://www.venafi.com/blog/post/internet-hijacked-if-hacked-by-government-access-using-apple-code-signing/#When:20:54:00Z The FBI wants Apple to break our system of trust

A California magistrate has ordered Apple to help the FBI gain access to an iPhone that was used by one of the terrorists in the 2015 San Bernardino shooting. To achieve this, the FBI has asked Apple to create a backdoor. Apple has refused, adamantly. Of course Apple wants to support investigative efforts in this horrible crime. But what the FBI is asking has ramifications that extend far beyond this one case.

Venafi supports Apple’s decision to oppose the FBI’s order. Complying would break the system of trust used for over 20 years to secure the Internet. By requesting the use of Apple certificates, the government is essentially hijacking the internet, hacking users, and undermining decades of security advancements.

Not just access to one device—FBI request hijacks internet security

In a nutshell, the FBI has asked that Apple create a new version of its operating system that would bypass many security controls. The FBI wants Apple to sign this software with Apple’s certificate, producing what the FBI refers to as a “signed iPhone Software file” that would be trusted on any iPhone. This file would update the phone to the new operating system, which is designed to bypass the security that keeps the data on that phone confidential.

Although this has been requested to gain access to one particular device, this can’t be viewed as a mechanism to decrypt one device used by one terrorist. Once created, there is no way to ensure this software would not be used more broadly—either by the government when it decides it has other needs for this access, or by cybercriminals who will undoubtedly seek to acquire this software.

This is really about threatening the very foundation of cybersecurity on the Internet—keys and certificates. It’s about breaking the system of trust that certificates provide for all software and to the Internet! If the government gets to use Apple software authenticated with Apple code-signing certificates, it would be able to bypass the security that protects people’s personal data—contacts, financial information, health information, and so much more. Apple equates this to, “a master key, capable of opening hundreds of millions of locks.” This would let governments, and eventually cybercriminals, get control and hijack systems and data. 

It’s not just breaking encryption, it’s breaking trust

In that light, the FBI's request may set a precedent that’s not as much about breaking encryption as it is about breaking software. It's why Tim Cook responded: "The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers."

This tactic is similar to those that made the computer worm, Stuxnet, so successful. That attack used malware signed with valid certificates, which allowed the malicious software to run completely trusted.

FBI request hijacks internet security

We need to defend the foundation of cybersecurity

One of the biggest advancements that Cook refers to is the system of trust established by keys and certificates—one that is increasingly being used as an attack vector by cybercriminals. Software runs the world. And in this world, it’s the role of certificates to know what is trusted or not, friend or foe—whether using TLS or code-signing.

The breaking of the trust model of certificates is a growing threat—something cybercriminals have actively been doing since the Stuxnet blueprint. But it’s much more important than just breaking encryption on one terrorist’s smartphone. It would represent an incredible escalation in the use of certificates as weapons. Experts from Intel to industry CIOs are predicting the next big hacker marketplace to be a place where stolen certificates are sold.

I fully support the government using subpoenas and warrants to obtain access to messages, activity, and other types of data that are stored. But running blanket and broad software on a device or getting access to a key for decryption will risk everyone’s privacy and security. If Apple is forced to create this backdoor, it would continue the current trajectory of online trust violations that are getting worse by the day.

In one hopeful turn of events, the chairman of the Senate Intelligence Committee, Richard Burr, decided against a proposal to criminalize firms that reject court orders to decrypt. However, Senator Burr is still weighing whether to propose more stringent rules around access to encrypted data—but at least this would not include criminal penalties.

Governments are hacking the internet in more ways than one

This court order is just one example of how governments are hacking the internet. Another is the Chinese CNNIC certificate authority, which was implicated in an incident in Egypt involving certificates used to impersonate Google—an attempt that Google and Mozilla swiftly responded to by permanently distrusting CNNIC.

However, Apple and Microsoft, with tens of billions of dollars in revenue from the Chinese market per quarter on the line, failed to take any action for months. Apple quietly decided to keep trusting some of CNNIC’s certificates, while Microsoft took no action.

The incident was not covered widely by the media at the FBI’s request. Unfortunately, in the case of CNNIC, unlike now, Apple was neither swift nor public in its response, leaving all the appearances of prioritizing Chinese profits over the security and privacy of all iPhone, iPad, and Mac users worldwide.

It’s a welcome change to see Apple respond so quickly to the FBI’s request and hopefully they will do the same with future threats to the security and privacy of their customers.

How this impacts enterprises

So what does this mean for Global 5000 enterprises? I'd say knowing which keys and certificates you trust, and protecting those keys and certificates, becomes even more important, especially in a time when they are increasingly of interest to both governments and bad guys.

If the government gets code signed with Apple certificates on court order, it is pretty much hijacking the Internet—which is the lifeblood of your digital business. What’s next? Getting TLS keys and certificates on court order to decrypt? Internet hacked.

What do you think about the recent government actions that impact online trust? Do you agree with Apple’s refusal to comply with the court order?

<![CDATA[Venafi at RSA Conference 2016: Bringing You the Best in Internet Security]]> https://www.venafi.com/blog/post/venafi-at-rsa-conference-2016-bringing-you-the-best-in-internet-security https://www.venafi.com/blog/post/venafi-at-rsa-conference-2016-bringing-you-the-best-in-internet-security/#When:21:52:00Z We are ready to see you at RSA Conference 2016 in San Francisco. We’re bringing in the team from around the US, including our CIO/CISO Tammy Moskites, so we’re ready to talk and help you understand how you can both improve your current security efforts and strengthen your existing investment.


Here’s what we’ll be talking about:

  • If you’re building a strong global security foundation - we’ll show you how bad guys can still get in.
  • If you think your cryptographic keys and digital certificates aren’t a risk - we’ll explain why they make you vulnerable.
  • If you think you’ve got your keys and certificates under control - we’ll show you how most companies find they have more keys and certificates than they imagined and where they find them (hint: not where they thought they should be).
  • Finally, if you know you have a problem but it’s just not your priority - we’ll show you how easy it is to get started and how quickly you’ll reap the rewards and your other security investments will deliver more value.

We want to meet with you.

RSA is a noisy, exciting, busy place. We want to make sure we make your to-do list and we have several ways to do just that. Here’s how you can find us.

  • Win a $50 Amazon Gift Card: Venafi Game Show
    Are you smarter than a bad guy? Are you betting your cybersecurity?

    Every 30 minutes at Booth 1615 South Hall
    Request a meeting

  • Attend IT Security Leader Track Session - Reserve your spot
    “How Poorly Managed Keys and Certificates Impact the Trust Model”
    Wednesday March 2nd | 10:20 – 11:10 AM | Room 2005
    Stephen Jordan, SVP/Technology Area Manager, Wells Fargo & Company

  • Attend Venafi Track Session - Add to your schedule
    “Breaking Closed Systems with Code-Signing and Mitigation Techniques”
    Friday, March 4th | 9:00 AM – 9:50 AM | West | Room: 3005
    Gavin Hill, Director of Product Marketing and Threat Intelligence, Venafi

  • Join a Cybersecurity Workshop - Reserve a spot
    “How to Get More from Your Security Investment: Protect Keys and Certificates”
    • Breakfast: 9 am – 10 am
      3/1 | Marriott Marquis, Sierra C
      3/2 | Marriott Marquis, Sierra C
    • Lunch: 12:30 – 1:30 pm
      3/1 | Marriott Marquis, Pacific C
      3/2 | Marriott Marquis, Sierra C


We look forward to discussing your security issues. And if you can’t make RSA, please take a look at our website and check out our platform architecture to understand how we can help. Then contact us to set up an appointment that works for you.

See you in San Francisco! 

<![CDATA[Using Certificates to Secure the Rising Tide of Mobile Apps]]> https://www.venafi.com/blog/post/using-certificates-to-secure-mobile-apps https://www.venafi.com/blog/post/using-certificates-to-secure-mobile-apps/#When:14:00:00Z Those who have been in the IT industry for 20 years or more will have witnessed enough changes to fill the sea twice over. Each change is necessary, but some are more interesting than others. For example, the rise of mobile applications is undoubtedly one of the biggest waves of change to hit the world of business.


Who’s responsible for mobile app security?

With consumer mobile applications such as video games and social media, it is easy to spot security vulnerabilities if you are someone with a background in the field. However, mobile app developers do not naturally possess a deep knowledge of security, which can ultimately leave their applications open to risk that hasn’t even occurred to them.

Personally, I've been involved with Public Key Infrastructure (PKI) since the start of my career, when I helped develop applications for the U.S. government. As such, security has always been my first consideration. And one of the first points I sought to clarify at the dawn of mobile applications was to find out who was responsible for distributing and managing mobile security certificates. (See this Venafi blog post for a detailed look at some of these questions: Forrester Research Uncovers Gaps in Mobile Certificate Security.)

Security issues with mobile apps are on the rise

Awareness of the mobile-app-security issue has gone mainstream in the wake of recent certificate-related incidents that have captured consumers' attention. Legions of coffee drinkers deleted the Starbucks mobile app in response to hacks that parlayed Starbucks's weak security into direct access to customers' bank and credit card accounts. Similarly, the OnStar RemoteLink app's weak certificate checks enabled hackers to track, unlock, and even start GM cars remotely, which made GM drivers think hard about using the vehicle manufacturer’s mobile app. GM fixed the issue, but many of its rivals seemed to have ignored it; recently, a hacker exploited the very same certificate weakness in iOS applications for BMW, Mercedes, and Chrysler.

Problems like these show just how crucial digital keys and certificates are; indeed, they are the foundation of security for all connected devices. Yet with even the most conservative organizations developing business applications for mobile devices, keeping track of them has become difficult. As I write this, businesses continue to expose information that was previously restricted to their own networks.

To further muddy the mobile-security waters, the Bring Your Own Device (BYOD) revolution has meant that employees are accessing business information using devices that are outside of organizational control. All this has made verifying digital certificates much more difficult. Yet until these conditions change, cybercriminals will be able to misuse digital certificates and take advantage of company or employee data residing on mobile devices, simply because it's easy to do.

Certificates to Protect Mobile App Use

Digital certificates must be secured to keep your mobile apps safe

To prevent this misuse by cybercriminals, mobile app developers must be able to secure and protect their cryptographic keys and digital certificates. Venafi has security tools available today that allow developers to discover and control certificates on mobile devices.

Just as the human immune system patrols the body to identify pathogens and anomalies, Venafi, the Immune System for the Internet®, patrols mobile devices on your network to identify certificate anomalies and risks, and to rapidly revoke problem certificates. Venafi also integrates with most mobile device management (MDM) solutions to help enforce business-established policies, which can keep you afloat on a sea of regulations and security requirements.

How does your enterprise use certificates to secure its mobile apps? What do you see as the biggest security challenges to enterprise apps and mobile device usage?

<![CDATA[Unplanned Outages Are Painful: The Unsexy Security Story that Everyone Should Care About…]]> https://www.venafi.com/blog/post/unplanned-outages-are-painful https://www.venafi.com/blog/post/unplanned-outages-are-painful/#When:15:00:00Z Say it with me—UNPLANNED OUTAGES ARE PAINFUL! 

Of course, we all know this. The question is, do we all know why they happen and how to prevent them? Most likely not. Outages, also referred to as downtime, are typically thought of as the most important security story that no one wants to talk about. So today, we are going to discuss why it doesn’t matter how sexy APTs, threat intelligence, and other trendy security topics might be; if you don’t start paying attention to outages, they could destroy your brand and cost your company millions.

There are seven main causes of unplanned outages that IT security teams should keep top-of-mind:

  1. Expired Keys and Certificates: Keys and certificates keep your website running and allow a secure connection to your system/network. When they expire, this is usually a result of human error and can leave your network extremely vulnerable to outages.
  2. Software Bugs: Software bugs occur when there is an error, flaw, failure or fault in a computer program or system that causes the program or system to produce an incorrect or unexpected result.
  3. Equipment Failure: Equipment is often unable to perform its requested function due to it being outdated or overused and this is a common cause of unplanned outages.
  4. High Bit Error Rates: This occurs when the number of bit errors per unit time is too high for the system/network to perform correctly.
  5. Power Failure: Many of the highly publicized network outages (See 2013 Super Bowl) are due to a system/network losing electrical power.
  6. Overload Due to Exceeding the Channel Capacity: This is when a system/network is not set up to support as much traffic as it is receiving.
  7. Cascading Failure: This is a failure in a system of interconnected parts in which the failure of one part can trigger the failure of successive parts.

Now, let’s take a deeper look at expired keys and certificates, since it is the reason behind most major service interruptions and an issue that can be easily fixed.

Digital certificates provide a crucial security function by binding public keys to an identity so they can be used for cryptographic purposes, including digital signatures and encryption. The Certificate Authorities (CAs) that issue these certificates also determine how long they will be valid—weeks, months, or years—before they will need to be replaced or updated. As shown in a survey conducted by TechValidate on behalf of Venafi, most organizations (56%) used manual methods to manage their keys and certificates before turning to Venafi (Source: TechValidate. TVID: 739-CC2-CFC).

According to research by the Ponemon Institute, in the average enterprise, the total number of keys and certificates is over 23,000—so when using manual methods, it’s virtually impossible to know where all of your keys and certificates are located, how to secure and keep track of them, or know exactly when they will expire. In fact, the TechValidate survey discovered that, on average, Venafi customers found over 16,500 previously unknown keys and certificates after deploying Venafi (Source: TechValidate. TVID: 363-53E-598). With this lack of visibility, no wonder organizations are experiencing outages!
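An added example, not Venafi's code nor part of this post, of the visibility check that manual tracking cannot deliver: it builds three constructed self-signed certificates (the hostnames are made up), parses the resulting PEM bundle the way a discovery tool would, and reports which certificates have already expired or expire within a warning window, soonest first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding is one row of the expiry report.
type Finding struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative when already expired
	Expired  bool // true once NotAfter is not after "now"
}

// constructedCert builds a self-signed certificate whose NotAfter lies
// validDays after now (negative values produce an already-expired cert).
// It stands in for certificates found on hosts during discovery.
func constructedCert(cn string, validDays int, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		// NotBefore is set well in the past so that NotAfter is always later.
		NotBefore: now.Add(-366 * 24 * time.Hour),
		NotAfter:  now.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedBundle concatenates three constructed certificates: one
// expiring soon, one healthy, and one that has already expired.
func ConstructedBundle(now time.Time) ([]byte, error) {
	var bundle []byte
	for _, c := range []struct {
		cn   string
		days int
	}{
		{"web01.example.test", 10},
		{"vpn.example.test", 365},
		{"legacy.example.test", -2},
	} {
		p, err := constructedCert(c.cn, c.days, now)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

// ExpiringWithin parses every CERTIFICATE block in pemData and returns the
// ones that are expired or expire within warnDays of now, soonest first.
func ExpiringWithin(pemData []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM content in the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
		if daysLeft <= warnDays {
			out = append(out, Finding{
				Subject:  cert.Subject.CommonName,
				NotAfter: cert.NotAfter,
				DaysLeft: daysLeft,
				Expired:  !cert.NotAfter.After(now),
			})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	bundle, err := ConstructedBundle(now)
	if err != nil {
		panic(err)
	}
	findings, err := ExpiringWithin(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		state := "expires in"
		if f.Expired {
			state = "EXPIRED   "
		}
		fmt.Printf("%-22s %s %4d days (notAfter %s)\n", f.Subject, state, f.DaysLeft, f.NotAfter.Format(time.RFC3339))
	}
}
```

Feeding the output of a real discovery pass (PEM files collected from hosts) into ExpiringWithin gives the renewal queue that the manual spreadsheet approach described above cannot keep current.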

Last Fall, Venafi partnered with the Ponemon Institute to release survey results from 2,394 respondents in Global 5000 organizations, which noted that businesses are losing millions due to expired certificates and unplanned outages. To be more exact, $15 million is the average lost per outage! In the survey, the majority of the businesses even admitted to losing customers over the last two years because they failed to secure the trust established by keys and certificates.

Certificate-related Outages Cost $15 Million per Outage

Unfortunately, hackers are very aware of the vulnerabilities they can exploit with unsecured keys and certificates, and they take full advantage of them through website spoofing, server impersonation, and Man-in-the-Middle (MITM) attacks.

Knowing that e-commerce, computing, and mobility are all affected by outages, it turns what was once the unsexy story into one that all enterprises need to pay attention to in order to run their businesses smoothly and securely, and avoid becoming the next news headline.

What are you doing to prevent outages at your business while still ensuring strong security practices? I’d love to hear your recommendations and best practices.


<![CDATA[Ted Koppel Predicts “Lights Out” in U.S. While Ukraine Power Grid Goes Down]]> https://www.venafi.com/blog/post/ted-koppel-predicts-lights-out https://www.venafi.com/blog/post/ted-koppel-predicts-lights-out/#When:16:57:00Z On December 23, 2015, the power grid in the Ukraine was hit with a cyberattack. The outage left a large region of Ivano-Frankivsk without power as a substation went down. They were able to get back online manually as they continue to search for the culprits.

According to a report posted on Ars Technica, this attack included the use of unsecured Secure Shell (SSH) keys, which gave the hackers permanent root access to infected computers.

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by "BlackEnergy," a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

The threat is real; the answer is to start taking precautions immediately.

While the Ukraine was first, it’s a harbinger of the danger lurking in all our power grids – and that’s the warning coming from Ted Koppel in his new book, “Lights Out.” He predicts there will be a power grid breach in the next two years that could last anywhere from two months to two years based on the severity of the attack.

In his video about his book, he says, an attack will “plunge tens of millions of people into darkness for weeks or even months with no electric light or heat or refrigeration, no running water, no waste disposal.” His conclusions are based on a year and a half researching the topic with the best experts in and out of government. He adds, “The Internet can be used as a weapon of mass destruction and our electric power grids are a target – that’s a fact.”

Mr. Koppel spoke with the Venafi team at our annual company meeting last week, sharing his sense of urgency and concern about what might happen if the power grid goes down because of a malicious attack. Needless to say, he met with an enthusiastic audience hungry to do our best to keep the internet safe. 


Ted Koppel Joins Venafi CEO Jeff Hudson

Venafi is committed to preventing Internet-based attacks.

At the office, we talk about keys and certificates all of the time. Our focus comes from our singular mission to protect our customers from the bad guys. We know keys and certificates can be used to encrypt malicious traffic or hide malware, creating pathways for cybercriminals to vital services (like power grids) and critical business information.

At one point, Mr. Koppel asked people in the room to raise their hands if they believed a cyberattack was imminent. About half the room raised their hands. “What about the rest of you,” Mr. Koppel asked.

“Those are the people who are already convinced we can prevent it from happening by getting all of our power companies online with Venafi,” Jeff Hudson, Venafi CEO replied. Based on the energy and dedication in the room, that’s a good bet.

Manage the threat while defeating the attackers.

While the experts debate the consequences of an attack, they agree there is a threat. In an article on CSOonline, “Carl Wright, general manager of TrapX Security, puts it like this, ‘Power plants and our energy grid remain high-risk targets. It is imperative that we find new and innovative ways to detect adversaries early, mitigate the effects and then defeat them.’”

We can help you start defeating the attackers today. By securing your digital keys and certificates, we can restore trust to your networks. We help you safely increase encryption. From preventing outages based on expired or mismanaged keys and certificates to giving you visibility throughout your network, we are your Immune System for the Internet – learning, adapting, and protecting your data and systems.

Note: There’s an earlier book that came out in Germany that speaks to the situation in Europe. Take a look at Blackout by Marc Elsberg.

Internet of Things: The Dangers of Blindly Trusting Keys and Certificates
https://www.venafi.com/blog/post/internet-of-things-the-dangers-of-blindly-trusting-keys-and-certificates

Originally published as Rise of the Robots: How our love affair with automation could spell the end in Computer Business Review on January 13, 2016.

There's an old adage which began its life back in the 1990s - and was perfectly illustrated in a New Yorker cartoon - which says: "on the internet no-one knows you're a dog." It neatly summarizes a core cyber security problem that we still face to this day: how do we know who to trust online? For the last twenty years we have taken the same approach to this problem by using cryptographic keys and digital certificates to establish trust.

By and large the system worked: ecommerce boomed and the economy and society as we know it was transformed, all thanks to a little website padlock here and there. Worryingly though, over the past five years, we are seeing cracks in the very foundation of the internet begin to emerge.

As we hurtle towards a future powered by the Internet of Things (IoT), with automated machines playing an ever-greater role in our day-to-day lives, these cracks will split into chasms that threaten our modern world. Could internet-enabled life as we know it soon be coming to a crashing halt? How can we stop the sinkholes from emerging?

The Internet of Things and the dangers of automation
Robot photo by Humanrobo, significant changes to the original image were made. CC BY-SA 3.0

The problem with trust
Cryptographic keys and digital certificates tell us whether an entity is what it says it is. We use them to authenticate web servers, code on devices, apps, and even for enterprise VPN access. It all comes back to that binary decision that machines have to make - is this thing part of "self", trusted and safe; or not trusted, and therefore dangerous - which certificates and keys provide. It's the foundation of cyber security and the whole global economy and it's built on sand.

Over the past five years, hackers have caught on to the potentially lucrative opportunity that keys and certificates offer. We have all seen the scene in a movie where the bad guy dresses up as a painter to gain access to a building, or steals someone's swipe card; this is what is happening in the cyberworld too. Bad guys are trading keys and certificates on the dark web and using them to crack into company systems - just look at Sony, Careto, the Snowden revelations and Flame or Stuxnet. They all involved stolen or misused keys and certificates.

Read the rest of the article on Computer Business Review.

Venafi Analysis of Snowden NSA Breach Confirmed – 2 Years Later
https://www.venafi.com/blog/post/venafi-analysis-of-the-snowden-nsa-breach-confirmed

It's been more than two years since Venafi publicly announced our analysis that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. The Venafi team suspected this modus operandi shortly after news of the breach broke, based on kill-chain and other analysis. A leaked NSA memo has since confirmed it.


In November 2013, the Venafi team published two primary pieces of analysis that made a compelling case: "Infographic: How Snowden Breached the NSA" and "Deciphering How Snowden Breached the NSA."

Many were skeptical that keys and certificates (the very foundation of Internet trust and security) could be misused, especially at the NSA. Others, though, came to the same conclusion as Venafi, and our analysis was ultimately published in USA Today.

Before we published our findings, we asked industry experts to vet them. And when we published them, we called on the NSA and Snowden to correct us if we were wrong. We still haven't received a reply from either party. Three months after Venafi published our analysis, validation came in the form of a leaked memo from the NSA to the U.S. House Judiciary Committee. The memo states that, using social engineering, Snowden gained access to a colleague’s digital certificate, which provided highly privileged access to NSANet and classified documents, and misused it; by implication, he continued to misuse it. We don't know how many others he may have practiced this social engineering on and, because keys and certificates are so infrequently changed and revoked, he likely had access for an extended period. Venafi is aware of APTs that have misused keys and certificates for up to 7 years because keys were not replaced.

how Snowden breached the NSA

In looking back over more than two years and reviewing the confirmation of Venafi’s analysis, we’re not looking to gloat. Instead, we want to remind the cybersecurity community that Snowden's successful exploit is but a symptom of a disease that began undermining the Internet's foundation of trust years earlier. It is a chronic problem in which keys and certificates have become the ultimate cyberweapon for gaining trusted status and stealing data. The consequences will only get worse with the rise of DevOps and IoT. One certainty, for example, is that IoT ransomware will become a reality: keys behind networks of things will be compromised and used to take over and control devices until money is paid.

The disease continues to spread, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds, containers, and more—from SSL/TLS to SSH, VPN, WiFi, and mobile. (Yes, even the misuse of VPN certificates is on the rise.)

Venafi, the Immune System for the Internet™, can patrol your system, much like the human immune system, and identify all keys and certificates as either part of the system or dangerous anomalies that need to be fixed. Venafi then automates the secure lifecycle of keys and certificates, keeping our customers healthy, reducing risk, and bringing new levels of agility and speed.

It's worth noting that many experts in the security industry have come to recognize the threat misused keys and certificates pose to the Internet's security foundation. It isn't that we should stop using them. Even Snowden freely admits that properly implemented keys and certificates offer ironclad security. "Encryption works," Snowden has said. "Properly implemented strong crypto systems are one of the few things that you can rely on." He should know. Snowden used NSA’s own, unprotected keys and certificates against them to sneak classified information out of NSANet.

And we now have more guidance and recommendations on how to use keys and certificates than we did before. For example, the National Institute of Standards and Technology (NIST) recently published a paper on securing SSH keys, Security of Interactive and Automated Access Management using Secure Shell (SSH) (NIST IR 7966). SANS has made it clear that organizations need to know everything about every key and certificate that resides in their networks and protect them, automating as many processes as possible. And large organizations like Google have made it standard to reduce key and certificate lifetimes, now down to 3 months for public-facing keys and certificates, to reduce the impact of a possible compromise and resulting misuse.
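
The SSH part of that guidance can be checked mechanically. The Go program below is an added example, not Venafi's code and not part of the original post: it parses an authorized_keys file, decodes each key blob to learn its type and RSA modulus size, and flags keys that lack a from= source restriction or, for automation keys, a forced command. It is the same inventory question the backdoored SSH utility in the Ukrainian grid attack raises: which keys grant access to this host, and what is each allowed to do. The sample file, the convention that a comment containing "automation" or "deploy" marks an automation key, and the fake moduli (2^(bits-1)+1, the right size but not real keys) are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// entryRE splits a line into options, key type, base64 blob and comment; anchoring on the key type keeps a quoted option such as command="rsync --server" in one field.
var entryRE = regexp.MustCompile(`^(?:(\S.*?)\s+)?(ssh-[A-Za-z0-9-]+|ecdsa-sha2-[A-Za-z0-9-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$`)

// KeyBits decodes a blob (SSH wire-format strings: uint32 length, then bytes) and returns the key type and, for ssh-rsa, the modulus size in bits (0 otherwise).
func KeyBits(b64 string) (typ string, bits int, err error) {
	buf, err := base64.StdEncoding.DecodeString(b64)
	next := func() []byte {
		if err != nil || len(buf) < 4 || 4+int(binary.BigEndian.Uint32(buf)) > len(buf) {
			err = fmt.Errorf("truncated or undecodable key blob")
			return nil
		}
		n := 4 + int(binary.BigEndian.Uint32(buf))
		s := buf[4:n]
		buf = buf[n:]
		return s
	}
	if typ = string(next()); typ != "ssh-rsa" {
		return typ, 0, err
	}
	next() // public exponent e, not needed for the size check
	return typ, new(big.Int).SetBytes(next()).BitLen(), err // modulus n, an mpint
}

// Audit applies the controls NIST IR 7966 calls for: no weak keys, a from= source restriction on every key,
// and a forced command= on automation keys (a comment mentioning "automation" or "deploy" marks one here; this example's convention).
func Audit(content string) map[int][]string {
	findings := map[int][]string{}
	for i, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		m := entryRE.FindStringSubmatch(line)
		if m == nil {
			findings[i+1] = []string{"malformed entry"}
			continue
		}
		opts, comment := m[1], strings.ToLower(m[4])
		typ, bits, err := KeyBits(m[3])
		var issues []string
		switch {
		case err != nil:
			issues = append(issues, "undecodable key blob: "+err.Error())
		case typ == "ssh-rsa" && bits < 2048:
			issues = append(issues, fmt.Sprintf("RSA modulus is %d bits, below 2048", bits))
		}
		if !strings.Contains(opts, "from=") {
			issues = append(issues, "no from= source restriction")
		}
		if (strings.Contains(comment, "automation") || strings.Contains(comment, "deploy")) && !strings.Contains(opts, "command=") {
			issues = append(issues, "automation key without a forced command=")
		}
		if len(issues) > 0 {
			findings[i+1] = issues
		}
	}
	return findings
}

// FakeRSABlob builds an ssh-rsa blob with e=65537 and n=2^(bits-1)+1 for the constructed sample: not a usable key, but the modulus has exactly the requested bit length.
func FakeRSABlob(bits int) string {
	str := func(b []byte) []byte { // SSH string: uint32 big-endian length, then the bytes
		out := make([]byte, 4, 4+len(b))
		binary.BigEndian.PutUint32(out, uint32(len(b)))
		return append(out, b...)
	}
	mpint := func(n *big.Int) []byte { // keeps a leading zero byte only when the high bit is set
		b := append([]byte{0}, n.Bytes()...)
		return str(b[1-int(b[1]>>7):])
	}
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	raw := append(str([]byte("ssh-rsa")), mpint(big.NewInt(65537))...)
	raw = append(raw, mpint(n.Add(n, big.NewInt(1)))...)
	return base64.StdEncoding.EncodeToString(raw)
}

// SampleAuthorizedKeys is constructed for this example, not taken from any real host.
func SampleAuthorizedKeys() string {
	return strings.Join([]string{
		"# constructed sample",
		`from="10.20.0.0/16",command="/usr/bin/rsync --server" ssh-rsa ` + FakeRSABlob(2048) + " backup-automation",
		"ssh-rsa " + FakeRSABlob(1024) + " legacy-deploy@build01",
		"ssh-rsa " + FakeRSABlob(4096) + " bob@laptop",
	}, "\n")
}

func main() {
	fmt.Println(Audit(SampleAuthorizedKeys()))
}
```

Run it against a real file with Audit(string(data)) after reading the file. The 2048-bit threshold and the from=/command= rules are policy choices; NIST IR 7966 also asks for rotation and a named owner for every key, which needs data an authorized_keys file does not carry.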

What are your thoughts about the NSA breach, now over two years later? How are we doing securing keys and certificates in our organizations? How can we get better?

2015 Retrospective Part 2: Venafi Was Painfully Accurate When We Predicted More Attacks on Trust
https://www.venafi.com/blog/post/2015-retrospective-part-2-venafi-accurate-when-we-predicted-more-attacks

We correctly called 6 of the 8 predictions we made for 2015, which isn't bad (see our 2015 Retrospective Part 1). But we were absolutely 100% accurate on our overall prediction that attacks impacting the foundation of online trust—cryptographic keys and digital certificates—would increase. Looking back through 2015, Venafi Labs captured data on a steady stream of cyberattacks involving the misuse of keys and certificates, threatening the underlying foundation of trust for everything that is IP-based.


The attacks in 2015 show a continued increase in the misuse of keys and certificates. They also show how keys and certificates have become interwoven into many aspects of our business and personal lives. From airline Internet services to laptop software to government certificate authorities (CAs) to apps for your car or your fridge to Google and banking sites, keys and certificates secure all our online transactions.

Why is this important? If organizations cannot safeguard the use of keys and certificates for communication, authentication, and authorization, the resulting loss of trust will cost them their customers and potentially their business.

2015 Attack Timeline

Here is a sample of some notable security incidents the Venafi Labs threat research team followed:

  • Gogo Dished Up Man-in-the-Middle (MITM) Attacks
    To kick off the year, a Google Chrome engineer discovered that Gogo Inflight Internet service was issuing fake Google certificates. Gogo claimed it was trying to prevent online video streaming, but this practice ultimately exposed Gogo users to MITM attacks.
  • Lenovo Pre-installed Superfish Malware on Laptop
    The Superfish adware that Lenovo had pre-installed on consumer laptops added its own root certificate to the Windows trust store, with the same private key on every affected machine, so that anyone who extracted that key could mount MITM attacks against those PCs.
  • CNNIC Got Banned by Google and Mozilla
    Google found unauthorized digital certificates for several of its domains that had been issued under CNNIC, China’s main government-run CA (by an intermediate CA, MCS Holdings, that CNNIC had signed), making CNNIC certificates untrustworthy. Google, quickly followed by Mozilla, stopped trusting certificates issued under CNNIC’s root. In a 2015 Black Hat survey, Venafi found that IT security professionals understand the risks associated with untrusted certificates, such as those issued by CNNIC, but do nothing about them.
  • St. Louis Federal Reserve Bank Was Breached
    The US bank discovered that hackers had compromised its domain name registrar, which allowed them to redirect users of the bank's online research services to fake websites the hackers had set up.
  • New SSL/TLS Vulnerability Logjam Exposed Crypto Weaknesses
    Logjam exposed a problem with the Diffie-Hellman key exchange, which protocols such as HTTPS, SSH, IPsec and others use to negotiate a shared key and create a secure connection. Identified by university researchers, the Logjam flaw allowed a MITM attacker to downgrade vulnerable TLS connections to export-grade 512-bit Diffie-Hellman groups, which are breakable; the fix is to disable export cipher suites and use 2048-bit or larger groups.
  • GM’s OnStar and Other Car Apps Were Hacked
    A GM OnStar hack that locks, unlocks, starts, and stops GM cars was made possible because the GM application did not properly validate the server’s certificate. By planting a cheap, homemade WiFi hotspot device somewhere on the car’s body to capture commands sent from the user’s smartphone to the car, hackers could break into the car’s vulnerable system, take full control, and behave as the driver indefinitely. Similar weaknesses allowed hacks in iOS applications for BMW, Mercedes, and Chrysler.
  • Major CAs Issued Valid Certificates to Phishing Websites
    Netcraft research found fake banking websites using domain-validated SSL certificates that Symantec, Comodo and GoDaddy had issued to the phishers; the certificates were genuine, only the sites were fake.
  • Samsung’s Smart Fridge Was Hackable through Gmail
    A security flaw in Samsung’s IoT smart refrigerators allowed hackers to steal Gmail credentials through MITM attacks because the fridge did not validate SSL certificates.
  • Symantec Fired Employees for Issuing HTTPS Certificates for Fake Google Sites
    Several Symantec employees were fired for issuing unauthorized certificates that made it possible to fake HTTPS Google sites. The certificates were found by Google’s Certificate Transparency project.
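
Three of the incidents above (OnStar, the Samsung fridge, CNNIC) turn on one decision a client makes about the certificate a server presents. The Go program below is an added example, not part of Venafi's post or of any product it mentions: it builds two roots and three leaf certificates in memory and runs the verification the vulnerable apps skipped against six cases, including a root removed from the trust store, as Google and Mozilla did with CNNIC. The CA names, the hostname api.example.test and all keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key, signs tmpl with parent (with itself when parent is nil) and returns the
// parsed certificate plus the key. It panics on failure: in memory, only a broken random source can fail here.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // example only; real CAs use large random serials
	if parent == nil {
		parent, signer = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// NewRoot makes a self-signed CA for the example; it stands in for a public root such as CNNIC's.
func NewRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert issues a 90-day leaf for host. With ca == nil the leaf is self-signed, which
// is what a MITM box or a careless vendor presents.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, now time.Time) *x509.Certificate {
	cert, _ := newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.AddDate(0, 0, 90),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// VerifyPeer is the check the car and fridge apps skipped: the chain must end at a root we
// chose, the name must match, and the validity window must contain now.
func VerifyPeer(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	if roots == nil { // a nil pool means "whatever the OS trusts", which is not a decision
		return fmt.Errorf("refusing to verify %s without an explicit trust store", host)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios replays the 2015 cases above; true means the client would accept the peer.
func Scenarios() map[string]bool {
	now := time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC)
	host := "api.example.test"
	goodRoot, goodKey := NewRoot("Example Trusted Root", now)
	badRoot, badKey := NewRoot("Example Distrusted Root", now)
	legit := IssueServerCert(goodRoot, goodKey, host, now)
	selfSigned := IssueServerCert(nil, nil, host, now)
	misissued := IssueServerCert(badRoot, badKey, host, now)
	trusted, lax := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(goodRoot)
	lax.AddCert(goodRoot)
	lax.AddCert(badRoot)
	return map[string]bool{
		"legitimate cert, trusted root":      VerifyPeer(legit, trusted, host, now) == nil,
		"self-signed cert (MITM)":            VerifyPeer(selfSigned, trusted, host, now) == nil,
		"legitimate cert, wrong hostname":    VerifyPeer(legit, trusted, "mail.example.test", now) == nil,
		"misissued cert, root still trusted": VerifyPeer(misissued, lax, host, now) == nil,
		"misissued cert, root removed":       VerifyPeer(misissued, trusted, host, now) == nil,
		"legitimate cert after expiry":       VerifyPeer(legit, trusted, host, now.AddDate(0, 0, 91)) == nil,
	}
}

func main() {
	fmt.Println(Scenarios())
}
```

The nil-pool guard matters in Go specifically: a nil Roots field means "use the system store", so an application that meant to pin a private CA but never built the pool silently accepts anything the operating system trusts. The last case is the outage side of the same control: a client that checks validity dates will reject an expired certificate exactly as it rejects a forged one.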

This list of attacks that leveraged stolen, compromised, and/or unprotected cryptographic keys and digital certificates in 2015 highlights a wide range of potential impacts from attacks on trust, but is by no means a comprehensive list. In truth, many of these attacks go on undetected: cybercriminals use keys and certificates to bypass security controls and hide their actions.

Businesses need to understand that key and certificate management is not just an operations issue—it is critical to securing their networks, data, and trust relationships with customers and partners. The problem is compounded given that most Global 5000 organizations blindly trust the keys and certificates deployed on their networks and use security controls designed to trust these encryption components. There is an evil force out there in the cyber realm, lurking in the shadows that no one sees—until it’s too late. Without the ability to tell friend vs. foe, good vs. bad in the digital realm, our global economy is in a perilous situation.

And we think the misuse of keys and certificates will grow. Check out our predictions for 2016 to see how we think attacks on online trust will evolve in the upcoming year.

Want to find out your organization’s risk level from unprotected keys and certificates? Venafi can help. Contact us and we’ll set up an assessment for your business.

New Data Confirms Venafi Analysis that Secretary Clinton’s Email Server Did Not Use Encryption
https://www.venafi.com/blog/post/new-data-confirms-venafi-analysis-on-clinton-email-server

Newly released emails corroborate the forensic analysis conducted by Venafi TrustNet certificate reputation service which concluded that Secretary of State Hillary Clinton did not use encryption on her email server at the beginning of her term.

Earlier this year, Venafi TrustNet, a digital certificate reputation service, identified that the email server operated for Secretary Clinton and mail.clintonemail.com appeared not to use encryption for the first 3 months of operation—leaving her email and server potentially open to hackers. During this vulnerable period without encryption, Secretary Clinton travelled to China, Egypt, Israel, South Korea, and other locations outside of the U.S. This analysis was made possible by using Venafi TrustNet—the first certificate reputation service and a database of certificates going back over 10 years.

Venafi TrustNet identified the first digital certificate issued for the server was on 29 March 2009, while Secretary Clinton was sworn in to office on 22 January 2009 and the clintonemail.com domain was registered on 13 January 2009. If the server did not use encryption, access using browsers, smartphones, and computers could have been compromised with man-in-the-middle (MITM) attacks, allowing communications to be monitored. These attacks could have allowed emails or login credentials to be captured, leading to further long-term access to Secretary Clinton’s email and calendar by adversaries.


First clintonemail.com digital certificate obtained in 2009 from Network Solutions

But over the past few months, one question continued to linger for the Venafi research team and others in the security community: Did Secretary Clinton actually use the email server during the time a digital certificate was not in use and encryption was not enabled?

With the public release of additional clintonemail.com messages, Venafi now believes it can definitively answer this question: Yes, Secretary Clinton did use the clintonemail.com server to send and receive messages while the server did not have a digital certificate installed and was not using encryption.

Email Server Use Timeline

  • Wednesday, 18 March 2009—the date of the earliest message publicly released that was sent to Secretary Clinton at clintonemail.com. 
  • Saturday, 21 March 2009—the earliest date that publicly-available email messages show the Secretary using the email address, hdr22@clintonemail.com, to send messages
  • Sunday, 29 March 2009—the date the first digital certificate for mail.clintonemail.com was acquired by Justin Cooper.

The first publicly-known email to be sent by Secretary Clinton using clintonemail.com is on Saturday, 21 March 2009.

Venafi cannot confirm whether earlier emails exist or will be made publicly available. Venafi therefore concludes that, for at least 11 days while in use, the server did not use encryption for access by browsers, smartphones, and computers. The email sent to Secretary Clinton on 18 March is from someone outside of the State Department, which may indicate the email address was in use and publicly known before 18 March; only the public release of further emails by the State Department can confirm this. After 29 March and until the server was taken offline in 2015, the server did operate with a valid digital certificate and did use encryption for browser, smartphone, and computer access.

Venafi also identified that the mail.clintonemail.com server was operating Microsoft’s Outlook Web Access (OWA) in March 2015, meaning that access was possible not just with a smartphone or desktop application like Outlook, but using any web browser. While OWA is installed by default with Microsoft Exchange and the server was hosting the application with Microsoft IIS 7 (released by Microsoft in February 2008), Venafi cannot confirm when web browser access with Outlook Web Access was first enabled.

Outlook Web Access in use and accessible from any browser for mail.clintonemail.com in March 2015 (first date of use cannot be confirmed by Venafi).

The following digital certificate forensic analysis was documented by Venafi in March 2015 to understand when encryption was used on mail.clintonemail.com. Get the full analysis.

Digital Certificate Forensics Timeline for clintonemail.com

What are your thoughts about Secretary Clinton’s use of her email server before encryption was enabled?

Top 6 Venafi 2016 Cybersecurity Predictions: More Encryption Equates to More Attacks on Trust
https://www.venafi.com/blog/post/top-6-venafi-cybersecurity-predictions-for-2016

What are the Venafi cybersecurity predictions for 2016? First we must take a quick look at where 2015 has brought us—there were increases in both the use of encryption and in attacks on cryptographic keys and digital certificates. In 2016, we expect both of these trends to continue. What does this mean for businesses? To maintain online trust and customer confidence, keys and certificates must be safeguarded so they can be relied upon as the foundation of online trust, used for secure communications, authentication, and authorization.

In 2015, encrypted traffic became mainstream. “HTTPS Everywhere” was a predominant theme, as enterprises came to realize that encrypted communications can no longer be optional, they must be the norm. The U.S. government also mandated the use of HTTPS for all publicly-accessible web services by the end of 2016 to ensure the authenticity and privacy of federal websites.

As the use of encryption increased, so did the attacks that misuse cryptographic keys and digital certificates, impacting everything from airline Internet services to laptop software to government certificate authorities (CAs) to apps for your car or your fridge to Google and banking sites and more (keep an eye out for our 2015 attack summary blog post coming soon).

The reality is that with more encryption comes more opportunities for the bad guys to use keys and certificates in their attacks. According to 2015 Ponemon Institute research, the average number of keys and certificates increased by 34% since 2013 to over 23,000 per enterprise. And every organization surveyed (100%) has been attacked using compromised keys and certificates for the last 4 years running. The likelihood that in 2016 most enterprises and government agencies will fall victim to an attack on trust—one that impacts cryptographic keys and digital certificates—is very high.

6 cybersecurity predictions for 2016

We can predict with strong confidence several new threats and trends for 2016:

  1. With more use of encryption in 2016, we'll see more misuse of the trust provided by keys and certificates.
    Ironically, Edward Snowden called for more encryption two years ago, and now the U.S. government has mandated the use of HTTPS for all publicly-accessible web services by the end of 2016. We expect the private sector to strive towards HTTPS everywhere as well. Yet, as a result, bad guys will use HTTPS to disguise their efforts and either forge or compromise certificates to mount effective attacks.

    Business impact: Implementing more HTTPS can create significant security gaps and operations nightmares if implemented incorrectly. Enterprises and government agencies will need SSL/TLS inspection to detect threats hidden in encrypted traffic and key and certificate lifecycle management to enforce policies and workflows and prevent outages. Organizations must also be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks. If not detected, they will damage online trust and reduce customer confidence.
  2. IoT ransomware will become one of the cybercriminal’s attack vectors of choice.
    Billions of Internet of Things (IoT) devices are coming online—20 billion by 2020 according to Gartner—and they rely upon keys and certificates for authentication and privacy. But if not protected, these keys and certificates can be compromised and IoT devices hijacked, allowing cybercriminals to demand a ransom before returning control. This risk was made real when security researchers demonstrated during Black Hat 2015 that the GM Onstar system could be hacked, and this was followed by news of similar vulnerabilities in other car apps. Similarly, we saw vulnerabilities involving certificates with Samsung’s smart refrigerators.

    Using a MITM attack, cybercriminals can easily intercept traffic between the IoT device and mother ship (enterprise network), telling the IoT device to perform a malicious action (for instance, apply brakes on a car, change plane altitude, keep a coolant valve open on a power plant, apply too much morphine to a patient, etc.). Cybercriminals can also send firmware updates to brick a device or pwn the device via a malicious update.

    Business impact: Cybercriminals will take full advantage of the connected IoT world and use hijacked IoT devices to take control over entire networks for financial and other nefarious gains, using mobile devices, smart home networks, and larger connected things in the enterprise.

    These threats will necessitate stronger key and certificate security and careful use of keys and certificates in business apps to protect their customer use of these apps. As these risks become better known, businesses will start to be held accountable for damage done through their apps.
  3. Code-signing services for malicious code will become the norm.
    Signing malware code with certificates can help the malware appear trustworthy and increase the chances of fooling its victims. The IBM Security X-Force has been tracking malware code-signing-certificates-as-a-service on the underground. There are even malware tools that bundle in code-signing certificates.

    Intel Security has tracked close to 20 million unique pieces of malicious code signed and enabled by certificates. Digital certificates used by malware are also being tracked by the Common Computing Security Standards (CCSS) Forum. Overall, signed malware has grown by 50% per quarter and we expect this to continue to increase.

    Business impact: Enterprises and government agencies can no longer rely solely on security controls that are designed to blindly trust keys and certificates. They must be able to determine whether to trust a certificate and be able to block or fix a certificate when needed. Organizations also need to safeguard the integrity of their own code-signing practices to protect their certificates and their brand and ensure that customers continue to have faith in the veracity of the software they offer.
  4. The Certificate Authority (CA) model will be broken and the value of certificates will be chipped away, resulting in diminished online trust.
    More free certificates will be issued through services like “Let’s Encrypt” while CAs will continue to lose credibility as their certificates are spoofed by cybercriminals and as they issue legitimate certificates for fake websites (see Netcraft’s recent research that found fake banking websites using domain-validated SSL certificates issued by Symantec, Cloudflare, Comodo, and GoDaddy).

    Business impact: The value of a certificate will not be in its issuance cost, but will be based on the value and reputation of the issuing CA and in the certificate’s purpose. To maintain that value, organizations must limit issuance of certificates to credible CAs and ensure the integrity and security of their certificates.
  5. CAs will be ranked across the user community, also adding to the lack of trust.
    User communities as well as major browsers will start ranking CAs. For example, Google and Mozilla no longer acknowledge the China Internet Network Information Center (CNNIC) CA as a trusted root in their browsers, yet Apple and Microsoft still do. However, based on a Venafi survey conducted at BlackHat USA 2015, 24% of respondents said they removed CNNIC from their browsers as a trusted root, showing that user communities are starting to rank CAs themselves. And with research, such as that by Netcraft revealing that multiple CAs are issuing domain-validated SSL certificates for phishing sites, there will be ample reason for user communities to flag certain CAs as untrusted.

    Business impact: Businesses will need to follow suit and no longer blindly trust CAs or certificates, but instead look to their reputation. With tools like certificate reputation, whitelisting, and blacklisting, businesses can use the guidance from user communities, the major browsers, and new reputation services to better protect their organizations.
  6. Large security vendors will lose customers, revenue, and overall credibility because they cannot see attackers lurking in encrypted traffic.
    More encryption will once again grow the attack surface and leave our adversaries with more opportunities to attack by hiding in encrypted traffic.  Most enterprises won’t be able to detect APT-like attacks and those that can detect these threats will often not remediate fully by replacing and revoking compromised keys and certificates, leaving them exposed to ongoing or future attacks.

    Business impact: Enterprises will need to deploy security solutions that can decrypt and inspect traffic, both inbound and outbound, in real time. Without these capabilities they will suffer attacks that hide in encrypted traffic, have their networks and data compromised, and ultimately lose customers and revenue. Large security vendors that do not offer the ability to inspect encrypted traffic will decrease in value to their customers.
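
Predictions 3 and 5 come down to the same control: a cryptographically valid signature is necessary but not sufficient. The Go program below is an added example, not Venafi's code and not part of the original post. It signs a payload with ECDSA, then verifies a download in two steps, first the signature under the attached key and then whether that key's fingerprint is on a publisher allowlist, and shows a "crook" key whose signature verifies but whose signer is not trusted being rejected alongside a tampered download. The vendor and crook keys, the payload and the allowlist are all constructed; in production the signer identity would come from a code-signing certificate chained to a CA you chose, not from a bare public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedArtifact is what a download carries: the bytes, a signature over their SHA-256,
// and the signer's public key (in production, the signer's code-signing certificate).
type SignedArtifact struct {
	Payload   []byte
	Signature []byte
	Signer    *ecdsa.PublicKey
}

// Fingerprint identifies a signer by the SHA-256 of its DER-encoded public key, which is
// what a publisher allowlist or a pinning policy records.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for an ECDSA key on a supported curve
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Sign produces the artifact a publisher ships.
func Sign(key *ecdsa.PrivateKey, payload []byte) (SignedArtifact, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedArtifact{Payload: payload, Signature: sig, Signer: &key.PublicKey}, err
}

// Verify asks two separate questions, in order: does the signature verify under the attached key,
// and is that key one we decided to trust? Signed malware passes the first and must fail the second.
func Verify(a SignedArtifact, allow map[string]string) (publisher string, err error) {
	digest := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(a.Signer, digest[:], a.Signature) {
		return "", errors.New("signature does not verify: payload altered or wrong key")
	}
	fp := Fingerprint(a.Signer)
	publisher, ok := allow[fp]
	if !ok {
		return "", fmt.Errorf("valid signature from a signer not on the allowlist (%s)", fp[:16])
	}
	return publisher, nil
}

// Outcomes runs the constructed cases: a vendor on the allowlist, a tampered download, and a
// "crook" whose key also signs correctly. The map holds nil for an accepted artifact.
func Outcomes() map[string]error {
	vendor, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	crook, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	allow := map[string]string{Fingerprint(&vendor.PublicKey): "Example Software Vendor"} // constructed allowlist
	update := []byte("firmware-2.1.bin: constructed sample payload")
	genuine, err1 := Sign(vendor, update)
	signedByCrook, err2 := Sign(crook, append([]byte("backdoored "), update...))
	if err1 != nil || err2 != nil {
		panic("signing failed")
	}
	tampered := genuine
	tampered.Payload = append([]byte("x"), genuine.Payload[1:]...) // one byte changed after signing
	out := map[string]error{}
	for name, a := range map[string]SignedArtifact{"genuine": genuine, "signed by crook": signedByCrook, "tampered": tampered} {
		_, out[name] = Verify(a, allow)
	}
	return out
}

func main() {
	for name, err := range Outcomes() {
		fmt.Printf("%-16s %v\n", name, err)
	}
}
```

The order of the two checks is deliberate: the allowlist lookup only runs on a signature that already verifies, so an attacker cannot learn which fingerprints are trusted by submitting unsigned junk. Replacing the fingerprint map with a chain check against a code-signing CA you operate is the same control with a different source of signer identity.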

With increased use of encryption in 2016, and therefore more keys and certificates, cybercriminals will have more opportunities to carry out their attacks by hiding in encrypted traffic and conducting MITM attacks. They will also use keys and certificates to make their nefarious actions look more legitimate on phishing sites and in malware with code-signing certificates. Yet businesses can defend themselves. User communities and major browser vendors will provide guidance. And Venafi can help. Venafi is the Immune System for the Internet that constantly assesses which keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

What are your main security predictions for 2016? Do you agree we’ll see more attacks on trust as more and more enterprises embrace 100% encryption? 

2015 Retrospective Part 1: 6 Out of 8 Venafi 2015 Cybersecurity Predictions Were Accurate
https://www.venafi.com/blog/post/2015-retrospective-part-1-6-out-of-8-venafi-2015-cybersecurity-predictions

It’s that time of the year again: security “predictions” season. But before sharing our 2016 predictions, we first want to look back at how we did with our 2015 predictions.

What’s our score? A total of 6 out of our 8 2015 cybersecurity predictions were accurate, and of the other two, one is unknown and the other we believe will still come to pass. Take a look at the results and see how these new cybersecurity realities impact businesses today.


Also take a look at our 2015 attack summary (Part 2 of our 2015 Retrospective). We predicted there would be an overall increase in trust-based attacks in 2015 that would abuse cryptographic keys and digital certificates, and we were painfully accurate.

Here are our 2015 prediction results:

  1. 2015 Prediction: SSL will be used and abused a lot more. CORRECT

    What Happened in 2015? 
    SSL/TLS use did increase, including the U.S. government requiring HTTPS for all public-facing government web services and many companies striving for encryption everywhere for better data privacy and protection. But this increase also spurred on cybercriminals’ use of SSL/TLS keys and certificates—to hide their nefarious activities and bypass security controls. Intel Security noted a 12% increase in SSL-based network attacks. Netcraft also found that certificate issuers Comodo, Cloudflare, GoDaddy and Symantec had issued domain-validated certificates to phishers targeting banks, PayPal, and other sites.

    What This Means for Businesses Today
    Cybercriminals target unprotected keys and certificates, but with key and certificate security in place, businesses can increase the use of keys and certificates for data privacy and protection without increasing the risk of attack and compromise.
  2. 2015 Prediction: Certificate expirations and resulting outages will be recognized as major security issues. NOT YET

    What Happened in 2015?
    While major certificate outages did occur in 2015 with Google Gmail, Microsoft Azure, Instagram, and others, they weren't fully recognized as security concerns. Globally, an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages and the average impact was $15 million per outage. Although this lack of visibility and management is obviously a sign of bigger security issues, businesses are still viewing this as an operations issue.

    What This Means for Businesses Today
    It’s time to stop costly certificate-related outages, but it is also time to acknowledge that outages are a symptom of bigger security issues. If you’re experiencing certificate-related outages, you don’t have visibility or proper management of your certificates. Odds are you’re not seeing out-of-policy, misconfigured, or even malicious certificates in your IT environment. 
  3. 2015 Prediction: Our security controls will be useless against half of the network attacks. CORRECT

    What Happened in 2015?
    Previously, Gartner predicted that 50% of all inbound and outbound network attacks would use SSL/TLS by 2017. We’re already there. According to Ponemon Institute, all (100%) of the organizations it researched responded to attacks that misuse keys and certificates in the last two years. And the impact of these attacks is increasing—currently estimated at a risk of attack of $53 million over the next 2 years (up 51% from the 2013 study). 

    What This Means for Businesses Today
    Most organizations don’t realize that when keys and certificates aren’t secure, cybercriminals can use them to bypass their other defenses. Bad guys understand that most security systems, like threat protection, NGFW, IDS/IPS, and DLP, either trust SSL/TLS or lack the keys to decrypt traffic. However, by protecting keys and certificates and using them to maximize SSL/TLS traffic inspection, your business will increase the effectiveness and value of your other security investments.
  4. 2015 Prediction: Incident response teams will leave the door open for bad guys, resulting in more attacks. UNKNOWN

    What Happened in 2015?
    We predicted that incident response (IR) and forensics analysis teams would forget to revoke and replace keys and certificates after network breaches, allowing breaches to recur. We have no explicit examples of this occurring in 2015—but this doesn’t mean it didn’t happen. Without revoking and replacing stolen keys and certificates, bad guys can continue to gain access to networks and hide their malicious activities. 

    What This Means for Businesses Today
    Lazy remediation, as Gartner describes it (when organizations fail to replace compromised private keys or fail to revoke old certificates), is an indication that the organizations do not understand that when private keys are exposed, everything is exposed. Organizations should establish automated certificate issuance, replacement, and revocation practices as part of incident response plans BEFORE a compromise to enable fast, complete remediation when needed.
  5. 2015 Prediction: Hearts will continue to bleed. CORRECT

    What Happened in 2015?
    In April 2015, a year after Heartbleed’s public disclosure, Venafi reported that 85% of Global 2000 public-facing servers still remained vulnerable. Even though this figure represents a 16% improvement over the number of vulnerable servers in 2014, it indicates very poor remediation performance.

    What This Means for Businesses Today
    Most IT teams didn’t bother to do proper Heartbleed cleanup by changing the vulnerable keys, and cybercriminals are still exploiting this lack of Heartbleed remediation. Are you still exposed? Learn the steps needed to fully remediate Heartbleed and ensure your business remains secure.
  6. 2015 Prediction: Kinetic attacks will take advantage of misused certificates and keys. CORRECT

    What Happened in 2015?
    The Internet of Things (IoT) is exploding—according to Gartner, there are an estimated 4.9 billion IoT devices connected to the Internet today. In the IoT, keys and certificates are used for authentication, validation, and privileged access control. When these keys and certificates are exploited, they can be used in kinetic attacks—those that can actually cause physical harm to people. In just one example, weaknesses in certificate usage in several car applications enabled hackers to gain remote control of vehicles.

    What This Means for Businesses Today
    As mentioned in my DarkReading article, “It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.” Businesses need to design IoT apps that make secure use of certificates to protect their customers.
  7. 2015 Prediction: Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. CORRECT

    What Happened in 2015? 
    What This Means for Businesses Today
    In the last 2 years, every enterprise surveyed failed at least one SSL/TLS audit and one SSH audit. With this additional guidance in compliance and security frameworks, auditors will have a structure to better evaluate the proper management and security of SSL/TLS keys and certificates, and SSH keys. If organizations don’t start adopting these guidelines in their ongoing business practices, they will fail more audits and endanger their business.
  8. 2015 Prediction: The Underground Digital Certificate Marketplace is now open for bad guys. CORRECT

    What Happened in 2015? 
    Underground key and certificate marketization continues to be the trend and prices in this black market continue to rise—at this writing, prices had risen to $1000 per certificate. In addition, IBM Security’s X-Force research team has found that large numbers of code-signing certificates are also now hot commodities in the black market.

    What This Means for Businesses Today
    Businesses need to assume their keys and certificates are being targeted by cybercriminals either to use to compromise their networks and data, or for resale. Organizations must make key and certificate security a priority. 

So here you have it: 6 out of 8 isn’t bad. Although this confirms we understand the market trends around online trust, it also means that businesses are struggling with key and certificate management and security. Find out how Venafi can help.

<![CDATA[LIVE SANS Webinar—Securing SSH Itself with the Critical Security Controls ]]> https://www.venafi.com/blog/post/live-sans-webinarsecuring-ssh-itself-with-the-critical-security-controls https://www.venafi.com/blog/post/live-sans-webinarsecuring-ssh-itself-with-the-critical-security-controls/#When:15:00:00Z SANS Institute and Venafi are cohosting a live webinar this Wednesday on the Secure Shell (SSH) network protocol, its vulnerabilities, and how organizations can address these vulnerabilities using SANS Critical Security Controls (CSCs).

When I read news stories about SSH-based attacks, I always wonder if organizations are paying attention. Are they taking the news stories as cautionary tales? Or are they taking the stories as isolated incidents that don't affect them? Or are they ignoring the stories altogether?

If your organization is in either of the latter two camps, I have news for you. While SSH is a sound technology, it has its vulnerabilities—all technologies do. And because it is providing privileged access to your organization's highest-value digital assets, you should know what these vulnerabilities are and how to address them. If you don't, how can you be sure you're adequately protecting your SSH implementation from the bad guys who seek out and prey upon SSH vulnerabilities?

In other words, how can you tell if you're properly securing the technology that secures your digital wealth?

Experts agree that SSH must be secured. Read this recent blog on the new NIST paper on SSH titled, Security of Interactive and Automated Access Management using Secure Shell (SSH), which emphasizes that SSH provides access to nearly all mission-critical systems and organizations should have an active SSH key management and security initiative to ensure their SSH keys remain protected.

This Wednesday, I’m cohosting a webinar with SANS SSH expert Barb Filkins to give organizations precisely the information they need to implement this type of initiative. In the webinar, Securing SSH Itself with the Critical Security Controls, we’ll share how the bad guys exploit SSH vulnerabilities to give themselves privileged access to organizations' most confidential and critical data, and follow up with ways organizations can stop the bad guys cold.


A few SSH vulnerabilities lie in the technology itself, but the webinar will show that most lie with a wide variety of implementation and configuration mistakes. For example, harried key administrators can inadvertently deploy authorized keys to root user accounts rather than to regular user accounts. Then when SSH keys are compromised, this opens the door to attacks where bad guys gain privileged access to everything from organizations' firewalls to their most coveted (and perhaps heavily regulated) data—costing organizations millions.

The webinar will also explain how to remediate these SSH vulnerabilities so SSH can be a strong tool for enabling and controlling access. When configured correctly, SSH keys are harder to crack, steal, or guess than are passwords.

In the webinar, you'll see how the SANS CSCs map to the National Institute of Standards and Technology (NIST) best practices for properly implementing SSH, a good complement to the new NIST paper on SSH. For example, CSC subcontrols and NIST's best practices both recommend that organizations automate key-provisioning processes, keep a complete inventory of enabled SSH identity keys, and rotate these keys regularly.

You'll also learn how, with Venafi, you can effectively implement these SANS and NIST recommendations—easily creating a complete key inventory, managing SSH keys throughout their lifecycles, and automating SSH key issuance and revocation. Venafi, as the Immune System for the Internet™, also seeks, destroys, and replaces keys that are compromised, much as the human immune system seeks and destroys cells that threaten the body.

Most enterprises do not have companywide SSH policies and management practices—instead turning to administrators to manage their own keys. This ad hoc approach to SSH key management and security doesn’t keep organizations safe. It’s time to learn how to implement effective SSH key protection that secures your critical systems and data. And, besides, you'll enjoy the webinar much more than reading a story about your organization's SSH-based data breach in the morning news.  

I hope you join me at the SSH webinar this Wednesday!

<![CDATA[The New NIST Paper on SSH Needs to Be at the Top of Your Reading List]]> https://www.venafi.com/blog/post/the-new-nist-paper-on-ssh-needs-to-be-at-the-top-of-your-reading-list https://www.venafi.com/blog/post/the-new-nist-paper-on-ssh-needs-to-be-at-the-top-of-your-reading-list/#When:15:00:00Z Virtually every enterprise uses Secure Shell (SSH) as the administrative protocol for secure, remote access to nearly all mission-critical systems. If it’s not Windows or a mainframe, then SSH is used to manage it—including Unix, Linux, routers, firewalls, network and security appliances, and more. SSH enables remote access by administrators as well as automated communications between systems.

All SSH access depends on the proper management and security of SSH keys. I cannot say this strongly enough: If your organization does not have an active SSH key management and security project, it is at risk.

Download the Venafi solution brief, Stop Unauthorized Privileged Access.

SSH is quintessentially about access control. It secures machine-to-machine access in automated systems and user-to-machine access in interactive systems. In both cases, the level of access in which this technology specializes is privileged. For example, automated access enables organizations to spin up and provision virtual machines in cloud services. And interactive access allows IT administrators to remotely configure and manage network devices such as servers, routers, and firewalls.

With SSH being responsible for securely handling communications for your organization’s most critical and valuable digital assets, it’s little wonder that cybercriminals are motivated to steal, break, or otherwise compromise the cryptographic keys upon which SSH relies. The greater the value of your assets, the greater criminals' motivation—and the greater the impact on your organization if they succeed.

What should you do if you don’t have an active SSH key project in your organization? The National Institute of Standards and Technology (NIST) recently issued a new publication, Security of Interactive and Automated Access Management using Secure Shell (SSH), which addresses several critical aspects of SSH, including its underlying technologies, inherent vulnerabilities, and best practices for managing SSH keys throughout their lifecycle. This was an interagency effort and the Venafi CTO of Server Products, Paul Turner, was a coauthor of the paper.

The publication enumerates several vulnerabilities, including, but certainly not limited to, the following:

  • Vulnerable SSH implementations, such as implementations that allow weak encryption keys or that use SSH version 1, which is no longer secure
  • Improperly configured access controls, which can inadvertently allow unauthorized access to the root accounts that underpin your entire system
  • Stolen, leaked, derived, and unterminated keys, which have obvious ramifications and can occur for a wide variety of reasons—including the practice of duplicating keys from device to device so employees can work from home or on the road, thus expanding cybercriminals' opportunities for theft
  • Pivoting, which can occur when cybercriminals successfully compromise a key and then use the tainted key to introduce malware that travels throughout your entire system using SSH as its vehicle

Pivoting Enabled by Chained SSH Trust Relationships

I could name other vulnerabilities, many of which you can find in the publication. But by now, you are probably wondering what you can do to prevent criminals from exploiting vulnerabilities in your own SSH implementation.

This is precisely where having the aforementioned active SSH management project comes in. But implementing this type of project can meet resistance. To quote Paul Turner on this subject, “Despite the significant risk that unsecured SSH keys present, many organizations have not implemented an SSH key management and security program because of lack of SSH knowledge at the executive level and internal resistance. IT administrators are accustomed to managing their own SSH keys and individual departments believe other operational tasks take priority. Unfortunately, because many executives don’t understand the significant risk SSH poses if not properly managed, we’ve seen that many enterprises wait until they’ve experienced an SSH compromise before taking action.” To be effective, an SSH key management project needs to be conducted companywide with support from upper management.

The NIST publication outlines SSH management practices your organization should have implemented. For example, it should be maintaining a complete inventory of your organization's SSH keys, one that includes information such as the systems where they’re deployed, key lengths, encryption algorithms, and issue dates.


Your organization should also be using a policy-based system that manages each key's lifecycle, from access request to access termination. And it should be actively monitoring your lifecycle management system.

As for the type of SSH management approach you should use, NIST recommends automation as the only practical choice, especially considering the sheer scale of SSH deployments, which in many organizations run to hundreds of thousands of key instances. Implementing a manual system that keeps an accurate, up-to-date inventory, manages each key throughout its lifecycle, and provides continuous monitoring would take many man-years of effort every month. And it would introduce human error into the process—which is, ironically, one of the vulnerabilities the publication mentions by name.
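The inventory and policy checks described here, together with the root-account and key-rotation points raised in the SANS webinar post above, as an added worked example (example code, not from NIST, SANS or Venafi): it parses authorized_keys entries, takes each key's algorithm and size from the key blob itself, computes the OpenSSH-style fingerprint, and flags keys authorized directly for root, deprecated or undersized algorithms, and one key that has been copied to more than one account. The sample authorized_keys content, hostnames and key blobs are constructed for the example, and the 2048-bit RSA threshold is an assumption, not a NIST figure.

```python
"""Inventory SSH authorized keys and check them against a simple policy.
Constructed example: sample authorized_keys text and key blobs are format-correct
fakes, not real keys; the policy thresholds are assumptions, not NIST values."""
import base64
import hashlib
import struct
from collections import defaultdict, namedtuple

MIN_RSA_BITS = 2048                      # policy threshold (assumption)
DEPRECATED_TYPES = {"ssh-dss"}           # DSA in SSH is limited to 1024 bits
PRIVILEGED_ACCOUNTS = {"root"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-")
KeyRecord = namedtuple("KeyRecord", "host account key_type bits fingerprint options comment")

def _read_string(blob, off):
    """Read one RFC 4253 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(key_type, blob):
    """Key size in bits, taken from the public key blob itself rather than any comment."""
    name, off = _read_string(blob, 0)
    if name.decode() != key_type:
        raise ValueError("blob type does not match the declared key type")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (mpint), skipped
        n, _ = _read_string(blob, off)             # modulus (mpint)
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)             # DSA prime p (mpint)
        return int.from_bytes(p, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    raise ValueError(f"unsupported key type {key_type}")

def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(host, account, line):
    """Parse one authorized_keys line: [options] key-type base64 [comment]."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # First token that looks like a key type; earlier tokens form the options field.
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError(f"unparseable authorized_keys line on {host}:{account}")
    key_type, blob = tokens[idx], base64.b64decode(tokens[idx + 1])
    return KeyRecord(host, account, key_type, key_bits(key_type, blob), fingerprint(blob),
                     " ".join(tokens[:idx]), " ".join(tokens[idx + 2:]))

def build_inventory(authorized_keys):
    """authorized_keys maps (host, account) -> text of that account's authorized_keys file."""
    return [rec for (host, account), text in authorized_keys.items()
            for line in text.splitlines()
            if (rec := parse_authorized_key(host, account, line)) is not None]

def policy_findings(records):
    """Return (host, account, fingerprint, reason) tuples for every policy violation."""
    placements = defaultdict(set)                # (host, account) pairs per distinct key
    for r in records:
        placements[r.fingerprint].add((r.host, r.account))
    findings = []
    for r in records:
        where, n_places = (r.host, r.account, r.fingerprint), len(placements[r.fingerprint])
        if r.account in PRIVILEGED_ACCOUNTS:
            findings.append(where + ("key authorized directly for a privileged account",))
        if r.key_type in DEPRECATED_TYPES:
            findings.append(where + (f"deprecated algorithm {r.key_type}",))
        elif r.key_type == "ssh-rsa" and r.bits < MIN_RSA_BITS:
            findings.append(where + (f"RSA key is {r.bits} bits, below {MIN_RSA_BITS}",))
        if n_places > 1:
            findings.append(where + (f"same key authorized in {n_places} places",))
    return findings

# Constructed sample data: blobs follow the SSH wire format but are not usable keys.
def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):  # mpint encoding needs a leading 0x00 byte when the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _fake_key(key_type, *ints):  # e.g. ("ssh-rsa", e, n); top bit of n set so size is exact
    return base64.b64encode(_string(key_type.encode()) + b"".join(map(_mpint, ints))).decode()

RSA1024 = _fake_key("ssh-rsa", 65537, (1 << 1023) | 0x10001)
RSA3072 = _fake_key("ssh-rsa", 65537, (1 << 3071) | 0x10001)
DSS1024 = _fake_key("ssh-dss", (1 << 1023) | 0x5)          # only p; key_bits reads no further
ED25519 = base64.b64encode(_string(b"ssh-ed25519") + _string(bytes(range(32)))).decode()
SAMPLE_AUTHORIZED_KEYS = {
    ("web01", "root"): f"ssh-rsa {RSA1024} deploy@build\n",
    ("web01", "appsvc"): (f'command="/usr/local/bin/deploy",no-pty ssh-ed25519 {ED25519} ci-runner\n'
                          "# legacy entry copied from the build host\n"
                          f"ssh-rsa {RSA1024} deploy@build\n"),
    ("db01", "dba"): f"ssh-dss {DSS1024} legacy-backup\nssh-rsa {RSA3072} alice@laptop\n",
}
```

Running `policy_findings(build_inventory(SAMPLE_AUTHORIZED_KEYS))` on the constructed data reports the root key, the two 1024-bit RSA entries, the DSA key, and the same fingerprint appearing in two places; in practice the same record structure gives the inventory fields the NIST paper asks for (system, algorithm, key length) once a deployment date is attached from the file's metadata.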

I strongly suggest that you read Security of Interactive and Automated Access Management using Secure Shell (SSH) for yourself, and if you have any questions or comments about the paper or its content, I'd love to hear them.

<![CDATA[There is Security Kryptonite on Your Sticky Note]]> https://www.venafi.com/blog/post/there-is-security-kryptonite-on-your-sticky-note https://www.venafi.com/blog/post/there-is-security-kryptonite-on-your-sticky-note/#When:15:00:00Z I've had the pleasure of working with a lot of security professionals in my time with security software and there is a recurring trend: People have an inherent craving for simplicity and often give in to this craving in ways that are not in their best interests. I feel protective of our customers and want to help them avoid the security mistakes I see others make in their misguided efforts to simplify.

To put it bluntly, people, you shouldn't assume that just because you are dealing with security professionals from vendor companies that your passwords, private keys, and other sensitive information are safe with them. You shouldn't even assume this with your own company's security professionals. If you want to destroy any security solution, add people.

You have no idea how many passwords and plain-text encryption keys I've seen come across screens—or in the case of passwords, seen written on sticky notes and pasted in obvious locations. For example, a colleague and I were working onsite to help a customer resolve an issue. During this visit, a member of the customer's security team was having difficulty remembering a password he needed for access to something.


"Check the back of your keyboard," my colleague and I joked. But when he turned over his keyboard, there it was: the 1Password password that gave access to all of their “secured” passwords. When I see such things, I fear for our customers.

Admittedly, there's a tradeoff. In the fight between security and simplicity, often the first thing to be compromised is security. Most people understand passwords, and we still don’t take good care of them. Imagine a certificate and/or a key. Many people really don’t understand those, and so we find them spread around on file servers with no password or silly passwords. Can you say “easy brute force target”?

Please properly vet your vendors and security team members: Do all you can to make sure their reputations are spotless and that they are security minded. 1Password has attempted to help corral the mess that we make with passwords and passphrases by making a central location with some level of control. Venafi is helping add security by doing the same for keys and certificates, including policies to enforce company regulations and automation for a complex process that most of our administrators don’t fully understand.

As we just finished Halloween and National Cybersecurity Awareness Month, there are lots of current horror stories around IT security, like the Internet of Pumpkins, the Little Book of Hacking Tales, and many more—all highlighting how human error can cause security issues.

But what are the solutions? How can we take people—always the weakest link in the security chain—out of the picture, or at least limit their impact? Automated key and certificate management and security can be part of the answer.

Venafi can help—providing key and certificate management and security for SSL/TLS keys and certificates, SSH keys, and mobile and user certificates. With Venafi, the Immune System for the Internet™, you can have your simplicity and your security, obviating the need for password-protected private key files by automatically discovering certificates and keys, placing them securely under its protection and control, and managing them throughout their lifecycles. Managing your cryptographic assets can't be simpler—automating the process and taking out the risk of human error.

Venafi even reaches beyond your organization's network to the Internet, where it provides an authoritative key and certificate reputation service. But even with our solutions, you'll still need to take more care in other areas of your company's security.

We know Superman is virtually unbeatable, just like so many security software solutions claim to be, but he has kryptonite as his weakness. Don’t let your craving for simplicity be your security kryptonite. Make sure you always have security-minded people as part of your team.

What is the worst IT security horror story you’ve heard? Any other suggestions on how to avoid security kryptonite? 

<![CDATA[It’s Time to See Mobility in a New Light]]> https://www.venafi.com/blog/post/its-time-to-see-mobility-in-a-new-light https://www.venafi.com/blog/post/its-time-to-see-mobility-in-a-new-light/#When:11:00:00Z While more and more employees are using their own phones, tablets, and other mobile devices for work, these practices often keep enterprises in the dark about mobile device access to enterprise data and systems. Digital certificates can shed light on enterprise access issues but only when certificates are properly managed and secured.

One good thing about cell phones is this: You're not as likely to run into people in the dark as you were before cell phones became ubiquitous. Nearly every face you see at night is bathed in the soft blue light of a cell phone. But illuminating people's faces isn't the only good thing about the phones' ubiquity. Mobile devices have done enterprises a few good turns.

Most enterprises welcome mobile devices because they allow people to work anytime, anywhere, and enterprises benefit from this increased productivity. You could even say that mobile devices have become indispensable to enterprises.

But there's a problem lurking here: Employees use mobile devices to access enterprise systems and often store enterprise data on them. I personally have a cell phone, an iPad, and a laptop, all of which have access to our corporate email system (and other corporate systems). This abundance of connected mobile devices is not unusual.


Access to enterprise networks usually involves certificates, of course, but how do the enterprises know for sure who owns the certificates? What happens if employees lose the devices or the devices get stolen? Enterprises need to be able to revoke access privileges as soon as a mobile device goes missing.

Clearly, enterprises must have some way of knowing which certificates, on which devices, belong to which employees. They must also have a means by which they can identify and remove compromised certificates, even on devices that do not belong to them. And they must have the ability to control—that is, issue or revoke—certificates at a moment's notice. For example, if I were to call our helpdesk and report that someone stole my backpack one dark night, our helpdesk would have a mechanism for immediately revoking the certificates on each of my stolen devices, thereby preventing access to corporate systems. In other words, it would have a kill switch for the certificates that are located on these devices.

Unfortunately, most enterprises do not have such capabilities. Lacking them, they are as blind and as vulnerable to hidden cyberattacks as were people strolling down dark alleys in the days before cell phones.

What is your enterprise’s BYOD policy? If employee-owned devices are allowed, how does your business shed light on and control enterprise data and system access on these devices?

<![CDATA[The Internet of Things: It’s All About Trust]]> https://www.venafi.com/blog/post/the-internet-of-things-its-all-about-trust https://www.venafi.com/blog/post/the-internet-of-things-its-all-about-trust/#When:17:37:00Z The original article was published at Dark Reading on October 16, 2015.

As billions of devices come online, it will be critical to protect the keys and certificates we use for authentication, validation, and privileged access control.

As technology becomes more interconnected with the Internet of Things, we should expect to see more insidious hacks like those demonstrated at Black Hat USA this past summer that will -- at some point in the near future -- strike close to home. It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.

What is the core of the problem?

There are two technologies that are foundational to enabling our world economy today. They are DNS and keys and certificates. According to Gartner, there are an estimated 4.9 billion IoT devices connected to the Internet, a number that is estimated to grow to 25 billion devices by 2020. As was so clearly displayed in the GM RemoteLink app hack at Black Hat, at the core of IoT are keys and certificates; SSL/TLS validation, or the lack of validation, was exploited as part of the hack.

As billions of devices come online, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control.

Read the rest of the article on Dark Reading.


<![CDATA[Infographic: New SANS 20 Requirements for SSL/TLS Security and Management]]> https://www.venafi.com/blog/post/infographic-new-sans-20-requirements-for-ssl-tls-security-and-management https://www.venafi.com/blog/post/infographic-new-sans-20-requirements-for-ssl-tls-security-and-management/#When:17:30:00Z The SANS Institute, realizing the critical nature of security risks to SSL/TLS, has added several requirements related to SSL/TLS management to Critical Security Control 17: Data Protection. From recent vulnerabilities like Heartbleed, Shellshock, POODLE, and FREAK to the Sony and CHS breaches and other APT attacks, like APT 1 and APT 18, enterprises can no longer blindly trust SSL/TLS certificates.

This growing lack of blind trust in SSL/TLS certificates stems largely from corporate security teams’ failure to secure and manage their vast certificate and key populations properly. By following the new SANS 20 requirements for SSL/TLS certificate management, enterprises can regain trust in SSL/TLS and rely on it once again for secure communications, authentication, and authorization for applications, appliances, devices, and cloud services.

Infographic for new SANS 20 requirements for SSL/TLS Security and Management

<![CDATA[Here’s How to Secure the Internet’s Shaky Foundation]]> https://www.venafi.com/blog/post/heres-how-to-secure-the-internets-shaky-foundation https://www.venafi.com/blog/post/heres-how-to-secure-the-internets-shaky-foundation/#When:19:55:00Z The foundation of the internet, DNS and PKI-SSL, is now threatened by attacks using SSL/TLS keys and certificates. We need an Immune System for the Internet to identify and neutralize key and certificate misuse.

Key Takeaways

  • The foundation of the Internet is based on two pillars: DNS and PKI-SSL
  • Cybercriminals misuse PKI-SSL to create trusted identities and to hide in encrypted channels
  • We need a third pillar: the Immune System for the Internet™ to identify and neutralize misused certificates

Download free Gartner Research: Strategies for Responding to New SSL Cybersecurity Threats

Photo by Paulo Raquec. Unedited. Flickr.

When we humans created the cyber realm known as the Internet, we based its foundation on two fundamental technology pillars: DNS (Domain Name System) and PKI-SSL (Public Key Infrastructure-Secure Sockets Layer). DNS was the Internet's first technology pillar: It functioned like an address book and postal-delivery service, providing routing tables that got electrons (that is, electronic information) from Point A through 10 or 12 hops to Point B.

For a little while, DNS's miraculous ability to move information from computer to computer was enough.

Then people realized they couldn't necessarily trust the information they received via the Internet because there was no way to truly identify the sender. Peter Steiner's 1993 New Yorker cartoon delightfully illustrated this problem. In it, a computer-savvy canine tells his cartoon pal: "On the Internet, nobody knows you're a dog."


The Internet is a Good Place to Hide

In 1995, Netscape's chief scientist, Taher Elgamal, spearheaded the effort to address the Internet's identity problem through the second technology pillar (SSL), and soon X.509 certificates were providing trustworthy communications to individuals and organizations everywhere. So foundational is this technology today that the New Yorker recently published a sequel to Steiner's famous cartoon—a 2015 cartoon by Kaamran Hafeez, wherein both dogs are computer savvy and the first says to the other: "Remember when, on the Internet, nobody knew who you were?"

For a little while, PKI-SSL's ability to establish trusted identities and to encrypt data was enough.

But in the last five years, many cybercriminals have successfully attacked businesses and governments that rely on the second technology pillar to provide trusted identities. And they've done it by using the pillar itself in the form of forged or stolen certificates and keys. You see: certificates and keys are powerful. They authenticate people, in this case the cybercriminals who stole or forged them, and they open the vaults to rich stores of information. They also encrypt data. So authenticated cybercriminals can use them to bring malware in, encrypted so no one can see it, and to send valuable data out, again encrypted. And the problem is only compounded given that many Global 5000 organizations blindly trust the keys and certificates deployed on their networks.

The Solution has to Intelligently Adapt to Change

To fix this problem, we need a third technology pillar: We need a cyber equivalent of the human immune system. Just as the human immune system travels throughout the body using HLA (human leukocyte antigen) markers to identify what is self and what is other, the Internet needs a technology that travels throughout cyber systems and identifies certificates that are forged or stolen—and then automatically neutralizes them, just as the human immune system automatically surrounds and destroys entities that are not self.

In other words, what the Internet needs if it is to have a whole and healthy foundation is the Immune System for the Internet™. Without it, the Internet's foundation will surely crumble.  This is our mission: to provide global organizations with an intelligent, adaptive security solution that works like an immune system to secure the foundational trust that keys and certificates provide.

Check out this video on the Immune System for the Internet.

<![CDATA[Securing Online Gaming with the Immune System for the Internet]]> https://www.venafi.com/blog/post/securing-online-gaming-with-the-immune-system-for-the-internet https://www.venafi.com/blog/post/securing-online-gaming-with-the-immune-system-for-the-internet/#When:03:24:00Z The Cyber Spotlight: Securing Online Gaming 2015 event is happening on October 6th in London, UK. It is a one day event focusing on threats and solutions pertaining specifically to online gaming. Venafi is a strategic partner participating in the event.

If you are attending, check out the session by Craig McLean, an Operations Transformation Consultant who will be speaking on behalf of Venafi in the session, Certificates Are Easy. Why Managing PKI in an Agile Way Isn’t as Hard as You Might Think at 11:50 AM.

Also, take a look at the article below, printed in the event publication, on how to protect keys and certificates to prevent their misuse in cyber attacks. For more information on how to protect yourself from attacks that misuse keys and certificates, download this Gartner report.


The Security Gap that Lets Cybercriminals Breach Enterprises 

Lessons we can learn from the human immune system.

Most organisations don’t realise the role that cryptographic keys and digital certificates play in today’s cyber attacks. Keys and certificates are the foundation of security. They establish the trust on which businesses depend – securing data, keeping communications safe and private, and establishing trust between communicating parties. However, when these keys and certificates get breached, enterprises and individuals are left vulnerable to attack and compromise.

How our reliance on keys and certificates is used against us

We have increased our reliance on keys and certificates that protect communications and authorise and authenticate webservers, software, mobile devices, apps, admins and even airplanes. Virtually everything that is IP-enabled today relies on keys and certificates, from online banking and shopping to government sites. And this reliance will only increase as we expand our use of interconnected networks and physical devices and systems – also known as the Internet of Things. The Internet of Things depends on Secure Sockets Layer (SSL)/Transport Layer Security (TLS) keys and certificates to authenticate devices and systems.

Graphic detailing the components of serving online games, image via Cyberspot

Other security controls, such as access control, next generation firewalls (NGFW), intrusion detection systems (IDS), intrusion prevention systems (IPS), data loss prevention (DLP), and more, are designed to blindly trust keys and certificates. But what happens when cybercriminals forge or steal unprotected keys and certificates?

Attacks weaponise these compromised or stolen keys and certificates, allowing cybercriminals to bypass security controls; to impersonate websites, code or administrators; to surveil and monitor their targets' websites, infrastructure, clouds, mobile devices and system administrators; and to decrypt communications thought to be private. Today's cybercriminals use keys and certificates to gain trusted status for unrestricted access to their victim's network and remain undetected for extended periods of time – hiding in encrypted traffic, deploying malware and siphoning off confidential data to use for criminal ends.

What is the risk of suffering an attack using keys and certificates?

The 2015 ‘Cost of Failed Trust’ survey by the Ponemon Institute found that the average enterprise has over 23,000 keys and certificates, yet 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them or how they are used.1 Enterprises need to understand the role keys and certificates play in today’s attacks and how to protect them to close this gap in their security.

Attacks on keys and certificates are not new – Stuxnet, discovered in 2010, is the first known kinetic attack that leveraged misused keys and certificates (its drivers were signed with stolen code-signing certificates). However, attacks on keys and certificates are becoming increasingly common, leaving victims open to devastating security breaches. From Heartbleed, ShellShock, POODLE, the Gogo and OnStar man-in-the-middle attacks, Lenovo's Superfish vulnerability, the MASK attack and FREAK, cybercriminals are exploiting the weaknesses in unprotected keys and certificates to carry out malicious acts.

What is the risk? In the Ponemon survey, 100% of the respondents had suffered attacks using keys and certificates within the past 24 months.1 In addition, according to market research company Gartner, 50% of all inbound and network attacks will use SSL/TLS by 2017.2 If you haven’t already been attacked using keys and certificates, you soon will be.

What are enterprises doing to protect themselves?

With keys and certificates a prime target, organisations need to prioritise protecting them. Most organisations use manual or home grown systems to manage keys and certificates and these do not provide sufficient visibility and security to ensure that keys and certificates remain secure.

In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to establish what they are doing to prevent breaches and establish greater trust online.3 Disturbingly, the data revealed that most IT professionals acknowledge they don't know how to detect or remediate compromised cryptographic keys and digital certificates.

The survey results highlighted that 42% of respondents can't, or don't know how to, detect compromised keys and certificates, and a further 56% of respondents said they are using a combination of NGFW, anti-virus, IDS, IPS and sandboxes to find these types of attacks. However, attacks using forged or stolen keys and certificates bypass these security controls, which are designed to blindly trust keys and certificates. SSL/TLS decryption systems that can detect attacks hidden in encrypted traffic often do not have sufficient access to keys to provide meaningful protection.

Painfully, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks using keys and certificates, and most said it would take three or more days, or up to a week, to detect, diagnose and replace keys and certificates that have been breached.

Following a breach, more than three-quarters (78%) of those surveyed said they would only complete partial remediation, not replacing compromised keys and certificates, which would leave them open to further attacks. The vast majority of organisations are still vulnerable to Heartbleed, for example, more than a year since it was discovered.4 When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system.

The immune system for the internet

If most security controls are designed to blindly trust keys and certificates, how can we detect misuse of keys and certificates by cybercriminals? What if we had an immune system for the internet that, like the human immune system, would let us detect what is self and trusted, and what is not and therefore dangerous on our networks?


Just like the human body’s HLA tags, keys and certificates serve as an identification system for the internet. However, unlike humans, there has been no immune system for the internet to search out which keys and certificates to trust and which to destroy. Not being able to identify what is trusted or how to recognise and remediate untrusted keys and certificates following an attack, leaves organisations wide open to breach and compromise.

Enterprises not only need to manage keys and certificates, and know where they are and who is responsible for them, but they also need to protect them and the trust they establish. This requires an immune system for the cyber realm that can provide constant surveillance, take immediate action when anomalies are detected, and fully automate remediation to replace old or bad keys and certificates with new ones. Also, as we move increasingly to the cloud and DevOps environments, organisations need a system in place that can scale up and tear down quickly, dynamically keeping everything safe and trusted.

One solution that can serve as an immune system for the internet and fill this security gap is certificate reputation that enables immediate blacklisting of untrusted certificates and flags them for future remediation. With global certificate reputation, companies can get an internal and internet-wide view in real-time of what’s good or bad, friend or foe, when it comes to certificates, allowing IT professionals to respond in a timely manner to the misuse of keys and certificates and protect their business and brand.

Enterprises need to be able to secure keys and certificates, because, if they don’t, online trust will be broken with dire ramifications especially to the economy that relies so heavily on the trust established by keys and certificates for commerce and mission-critical business activities. And with the Internet of Things, billions of connected devices are coming online that drive, fly, keep us safe, and keep us alive. The world will be much more dangerous and vulnerable unless we find a way to maintain the trust established by keys and certificates.


  1. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
  2. D’Hoinne, Jeremy and Hills, Adam. Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 9, 2013. Gartner RAS Core Research Note: G00258176.
  3. Venafi survey of nearly 850 IT security professionals during the RSA Conference USA 2015.
  4. Venafi Labs Analysis. Hearts Continue to Bleed: Heartbleed One Year Later. 2015.
<![CDATA[Why the Security Workforce Needs Qualified Women….AND Men]]> https://www.venafi.com/blog/post/why-the-security-workforce-needs-qualified-women.and-men https://www.venafi.com/blog/post/why-the-security-workforce-needs-qualified-women.and-men/#When:17:13:00Z Over the past 30 years of being in information technology and security, it has always been obvious that there is a huge need for diversity in this field. It’s a common topic that comes up often, especially in security circles. Just a few weeks ago, there was a special Black Hat panel session dedicated solely to addressing this topic: “Beyond the Gender Gap: Empowering Women in Security.” Also, certification body (ISC)2 reports that just 10 percent of information security professionals worldwide are women.

While this is an upsetting statistic to many, and I do agree that we need more women in the workforce, I firmly believe that we need to consider an even more pressing issue that I hear time and time again when I’m meeting with CISOs all over the globe: we simply do not have enough skilled security professionals to meet the need right now. (ISC)2’s latest global workforce study, sponsored by Frost & Sullivan, finds that the shortage of security professionals will reach 1.5 million within five years. That’s a startling number, and why I believe that employing qualified, skilled IT security professionals—both women and men—should be the priority.

So, how do we build the next generation of cyber warriors, both men and women?

First, we need to encourage kids to study Science, Technology, Engineering, and Mathematics (STEM) at a young age so that they will be interested in pursuing more technical degrees and certifications later on. Most high schools are offering basic computer classes, and colleges all over the globe have courses in computer science and cyber security. And even if you don’t go to college, there are great certifications and workshops you can take to obtain and learn the skills yourself. Trust me, I’ve hired a lot of security professionals over the years and the main thing I always look for is actual, real-world, hands-on experience.

We also can help lead the way by setting a good example and showing kids and teens that they can have successful and rewarding careers in IT security. In my own career, I started at the IT helpdesk and was able to work my way up the ladder into holding several leadership positions at major corporations and now Venafi. Also, security pays well! IT security professionals, on average, make $90,000 or more a year! And there’s a lot of job security in security—companies are always hiring and looking to fill jobs quickly.

As you can imagine, I have managed many security teams during the course of my career so I’m very passionate about sharing my own insights into how to grow and build successful careers and teams in IT security. In fact, I’m actually presenting on October 12 at 3pm CT at the ISSA International conference on “Diversified IT: Why the Security Workforce Needs Qualified Women...and Men.” If you’re there, definitely stop by my session!

2015 ISSA International Conference Session

While these are just a few of my thoughts, there are probably many more things that we can be doing to build up the security workforce to meet the demand. I just hope that over time, we do start to see the tables turn with a more diversified and skilled workforce. This is definitely a fight we can’t win alone!


<![CDATA[Infographic: New Ponemon Research Reveals Businesses Are Losing Customers Due to Broken Online Trust]]> https://www.venafi.com/blog/post/infographic-new-ponemon-research-reveals-businesses-are-losing-customers-du https://www.venafi.com/blog/post/infographic-new-ponemon-research-reveals-businesses-are-losing-customers-du/#When:04:05:00Z A new report, 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers, was released today by the Ponemon Institute and Venafi, and reveals the damaging impacts on global business from unprotected and poorly managed cryptographic keys and digital certificates. In March 2015, a related report (2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point) revealed the risks global business face from attacks using keys and certificates (see the infographic on this first report). Now this new report looks at how the failure to secure and manage keys and certificates is adversely impacting today’s businesses, and quantifies the direct financial impacts.

Global enterprises depend on the trust, privacy, and integrity established by keys and certificates. But when keys and certificates are unsecured, companies lose customers, suffer costly outages, fail audits, and experience breaches. The infographic below captures the extent of these impacts in today’s enterprises over the past 2 years as well as the amount of security, availability, and compliance risk over the next 2 years. The infographic then concludes with the challenges that enterprises face with securing keys and certificates and an action plan to reduce risk.

Infographic: When Trust Online Breaks, Businesses Lose Customers

<![CDATA[Businesses Are Losing Customers from the Misuse of Keys and Certificates]]> https://www.venafi.com/blog/post/businesses-are-losing-customers-from-the-misuse-of-keys-and-certificates https://www.venafi.com/blog/post/businesses-are-losing-customers-from-the-misuse-of-keys-and-certificates/#When:04:05:00Z 2015 survey results reveal that unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches.

Key Takeaways

  • Most businesses admit to losing customers because they failed to secure keys and certificates
  • Misuse of keys and certificates continues to increase (e.g. Superfish, GoGo, FREAK, and LogJam)
  • Several unplanned outages have hit major enterprises in 2015 (e.g., Gmail, Azure, Instagram)

Today, the Ponemon Institute and Venafi released new data on how businesses are being directly impacted by unsecured cryptographic keys and digital certificates. This data has been released in a new report, 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers, and reveals how unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches.

Download the report: 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers

In March 2015, the Ponemon Institute and Venafi published research on the risks global business face from attacks using cryptographic keys and digital certificates in the 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. The 2015 research survey used as the basis for this report was completed by 2,394 IT security professionals around the globe: 646 U.S., 499 U.K., 574 German, 339 French, and 336 Australian respondents. Consensus among the global participants was that the system of trust was at the breaking point. Now, unpublished data from the survey is included in this new report that shows businesses around the globe are suffering the damaging impacts of unsecured keys and certificates.

  • When trust online breaks, businesses lose customers: Well over half (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
  • Critical business systems are failing: An average of more than 2 certificate-related unplanned outages per organization has been reported over the last 2 years, with an average cost of $15 million per outage.
  • Businesses are failing audits: On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 2 years.

59% of Businesses Admit to Losing Customers

These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected, and use them to circumvent security controls—to hide in encrypted traffic, deploy malware, and steal data.

Here is a quick summary of examples of the misuse of keys and certificates in 2015.

GoGo MITM: In early 2015, it was discovered that inflight internet service provider, GoGo, was issuing fake Google certificates. GoGo indicated that this was simply used to block online video streaming to conserve bandwidth, but breaking this security protocol has undoubtedly tainted the GoGo brand.

Superfish: Lenovo damaged customer confidence when it was caught in early 2015 installing adware on its laptops that conducted man-in-the-middle (MITM) attacks using forged digital certificates to break open SSL/TLS encryption.

FREAK: Factoring Attack on RSA-EXPORT Keys is a downgrade vulnerability in SSL/TLS implementations. A man-in-the-middle can force vulnerable clients and servers into an export-grade key exchange with a 512-bit RSA key, and keys that short can be factored, letting the attacker decrypt the session. Victims of this vulnerability might have the effectiveness of their security put into question.

LogJam: The LogJam vulnerability exploits a flaw in how TLS negotiates the Diffie-Hellman (DHE) key exchange and is similar to FREAK in that it downgrades the connection, in this case to 512-bit export-grade DH parameters whose shared secret can then be computed. Attackers can use this vulnerability in a MITM attack to read or modify data passed over the TLS connection, which would violate customer privacy.
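FREAK and Logjam both succeed only when a server still offers export-grade material: RSA_EXPORT or DHE_EXPORT cipher suites, or a Diffie-Hellman group small enough to break. The Go program below is added here as an example; it is not from the original post or from any Venafi product. It audits the two things a server operator controls: it parses a PKCS#3 "DH PARAMETERS" PEM block (the format openssl dhparam writes) and reports the prime's size against an assumed 2048-bit floor, and it flags export-grade cipher-suite names in either OpenSSL or IANA spelling. The sample DH parameters are constructed in memory around a freshly generated prime so the program runs offline; in practice you would feed it the dhparam file and the cipher list from your server configuration.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// dhParams mirrors the PKCS#3 DHParameter structure that "openssl dhparam"
// writes: SEQUENCE { prime INTEGER, base INTEGER }.
type dhParams struct {
	P *big.Int
	G *big.Int
}

// minDHBits is the floor this example enforces (an assumption, matching
// common hardening guidance): 512-bit export groups were broken by the
// Logjam research and 1024-bit groups are within reach of a well-resourced
// attacker, so 2048 bits is the minimum for new deployments.
const minDHBits = 2048

// dhBits parses a "DH PARAMETERS" PEM block and returns the size of its prime.
func dhBits(pemData []byte) (int, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "DH PARAMETERS" {
		return 0, fmt.Errorf("no DH PARAMETERS block found")
	}
	var params dhParams
	rest, err := asn1.Unmarshal(block.Bytes, &params)
	if err != nil {
		return 0, err
	}
	if len(rest) != 0 {
		return 0, fmt.Errorf("trailing data after DH parameters")
	}
	return params.P.BitLen(), nil
}

// exportSuite reports whether a cipher suite name (OpenSSL "EXP-..." or
// IANA "..._EXPORT_..." spelling) is export-grade, i.e. the kind of suite
// FREAK and Logjam downgrade a connection to.
func exportSuite(name string) bool {
	n := strings.ToUpper(name)
	return strings.Contains(n, "EXPORT") || strings.HasPrefix(n, "EXP")
}

// makeDHParamsPEM builds a constructed DH PARAMETERS blob around a fresh
// prime of the requested size. It exists only to give this example offline
// sample input; real input is a file such as dhparam.pem.
func makeDHParamsPEM(bits int) ([]byte, error) {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := asn1.Marshal(dhParams{P: p, G: big.NewInt(2)})
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "DH PARAMETERS", Bytes: der}), nil
}

func main() {
	for _, bits := range []int{512, 1024, 2048} {
		data, err := makeDHParamsPEM(bits)
		if err != nil {
			panic(err)
		}
		n, err := dhBits(data)
		if err != nil {
			panic(err)
		}
		verdict := "ok"
		if n < minDHBits {
			verdict = "WEAK: Logjam-class downgrade target"
		}
		fmt.Printf("%4d-bit DH group: %s\n", n, verdict)
	}
	// Constructed cipher list: two export suites and one modern suite.
	for _, s := range []string{"EXP-RC4-MD5", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "ECDHE-RSA-AES128-GCM-SHA256"} {
		fmt.Printf("%-40s export-grade=%v\n", s, exportSuite(s))
	}
}
```

The cipher-suite check is a name match and therefore only as good as the list you feed it; the DH check is exact because it reads the prime itself. A 1024-bit group passes the export test but still fails the 2048-bit floor, which is the point: removing EXPORT suites alone does not close the Logjam exposure if the non-export group is also small.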

Outages: Certificate-related outages that cause critical services to go down can also cause customer loss. Here are some newsworthy certificate-related outages in 2015, showing that even well-established businesses can suffer crippling business interruptions due to poorly managed certificates:

  • Google Gmail experienced an outage due to an expired certificate in its CA chain, which prevented millions of users from accessing their email accounts.
  • The Microsoft Azure storage cloud platform experienced a worldwide outage due to an expired SSL certificate.
  • Instagram users, when using the web interface, received either an error message saying the company’s certificate was invalid or, if using Chrome, were denied access to the Instagram site all together due to an expired SSL certificate.

The new Ponemon report also shows that these impacts from unprotected and poorly managed keys and certificates will continue with a security risk per organization of $53 million over the next 2 years and a combined availability and compliance risk of $7.2 million—showing that security risk greatly outweighs availability and compliance risk. Read the report to get an action plan to reduce these risks.

How are you reducing the risk of key and certificate misuse in your organization?

<![CDATA[Don’t Trust Blindly—Get 20/20 Vision on Your Certificates]]> https://www.venafi.com/blog/post/dont-trust-blindly-get-20-20-vision-on-your-certificates https://www.venafi.com/blog/post/dont-trust-blindly-get-20-20-vision-on-your-certificates/#When:04:05:00Z Before hindsight gives you 20/20 vision, when it is already too little, too late, adopt an approach that gives 100% insight. Virtually all enterprises are unaware of how many certificates they have in their organization. Visibility is critical to properly manage certificates, avoid certificate-related outages, and secure your business and brand.

Key Takeaways

  • Everyone is utilizing more certificates than they know and in ways they don't know.
  • Lack of visibility leads to outages, downtime, exploited vulnerabilities, and financial loss.
  • Venafi TrustNet and Google CT care about your brand and you should too.

Visibility for Certificate Management

Without visibility into the encrypted traffic flooding your network, you will not really know how many certificates are in use within your organization. In 2015 research by the Ponemon Institute, 54% of IT security professionals admitted to not knowing where all of their keys and certificates are located. But I think this is grossly underestimated. I have never met an organization utilizing certificates who accurately knew the count of their digital certificate usage before using Venafi. Usually, we wind up finding at the least 3x what they thought they had.

Download the solution brief, Eliminate Blind Spots in Your SSL Traffic.

Yet finding all of your certificates is just the beginning. To properly manage them, you’ll need visibility into all of these aspects:

  • Who owns each of your certificates?
  • What does each certificate do?
  • Who is controlling your self-signed certificates?
  • Where do all of your wildcard certificates live?
  • Are all certificates being issued by the CAs you have approved?

Visibility to Avoid Certificate-related Outages

Another critical component of certificate visibility is the ability to identify approaching certificate expirations. Every certificate expires at some point, and before that point you need to renew it and replace it everywhere it is installed (with a 1-year maximum lifetime if you are following best practices). It is important to do this before certificates expire and cause outages of critical business systems. We’ve already seen several examples of certificate-related outages in large global businesses in 2015, including in Google Gmail, Microsoft Azure, and Instagram. These outages can cost you millions. In research by the Ponemon Institute, IT security professionals set the average cost of a certificate-related outage at $15 million.

Businesses Lose $15 Million per Outage

Visibility to Protect Your Business and Brand

Visibility into your keys and certificates isn’t just crucial for management—as the foundation to online trust, it’s also critical to securing your business and protecting the privacy of your customers and partners. Here are some questions you should be able to answer:

  • Who is making sure that certificates with proper strength are being created?
  • Has anyone stood up a rogue CA on your network?
  • Are all certificates being issued by the CAs you have approved?
  • Are stolen or rogue keys and certificates being used to hijack your brand?
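The two lists of questions above (who issued each certificate, which are self-signed or wildcards, whether they came from an approved CA, whether key strength and lifetime meet policy, and which are about to expire) can all be answered from the certificates themselves once discovery has collected them. The Go program below is added here as an example; it is not from the original post and is not Venafi TrustNet or any Venafi product. It performs that inventory step on a PEM bundle: it parses each certificate and reports issuer, self-signed and wildcard status, days to expiry, and policy findings. The approved-CA list, the 366-day lifetime cap, the 2048-bit RSA minimum and the 30-day renewal window are assumptions for the example, and the three-certificate bundle is constructed in memory (an internal root, a 90-day wildcard leaf it issued, and a self-signed three-year RSA-1024 leaf about to expire) so that the program runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one inventory row for a certificate found in the bundle.
type Finding struct {
	Subject, Issuer      string
	SelfSigned, Wildcard bool
	DaysLeft             int
	Issues               []string
}

// Policy assumed for this example (not from the post): one approved internal CA,
// end-entity lifetimes of at most a year, RSA keys >= 2048 bits, renew 30 days out.
var approvedCAs = map[string]bool{"Example Corp Internal CA": true}

const maxLifetime, renewWindow, minRSABits = 366 * 24 * time.Hour, 30, 2048

// inspect walks every CERTIFICATE block in a PEM bundle and reports on each.
func inspect(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // scanned keystores also hold private keys
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		f := Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName}
		add := func(s string) { f.Issues = append(f.Issues, s) }
		// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
		f.SelfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
		for _, name := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
			f.Wildcard = f.Wildcard || strings.HasPrefix(name, "*.")
		}
		f.DaysLeft = int(cert.NotAfter.Sub(now) / (24 * time.Hour))
		switch {
		case f.SelfSigned && cert.IsCA && !approvedCAs[cert.Subject.CommonName]:
			add("unapproved root CA on the network")
		case f.SelfSigned && !cert.IsCA:
			add("self-signed end-entity certificate")
		case !f.SelfSigned && !approvedCAs[cert.Issuer.CommonName]:
			add("issued by unapproved CA: " + cert.Issuer.CommonName)
		}
		if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
			add(fmt.Sprintf("RSA key is %d bits (< %d)", k.N.BitLen(), minRSABits))
		}
		if life := cert.NotAfter.Sub(cert.NotBefore); !cert.IsCA && life > maxLifetime {
			add(fmt.Sprintf("lifetime %.0f days exceeds policy", life.Hours()/24))
		}
		if cert.NotAfter.Before(now) {
			add("expired")
		} else if f.DaysLeft <= renewWindow {
			add(fmt.Sprintf("expires in %d days", f.DaysLeft))
		}
		out = append(out, f)
	}
	return out, nil
}

// issue signs tmpl with priv (the parent's key) and returns it PEM-encoded.
func issue(tmpl, parent *x509.Certificate, pub, priv any) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // constructed input; a real tool would return the error
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// sampleBundle is constructed input generated in memory: the approved root, a 90-day
// wildcard leaf it issued, and a self-signed three-year RSA-1024 leaf about to expire.
func sampleBundle(now time.Time) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.internal.example.com"},
		DNSNames: []string{"*.internal.example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0)}
	legacyKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	legacy := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "legacy.example.com"},
		DNSNames: []string{"legacy.example.com"}, NotBefore: now.AddDate(-3, 0, 10), NotAfter: now.AddDate(0, 0, 10)}
	return bytes.Join([][]byte{issue(ca, ca, &caKey.PublicKey, caKey), issue(leaf, ca, &leafKey.PublicKey, caKey),
		issue(legacy, legacy, &legacyKey.PublicKey, legacyKey)}, nil)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // X.509 times carry whole seconds
	findings, err := inspect(sampleBundle(now), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s self-signed=%-5v wildcard=%-5v days-left=%-4d issues=%v\n", f.Subject, f.SelfSigned, f.Wildcard, f.DaysLeft, f.Issues)
	}
}
```

Run against a real bundle, the report answers the inventory questions directly: the root and the wildcard leaf come back clean, while the legacy certificate is flagged as self-signed, weak-keyed, over the lifetime limit and due for renewal. Ownership (who is responsible for each certificate) is the one question a certificate cannot answer about itself; that has to be recorded alongside the discovery results.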

Enterprises also need to realize that using encryption creates security blind spots. Cybercriminals are now using SSL/TLS to hide malware coming into organizations and sensitive data going out. Gartner estimates that by 2017, 50% of network attacks will use SSL/TLS. Organizations need real-time access to keys and certificates to decrypt SSL/TLS traffic and pass the content to security devices, such as Blue Coat, for further processing, analysis, and policy administration.

When the online trust established by keys and certificates is broken, businesses lose customers. Thank goodness solutions such as Google Certificate Transparency (CT) and Venafi TrustNet™ are out there to help add some visibility to our ever expanding use of digital certificates and keys.

Recently, some employees of the Thawte CA issued unauthorized certificates for Google domains. Fortunately, the CA was logging pre-certificates to Google Certificate Transparency before actual issuance, so the Google CT team was able to raise the red flag about these unauthorized certificates and alert the proper channels, allowing immediate corrections to be made. Venafi TrustNet combines information from Google CT with information from the Venafi sensory network to provide information on certificate issuance as well as throughout the entire certificate lifecycle on all certificates used on the internet.

Businesses rightly take encryption seriously. This means they care about the CAs they use, how long certificates are valid, and what hashes, algorithms, and protocols are used. We have seen companies with very strong policies on their certificates who have removed employees when a certificate that was unauthorized showed up via our discovery. How do you know whether your policies are being followed if you can’t see? It’s time to shed some light on your certificates. You can’t fix what you can’t see, and you can’t protect a door if you don’t know it exists.

<![CDATA[Take the Guesswork and Complexity Out of Your PKI Update]]> https://www.venafi.com/blog/post/take-the-guesswork-and-complexity-out-of-your-pki-update https://www.venafi.com/blog/post/take-the-guesswork-and-complexity-out-of-your-pki-update/#When:19:18:00Z If your public key infrastructure (PKI) is like that of most companies today, it’s probably outdated. That can be a serious problem. Outdated PKI systems result in errors, missed updates, costly business interruptions, and even breaches. This is due to a lack of central visibility, consistent processes, and the refresh validation needed to streamline updates. Moreover, new security and compliance requirements and an evolving threatscape can make it costly and difficult to revamp PKIs.

Key Takeaways

  • Outdated PKI results in errors, missed updates, costly business interruptions, and even breaches
  • To stay protected, reduce certificate lifetimes, migrate to SHA-2, rely on standards, and develop remediation strategies
  • Successful PKI refreshes require visibility, enforced policies and workflows, automation, and validation

Why is it so difficult and costly to refresh an outdated PKI? There are almost 24,000 keys and certificates in today’s average enterprise and 54% of security professionals admit to being unaware of where all of their keys and certificates are located, who owns them, or how they are used. In addition, establishing new root or intermediate CAs and distributing certificates to hundreds or thousands of applications and trust stores is incredibly time consuming, expensive, and error prone. Add to the mix differing, distributed applications and administrators unfamiliar with certificates, and the challenges quickly multiply.

Check out the PKI Refresh solution brief.

PKI Update

But putting off a PKI refresh can open your business to outages and attacks. According to the Ponemon Institute, 100% of the Global 5000 surveyed have responded to attacks using keys and certificates and have had 2 or more certificate-related outages within the last 24 months. What does this mean in dollars and cents? Security professionals estimate that the total possible impact of an attack using keys and certificates is almost $600 Million and the total possible impact of a certificate-related outage is $15 Million. That’s a serious impact—even for the largest enterprises.

To stay protected from these costly and damaging incidents, you may want to consider adopting new PKI refresh standards and strategies:

  • Reduce certificate lifetimes to 3 months or less, as recommended by Google and others to reduce certificate risk exposure (but even Google recently let a certificate expire, showing that even the most security conscious organizations can struggle with key and certificate management and security)
  • Replace SHA-1 with SHA-2, due to potential attacks on SHA-1 certificates. (See NIST’s Policy on Hash Functions.)
  • Update digital certificate maintenance rules according to compliance regulations, such as the PCI DSS, and other security frameworks, such as SANS 20.
  • Develop new remediation strategies to apply following a CA compromise or new vulnerability (Venafi research shows that 3 out of 4 organizations still have not completely remediated the Heartbleed vulnerability).

Manage and Validate Your PKI Refresh with Confidence

How do you implement all of these standards and strategies? With today’s fast changing threatscape and increasing use of digital certificates, successful PKI refreshes require complete visibility, enforced policies and workflows, automation, and validation.

Visibility: Most don’t have complete visibility into their PKI. But for successful PKI management, you need to identify all keys, certificates, CAs, and trust stores across your enterprise networks, the cloud, and multiple CAs.

Enforcing policies and workflows: To ensure consistency while updating your PKI, you need to enforce configurable workflow capabilities for replacement, issuance, and renewal. Also, a policy-enforced, self-service portal can be used to simplify certificate requests and renewals.

Automation of PKI: Automation is critical for PKI in today’s enterprises and should cover the entire CA and certificate refresh process, including the distribution and whitelisting of new CAs in trust stores.

Validating your progress: You should be able to track your progress and completion of your PKI refresh, validating that certificates are installed and applications are running.

With all of these requirements, does a PKI refresh sound like an impossible task? Believe it or not, you can now take the guesswork and complexity out of your next PKI refresh and reduce your risk. With the right solution for your PKI refresh, you can achieve complete visibility, enforce policies and workflows, automate processes, and validate progress. But don’t put this project off—it could literally cost you millions.

What do you consider to be the most critical PKI updates needed? Please share your experiences and thoughts.

<![CDATA[Key and Certificate Security Delivered at the Speed of Business]]> https://www.venafi.com/blog/post/key-and-certificate-security-delivered-at-the-speed-of-business https://www.venafi.com/blog/post/key-and-certificate-security-delivered-at-the-speed-of-business/#When:19:19:00Z Stop keys and certificates from slowing innovation. The speed of cloud computing, the demands of internal IT services SLAs, and the explosion of IoT devices must be supported with automated key and certificate management and security.

Key Takeaways

  • Speed of IT continues to dramatically increase with cloud computing, IoT, and IT service demands
  • Manual key and certificate management, used by most organizations, is slowing IT speed
  • To meet speed demands, corners are cut in key and certificate security or it is sacrificed completely

To improve customer experience, new IT is enabling speed to business in ways that could not have been considered a few years ago. Not too long ago, QA test environments were rebuilt every week. Today they are rebuilt on a continuous basis. Previously, if you wanted to provision a webserver, it would have taken weeks, sometimes months, to secure the hardware followed by the operating system and required software.

Watch this demo to see how to support Chef with automatic key and certificate provisioning.

I remember how it was before the cloud started being adopted; one customer I worked with mentioned that it was faster for them to retrofit a Boeing 737 than it was to stand up a new webserver. How things have changed with DevOps where a new server instance can be available within seconds today. And containerization has only further increased the speed at which application stacks can be made available. One Venafi customer tears down and instantiates its entire environment every week. Think of the mammoth task—no, near impossible task—this would have been just 5 years ago!

Speed + Security in the Cloud

Without speed to market and dynamic, on-demand service delivery, your competition is going to take your customers. But speed should not come at the sacrifice of security. Think about it: keys and certificates are among the technologies that are foundational to the internet and the way we do business. They provide authentication and authorization for millions of systems. Yet keys and certificates, which are at the heart of IT security, often slow down dynamic IT. Most organizations use manual methods to issue and track keys and certificates, and when certificates are used with cloud servers, these manual methods slow down provisioning significantly.

In results from a survey conducted by TechValidate for Venafi, we found that over half (56%) of our customers used manual certificate tracking methods before using our products.


Customer References verified by TechValidate.

What good is it to be able to instantiate cloud workloads quickly if security slows down the process or, worse yet, is skipped completely in the interest of speed?

Organizations and cloud vendors sometimes try to cut corners in key and certificate security to avoid slowing down cloud provisioning. Dell SecureWorks did a study a couple of years back and found that 1 in 5 AWS instances had rogue SSH keys included in them. You may ask yourself, why is this important? Well, it’s basically the same as buying a new car and making multiple copies of your car keys and handing them out to strangers at your local supermarket—anyone who has the key will then have access to your car!

Most cloud vendors now offer ephemeral session keys that cannot be used again. This dramatically reduces the lifespan of the key material. To support the speed benefits of cloud computing while also ensuring security, keys need to be generated and provisioned automatically based on defined security policies. Regardless of how you provision workloads in the cloud, it is of the utmost importance to ensure that you do not reuse keys. Also make sure you have visibility into where the keys are being used, by whom, and for how long.
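As an added illustration of the visibility point above (example code, not Venafi’s), the following audits authorized_keys files gathered from several instances: it computes OpenSSH-style SHA256 fingerprints, flags keys that are not in an approved inventory, and flags a key authorised on more than one host. The host names, key blobs and approved list are all constructed.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Key-type token of an authorized_keys line; anything before it is the options
# field (from="...", command="...", no-pty, ...), anything after it the comment.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


def synthetic_key_blob(seed):
    """Constructed ed25519-shaped blob (string "ssh-ed25519", string of 32 bytes)
    in SSH wire format. The 32 bytes are derived from a label, not a real key."""
    key_type = b"ssh-ed25519"
    data = hashlib.sha256(seed.encode()).digest()
    wire = struct.pack(">I", len(key_type)) + key_type
    wire += struct.pack(">I", len(data)) + data
    return base64.b64encode(wire).decode()


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without
    padding, the same form `ssh-keygen -lf` prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (entries, malformed_lines). Each entry holds the options,
    key_type, blob and comment fields of one authorized_keys line."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if KEY_TYPE_RE.match(p)), None)
        if idx is None or idx + 1 >= len(parts):
            malformed.append(line)
            continue
        entries.append({
            # Options are re-joined with single spaces; quoted values that
            # contained runs of spaces are not reconstructed exactly.
            "options": " ".join(parts[:idx]),
            "key_type": parts[idx],
            "blob": parts[idx + 1],
            "comment": " ".join(parts[idx + 2:]),
        })
    return entries, malformed


def audit(keys_by_host, approved_fingerprints):
    """Findings as (host, kind, fingerprint, detail) tuples. kind is
    'malformed', 'unapproved' (not in the key inventory) or 'reused'
    (the same public key authorised on more than one host)."""
    hosts_by_fp = defaultdict(set)
    findings = []
    for host, text in keys_by_host.items():
        entries, malformed = parse_authorized_keys(text)
        findings.extend((host, "malformed", "", line) for line in malformed)
        for entry in entries:
            fp = fingerprint(entry["blob"])
            hosts_by_fp[fp].add(host)
            if fp not in approved_fingerprints:
                findings.append((host, "unapproved", fp, entry["comment"]))
    for fp, hosts in sorted(hosts_by_fp.items()):
        if len(hosts) > 1:
            findings.append(("*", "reused", fp, ",".join(sorted(hosts))))
    return findings


# Constructed sample: authorized_keys files collected from three instances.
KEY_DEPLOY = synthetic_key_blob("deploy-ci")
KEY_ADMIN = synthetic_key_blob("admin-alice")
KEY_LEFTOVER = synthetic_key_blob("baked-into-image")

AUTHORIZED_KEYS_BY_HOST = {
    "web-01": f"ssh-ed25519 {KEY_DEPLOY} deploy@ci\n"
              f'from="10.0.0.0/8",no-pty ssh-ed25519 {KEY_ADMIN} alice@corp\n',
    "web-02": f"ssh-ed25519 {KEY_DEPLOY} deploy@ci\n",
    "db-01": f"# present in the base image\nssh-ed25519 {KEY_LEFTOVER} build@old-image\n"
             "ssh-rsa\n",
}
# In practice this set comes from your key inventory; here it is constructed.
APPROVED = {fingerprint(KEY_DEPLOY), fingerprint(KEY_ADMIN)}

if __name__ == "__main__":
    for host, kind, fp, detail in audit(AUTHORIZED_KEYS_BY_HOST, APPROVED):
        print(f"{host:8} {kind:10} {fp} {detail}")
```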

Speed + Security for Internal SLA of IT Services

Speed is an important factor in internal IT services Service Level Agreements (SLAs). Other departments turn to IT to deliver services, and key and certificate issuance in support of these services can significantly impact the SLAs to which the IT department can commit.

In the recent TechValidate survey, we found that over half (57%) of the respondents were able to improve their internal IT services SLA after deploying Venafi—over one-third (34%) were able to change this from days to just hours. Automated key and certificate provisioning can have a significant impact on the services SLA that IT can deliver.


Customer References verified by TechValidate.

Speed + Security for IoT

We already have a few billion Internet of Things (IoT) devices connected through the Internet. And with the additional IoT devices coming to market, supporting a multitude of use cases, that number is expected to grow dramatically. According to Gartner, by 2020 there will be 25 billion connected “things”, all of which need some way of authenticating on the network and communicating securely.

Automakers are expecting cars to be a high-value target for hackers and have already begun to put security controls in place. One such control changes the SSL/TLS certificates at least 12 times per hour—think what a PKI management nightmare that may be if you are not able to automate processes and tell whether a certificate is good or bad, friend or foe. As IoT devices increase, real-time key and certificate management will be needed to keep up with security and access demands.

Security at Speed

Although I focused on cloud, internal IT services, and IoT, there are many other examples where keys and certificates need to be provisioned or replaced very quickly to satisfy the business need. But security does not have to be sacrificed to achieve speed of deployment in any environment. The full key management lifecycle process can be automated so that security policies can be applied and the environment kept safe.

If you are interested in seeing how Venafi automatically provisions keys and certificates with Chef, please review the following demonstration video.

How does your organization ensure your key and certificate management and security keep up with the speed demands of IT?

<![CDATA[Venafi Supports Google Certificate Transparency with CA-Agnostic Log and Monitor ]]> https://www.venafi.com/blog/post/venafi-supports-google-certificate-transparency https://www.venafi.com/blog/post/venafi-supports-google-certificate-transparency/#When:13:00:00Z Venafi is proud to announce the availability of the Venafi CT log and CT monitor.

Key Takeaways

  • Google Certificate Transparency provides safer internet browsing by allowing anyone to scrutinize the certificate issuance process.
  • Venafi supports Google Certificate Transparency (CT) with the Venafi CT log and CT monitor.
  • Venafi TrustNet uses Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet.

Download the TrustNet white paper to learn how Venafi uses Google CT in Venafi TrustNet

The Google Chrome browser requires public logging of Extended Validation (EV) SSL/TLS certificates as part of Google Certificate Transparency (CT). Any EV certificate issued after January 1, 2015 that is not logged with CT will cease to show the EV indicator “green bar” in the Chrome browser.

Google CT aims to stop unauthorized certificate issuance by providing the ability for anyone to scrutinize the issuance process. This is provided by three core components: the certificate log, a monitor, and an auditor.

A Growing Need

Cybercriminals and nation states have realized the value of misusing certificates, as shown by certificate issuance practices being abused more and more frequently. Earlier this year, reports of a man-in-the-middle attack orchestrated by the China Internet Network Information Center (CNNIC) provided just one example of how certificate issuance can be used for nefarious purposes.

Google CT aims to provide safer internet browsing by detecting mis-issued certificates, malicious certificates, or rogue CAs within a few hours of their creation. This is possible because the CT requirements dictate how and where every issued certificate must be logged with Google CT.

Venafi Support for Google CT

Venafi is proud to announce support for Google CT with the Venafi CT log and CT monitor. As the Immune System for the Internet™, Venafi provides a CT log independent of any specific Certificate Authority (CA), welcoming any CA to publish to the Venafi CT log.

CT Log: Any CA wishing to be compliant with Google CT is required to publish the certificates it issues to at least three (3) logs. These logs are publicly auditable and cryptographically assured.

Diagram of Venafi CT Log and Monitor

CT Monitor: Venafi also participates in the Google CT initiative by providing a monitor. Monitors watch logs for suspicious certificates and verify that all logged certificates are visible.
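The “cryptographically assured” property of a CT log rests on the RFC 6962 Merkle hash tree: a monitor or auditor can confirm that an entry is under the log’s signed root using only a short audit path rather than the whole log. The following is an added example, not Venafi’s code, with the tree hash, audit path and inclusion check run over constructed placeholder entries.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes are hashed with
# different prefixes so a leaf can never be passed off as a node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(entry):
    return _sha256(LEAF_PREFIX + entry)


def _node_hash(left, right):
    return _sha256(NODE_PREFIX + left + right)


def _split_point(n):
    """Largest power of two strictly smaller than n (n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries):
    """MTH(D[n]) from RFC 6962 section 2.1: the root a log signs in its tree head."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return _node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def audit_path(m, entries):
    """PATH(m, D[n]): the sibling hashes a log returns for an inclusion proof."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return audit_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf_index, tree_size, entry, path, root_hash):
    """Auditor-side check that entry sits at leaf_index under root_hash,
    following the RFC 9162 section 2.1.3.2 verification algorithm."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree size allows
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = _node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


# Constructed placeholder entries; a real log leaf is a MerkleTreeLeaf holding
# the certificate or precertificate plus the log's timestamp.
LOG_ENTRIES = [f"cert:host{i}.example.test#{i}".encode() for i in range(7)]


def check_entry(index, entries=LOG_ENTRIES):
    """What a monitor does after spotting a certificate for its domain: fetch
    the proof and confirm the entry is really under the signed root."""
    root = merkle_tree_hash(entries)
    path = audit_path(index, entries)
    return verify_inclusion(index, len(entries), entries[index], path, root)


if __name__ == "__main__":
    for i in range(len(LOG_ENTRIES)):
        print(i, check_entry(i))
```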

The Value of Google CT

Gartner got it right back in 2012 when it concluded that “no certificate can be blindly trusted.” One good example of the value of Google CT: Google found an Extended Validation (EV) pre-certificate issued without Google’s authorization by Thawte CA. However, although CT identified the fraudulent certificate when Thawte issued the pre-certificate, CT identification is limited to detecting certificate misuse at the time of issuance only.

Beyond Google CT

Because Venafi is CA-agnostic, providing a CT monitor allows Venafi to gain early visibility into certificate issuance practices across CAs. And Venafi TrustNet™ goes beyond certificate issuance information, using Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet throughout the certificate lifecycle.

In addition to the pre-certificate found by Google that was issued last week by Thawte, I decided to run a report utilizing Venafi TrustNet and found 20 other certificates issued to the google.com domain that are currently live and issued by some suspicious CAs that are not in the Google CT log.

To protect your organization’s brand from being misrepresented, Venafi TrustNet certificate reputation helps organizations detect and remediate certificate misuse, at issuance and throughout the life of a certificate, by evaluating the entire internet.

How does your organization ensure no digital certificate is being used on the internet to misrepresent your brand?

<![CDATA[Biometrics Stolen During OPM Breach—Your Fingerprints May No Longer Be Your Own ]]> https://www.venafi.com/blog/post/biometrics-stolen-during-opm-breach https://www.venafi.com/blog/post/biometrics-stolen-during-opm-breach/#When:13:00:00Z During what is believed to be the biggest breach in U.S. history, it was reported that along with all of the other sensitive data, over 5.6 million fingerprints were also exposed to the hackers.

While you may think that spies wearing life-like masks and gloves with false fingerprints on them to commit espionage could only happen in a Mission Impossible plot, you may be shocked to know that with the biometric data that was stolen in the recent Office of Personnel Management (OPM) breach, this may now be possible.

Of course we hope these tricks will continue to be acted out only by Tom Cruise, but everyone should still be aware of the very serious fact that hackers obtained over 5.6 million fingerprints (originally estimated by the OPM at only 1.1 million, a figure that has since grown) from the 21.5 million people whose personal data was stolen. Having these biometrics stolen is terrifying for two major reasons:

  1. There could be a brand new type of stolen goods being trafficked on the black market: biometrics.
  2. Those whose biometrics were stolen will have to deal with losing their identity for the rest of their lives.

It is still unclear what the hackers plan to do with the biometric data they have stolen, but impersonators are already on the black market selling fake OPM-breached fingerprints. Knowing there is already a demand for them shows that biometric data may become the newest “hot ticket data” hackers are after. This could open up a Pandora’s Box for those impacted by the breach, since their fingerprints, along with other biometric data, are exposed and easy for the taking. And the fact that you cannot change your fingerprints every few months, like you can a credit card number, is also scary: unlike stolen passwords and identity numbers, your fingerprints can’t be replaced. Keeping your biometric data secure is a serious security concern that hasn’t been addressed much—at least not to date.

Download Now - Close the Gaps in Identity and Access Management

Stolen Biometrics

Today, fingerprints are used for background checks, border crossings, workplace identification, and, more recently, unlocking smartphones. If your biometric data is stolen, identifying yourself by what was once the most trusted method will no longer be an option for you. Even worse, the sensitive biometric data of U.S. diplomats and government agents exposed by the OPM hack could, now that it is stolen, lead the hackers to even more horrifying information. It has the potential to unlock devices that hold incredibly sensitive, current data such as undercover investigations, international negotiations, and conversations that were kept secret for a reason.

In the early 1900’s, my grandmother’s brother (immigrant from Italy) was fingerprinted when he entered the U.S. He spent many years working in a brick yard—he literally burned off all of his fingerprints and always joked, “Now the government doesn’t know who I am!” Who would have thought that a century later, a cyber attack would leave millions of people in the dark wondering what hackers plan to do with their fingerprints and personal information.

Now is a really good time for the U.S. government and global companies around the world to consider better security measures around their biometric data. We simply can’t sit here and wait for another OPM-like breach to happen that leaves even more data for the taking.


<![CDATA[Untrusted Certificates—Survey Shows IT Security Pros Know the Risks but Do Nothing]]> https://www.venafi.com/blog/post/survey-shows-it-security-pros-know-the-risks-but-do-nothing https://www.venafi.com/blog/post/survey-shows-it-security-pros-know-the-risks-but-do-nothing/#When:12:00:00Z Today, Venafi released a report based on survey findings and analysis, IT Security Professionals Know the Risk of Untrusted Certificates and Issuers, but Do Nothing. The survey was conducted at 2015 Black Hat USA and gathered responses from over 300 IT security professionals. As the title suggests, the report reveals that security professionals know the risks associated with untrusted certificates, including compromises of certificate authorities (CAs), but they are currently not taking steps to protect themselves and don’t have remediation mechanisms in place to effectively mitigate a future CA compromise.

Why is it important to understand and respond to threats using untrusted certificates? The report highlights how cybercriminals are increasingly misusing keys and certificates to breach organizations, elevate their privileges, and hide activity. And although they may know the risks, most organizations are unprepared to defend against these attacks.

Watch Now - Free Ponemon Webinar on Enterprise Certificate and Keys Attacks

Security Pros Know the Risks

Here are a couple of survey responses that indicate that security professionals are aware of the risks associated with untrusted certificates and compromised CAs:

  • The major issuers of online trust will be compromised, with 90% of the respondents believing a leading CA will be breached within the next two years.

  • When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application, or mobile device, 58% stated they are concerned about MITM attacks and 14% had concerns about replay attacks.

Statistics on Certificate Authority Security Risks

They Lack Visibility into the Extent of their Risk Exposure

Although security professionals understand the types of threats that can result from misused certificates, they do not grasp the extent of their risk exposure.

  • Most security professionals (63%) don’t know or falsely believe that a CA secures certificates and cryptographic keys. CAs only issue and revoke certificates—they don’t monitor their use and do not provide any security for them.

  • When asked how many CAs are trusted on mobile devices, survey respondents believe it to be a median of three. On Apple iOS devices the median response was two, when in fact the number of trusted CAs is over 240.

Security Pros Aren’t Taking Action

Maybe because of the lack of insight into the extent of their risk, security professionals aren’t taking action against current threats or establishing incident response plans that will protect them in the future when a leading CA is compromised.

  • Only 26% removed CNNIC from all desktops, laptops, and mobile devices after Google and Mozilla deemed CNNIC as untrustworthy to protect Chrome and Firefox users from a MITM attack. The remaining 74% are still exposed.

  • Most (61%) would be unprepared to promptly respond to a breach of a leading CA, relying on manual procedures performed by administrators or incident response firms to remediate (including manually addressing Vulnerability Management System data).

  • Worse yet, 30% either did not know what they would do or would continue using the same CA—leaving them vulnerable.

Statistic on Responding to CA Compromise

What should organizations do to protect themselves? Read the report to get a 3-point recommendation plan on how to reduce the risk and impact of fraudulent issuance and misuse of certificates. The report concludes by saying we should take a lesson from nature and use the Immune System for the Internet™ to identify good vs. bad, friend vs. foe to defend against the misuse of keys and certificates.

What are your thoughts on these survey results? Is your organization prepared for the next CA compromise? How do you remediate when your certificates and keys are misused by cybercriminals?

<![CDATA[Still Using SHA-1? It’s Time to Switch!]]> https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/#When:13:00:00Z Why all of the fuss?

SHA-1 was deprecated by NIST from 2011 through 2013 because its security strength is susceptible to a collision attack. Due to ever-increasing computational power, the risk of SHA-1 being broken via a collision attack in the next few years is very real. For that reason, most certificate authorities (CAs) only issue certificates using SHA-2 or above.

Google, Microsoft, and Mozilla already began taking steps last year to help end users understand the risks, and have updated their policies. These policies state that sites with end-entity certificates expiring on or after 1 January 2017 that make use of SHA-1 will no longer be accepted as secure. These policies also require CAs to stop issuing new SHA-1 certificates after 1 January 2016.

What's needed for SHA-1 migration? Download the SHA-1 Migration Guide.

What progress are we making with SHA-1 to SHA-2 migration?

It’s now well known that certificates signed with SHA-1 are not secure, but what progress are companies really making in transitioning to SHA-2? Using Venafi TrustNet certificate reputation services, I generated a report of all SHA-1 certificates that have been issued since 31 December 2013—this date is after NIST had deprecated SHA-1 usage—and filtered out any certificates that are set to expire before the 1 January 2017 deadline. The results speak for themselves as to the state of the industry!

There are over 1.5 million certificates that have been issued since 31 December 2013 with SHA-1 that are set to expire well beyond the 1 January 2017 deadline, when major browsers will stop trusting these certificates.

SHA-1 Certificate Expiration Age Beyond January 1, 2017

Although too small a percentage to show on the chart above, 330 certificates were found to be expiring in more than 100 years! I guess some security practitioners are looking out for future generations so that they don’t run into any outages related to certificate expirations; they obviously don’t believe SHA-1 will be fully exploitable by 2114—but this is at the cost of security.

What steps should you take to start your SHA-1 migration?

Certificate inventory assessment is the first step, establishing the scope and extent of your SHA-1 to SHA-2 migration. With a clear understanding of your certificate inventory and trust stores, you can determine which systems and applications may be impacted.

Revision of policies is needed to indicate that only SHA-2 certificates are generated moving forward and newly generated keys and certificates are in compliance with corporate and industry security standards.

Application and system testing is one of the very first things that needs to be performed before attempting to deploy any new certificates into the environment. You may have a legacy application that does not support SHA-2 and there is no migration plan from the vendor. If this is the case, you need to make a judgment call: migrate the application to a newer application that does support SHA-2 or live with the risk knowing full well that it’s a ticking time bomb.

Automated deployment of new certificates is recommended, especially when you consider that the average large enterprise has over 23,000 keys and certificates to manage. By automating the process you can validate the entire CA and certificate refresh process, including SHA-2 implementation.

Another recommendation is to deploy a new PKI hierarchy for SHA-2 and slowly migrate all systems and applications from the old one. In doing so, any system or application that does not support SHA-2 can be left using the old PKI hierarchy while all those that do support SHA-2 can use the new, more secure PKI environment.
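As an added example (not Venafi’s or TrustNet’s code), the inventory assessment step above and the report earlier in the post can be reproduced over DER certificates: a small parser reads the signature algorithm and validity window of each certificate, and a filter keeps SHA-1 certificates issued after 31 December 2013 that expire on or after 1 January 2017, including the century-long ones. The sample certificates are constructed DER skeletons with dummy names, keys and signatures.

```python
import datetime

# Signature-algorithm OIDs mapped to (name, hash family); extend as needed.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

# Minimal DER reader: low tag numbers and definite lengths, which is all X.509 uses.
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) pairs of the members of a SEQUENCE or other constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def _decode_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDD...; RFC 5280 reads YY as 1950-2049
        year = int(s[:2])
        s = str(year + (1900 if year >= 50 else 2000)) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")  # also GeneralizedTime

def describe_certificate(der):
    """Signature algorithm and validity window of one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _signature = _children(cert)[:3]
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # explicit [0] version is optional (absent means v1)
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, spki, ...
    not_before, not_after = (_decode_time(*t) for t in _children(fields[3][1]))
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    name, family = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"sig_alg": name, "family": family, "not_before": not_before, "not_after": not_after}

def sha1_migration_report(certs, issued_since=datetime.datetime(2013, 12, 31),
                          deadline=datetime.datetime(2017, 1, 1)):
    """Same filter as the report in the text: SHA-1 certificates issued after
    issued_since that expire on or after the browser deadline."""
    flagged = []
    for label, der in certs.items():
        info = describe_certificate(der)
        if (info["family"] == "SHA-1" and info["not_before"] > issued_since
                and info["not_after"] >= deadline):
            flagged.append((label, info["sig_alg"], info["not_after"].date()))
    return flagged

# Constructed sample certificates: DER skeletons with empty names, an empty key
# and a dummy signature, carrying only the fields the parser above reads.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_time(dt):  # UTCTime inside 1950-2049, GeneralizedTime otherwise
    if 1950 <= dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def synthetic_certificate(sig_oid_der, not_before, not_after):
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))
    empty_name, empty_spki = _tlv(0x30, b""), _tlv(0x30, b"")
    validity = _tlv(0x30, _encode_time(not_before) + _encode_time(not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + empty_name + validity + empty_name + empty_spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
D = datetime.datetime
SAMPLE_CERTS = {
    "legacy-erp": synthetic_certificate(SHA1_RSA, D(2014, 6, 1), D(2019, 6, 1)),
    "century-cert": synthetic_certificate(SHA1_RSA, D(2014, 1, 15), D(2114, 1, 15)),
    "sha1-but-expiring": synthetic_certificate(SHA1_RSA, D(2014, 1, 1), D(2016, 6, 30)),
    "web-sha256": synthetic_certificate(SHA256_RSA, D(2015, 3, 1), D(2018, 3, 1)),
}

if __name__ == "__main__":
    for label, alg, expiry in sha1_migration_report(SAMPLE_CERTS):
        print(f"{label}: {alg}, expires {expiry}")
```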

Where are you in your SHA-1 to SHA-2 migration? Please share any roadblocks or successes you’re experiencing.

<![CDATA[The Wild West of Encryption: A Holdup for Keys and Certificates ]]> https://www.venafi.com/blog/post/the-wild-west-of-encryption-a-holdup-for-keys-and-certificates https://www.venafi.com/blog/post/the-wild-west-of-encryption-a-holdup-for-keys-and-certificates/#When:14:00:00Z During my time at PGP, which was run by some of the most passionate security trailblazers of their time, part of the fight was trying to teach the world that they should encrypt their data. Time and time again, I have heard people say that they have nothing to hide so they are not worried about privacy. I love Edward Snowden’s quote “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” His quote really brings it home for me.

Philip Zimmermann went to federal court and won the right to privacy for us. For me, this is up there with the right to vote. At PGP, we taught the need to encrypt and protect your data at rest and in transit. Here at Venafi, we teach that you need to protect your encryption assets—keys and certificates. Those are the new targets: because encryption itself is pretty good (PGP stands for Pretty Good Privacy), cybercriminals target the encryption keys instead, to break encryption or leverage it in their attacks.

Sadly, they are apparently an easy target, because in most environments, digital certificates and keys are like the Wild West. Even with a software solution from a leading company like Venafi, if you don’t put the proper level of attention to managing and securing your certificates and keys, you will be vulnerable to exploitation from, at the very least, your lack of visibility.

The Wild West of Encryption

Let’s face it; unless you have a solution in place and have dedicated the right resources, you don’t have the following:

  1. You don’t know what CAs are in your environment (we have discovered rogue CAs issuing certificates in customer environments)
  2. You don’t know where all of your wild card certificates live (we have found file shares with certificates and private keys)
  3. You don’t have any control whatsoever over self-signed certificates that anyone can issue and use
  4. You don’t know what data is being sent out of your organization to some outside entity (e.g., Edward Snowden)
  5. You don’t have any guarantee that your production will not shut down tomorrow due to a certificate-related outage
  6. You don’t have any control over or visibility into your SSH inventory, which provides privileged access to your systems
  7. You don’t have the ability to respond quickly to a problem with CAs, keys, or certificate-related outages

There are many more specific scenarios and examples I can share. The Wild West was a dangerous place. It eventually got better as communication and response times improved and society got together to solve the problem. In the Wild West days, physical banks and trains were the targets. Intercepting a train carrying a valuable payload was pretty easy because, by the time you knew you were robbed, it was too late. Today, it is digital keys and certificates. Welcome to the Wild West of encryption.

<![CDATA[For the 2nd Year Running, PCI SSC Announces Securing Keys and Certificates a PCI SIG Finalist ]]> https://www.venafi.com/blog/post/pci-ssc-announces-securing-keys-and-certificates-a-pci-sig-finalist https://www.venafi.com/blog/post/pci-ssc-announces-securing-keys-and-certificates-a-pci-sig-finalist/#When:17:45:00Z There has been a dramatic increase in attacks that leverage keys and certificates, and the recent breadth and criticality of vulnerabilities, from Heartbleed to POODLE, underscore the importance of strong security and remediation capabilities. With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced today in its PCI Monitor weekly newsletter that Securing Cryptographic Keys and Digital Certificates is among the five finalists selected for a 2016 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS).

This is the second year running that the PCI SSC has designated key and certificate security as a SIG finalist. Although the PCI Participating Organizations did not elect key and certificate security as a 2015 SIG last year, the PCI SSC has selected it as a finalist again—this time for the 2016 PCI SIGs—showing the council’s support for this important security topic and the need for a SIG in this area. Its acceptance for the second time emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.

This year the vulnerabilities in SSL and early TLS moved the PCI Council to eliminate their use under PCI DSS 3.1. However, to date, there has not been specific guidance on how to best implement and secure keys and certificates with detailed information on industry best practices and how these security elements interrelate for optimal protection.

Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.

PCI SSC Special Interest Group Selection

Are you one of the doubters who don’t think you’ll become a victim? It looks like many G5000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, for the last four years running, every major enterprise has been attacked using compromised keys and certificates. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. Advanced Persistent Threats (APTs) that target keys and certificates such as APT 1, APT 18, Mask, POODLE, FREAK, Shellshock, and the Sony breach, as well as the Chinese certificate authority, CNNIC, involved in the issuance of malicious certificates, are just a few examples that underscore the importance of strong key and certificate security and remediation capabilities.

The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.

We have two primary objectives for this SIG:

  • Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
  • Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates

So what’s next? Video presentations of the selected PCI SIG finalists will be presented at the 2015 PCI Community Meetings in North America (September) and Europe (November), and on the PCI SSC website. After the community meetings, an election will be held and the PCI Participating Organizations will vote. The leading 1-2 SIG topics will become PCI SIG projects for 2016.

We have several participants already committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000. We hope that PCI Participating Organizations will follow the council’s show of support for key and certificate security for two years running and vote for this important SIG.

If you are the voting member of a PCI Participating Organization, vote for Cryptographic Key and Digital Certificate Security as a 2016 SIG and consider becoming one of the SIG participants.

<![CDATA[Research: Clueless Enterprises Miss Certificate Breaches]]> https://www.venafi.com/blog/post/research-clueless-enterprises-miss-certificate-breaches https://www.venafi.com/blog/post/research-clueless-enterprises-miss-certificate-breaches/#When:15:00:00Z This article was originally posted by IDG Connect on August 5, 2015 at: http://www.idgconnect.com/abstract/10251/research-clueless-enterprises-miss-certificate-breaches

Attacks on digital keys and certificates are very different to typical cyberattacks and are becoming increasingly common, leaving victims open to devastating security breaches.

With a compromised or stolen key, cyber criminals can impersonate, surveil, and monitor their targets, as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers unrestricted access to their victim’s network, where they may go undetected for some time with trusted access, siphoning off confidential data to use for criminal ends.

In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to learn what they do to prevent breaches and establish greater trust online. Disturbingly, the data revealed that most IT professionals acknowledge they don’t know how to detect or remediate compromised cryptographic keys and digital certificates.

The survey results highlighted that 38% of respondents can’t, or don’t know how to, detect compromised keys and certificates, and 56% of the other respondents said they are using a combination of Next-Generation Firewalls (NGFW), anti-virus, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and sandboxes to find these types of attacks.

One area that cybercriminals are taking advantage of is Secure Sockets Layer (SSL) encrypted traffic, which is rapidly gaining momentum in enterprises. According to market research company Gartner, 50% of all inbound and outbound network attacks will use SSL/Transport Layer Security (TLS) by 2017. Attackers are aware that most security systems either trust SSL/TLS or don’t have access to the keys needed to decrypt traffic and search out hidden risks. These security weaknesses create blind spots that subvert critical security controls.

Broken Link in Security

Disturbingly, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks on keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys that have been breached.

Following a breach, more than three-quarters (78%) of those surveyed said they would still only complete partial remediation which would leave them vulnerable to further attacks. When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system. Another 16% had no idea. A manual process was being used by 14%, whilst 22% placed the responsibility elsewhere in the enterprise.

The survey findings are concerning given the increase in attacks on internet trust and the major SSL/TLS and SSH key and certificate-related vulnerabilities we’ve seen over the past six months alone. From Heartbleed, ShellShock, POODLE, the Gogo man-in-the-middle attacks, Lenovo’s Superfish vulnerability, FREAK and now the LogJam flaw, cybercriminals are all too aware of the vulnerabilities in unprotected keys and certificates and are using these weaknesses to carry out malicious acts.

Read the full article at: http://www.idgconnect.com/abstract/10251/research-clueless-enterprises-miss-certificate-breaches

<![CDATA[Superfish: One Step Closer to Sinking our Boat ]]> https://www.venafi.com/blog/post/superfish-one-step-closer-to-sinking-our-boat https://www.venafi.com/blog/post/superfish-one-step-closer-to-sinking-our-boat/#When:16:00:00Z Original article published at Infosecurity Magazine on August 25, 2015: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/

Earlier this year Lenovo got caught installing Superfish adware on its laptops. Superfish breaks open SSL/TLS encryption using forged digital certificates and unwittingly allows bad guys to exploit the digital trust they provide. Unfortunately, man-in-the-middle (MITM) attacks with forged certificates are nothing new.

The SSL/TLS trust model is designed to protect communications end-to-end. But Lenovo inserted the Superfish CA certificate as trusted, meaning that all of the MITM certificates were trusted within the browser, thereby exposing users to insecure sites or interception of private communications. Whilst Lenovo admitted its mistake and claims to no longer ship adware, it is clear that the system of trust established by keys and certificates is under attack.

Keys and certificates were designed to be like the biological tags in living cells – identifying what’s safe and trusted. However, we left out one thing it seems: an immune system to keep up with what really is trusted. There’s a lot we can learn from our human immune system and apply to the cyber realm.

Read the full article at: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/

<![CDATA[How Are We Still Talking About Broken Trust?]]> https://www.venafi.com/blog/post/how-are-we-still-talking-about-broken-trust https://www.venafi.com/blog/post/how-are-we-still-talking-about-broken-trust/#When:18:57:00Z We live in the age of technology. It is a fast-paced, break-neck ride to deliver great solutions—everything from the largest, complex integrated solution to the single, simple iPhone app. With online solutions a part of so much of our everyday lives, why are we still talking about digital certificates, the backbone of internet communication, being broken?

I will tell you why. It’s hard. Once Netscape introduced the SSL protocol used with X.509 certificates in 1994, it was obvious we needed to fix online communication and FAST. We seized the quickest solution and the use of X.509 certificates with SSL for online communications soared. With this protection, online commerce exploded with the confidence that identity and privacy could be ensured.

Well, the internet is all “grow’d up” and our SSL/TLS solution needs to be refitted. Moxie Marlinspike at Defcon 19 in 2011 told an over-packed audience of hackers at the Rio in Las Vegas that the way we establish trust needs to change; we need to take the power back from trust stores that have been force-fed into our systems and make our own informed decision on who or what we want to trust. Convergence Beta was then created.

I just got back from Defcon 23 and, yet again, there were several talks on exploiting digital certificate weaknesses. Besides the few sneaky hacks I saw, it was interesting to see a solution proposed to the open source community to try and help our broken trust. A couple of guys, for the love of protected communications, came up with a product called TLS Canary (warning: the content is provocative). In real time, it will check the trustworthiness of the certificate you are trying to access and tell you whether it is good or bad.

Defcon 23 Discusses Broken Online Trust

There are now several approaches to certificate trustworthiness, but we need to ensure that we’re turning to a comprehensive source. Google is running the Google CT (Certificate Transparency) project, TLS Canary has been developed, and we have the SSL Observatory. In addition, some people are trying to solve issues with certificate pinning. Good, great! Finally we have several groups out there pushing for and delivering solutions. Everyone is starting to see the issue that Venafi has been solving for years. Venafi, the Immune System for the Internet™, provides the single most comprehensive source of certificate trustworthiness.

Venafi has a platform that not only helps you establish what to trust through its TrustNet product, but will also bring order to the chaos that is your PKI (Public Key Infrastructure) and keys through the Trust Protection Platform. Technology overall has been slow to address its trust issues, and understandably, because it’s hard. But let’s heal our known broken trust issues already so we can get new, interesting topics at Defcon!

<![CDATA[Encrypt Like Everyone is Watching—Decrypt Like No One Is]]> https://www.venafi.com/blog/post/encrypt-like-everyone-is-watching https://www.venafi.com/blog/post/encrypt-like-everyone-is-watching/#When:16:20:00Z I just attended Black Hat 2015, and what a great conference it was. I learned that “hackers,” including white hats, grey hats, and black hats, are really interesting people. At Black Hat, I saw briefings on how to hack a Jeep, a smart card, Android, iOS, Windows, HTTPS, and a fingerprint. Pretty much anything can be hacked. Some do it for the greater good, letting the manufacturers know so the security can be hardened and the hacks cannot occur in the future.

The presentation on the Black Hat network was especially interesting. This year was the first year that the network operations center (NOC) was open to the attendees of Black Hat to tour. The NOC is a labor of love for a lot of IT security professionals—many even take PTO to make it happen. This is the network that is used for the training classes at Black Hat. The top websites visited, top applications used, botnets detected, and malware detected were presented.

The people that run the NOC do keep a close eye on any “egregious” hacks, but how is that defined, really? Think of what these folks, doing their labor of love, learn about the attack vectors that are coming. Wow! If the hack is being taught at a training class, then they are expecting it. However, they did state that all types of hacks were done to each other, one attendee of the conference to another.

At the conference, 80% of the traffic was encrypted this year using TLS, which is way up from past years. This is a really interesting anecdote if you think about how a hacker can go undetected in encrypted traffic.

SSL/TLS Protects Black Hat 2015 Traffic

These Black Hat sessions highlight how important it is to encrypt sensitive information properly so it isn’t available to hackers. Perhaps even more important is the ability to conduct SSL/TLS inspection by decrypting the ingress and egress traffic of your enterprise. SSL/TLS inspection lets you detect malware phoning home to a command-and-control server, or a hacker who has landed on your systems and is expanding access.

How are you protecting SSL/TLS in your organization? Are you using SHA-2, at least 2048-bit keys, short validity periods, and TLS 1.2 to protect your SSL/TLS sessions? Do you have visibility into where all of your SSL/TLS keys are located to prevent outages? Would you be able to find a fake certificate issued in your brand name in your enterprise or on the internet? Are you conducting SSL/TLS inspection at your organization? Overall, do you feel you are protected from hacking when you use SSL/TLS?

<![CDATA[IT Security:  ♫ It’s all About the Basics, ‘Bout the Basics, No Trouble ♫]]> https://www.venafi.com/blog/post/it-security-its-all-about-the-basics https://www.venafi.com/blog/post/it-security-its-all-about-the-basics/#When:15:03:00Z Okay—stop laughing, everyone (and I mean everyone) knows I am no singer, but IT Security professionals really need to ensure they have the basics in place and I liked the attention this title brought to light as the foundation for this blog.

As I think back over the high-profile (and some of the not so high-profile…) hacks and breaches that have occurred over the last 18 months, I asked myself:

  • How many have been the result of the smartest, most ingenious hackers in the world?
  • How many have happened because someone just did something by accident?
  • How many have happened just because they didn’t have visibility into their network and security dashboards?

As I sat down and did some research and consulted with my peers around the world, I came to this conclusion: we are truly neglecting the security basics and need to get back to them fast. So what are the basics exactly?

Step #1 Take Careful Inventory of Your Assets and Software: You can’t protect what you don’t know you have and many organizations often skip this basic but fundamental step. I’ve seen several instances of this recently while working with companies to improve their key and certificate security. Many companies simply do not have a complete inventory—they have no idea how many keys and certs they have or how they are being used or misused. In a recent survey that Venafi commissioned with the Ponemon Institute, the results revealed that the average enterprise has almost 24,000 keys and certificates and 54 percent of security professionals admit to being unaware of where all of their keys and certificates are located. This is just one example, but it underscores the reality that organizations need a good inventory of ALL IT assets, identities, hardware, keys and certs, and software.

Almost 24,000 Keys and Certificates per Enterprise

Step #2 Establish A Trusted Baseline: Organizations need to establish and update a known good state, or baseline. Baselines can be used to identify when security issues arise and provide a means to return the organization back to a known good state after a breach.

A few years back, I read an article with an analogy that struck me. It built on the old saying for finding something that seems impossible, “It’s like finding a needle in a haystack,” but changed it a bit to be more relevant, and it has held meaning for me ever since: “You don’t need to know what the needle(s) look like; you just have to know what the hay looks like. You take all the hay out and only the needle(s) are left.”

So how does this relate to baselining? If you take the known good out (your current baseline), then you’re left with the needle(s). Those needles can be good or bad, but now you know about them, can take proper action, and are able to begin remediation or restore to a known good state.

Step #3 Deploy a Strong Security Foundation: Once you have a complete inventory and you know what you need to protect, the next step is to deploy a good security foundation to build upon. Today, many companies are spending money on expensive “Next-Gen” or “Threat Intel” solutions and are not putting enough emphasis on the basics. You need to know what you have in order to protect it. There are many guidelines out there such as the SANS 20 Critical Security Controls. SANS starts with an “Inventory of Authorized and Unauthorized Devices, and Inventory of Authorized and Unauthorized Software”—obviously to my earlier point, visibility into your inventory is crucial. There are many other standards, guidelines, etc. out there, and it is up to you to determine what you want to work with for the regulations that you must comply with in your industry.

Step #4 Beef Up Your Detection: We tend to become overly invested in and overly reliant on our preventative capabilities to mitigate cybersecurity threats. This is often at the cost of good detection capabilities. In addition to inventories and baselines, IT security teams need to establish strong processes and procedures in incident response plans, triage/analysis tactics, and log monitoring. When there is a breach, organizations need to be able to quickly identify anomalous behavior and remediate, and to return the systems/networks to a good, trusted state while minimizing damages, recovery time, and costs. This need for detection applies across all technical, administrative, and procedural domains regardless of whether the compromise impacts hardware, software, user IDs, privileged access, keys and certificates, or any other IT security asset.

When was the last time you tested your incident response plans? People come and go; processes are always changing, and those changes need to be taken into consideration each and every time you exercise your plans; and don’t forget to follow-up with a postmortem analysis to see what worked and what didn’t.

These are a few easy steps that security professionals should always consider when it comes to establishing the security basics. Without these foundations to build upon, how can we ever hope to keep up with the bad guys who are always two steps ahead?

Remember—It’s all about the basics, ‘bout the basics—and hopefully no trouble!


P.S. Don’t forget to follow me on my new Twitter handle: @QueenofCandor

<![CDATA[Contemplating Health Analogies in Cyber Security & Why We Need The Immune System for the Internet™]]> https://www.venafi.com/blog/post/contemplating-health-analogies-in-cyber-security https://www.venafi.com/blog/post/contemplating-health-analogies-in-cyber-security/#When:21:58:00Z Over the past 30 years, we’ve seen many health analogies used across the entire cyber security industry. If you think about it, it does make a lot of sense: just as viruses make humans sick, they too can also make computers sick and as a result, networks are disrupted or even shut down. To combat the problem of viruses, companies like Symantec and McAfee developed anti-virus solutions and a whole new industry was born.

Today, computer viruses have evolved into sophisticated malware and advanced persistent threats (APTs) that antivirus and other signature-based technologies simply cannot detect. While new markets and perimeter-based security technologies have been developed to help detect APT-like threats—IDS/IPS, NGFWs, DLP and more—hackers have upped their game and now are using the foundation of the Internet and cybersecurity—cryptographic keys and digital certificates—to evade detection, spoof websites and carry out their attacks to steal sensitive data. And keys and certificates run on everything including IoT devices, mobile phones, clouds, even airplanes and cars, and we blindly trust them. Unfortunately, certificate misuse by hackers is at an all-time high and it’s only getting worse. As we use more certificates to encrypt communications and authenticate entities, bad guys will only become more interested in using them.

At Venafi, we have been saying for months that Global 5000 organizations and federal governments need The Immune System for the Internet™ because online trust is severely broken.

Humans have evolved a highly effective immune system. It’s always turned on, working to authenticate what is “self” and trusted and what is not self and dangerous. Unfortunately the same cannot be said of the cyber realm—there’s no effective immune system to defend against a new generation of cyber attacks—until now.

Websites, servers, mobile devices, and software are marked as “self” and “trusted” using cryptographic keys and digital certificates. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, mobile devices, and system administrators, and decrypt communications thought to be private. There’s no system today that constantly assesses keys and certificates to determine if they should be trusted, and that adapts to changing threats.

Just like your immune system, The Immune System for the Internet provided by Venafi learns and adapts as it works. It identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response, just like an immune system, that protects your network, your business, and your brand.

So while comparing and making health analogies about cyber security is not necessarily new, Venafi as The Immune System for the Internet is—because it allows us to rapidly detect what shouldn’t be trusted and respond quickly, which is exactly what our immune system does, and what we need to do to stay ahead of the cyber criminals. Venafi is The Immune System for the Internet that protects the foundation of all cybersecurity—keys and certificates—so they can’t be misused by bad guys. Let me know if you’d like to discuss details on how we can help.

<![CDATA[Meet Us at Black Hat 2015: Blue Coat and Venafi Security Experts Discuss How to Combat SSL/TLS Encry]]> https://www.venafi.com/blog/post/meet-us-at-black-hat-2015-blue-coat-and-venafi-security-experts https://www.venafi.com/blog/post/meet-us-at-black-hat-2015-blue-coat-and-venafi-security-experts/#When:15:44:00Z It’s going to be an exciting week at Black Hat USA 2015 and we are certainly looking forward to it!  Venafi is teaming up with Blue Coat to conduct a technical briefing at Black Hat on how to eliminate SSL/TLS encryption blind spots.  Gartner believes that by 2017, more than 50% of the network attacks, both inbound and outbound, will use encrypted SSL/TLS communications.  And why is that? Well, attackers today are focusing on hiding in SSL/TLS traffic because they know that most network security solutions are “blind” to SSL/TLS traffic.  The majority of organizations blindly trust encrypted communications and don’t, or can’t, decrypt traffic. This means they can’t assess and block threats that leverage SSL/TLS.

Blue Coat and Venafi at Black Hat

How bad is the problem? According to Gartner, less than 20% of organizations with a firewall, IPS, or UTM appliance decrypt SSL traffic. That means 80% of these organizations might be allowing cybercriminals to leverage SSL/TLS tunnels to sneak malware into their network, hide command-and-control traffic, and pilfer sensitive data.

The reason for this security blind spot to SSL/TLS traffic is two-fold: (1) Security systems can’t inspect encrypted traffic or their performance can’t keep up; and (2) Security systems lack the cryptographic keys and digital certificates from across the network that are needed to decrypt SSL/TLS traffic.  This inability to inspect SSL/TLS encrypted traffic undermines traditional layered defenses and increases the risk of a data breach and data loss.

What do you need to enable SSL/TLS decryption and threat inspection?  The Black Hat 2015 briefing, Your Threat Detection Strategy is Only 50% Effective,  co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate SSL/TLS security blind spots. Go to Venafi.com/BH2015 to register for the briefing.  Together, Venafi and Blue Coat solutions maximize SSL/TLS decryption and uncover threats. 

And if you pre-register, you’ll get a $30 Amazon gift card when you attend as well as a chance to win a $100 Amazon gift card per session.

Drop me a line if you want to learn more. I hope to see you there!

<![CDATA[Black Hat Briefings on Cryptographic Keys and Digital Certificates]]> https://www.venafi.com/blog/post/black-hat-briefings-on-cryptographic-keys-and-digital-certificates https://www.venafi.com/blog/post/black-hat-briefings-on-cryptographic-keys-and-digital-certificates/#When:18:39:00Z Black Hat USA 2015 is right around the corner and it’s time to start planning which briefings to attend.

Here at Venafi, we’re interested in sessions on protecting cryptographic keys and digital certificates. Keys and certificates are the foundation of online trust, but cybercriminals, hacktivists, and nation states are misusing them to gain unauthorized access and hide their actions.

Venafi and Blue Coat security experts will be conducting cybersecurity briefings that cover 3 different cybersecurity topics and, if you register in advance for a session, you’ll receive a $30 Amazon gift card when you attend. We have also identified other sessions that impact key and certificate security. Check out these briefings we’ve added to our dance card for this year’s Black Hat.

Venafi is a BlackHat USA 2015 Sponsor

Venafi Cybersecurity Briefings

  1. Your Threat Detection Strategy is Only 50% Effective
    While SSL/TLS provides privacy and authentication, it also creates a blind spot for enterprise security. Most organizations lack the ability to decrypt and inspect SSL traffic and bad guys are taking full advantage. This session, co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate security blind spots. Register here.

  2. Advanced Attacks, Encryption, & Certificate Reputation
    As private encryption keys are now sold on the underground marketplace for circa $1000 each, it has become easy for hackers to breach even the most security conscious organizations. This session demonstrates how certificate reputation services are designed to identify and stop certificate misuse globally. Register here.

  3. Are Certificate-related Outages Impacting Your Business?
    We rely on digital certificates and cryptographic keys for data protection and authentication. But as security instruments, certificates can, and do, expire, bringing down systems and blocking access to servers, websites, and potentially dozens of critical downstream services. Attend and learn how to eliminate outages caused by expired certificates and reduce your security risks. Register here.

All registered attendees for Venafi briefings will also have a chance to win a $100 Amazon gift card per session. To check out what else Venafi is doing at Black Hat, visit Venafi.com/BH2015.

At Black Hat, we also want to hear what other thought leaders have to say about ensuring keys and certificates remain secure and continue to enable online trust. We’re looking forward to the following sessions:

  • Back Doors and Front Doors Breaking the Unbreakable System
    Governments are demanding backdoor access to encrypted data to support criminal and national security investigations, but this is opposed by privacy advocates. This briefing discusses if government agencies could be given backdoor access to encrypted data without weakening encryption systems.

  • Breaking HTTPS with BGP Hijacking
    Many believe BGP hijacking is not a significant threat, because the resulting man-in-the-middle attack cannot decrypt or break into an encrypted connection. But this briefing will show how the trust that SSL/TLS PKI places in internet routing can be exploited and how to prevent it.

  • Faux Disk Encryption: Realities of Secure Storage on Mobile Devices
    With the number of mobile users now surpassing the number of desktop users, this briefing discusses mobile device security and how it must go beyond full-disk encryption to protect against most attack types. The session will present other secure storage techniques for both iOS and Android.

  • Certifi-gate: Front-Door Access to Pwning Millions of Androids
    Learn how a vulnerability within the Android customization chain can be exploited to access unsecure apps and gain access to any device. This will include information on how hash collisions, IPC abuse, and certificate forging can grant malware complete control of a device.

  • TrustKit: Code Injection on iOS 8 for the Greater Good
    See how Trustkit, a new open-source library for iOS, provides universal SSL public key pinning that the developers call “drag & drop SSL pinning.” This open-source library leverages new iOS 8 rules regarding dynamic linking and will be available for deployment by attendees.

  • Bringing a Cannon to a Knife Fight
    Bulletproof yourself against China’s Great Cannon which intercepts traffic as a man-in-the-middle proxy and turns global visitors to Chinese sites into the world’s largest botnet that carries out attacks on sites deemed a threat to the Chinese Communist Party. Learn how the Great Cannon works, about the timing of its release, why it was used to attack the Github repos, and how it will change as HTTPS and DNSSEC become more widely used.

Are there other sessions at Black Hat that address cryptographic keys and digital certificates that you plan to attend? Thoughts about any of these upcoming briefings? Drop me a comment.

<![CDATA[Poor Privileged Access Management Poses Big Security Problems]]> https://www.venafi.com/blog/post/poor-privileged-access-management-poses-big-security-problems https://www.venafi.com/blog/post/poor-privileged-access-management-poses-big-security-problems/#When:20:25:00Z With endless headlines touting the latest costly security breach, you would think that enterprises would be scrupulous about guarding the “keys to their kingdom.” Think again. The keys to the enterprise kingdom I’m talking about are secure shell, or SSH, keys. SSH is a cryptographic security protocol used to connect administrators and machines, allowing users or applications to gain secure remote access to another system. The kingdom, of course, is your valuable corporate IT assets. Users bearing SSH keys have the highest level of rights and privileges. But what if those users aren’t who they say they are? And, what if those users are bent on harm?

All enterprises rely on SSH keys to authenticate and provide privileged access for administrators, applications, and virtual instances in data centers and the cloud. But even though SSH keys provide root access to critical systems, they are treated with weaker policies than those tolerated for much lower levels of access, such as passwords. A recent survey by the Ponemon Institute canvassed over 2100 security professionals working in the U.S., U.K., Germany, and Australia—countries typically considered to be at the forefront of security practices. The results were disturbing.

System Administrators SSH Keys

Most organizations have an over-reliance on system administrators, not IT security, to self-police SSH keys. As a result, organizations are unable to identify how many SSH keys they have, who uses them, and what they access. In many companies, busy department administrators are charged with deploying and protecting SSH keys on the systems owned by their department. This creates a partitioned security structure with no ability to centralize visibility, policy enforcement, or incident tracking and remediation.

In the Ponemon Institute survey, 53% of organizations admitted they lack centralized control over their SSH key usage and access policies, and 60% are unable to detect the introduction of new SSH keys into their network. This lack of visibility hinders policy enforcement and detection of SSH key security issues.

SSH keys do not expire, creating a perpetual vulnerability if not rotated. But the Ponemon survey results show a surprising 82% change their SSH keys at best every 12 months—much longer than the 60-90 day policy for passwords which have less privileged access. This weak policy enforcement is resulting in dire consequences. Over half of organizations surveyed responded to a security incident related to SSH key misuse within the last 2 years. And those were the people willing to admit it. The sad reality is that the real percentage is likely much higher.

The manual approaches and customized scripts that enterprises are using to manage their SSH keys are not protecting their businesses. In the survey, of those that use homegrown scripted solutions to manage SSH keys, 54% were still compromised by rogue SSH keys on their networks—a clear indication that these solutions cannot detect anomalies in SSH key usage.

But there’s a silver lining to this storm cloud. A Forrester Research paper, Gaps in SSH Security Create an Open Door for Attackers, provides five steps you can take right now to regain control of your SSH-based privileged access management:

  1. Centralize control and visibility for all SSH hosts in the data center and cloud to effectively enforce policies for all enterprise SSH keys.
  2. Establish a baseline of normal key usage—including where keys are located, how they are used, who has access to them, and what trust relationships have been established within your network.
  3. Regularly rotate SSH keys using lifecycle periods similar to other credentials (e.g. 60-90 day password lifecycles) to increase their security.
  4. Continuously monitor SSH key usage across the network to identify and neutralize any rogue usage.
  5. Remediate vulnerabilities by ensuring that server and SSH key configurations adhere to common best practices, such as using 2048-bit key lengths or higher as recommended by NIST.
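To make steps 2, 4 and 5 concrete, here is an added example (not Venafi’s or Forrester’s code) that fingerprints the keys in an authorized_keys file, compares them against a baseline snapshot and flags RSA keys shorter than 2048 bits; the key blobs, user names and host names are constructed for the example.

```python
"""Audit OpenSSH authorized_keys entries against a known-good baseline.

Added example (not Venafi's or Forrester's code), stdlib only. It covers steps
2, 4 and 5 above: fingerprint each key, flag keys absent from the baseline
snapshot, and flag RSA moduli below 2048 bits. The key blobs are constructed
inline: well-formed SSH public-key encodings, not real key pairs."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian, with a 0x00 prefix if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def encode_rsa_blob(e: int, n: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def encode_ed25519_blob(point: bytes) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(point)

@dataclass(frozen=True)
class KeyInfo:
    key_type: str
    bits: Optional[int]   # RSA modulus size; 256 for ed25519; None otherwise
    fingerprint: str      # OpenSSH style "SHA256:<base64 without padding>"
    comment: str

def parse_authorized_key(line: str) -> KeyInfo:
    """Parse one authorized_keys line; a leading options field is allowed
    (options containing quoted spaces are not handled in this example)."""
    fields = line.split()
    for i, token in enumerate(fields):
        if token.startswith(("ssh-", "ecdsa-")):
            key_type, b64 = token, fields[i + 1]
            comment = " ".join(fields[i + 2:])
            break
    else:
        raise ValueError(f"no key type in line: {line!r}")
    blob = base64.b64decode(b64)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    bits: Optional[int] = None
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return KeyInfo(key_type, bits, fingerprint, comment)

def _key_lines(lines: List[str]) -> List[str]:
    return [l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")]

def build_baseline(lines: List[str]) -> Set[str]:
    """Step 2: snapshot the fingerprints of every key present right now."""
    return {parse_authorized_key(l).fingerprint for l in _key_lines(lines)}

def audit(lines: List[str], baseline: Set[str], min_rsa_bits: int = 2048):
    """Steps 4 and 5: return [(fingerprint, comment, [issues])] for keys that
    are missing from the baseline or whose RSA modulus is too short."""
    findings = []
    for line in _key_lines(lines):
        info = parse_authorized_key(line)
        issues = []
        if info.fingerprint not in baseline:
            issues.append("not in baseline: new or rogue key")
        if info.key_type == "ssh-rsa" and info.bits < min_rsa_bits:
            issues.append(f"RSA modulus is {info.bits} bits, below {min_rsa_bits}")
        if issues:
            findings.append((info.fingerprint, info.comment, issues))
    return findings

# Constructed sample data: the moduli are just integers of the right size.
_KNOWN_RSA = base64.b64encode(encode_rsa_blob(65537, (1 << 2047) | 1)).decode()
_WEAK_RSA = base64.b64encode(encode_rsa_blob(65537, (1 << 1023) | 1)).decode()
_KNOWN_ED = base64.b64encode(encode_ed25519_blob(bytes(range(32)))).decode()
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for app01",
    f"ssh-rsa {_KNOWN_RSA} deploy@app01",
    f'from="10.0.0.5" ssh-ed25519 {_KNOWN_ED} backup@db01',
    f"ssh-rsa {_WEAK_RSA} oldadmin@legacy",  # appeared after the snapshot
]
BASELINE = build_baseline(SAMPLE_AUTHORIZED_KEYS[:3])  # taken before the last key
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, BASELINE)` reports only the third key, with two issues: it is absent from the baseline and its modulus is 1024 bits. On real hosts, read each user's authorized_keys into `lines` and persist the baseline set between runs.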

These 5 steps represent a good starting point, but there’s a lot more you can do. You can learn more on the Venafi solution webpages at Venafi.com/PrivilegedAccess and Venafi.com/SSHAudit. Drop me a comment and let me know what other SSH security practices you’d recommend to other security professionals.

<![CDATA[The Real Big Story Behind July’s OpenSSL Vulnerability: Why Blind Trust in Certificates Needs to End]]> https://www.venafi.com/blog/post/the-real-big-story-behind-julys-openssl-vulnerability https://www.venafi.com/blog/post/the-real-big-story-behind-julys-openssl-vulnerability/#When:21:00:00Z Certificate reputation services can end the risk that certificate validation app developers face (and are not doing a good job of addressing)

The OpenSSL team has released a fix for a critical vulnerability that could allow an attacker to trick an application into trusting a forged certificate—lovingly called by some “OprahSSL” for its propensity to gift something valuable. Why is this so important? Why does it matter? The big story is not just this vulnerability: it’s the ongoing difficulty for apps to validate certificates and know what should be trusted.

FireEye found that 73% of the top 1,000 apps don’t even validate certificates. This lack of attention to checking what should be trusted and what shouldn’t got Fandango and Credit Karma a special 20-year relationship with the U.S. Federal Trade Commission (FTC). This occurred simply because their mobile apps didn’t validate certificates—meaning their mobile apps might be sharing credit card data and sensitive personal information with bad guys without a concern for the consequences. This is a problem for not just enterprise CISOs and IT security teams, but also commercial app developers, fraud prevention, and chief privacy officers (CPOs).

[Image: Native iOS apps by default can’t even identify a website with a revoked certificate as non-trusted]

The OpenSSL vulnerability is a clear reason why certificate reputation, now available to enterprises with Venafi TrustNet, is so important. TrustNet uses advanced algorithms, big data, and cloud-based intelligence to validate digital certificates, rather than relying on static validation code that confuses even experienced security professionals and developers. That complexity, and vulnerabilities like this one, perpetuate the “blind trust” we place in certificates today. We’ve been validating certificates in much the same way for over 20 years; what else in cybersecurity do professionals trust when it has been done the same way for even 2 years, let alone 20? Certificate reputation services like TrustNet dramatically reduce that risk.

OpenSSL’s Certificate Validation Vulnerability

The issue is CVE-2015-1793 (alternative chains certificate forgery). It affects OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c; the fixes are 1.0.1p and 1.0.2d. For the full advisory, see https://www.openssl.org/news/secadv_20150709.txt.

Unlike Heartbleed, this vulnerability does not expose keys or certificates, so they do not need to be rotated. It affects client applications that validate certificates, such as a browser, VPN client, or mobile application, that use the OpenSSL libraries for SSL/TLS sessions. It also affects server applications, like a web server or VPN gateway, that authenticate digital certificates presented by clients. The flaw sits in chain building: when OpenSSL’s first attempt to build a certificate chain fails, it tries to find an alternative chain, and in that code path certain checks on untrusted certificates, such as the CA flag, were skipped.

This vulnerability shows again why we need to know what certificates are in use and what certificates are trusted and where.  And we need this everywhere—on our servers, desktops, and around the world on the Internet. 

Exploiting the Vulnerability

To exploit the vulnerability, an attacker needs the private key for any certificate issued by a trusted certificate authority (CA). This could be a public third-party CA trusted across browsers and the Internet, or a private CA used and trusted inside your organization. An ordinary end-entity certificate is not marked as a CA (its basicConstraints extension says CA:FALSE), and a correct validator refuses to accept anything it signs. The vulnerability allowed vulnerable OpenSSL clients and servers to skip that check, so the certificate associated with the obtained key could be used as if it were a CA, even though it’s not. This means any certificate, from a web server certificate to a VPN certificate, could become a trusted issuer.

An attacker could then forge certificates for any domain, website, or user they’d like, including you and your businesses or government. This could prove useful in executing man-in-the-middle attacks, spoofing, spear phishing, and other attacks. And it’s easy to do: OpenSSL is the perfect tool to generate keys and sign a certificate.

It’s also easy to obtain a key and certificate from a trusted CA. Depending on the target, I might just buy a certificate from a trusted third party. If I need the certificate to chain up under a specific CA and don’t want to, or can’t, buy one legitimately, I can go to the underground market, where stolen certificates sell for $1,000 or more. Or, because thousands of Trojans support the collection and extraction of keys and certificates, I can simply steal one.
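The chain the post describes, built with the OpenSSL command line, as an added example (this is not code from the Venafi post or the OpenSSL project). It creates a root CA, issues an ordinary server certificate with CA:FALSE, and then uses that server certificate’s private key to sign a certificate for a domain the attacker does not own. The names (Example Root CA, legit.example.com, www.example.com) are made up. The final step shows what a correct validator does: on a patched OpenSSL, `openssl verify` rejects the forged certificate with “invalid CA certificate” because its issuer lacks the CA flag. Note that this single invocation does not by itself exercise the alternative-chain code path that the vulnerable versions mishandled; it demonstrates the check that path skipped.

```shell
#!/bin/sh
# Added example: root CA -> ordinary leaf (CA:FALSE) -> "forged" cert signed by the leaf.
# A correct validator must reject the forged certificate because its issuer is not a CA.
# All names below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: 'openssl req' needs a distinguished_name section even when -subj is used.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 1. Root CA (self-signed, CA:TRUE): stands in for a publicly trusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ext.cnf \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null

# 2. An ordinary server certificate issued by the root, marked CA:FALSE.
#    This is the "obtained" certificate from the post: bought, stolen, or extracted.
openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
  -keyout leaf.key -out leaf.csr -subj "/CN=legit.example.com" 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# 3. The attacker signs a certificate for a domain it does not own with the leaf's key.
#    'openssl x509 -req' signs with any key; enforcing the CA flag is the verifier's job.
openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
  -keyout forged.key -out forged.csr -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -days 30 -in forged.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
  -extfile ext.cnf -extensions v3_leaf -out forged.pem 2>/dev/null

# verify_chain CERT: validate CERT against the root with the leaf offered as an
# untrusted intermediate. Returns 0 on "OK", 1 otherwise. It keys on the "OK" marker
# in the output because 'openssl verify' in 1.0.x exited 0 even when validation failed.
verify_chain() {
  if openssl verify -CAfile root.pem -untrusted leaf.pem "$1" 2>&1 | grep -q ': OK$'; then
    echo "$1: OK"; return 0
  else
    echo "$1: FAIL"; return 1
  fi
}

# ca_flag CERT: print the basicConstraints value the verifier must consult, e.g. "CA:FALSE".
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n1 | tr -d ' '
}

ca_flag leaf.pem                 # CA:FALSE: this certificate must never act as an issuer
verify_chain leaf.pem            # OK: genuine certificate chaining to the trusted root
verify_chain forged.pem || true  # FAIL on patched OpenSSL: "invalid CA certificate" at depth 1
```

Run it on a patched OpenSSL (1.0.1p, 1.0.2d, or anything newer) and the forged certificate fails at depth 1, which is exactly the decision the vulnerable versions got wrong for untrusted certificates found through an alternative chain.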

[Image: Native iOS apps perform little to no checking as to whether a certificate is truly valid, unlike certificate reputation services like Venafi TrustNet]

Certificate Reputation Ends the Age of Blind Trust

Today, using the Venafi TrustNet certificate reputation APIs, you can ask whether a certificate should be trusted or not. That decision is independent of the static code or rules that might later turn out to be vulnerable, as OpenSSL and other libraries have. Offloading it to an intelligent reputation system mitigates the risk of certificate validation bugs that are complex and difficult for even the smartest developers to avoid. The TrustNet API can be called from any application, whether a mobile app or a container-based service in the cloud. One API call covers certificate chain validation, trust, validity, fraud, and known vulnerabilities. That’s the power of Venafi as the Immune System for the Internet.

Additionally, with Venafi you can discover what certificates are in use and which CAs are trusted across your organization, and then whitelist or blacklist CAs. You can then enforce a policy not to trust particular CAs that your business or government finds untrustworthy, such as the Chinese CA CNNIC.

All of these reasons are why Venafi as the Immune System for the Internet is critical to protecting the world’s economy today and in the future. Outside of Venafi there is no system that understands what should be trusted, what is trusted, and can fix it—whether inside the enterprise or outside across the Internet.

Like to learn more and continue the conversation? Drop me a note.