Venafi Blog, https://www.venafi.com/blog/, EN, Copyright 2015, 2015-08-31T07:11:10-06:00

How Are We Still Talking About Broken Trust?
https://www.venafi.com/blog/post/how-are-we-still-talking-about-broken-trust
https://www.venafi.com/blog/post/how-are-we-still-talking-about-broken-trust/#When:18:57:00Z

We live in the age of technology. It is a fast-paced, break-neck ride to deliver great solutions—everything from the largest, complex integrated solution to the single, simple iPhone app. With online solutions a part of so much of our everyday lives, why are we still talking about digital certificates, the backbone of internet communication, being broken?

I will tell you why. It’s hard. Once Netscape introduced the SSL protocol used with X.509 certificates in 1994, it was obvious we needed to fix online communication and FAST. We seized the quickest solution and the use of X.509 certificates with SSL for online communications soared. With this protection, online commerce exploded with the confidence that identity and privacy could be ensured.

Well, the internet is all “grow’d up” and our SSL/TLS solution needs to be refitted. Moxie Marlinspike at Defcon 19 in 2011 told an over-packed audience of hackers at the Rio in Las Vegas that the way we establish trust needs to change; we need to take the power back from trust stores that have been force-fed into our systems and make our own informed decisions about whom or what we want to trust. Convergence Beta was then created.

I just got back from Defcon 23 and, yet again, there were several talks on exploiting digital certificate weaknesses. Besides the few sneaky hacks I saw, it was interesting to see a solution proposed to the open source community to try and help our broken trust. A couple of guys, for the love of protected communications, came up with a product called TLS Canary (warning: the content is provocative). In real time, it will check the trustworthiness of the certificate you are trying to access and tell you whether it is good or bad.

Defcon 23 Discusses Broken Online Trust

There are now several approaches to certificate trustworthiness, but we need to ensure that we’re turning to a comprehensive source. Google is running the Google CT (Certificate Transparency) project, TLS Canary has been developed, and we have the SSL Observatory. In addition, some people are trying to solve issues with certificate pinning. Good, great! Finally we have several groups out there pushing for and delivering solutions. Everyone is starting to see the issue that Venafi has been solving for years. Venafi, the Immune System for the Internet™, provides the single most comprehensive source of certificate trustworthiness.

Venafi has a platform that not only helps you establish what to trust through its TrustNet product, but will also bring order to the chaos that is your PKI (Public Key Infrastructure) and keys through the Trust Protection Platform. Technology overall has been slow to address its trust issues, and understandably, because it’s hard. But let’s heal our known broken trust issues already so we can get new, interesting topics at Defcon!

Encrypt Like Everyone is Watching—Decrypt Like No One Is
https://www.venafi.com/blog/post/encrypt-like-everyone-is-watching
https://www.venafi.com/blog/post/encrypt-like-everyone-is-watching/#When:16:20:00Z

I just attended Black Hat 2015, and what a great conference it was. I learned that “hackers,” including white hats, grey hats, and black hats, are really interesting people. At Black Hat, I saw briefings on how to hack a Jeep, a smart card, Android, iOS, Windows, HTTPS, and a fingerprint. Pretty much anything can be hacked. Some do it for the greater good, letting the manufacturers know so the security can be hardened down and the hacks cannot occur in the future.

The presentation on the Black Hat network was especially interesting. This year was the first year that the network operations center (NOC) was open to the attendees of Black Hat to tour. The NOC is a labor of love for a lot of IT security professionals—many even take PTO to make it happen. This is the network that is used for the training classes at Black Hat. The top websites visited, top applications used, botnets detected, and malware detected were presented.

The people that run the NOC do keep a close eye on any “egregious” hacks, but how is that defined, really? Think of what these folks, doing their labor of love, learn about the attack vectors that are coming. Wow! If the hack is being taught at a training class, then they are expecting it. However, they did state that all types of hacks were done to each other, one attendee of the conference to another.

At the conference, 80% of the traffic was encrypted this year using TLS, which is way up from past years. This is a really interesting anecdote, if you think about how a hacker can go undetected in encrypted traffic.

SSL/TLS Protects Black Hat 2015 Traffic

These Black Hat sessions highlight how important it is to encrypt sensitive information properly so it isn’t available to hackers. Perhaps even more important is the ability to conduct SSL/TLS inspection by decrypting the ingress and egress traffic of your enterprise. SSL/TLS inspection ensures that there is no malware phoning home to a command and control center, or a hacker landing and expanding on your systems.

How are you protecting SSL/TLS in your organization? Are you using SHA-2, at least 2048-bit keys, short validity periods, and TLS 1.2 to protect your SSL/TLS sessions? Do you have visibility into where all of your SSL/TLS keys are located to prevent outages? Would you be able to find a fake certificate issued in your brand name in your enterprise or on the internet? Are you conducting SSL/TLS inspection at your organization? Overall, do you feel you are protected from hacking when you use SSL/TLS?

IT Security: ♫ It’s all About the Basics, ‘Bout the Basics, No Trouble ♫
https://www.venafi.com/blog/post/it-security-its-all-about-the-basics
https://www.venafi.com/blog/post/it-security-its-all-about-the-basics/#When:15:03:00Z

Okay—stop laughing, everyone (and I mean everyone) knows I am no singer, but IT Security professionals really need to ensure they have the basics in place and I liked the attention this title brought to light as the foundation for this blog.

As I think back over the high-profile (and some of the not so high-profile…) hacks and breaches that have occurred over the last 18 months, I asked myself:

  • How many have been the result of the smartest, most ingenious hackers in the world?
  • How many have happened because someone just did something by accident?
  • How many have happened just because they didn’t have visibility into their network and security dashboards?

As I sat down and did some research and consulted with my peers around the world, I came to this conclusion: we are truly neglecting the security basics and need to get back to them fast. So what are the basics exactly?

Step #1 Take Careful Inventory of Your Assets and Software: You can’t protect what you don’t know you have and many organizations often skip this basic but fundamental step. I’ve seen several instances of this recently while working with companies to improve their key and certificate security. Many companies simply do not have a complete inventory—they have no idea how many keys and certs they have or how they are being used or misused. In a recent survey that Venafi commissioned with the Ponemon Institute, the results revealed that the average enterprise has almost 24,000 keys and certificates and 54 percent of security professionals admit to being unaware of where all of their keys and certificates are located. This is just one example, but it underscores the reality that organizations need a good inventory of ALL IT assets, identities, hardware, keys and certs, and software.

Almost 24,000 Keys and Certificates per Enterprise

Step #2 Establish A Trusted Baseline: Organizations need to establish and update a known good state, or baseline. Baselines can be used to identify when security issues arise and provide a means to return the organization back to a known good state after a breach.

A few years back, I read an article with an analogy that struck me. It took the old saying used when trying to find something that seems impossible, “It’s like finding a needle in a haystack,” and changed it a bit to be more relevant, and it has held meaning for me ever since: “You don’t need to know what the needle(s) look like; you just have to know what the hay looks like. You take all the hay out and only the needle(s) are left.”

So how does this relate to baselining? If you take the known good out (your current baseline), then you’re left with the needle(s). Those needles can be good or bad, but now you know about them and can take proper action, and are able to begin remediation or restore to a known good state.

Step #3 Deploy a Strong Security Foundation: Once you have a complete inventory and you know what you need to protect, the next step is to deploy a good security foundation to build upon. Today, many companies are spending money on expensive “Next-Gen” or “Threat Intel” solutions and are not putting enough emphasis on the basics. You need to know what you have in order to protect it. There are many guidelines out there such as the SANS 20 Critical Security Controls. SANS starts with an “Inventory of Authorized and Unauthorized Devices, and Inventory of Authorized and Unauthorized Software”—obviously to my earlier point, visibility into your inventory is crucial. There are many other standards, guidelines, etc. out there, and it is up to you to determine what you want to work with for the regulations that you must comply with in your industry.

Step #4 Beef Up Your Detection: We tend to become overly invested in and overly reliant on our preventative capabilities to mitigate cybersecurity threats. This is often at the cost of good detection capabilities. In addition to inventories and baselines, IT security teams need to establish strong processes and procedures in incident response plans, triage/analysis tactics, and log monitoring. When there is a breach, organizations need to be able to quickly identify anomalous behavior and remediate, and to return the systems/networks to a good, trusted state while minimizing damages, recovery time, and costs. This need for detection applies across all technical, administrative, and procedural domains regardless of whether the compromise impacts hardware, software, user IDs, privileged access, keys and certificates, or any other IT security asset.

When was the last time you tested your incident response plans? People come and go; processes are always changing, and those changes need to be taken into consideration each and every time you exercise your plans; and don’t forget to follow up with a postmortem analysis to see what worked and what didn’t.

These are a few easy steps that security professionals should always consider when it comes to establishing the security basics. Without these foundations to build upon, how can we ever hope to keep up with the bad guys who are always two steps ahead?

Remember—It’s all about the basics, ‘bout the basics—and hopefully no trouble!


P.S. Don’t forget to follow me on my new Twitter handle: @QueenofCandor

Contemplating Health Analogies in Cyber Security & Why We Need The Immune System for the Internet™
https://www.venafi.com/blog/post/contemplating-health-analogies-in-cyber-security
https://www.venafi.com/blog/post/contemplating-health-analogies-in-cyber-security/#When:21:58:00Z

Over the past 30 years, we’ve seen many health analogies used across the entire cyber security industry. If you think about it, it does make a lot of sense: just as viruses make humans sick, they too can also make computers sick and as a result, networks are disrupted or even shut down. To combat the problem of viruses, companies like Symantec and McAfee developed anti-virus solutions and a whole new industry was born.

Today, computer viruses have evolved into sophisticated malware and advanced persistent threats (APTs) that antivirus and other signature-based technologies simply cannot detect. While new markets and perimeter-based security technologies have been developed to help detect APT-like threats—IDS/IPS, NGFWs, DLP and more—hackers have upped their game and now are using the foundation of the Internet and cybersecurity—cryptographic keys and digital certificates—to evade detection, spoof websites and carry out their attacks to steal sensitive data. And keys and certificates run on everything including IoT devices, mobile phones, clouds, even airplanes and cars, and we blindly trust them. Unfortunately, certificate misuse by hackers is at an all-time high and it’s only getting worse. As we use more certificates to encrypt communications and authenticate entities, bad guys will only become more interested in using them.

At Venafi, we have been saying for months that Global 5000 organizations and federal governments need The Immune System for the Internet™ because online trust is severely broken.

Humans have evolved a highly effective immune system. It’s always turned on, working to authenticate what is “self” and trusted and what is not self and dangerous. Unfortunately the same cannot be said of the cyber realm—there’s no effective immune system to defend against a new generation of cyber attacks—until now.

Websites, servers, mobile devices, and software are marked as “self” and “trusted” using cryptographic keys and digital certificates. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, mobile devices, and system administrators, and decrypt communications thought to be private. There’s no system today that constantly assesses keys and certificates to determine if they should be trusted, and that adapts to changing threats.

Just like your immune system, The Immune System for the Internet provided by Venafi learns and adapts as it works. It identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response, just like an immune system, that protects your network, your business, and your brand.

So while comparing and making health analogies about cyber security is not necessarily new, Venafi as The Immune System for the Internet is—because it allows us to rapidly detect what shouldn’t be trusted and respond quickly, which is exactly what our immune system does, and what we need to do to stay ahead of the cyber criminals. Venafi is The Immune System for the Internet that protects the foundation of all cybersecurity—keys and certificates—so they can’t be misused by bad guys. Let me know if you’d like to discuss details on how we can help.

Meet Us at Black Hat 2015: Blue Coat and Venafi Security Experts Discuss How to Combat SSL/TLS Encry
https://www.venafi.com/blog/post/meet-us-at-black-hat-2015-blue-coat-and-venafi-security-experts
https://www.venafi.com/blog/post/meet-us-at-black-hat-2015-blue-coat-and-venafi-security-experts/#When:15:44:00Z

It’s going to be an exciting week at Black Hat USA 2015 and we are certainly looking forward to it! Venafi is teaming up with Blue Coat to conduct a technical briefing at Black Hat on how to eliminate SSL/TLS encryption blind spots. Gartner believes that by 2017, more than 50% of the network attacks, both inbound and outbound, will use encrypted SSL/TLS communications. And why is that? Well, attackers today are focusing on hiding in SSL/TLS traffic because they know that most network security solutions are “blind” to SSL/TLS traffic. The majority of organizations blindly trust encrypted communications and don’t, or can’t, decrypt traffic. This means they can’t assess and block threats that leverage SSL/TLS.

Blue Coat and Venafi at Black Hat

How bad is the problem? According to Gartner, less than 20% of organizations with a firewall, IPS, or UTM appliance decrypt SSL traffic. That means 80% of these organizations might be allowing cybercriminals to leverage SSL/TLS tunnels to sneak malware into their network, hide command-and-control traffic, and pilfer sensitive data.

The reason for this security blind spot to SSL/TLS traffic is two-fold: (1) Security systems can’t inspect encrypted traffic or their performance can’t keep up; and (2) Security systems lack the cryptographic keys and digital certificates from across the network that are needed to decrypt SSL/TLS traffic. This inability to inspect SSL/TLS encrypted traffic undermines traditional layered defenses and increases the risk of a data breach and data loss.

What do you need to enable SSL/TLS decryption and threat inspection? The Black Hat 2015 briefing, Your Threat Detection Strategy is Only 50% Effective, co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate SSL/TLS security blind spots. Go to Venafi.com/BH2015 to register for the briefing. Together, Venafi and Blue Coat solutions maximize SSL/TLS decryption and uncover threats.

And if you pre-register, you’ll get a $30 Amazon gift card when you attend as well as a chance to win a $100 Amazon gift card per session.

Drop me a line if you want to learn more. I hope to see you there!

Black Hat Briefings on Cryptographic Keys and Digital Certificates
https://www.venafi.com/blog/post/black-hat-briefings-on-cryptographic-keys-and-digital-certificates
https://www.venafi.com/blog/post/black-hat-briefings-on-cryptographic-keys-and-digital-certificates/#When:18:39:00Z

Black Hat USA 2015 is right around the corner and it’s time to start planning which briefings to attend.

Here at Venafi, we’re interested in sessions on protecting cryptographic keys and digital certificates. Keys and certificates are the foundation of online trust, but cybercriminals, hacktivists, and nation states are misusing them to gain unauthorized access and hide their actions.

Venafi and Blue Coat security experts will be conducting cybersecurity briefings that cover 3 different cybersecurity topics and, if you register in advance for a session, you’ll receive a $30 Amazon gift card when you attend. We have also identified other sessions that impact key and certificate security. Check out these briefings we’ve added to our dance card for this year’s Black Hat.

Venafi is a BlackHat USA 2015 Sponsor

Venafi Cybersecurity Briefings

  1. Your Threat Detection Strategy is Only 50% Effective
    While SSL/TLS provides privacy and authentication, it also creates a blind spot for enterprise security. Most organizations lack the ability to decrypt and inspect SSL traffic and bad guys are taking full advantage. This session, co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate security blind spots. Register here.

  2. Advanced Attacks, Encryption, & Certificate Reputation
    As private encryption keys are now sold on the underground marketplace for circa $1000 each, it has become easy for hackers to breach even the most security conscious organizations. This session demonstrates how certificate reputation services are designed to identify and stop certificate misuse globally. Register here.

  3. Are Certificate-related Outages Impacting Your Business?
    We rely on digital certificates and cryptographic keys for data protection and authentication. But as security instruments, certificates can, and do, expire, bringing down systems and blocking access to servers, websites, and potentially dozens of critical downstream services. Attend and learn how to eliminate outages caused by expired certificates and reduce your security risks. Register here.

All registered attendees for Venafi briefings will also have a chance to win a $100 Amazon gift card per session. To check out what else Venafi is doing at Black Hat, visit Venafi.com/BH2015.

At Black Hat, we also want to hear what other thought leaders have to say about ensuring keys and certificates remain secure and continue to enable online trust. We’re looking forward to the following sessions:

  • Back Doors and Front Doors Breaking the Unbreakable System
    Governments are demanding backdoor access to encrypted data to support criminal and national security investigations, but this is opposed by privacy advocates. This briefing discusses if government agencies could be given backdoor access to encrypted data without weakening encryption systems.

  • Breaking HTTPS with BGP Hijacking
    Many believe BGP hijacking is not a significant threat, because the resulting man-in-the-middle attack cannot decrypt or break into an encrypted connection. But this briefing will show how the trust that SSL/TLS PKI places in internet routing can be exploited and how to prevent it.

  • Faux Disk Encryption: Realities of Secure Storage on Mobile Devices
    With the number of mobile users now surpassing the number of desktop users, this briefing discusses mobile device security and how it must go beyond full-disk encryption to protect against most attack types. The session will present other secure storage techniques for both iOS and Android.

  • Certifi-gate: Front-Door Access to Pwning Millions of Androids
    Learn how a vulnerability within the Android customization chain can be exploited to access unsecure apps and gain access to any device. This will include information on how hash collisions, IPC abuse, and certificate forging can grant malware complete control of a device.

  • TrustKit: Code Injection on iOS 8 for the Greater Good
    See how Trustkit, a new open-source library for iOS, provides universal SSL public key pinning that the developers call “drag & drop SSL pinning.” This open-source library leverages new iOS 8 rules regarding dynamic linking and will be available for deployment by attendees.

  • Bringing a Cannon to a Knife Fight
    Bulletproof yourself against China’s Great Cannon which intercepts traffic as a man-in-the-middle proxy and turns global visitors to Chinese sites into the world’s largest botnet that carries out attacks on sites deemed a threat to the Chinese Communist Party. Learn how the Great Cannon works, about the timing of its release, why it was used to attack the Github repos, and how it will change as HTTPS and DNSSEC become more widely used.

Are there other sessions at Black Hat that address cryptographic keys and digital certificates that you plan to attend? Thoughts about any of these upcoming briefings? Drop me a comment.

Poor Privileged Access Management Poses Big Security Problems
https://www.venafi.com/blog/post/poor-privileged-access-management-poses-big-security-problems
https://www.venafi.com/blog/post/poor-privileged-access-management-poses-big-security-problems/#When:20:25:00Z

With endless headlines touting the latest costly security breach, you would think that enterprises would be scrupulous about guarding the “keys to their kingdom.” Think again. The keys to the enterprise kingdom I’m talking about are secure shell, or SSH, keys. SSH is a cryptographic security protocol used to connect administrators and machines, allowing users or applications to gain secure remote access to another system. The kingdom, of course, is your valuable corporate IT assets. Users bearing SSH keys have the highest level of rights and privileges. But what if those users aren’t who they say they are? And, what if those users are bent on harm?

All enterprises rely on SSH keys to authenticate and provide privileged access for administrators, applications, and virtual instances in data centers and the cloud. But even though SSH keys provide root access to critical systems, they are treated with weaker policies than those tolerated for much lower levels of access, such as passwords. A recent survey by the Ponemon Institute canvassed over 2,100 security professionals working in the U.S., U.K., Germany, and Australia—countries typically considered to be in the forefront of security practices. The results were disturbing.

System Administrators SSH Keys

Most organizations have an over-reliance on system administrators, not IT security, to self-police SSH keys. As a result, organizations are unable to identify how many SSH keys they have, who uses them, and what they access. In many companies, busy department administrators are charged with deploying and protecting SSH keys on the systems owned by their department. This creates a partitioned security structure with no ability to centralize visibility, policy enforcement, or incident tracking and remediation.

In the Ponemon Institute survey, 53% of organizations admitted they lack centralized control over their SSH key usage and access policies, and 60% are unable to detect the introduction of new SSH keys into their network. This lack of visibility hinders policy enforcement and detection of SSH key security issues.

SSH keys do not expire, creating a perpetual vulnerability if not rotated. But the Ponemon survey results show a surprising 82% change their SSH keys at best every 12 months—much longer than the 60-90 day policy for passwords which have less privileged access. This weak policy enforcement is resulting in dire consequences. Over half of organizations surveyed responded to a security incident related to SSH key misuse within the last 2 years. And those were the people willing to admit it. The sad reality is that the real percentage is likely much higher.

The manual approaches and customized scripts that enterprises are using to manage their SSH keys are not protecting their businesses. In the survey, of those that use homegrown scripted solutions to manage SSH keys, 54% were still compromised by rogue SSH keys on their networks—a clear indication that these solutions cannot detect anomalies in SSH key usage.

But there’s a silver lining to this storm cloud. A Forrester Research paper, Gaps in SSH Security Create an Open Door for Attackers, provides five steps you can take right now to regain control of your SSH-based privileged access management:

  1. Centralize control and visibility for all SSH hosts in the data center and cloud to effectively enforce policies for all enterprise SSH keys.
  2. Establish a baseline of normal key usage—including where keys are located, how they are used, who has access to them, and what trust relationships have been established within your network.
  3. Regularly rotate SSH keys using lifecycle periods similar to other credentials (e.g. 60-90 day password lifecycles) to increase their security.
  4. Continuously monitor SSH key usage across the network to identify and neutralize any rogue usage.
  5. Remediate vulnerabilities by ensuring that server and SSH key configurations adhere to common best practices, such as using 2048-bit key lengths or higher as recommended by NIST.
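The following script is an added example (not Venafi's, Forrester's or OpenSSH's code) of what steps 2, 4 and 5 above look like in practice on one host: it parses authorized_keys lines, computes OpenSSH-style SHA256 fingerprints, reports keys that are not in a recorded baseline, and flags RSA keys shorter than the 2048-bit minimum the list cites. The authorized_keys entries are constructed in code from arbitrary moduli rather than real keys.

```python
"""Baseline and weak-key audit for OpenSSH authorized_keys entries (added example).

Only the public key blob is parsed; nothing here uses or needs a private key.
"""
import base64
import hashlib
import struct
from typing import Optional

WEAK_RSA_BITS = 2048  # minimum RSA length recommended by NIST, per step 5
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string at offset; return (bytes, offset after it)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def make_rsa_authorized_key(modulus: int, comment: str, exponent: int = 65537) -> str:
    """Build a syntactically valid ssh-rsa authorized_keys line (constructed test data).

    The modulus need not be a real RSA modulus: the audit only inspects the public
    blob's structure and length, it never performs any RSA operation.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_authorized_key(line: str) -> Optional[dict]:
    """Parse one authorized_keys line into type, comment, SHA256 fingerprint, RSA bits."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Skip any leading options field such as from="..." or no-pty by locating the key type.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    key_type, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:])
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        return None  # declared type and blob disagree: malformed or tampered entry
    bits = None
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus_bytes, _ = _read_string(blob, off)
        bits = int.from_bytes(modulus_bytes, "big").bit_length()
    # OpenSSH prints SHA256 fingerprints as unpadded base64 of the raw blob digest.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "comment": comment, "fingerprint": fingerprint, "bits": bits}


def audit_authorized_keys(lines, baseline_fingerprints):
    """Return (keys not in the baseline, RSA keys below WEAK_RSA_BITS)."""
    new_keys, weak_keys = [], []
    for line in lines:
        key = parse_authorized_key(line)
        if key is None:
            continue
        if key["fingerprint"] not in baseline_fingerprints:
            new_keys.append(key)
        if key["type"] == "ssh-rsa" and key["bits"] < WEAK_RSA_BITS:
            weak_keys.append(key)
    return new_keys, weak_keys


# Constructed sample data: a 2048-bit and a 1024-bit modulus (not real RSA keys).
BASELINE_KEY = make_rsa_authorized_key((1 << 2047) | 1, "deploy@build01")
ROGUE_WEAK_KEY = make_rsa_authorized_key((1 << 1023) | 1, "contractor@laptop")
SAMPLE_AUTHORIZED_KEYS = [
    "# managed by ops (constructed sample file)",
    BASELINE_KEY,
    'from="10.0.0.0/8" ' + ROGUE_WEAK_KEY,  # appeared after the baseline was taken
]
BASELINE = {parse_authorized_key(BASELINE_KEY)["fingerprint"]}

if __name__ == "__main__":
    new, weak = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE)
    for k in new:
        print(f"NEW KEY   {k['fingerprint']} ({k['comment']})")
    for k in weak:
        print(f"WEAK KEY  {k['fingerprint']} {k['bits']} bits < {WEAK_RSA_BITS}")
```

Run across every user's authorized_keys and every host, the same fingerprint set becomes the baseline of step 2, and any fingerprint outside it is the "new SSH key" that 60% of surveyed organizations said they could not detect.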

These 5 steps represent a good starting point, but there’s a lot more you can do. You can learn more on the Venafi solution webpages at Venafi.com/PrivilegedAccess and Venafi.com/SSHAudit. Drop me a comment and let me know what other SSH security practices you’d recommend to other security professionals.

The Real Big Story Behind July’s OpenSSL Vulnerability: Why Blind Trust in Certificates Needs to End
https://www.venafi.com/blog/post/the-real-big-story-behind-julys-openssl-vulnerability
https://www.venafi.com/blog/post/the-real-big-story-behind-julys-openssl-vulnerability/#When:21:00:00Z

Certificate reputation services can end the risk that app developers face in validating certificates (a risk they are not doing a good job of addressing)

The OpenSSL team has released a fix for a critical vulnerability that could allow an attacker to trick an application into trusting a forged certificate—lovingly called by some “OprahSSL” for its propensity to gift something valuable. Why is this so important? Why does it matter? The big story is not just this vulnerability: it’s the ongoing difficulty for apps to validate certificates and know what should be trusted.

FireEye found that 73% of the top 1,000 apps don’t even validate certificates. This lack of attention to checking what should be trusted and what shouldn’t got Fandango and Credit Karma a special 20-year relationship with the U.S. Federal Trade Commission (FTC). This occurred simply because their mobile apps didn’t validate certificates—meaning their mobile apps might be sharing credit card data and sensitive personal information with bad guys without a concern for the consequences. This is a problem for not just enterprise CISOs and IT security teams, but also commercial app developers, fraud prevention, and chief privacy officers (CPOs).

Native iOS apps by default can’t even identify a website with a revoked certificate as being non-trusted

The OpenSSL vulnerability is a clear reason why certificate reputation, now available to enterprises with Venafi TrustNet, is so important. TrustNet uses advanced algorithms as well as big data and cloud-based intelligence to validate digital certificates rather than static code that, for even advanced security professionals or developers, is confusing, at best. The complexity and vulnerabilities like this one perpetuate the “blind trust” we place in certificates today. We’ve been validating certificates in pretty much the same way for over 20 years—what do most professionals trust in cybersecurity that’s been done the same way for just 2 years, not to mention 20? Certificate reputation services like TrustNet dramatically reduce risk.

OpenSSL’s Certificate Validation Vulnerability

For details on versions affected and patches available, get the details from OpenSSL at https://www.openssl.org/news/secadv_20150709.txt.

Unlike Heartbleed, with this vulnerability, keys and certificates are not directly exposed and do not need to be rotated. The vulnerability impacts client applications validating certificates, such as a browser, VPN, or mobile application, that use the OpenSSL libraries for SSL/TLS sessions. It also impacts server applications, like a webserver or VPN, that authenticate digital certificates presented by client applications.

This vulnerability shows again why we need to know what certificates are in use and what certificates are trusted and where. And we need this everywhere—on our servers, desktops, and around the world on the Internet.

Exploiting the Vulnerability

To exploit the vulnerability, an attacker needs to obtain a private key for a certificate issued from a trusted certificate authority (CA). This could be a public third-party CA trusted across browsers and the Internet, or a private CA used and trusted inside your organization. The vulnerability allows the certificate associated with the obtained key to be used as if it were a CA, even though it’s not. This means any type of certificate from a webserver to a VPN certificate could now become a trusted CA issuer.

An attacker could then forge certificates for any domain, website, or user they’d like, including you and your businesses or government. This could prove useful in executing man-in-the-middle attacks, spoofing, spear phishing, and other attacks. And it’s easy to do: OpenSSL is the perfect tool to generate keys and sign a certificate.

It’s also easy to obtain a key from a trusted CA. Depending on the end target, I might just buy a certificate from a trusted third party. If I need the certificate to chain up under a specific CA and don’t want to/can’t buy one reputably, I can easily go to the underground market where stolen certificates go for $1000 or more. Or, because thousands of Trojans support the collection and extraction of keys and certificates, the job is pretty easy.

Native iOS apps perform little to no checking as to whether a certificate is truly valid or not, unlike certificate reputation services like Venafi TrustNet

Certificate Reputation Ends the Age of Blind Trust

Today, using Venafi TrustNet certificate reputation APIs, you can validate if a certificate should be trusted or not. This is independent of the static code or rules that might later be vulnerable, like today with OpenSSL or other libraries. Offloading these decisions to an intelligent reputation system mitigates risks of these vulnerabilities in certificate validation that are complex and difficult for even the smartest developers. The TrustNet API can be called from any application, whether a mobile app or container-based service application in the cloud. It’s one API call that takes care of all decisions about certificate chain validation, trust, validity, fraud, and vulnerabilities. Amazing! That’s the power of Venafi as the Immune System for the Internet.

Additionally, with Venafi you can discover what certificates are in use and what CAs are trusted across your organization and then whitelist or blacklist CAs. You can then enforce a policy to not trust particular CAs that your business or government finds untrustworthy, like the Chinese CA CNNIC.

All of these reasons are why Venafi as the Immune System for the Internet is critical to protecting the world’s economy today and in the future. Outside of Venafi there is no system that understands what should be trusted, what is trusted, and can fix it—whether inside the enterprise or outside across the Internet.

Like to learn more and continue the conversation? Drop me a note.

<![CDATA[New PCI DSS v3.1 SSL/TLS Requirements—But Many Aren’t Compliant with PCI DSS v3.0]]> https://www.venafi.com/blog/post/new-pci-dss-v3.1-ssl-tls-requirementsbut-many-arent-compliant-with-pci-dss https://www.venafi.com/blog/post/new-pci-dss-v3.1-ssl-tls-requirementsbut-many-arent-compliant-with-pci-dss/#When:22:30:00Z The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released in April 2015. Yet, many organizations are still not compliant with the PCI DSS version 3.0, which went into effect on January 1, 2015. Both versions introduced new requirements for cryptographic keys and digital certificates. While businesses may have a variety of reasons for not meeting the compliance requirements pertaining to keys and certificates, it certainly isn’t because the dangers have subsided. In fact, they’re on the rise.

In a recent Ponemon Institute report, 100% of the organizations surveyed said they had responded to attacks using keys and certificates within the last 2 years. In response to the growing threat, the Payment Card Industry Security Standards Council (PCI SSC) has introduced stringent rules governing the security and management of keys and certificates.

PCI DSS non-compliance creates security risks

PCI DSS v. 3.1

Just months after PCI DSS v3.0 went into effect, the new PCI DSS v3.1 was released requiring that SSL and early versions of TLS be replaced to prevent man-in-the-middle attacks like POODLE. Organizations are no longer allowed to use SSL or early TLS with new systems, but have until June 30, 2016 to transition existing ones. This new mandate impacts the PCI DSS requirements that address encryption used to protect cardholder data and requires an enterprise-wide transition to TLS version 1.1 and higher on in-scope systems. The process for migration to TLS 1.1 and higher can be summarized in two steps:

Step 1: Search and Triage

  • Find online applications. Can be performed by scanning network ranges on known ports.
  • Find applications that operate intermittently. Can require searching systems for cryptographic keys and digital certificates and mapping them back to applications.

Once applications and how cardholder data is processed are known, risk can be established and migration for specific applications can be prioritized. 

Step 2: Migration

Migrating to TLS 1.1 and higher will require at least updating the configuration of affected applications. It may also require updating the application to a version that operates only with TLS 1.1 and 1.2.

As migration proceeds, teams should update scans to validate migration. These scans demonstrate progress and compliance, showing SSL, early TLS, and TLS 1.1 and higher usage.
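The search, triage and validation scans described in the two steps above, as an added example that is not part of the original post or of any Venafi product: it probes each listener for the TLS versions it will negotiate, then sorts the inventory so that anything still offering SSL or early TLS lands at the top of the migration list. It assumes Python 3.7 or newer and an OpenSSL that will still attempt TLS 1.0/1.1 at SECLEVEL=0. Python's ssl module cannot speak SSLv2 or SSLv3 at all, so those two inventory fields have to come from a scanner built with them enabled; here they are only inventory keys. The hostnames and results in the sample inventory are constructed.

```python
"""Added example (not from the post): probe TLS protocol support per host:port and
triage the results against PCI DSS v3.1's 'no SSL / early TLS' rule.

Assumptions: Python 3.7+; the local OpenSSL may attempt TLS 1.0/1.1 at SECLEVEL=0.
Python's ssl module cannot negotiate SSLv2/SSLv3, so those entries must come from a
scanner built with them enabled; here they are just inventory fields. All hostnames
are invented.
"""
import socket
import ssl
import sys

# PCI DSS v3.1: SSL (any version) and early TLS (1.0) are not strong cryptography.
NON_COMPLIANT = ("SSLv2", "SSLv3", "TLSv1")
STATUS_ORDER = {"SSL/early TLS": 0, "unknown": 1, "TLS 1.1+ only": 2}

# Versions this probe can pin the handshake to.
PROBEABLE = (
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)


def offers_version(host, port, version, timeout=3.0):
    """True/False if the server does/doesn't complete a handshake pinned to `version`;
    None when the local library cannot even attempt that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # fingerprinting the protocol, not trusting the peer
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 1.1.1/3.x offer TLS 1.0/1.1 suites
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan(host, port):
    """Inventory row for one listener: {version_name: True/False/None}."""
    return {name: offers_version(host, port, v) for name, v in PROBEABLE}


def classify(results):
    """Bucket one listener: offers anything banned, only TLS 1.1+, or nothing known."""
    offered = {name for name, ok in results.items() if ok}
    if offered & set(NON_COMPLIANT):
        return "SSL/early TLS"
    if offered:
        return "TLS 1.1+ only"
    return "unknown"  # nothing negotiated or nothing probeable: needs a closer look


def triage(inventory):
    """inventory: {(host, port): results}. Returns findings sorted worst-first so
    migration work can be prioritised and re-run scans show progress."""
    findings = []
    for (host, port), results in inventory.items():
        weak = sorted(name for name in NON_COMPLIANT if results.get(name))
        findings.append({"host": host, "port": port,
                         "status": classify(results), "weak": weak})
    findings.sort(key=lambda f: (STATUS_ORDER[f["status"]], -len(f["weak"]),
                                 f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    # Usage: python tls_triage.py host:port [host:port ...]
    inventory = {}
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        inventory[(host, int(port))] = scan(host, int(port))
    for f in triage(inventory):
        print(f"{f['host']}:{f['port']:<5} {f['status']:<14} "
              f"weak={','.join(f['weak']) or '-'}")
```

Re-running the same probe after each configuration change gives the "updated scans" the migration step calls for; a listener only moves out of the top bucket when none of the banned versions will negotiate any more, which is the evidence an assessor will ask for.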

PCI DSS v. 3.0

However, most organizations still need to address the new key and certificate requirements in PCI DSS v3.0 as well. Here are the top regulations with a description of the impact to your organization’s security resources:

  • New requirement 2.4: Maintain an inventory of all in-scope system components.
    This includes all in-scope keys and certificates. But research by the Ponemon Institute shows that 54% of organizations don’t know where all of their keys and certificates are located, who owns them, or how they are used. On average, an enterprise has over 23,000 certificates floating around their network. Hunting down lost keys and certificates can be a long, painful, manual process.

  • Revised requirement 5 and new requirement 5.1.2: Protect all systems against malware and review periodically to see if protection has become necessary.
    PCI SSC wants to stress that even systems not commonly impacted by malware should be periodically assessed to determine if protection has become necessary. Organizations may view keys and certificates as uncommonly impacted by malware, but in truth, keys and certificates have become the attack method of choice. There has been a 700% growth in certificate-enabled malware from 2012 to 2015 according to Intel Security. Without first knowing where your certificates are located, it becomes impossible to protect them from misuse. A centralized platform, inventory, policy enforcement, continuous monitoring, and automated management are needed to keep keys and certificates secure.

  • New requirement 8.6: Certificates for authentication must be assigned to an individual account, not shared.
    Certificates enable strong authentication and PCI SSC wants to ensure their use and access are restricted. This regulation requires that organizations have strict usage policies in place to prevent the ambiguity of overlapping ownership and use.

  • Business as Usual (BAU) Processes: Security controls for compliance should also be part of the BAU security strategy.
    This is the PCI SSC’s way of ensuring that organizations maintain compliance on an ongoing basis. For keys and certificates, this requires that organizations adopt a centralized management and security platform with automated, ongoing monitoring and policy enforcement. Unfortunately, many organizations use legacy, error-prone, manual approaches or home grown scripts that make it difficult, if not impossible, to meet the new PCI DSS requirements governing visibility and security over keys and certificates—at best eating up weeks of time and taking significant resources.

Learn how Venafi is designed to make meeting the new PCI DSS requirements for keys and certificates easy at Venafi.com/PCI.

Last year, Securing Cryptographic Keys and Digital Certificates was a PCI SSC 2015 Special Interest Group (SIG) Finalist. This topic was not selected for 2015, but has been resubmitted for consideration as a 2016 PCI SSC SIG. Want key and certificate security as a PCI SIG? Let the PCI SSC know you’re interested! And drop me a comment if you’d like to participate.

<![CDATA[Why Strategic Investors Support Venafi as the Immune System for the Internet With $39M New Funding]]> https://www.venafi.com/blog/post/why-were-so-passionate-about-protecting-global-5000-customers https://www.venafi.com/blog/post/why-were-so-passionate-about-protecting-global-5000-customers/#When:10:00:00Z Today we are announcing that Venafi has received $39M in new funding from strategic investors: Intel Capital, Silver Lake Waterman, QuestMark Partners, Foundation Capital, Pelion Venture Partners, and Mercato Partners. These are a mix of new and existing investors who believe in and are passionate about the Venafi vision and support our mission to restore trust online by protecting the Global 5000 as the Immune System for the Internet.

Over the past 10 years, enterprises have become more complex and connected, and their security challenges have grown with them. The bad guys are ahead in this race. But Venafi helps enterprises defend against the bad guys and has continued to grow, from a 14-person startup to an international organization working from development centers and offices around the world.

Today, Venafi protects

  • 4 of the top 5 U.S. banks
  • 8 of the top 10 U.S. health insurance companies
  • 4 of the top 7 U.S. retailers

All of whom rely on Venafi as mission-critical security to protect their keys and certificates from misuse. We are the immune system for their cyber realm.

We pioneered the first and only technology to secure keys and certificates—the foundation of all cybersecurity—and protect them from bad guys, and we have continued to evolve as the market leader. We’ve also developed the world’s largest talent of subject matter experts who know how attackers are going after keys and certificates within the Global 5000. Their expertise lets us understand how the bad guys use keys and certificates to gain trusted status and steal valuable data without detection, and how to protect against those threats.

We’ve built a technology stack that secures keys and certificates, whether in the cloud, on mobile devices, inside the firewall and/or in the Internet of Things. During the last 12 months, the most significant vulnerabilities and breaches, including Heartbleed, POODLE, Shellshock, and the attacks on Sony Pictures and others, demonstrate how unsecured keys and certificates provide the trusted status cybercriminals need to go undetected for long periods. Once authenticated with a stolen or forged key or certificate, the bad guys can further hide their activities by encrypting the malware they use against their targets and data they want to steal and exfiltrate from them.

The new funding allows us to accelerate development of the Venafi Trust Protection Platform™ to better support our fast growing customer base worldwide. The investment also demonstrates our investors’ understanding of the size of the problem and their commitment to helping solve it for the Global 5000. You can get perspective from Intel Capital’s Ken Elefant, who blogged about the funding announcement in a new posting “Why Intel Capital Believes in Securing the Foundation of Trust.”

We’ve also built an incredible leadership team with the vision and expertise to make a lasting impact on how the world approaches cybersecurity. And, like our leadership team, our current investors see that the world is changing. They know that the way that we used to think about Internet security and layering defenses isn’t enough anymore, and they want to be alongside Venafi as we develop new ways to secure and protect global enterprises.

The Immune System for the Internet: Protect Keys and Certificates

Venafi is the Immune System for the Internet. Just as humans have evolved a highly effective immune system that is constantly working to establish what is “self” and trusted, and what is “not self” and dangerous, this too must be applied to security. The human body tags all cells that belong. The human immune system continuously finds those that are not tagged and disables them. The Internet uses keys and certificates to tag what belongs. But before Venafi, there was no immune system to find those that don’t belong and disable them. This fundamental missing piece—the equivalent of an immune system—has allowed the bad guys to do amazing damage. Modern security solutions must be adaptive and responsive. They must operate like a living organism, always scanning for new threats and attacks, detecting that which doesn’t belong, and responding to keep the Internet and our intellectual property (IP) safe.

Unfortunately, as Gartner says, “We live in a world without trust,” and we haven’t had an effective way to defend against a new generation of cyber attacks—until now. With Venafi as the Immune System for the Internet—continually identifying which keys and certificates are trusted and which aren’t—we can secure and protect Global 5000 organizations from the most prevalent attacks today: attacks on the very trust provided by keys and certificates. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, business, and brand, and by doing so protects the e-commerce, intellectual property, and sensitive data that underlie all the largest enterprise organizations in operation today.

It’s an enormous task, but one that we meet enthusiastically. We’ll utilize this new investment to expand the Immune System, grow into new global markets, and to help Global 5000 enterprises continue to fight attacks on trust that are increasing exponentially each day.

Enterprises can no longer expect static defense mechanisms to protect them from the dynamic attacks that are launched against us every day. We must evolve. We must get smarter and stronger. We must implement an Immune System for the Internet—and we must do it now.

<![CDATA[4 Ways to Arm Your Incident Response Team for Rapid Key and Certificate Remediation]]> https://www.venafi.com/blog/post/arm-your-incident-response-team-for-rapid-key-and-certificate-remediation https://www.venafi.com/blog/post/arm-your-incident-response-team-for-rapid-key-and-certificate-remediation/#When:16:00:00Z Your network has been attacked and your security is compromised. Your incident response (IR) team goes to work trying to discover the cause of the breach and restore your organization’s equilibrium—the faster the better. Just how fast and how thorough that process is has a lot to do with the tools your IR team uses, particularly when it comes to cryptographic key and digital certificate security.

Most security controls blindly trust keys and certificates, allowing cybercriminals to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. The 2015 Cost of Failed Trust Report, published by the Ponemon Institute, confirmed just how widespread the problem is. Every Global 5000 company in the survey had responded to an attack involving keys and certificates within the last 24 months.

Breaches using keys and certificates put sensitive data in the wrong hands and damage corporate reputations. They also consume staff hours and result in lost operational and development time. IT security professionals who responded to the Ponemon Institute estimate the total impact of attacks using keys and certificates at almost $600 million. They also estimate a total risk for each organization of $53 million over the next two years.

Incident Response teams also have to respond to outages. With the increased use of keys and certificates, there are also more outages—all organizations surveyed had 2 or more certificate-related outages over the last 2 years with a total possible impact of $15 million per outage.

The Ponemon Institute report revealed other surprising facts. The average enterprise has over 23,000 keys and certificates, but 54% of security professionals admit that they don’t know where their keys and certificates are located, who owns them, or how they are used. With this lack of visibility it’s not surprising that 100% of organizations responded to attacks using keys and certificates as well as certificate-related outages. And when they respond to incidents, most companies try to get by with issuing new certificates but not issuing new keys, which leaves an organization open to continued breaches, outages, and exploitation.

Keys and certificates in incident response plans.

Without key and certificate security built into your IR plan, your IR team won’t be able to act quickly to determine the extent of the attack and bring your organization back to a trusted, secure state. Here are 4 ways to strengthen IR with key and certificate security controls.

  1. Ensure complete visibility
    • Identify all keys and certificates across networks, cloud instances, CAs, and trust stores
    • Map user access to servers and applications
    • Establish a baseline to identify misuse
  2. Enforce policies and workflows
    • Implement policy criteria for strong cryptography and key and certificate rotation
    • Enforce configurable workflow capabilities for replacement, issuance, and renewal
    • Track response progress with real-time dashboards and reports
    • Terminate access when needed, revoking all certificates associated with a user
  3. Automate management and security
    • Automate and validate the entire issuance and renewal process
    • Replace certificates in seconds, and remediate across thousands of certificates within hours following a certificate authority compromise or a new vulnerability such as Heartbleed
  4. Establish certificate reputation insight
    • Use global certificate reputation to identify certificate misuse such as stolen certificates used for spoofed websites
    • Remediate immediately through certificate whitelisting and blacklisting

Just like the human immune system, Security Operations and Incident Response teams need to be able to identify what is “self” and trusted and what is not and therefore dangerous. When key and certificate security is added to your incident response plan, you can identify which keys and certificates are trusted, protect those that should be trusted, and fix or block those that are not. With this security in place, you can quickly return the network to a trusted state while minimizing damages, downtime, outages, recovery time, and costs—all while protecting your network, your business, and your brand.

Has your IR team recently responded to attacks using keys and certificates? What approaches has your team found helpful to return to a secure, trusted state after these attacks?

<![CDATA[Businesses Need to Act Fast to Regain Online Trust]]> https://www.venafi.com/blog/post/businesses-need-to-act-fast-to-regain-online-trust https://www.venafi.com/blog/post/businesses-need-to-act-fast-to-regain-online-trust/#When:19:40:00Z The Internet is the life blood for today’s business. Billions of dollars in market capitalization have been built on the back of innovation and productivity gains from the Internet and connected computing. However, the idea that security professionals believe online trust is near its breaking point will probably come as a bewildering thought to many companies going about their daily business, quietly confident the Internet’s system of trust is working.

The truth is that businesses need to take their blinders off and face online security issues head on, instead of burying their heads in the sand. Shockingly, 100% of surveyed organizations have admitted being at the receiving end of multiple attacks on unsecured cryptographic keys and digital certificates in the past two years alone. Keys and certificates are the foundation of security and were put in place to attempt to solve the first Internet security problems twenty years ago: what can I trust online and can I have private communications. But, we’ve lacked an immune system to keep them safe, know what’s trusted, and find and replace them when they’re not. If businesses do not take action, they’ll be unprepared for what security experts call a ‘Cryptoapocalypse’—when a discovered cryptographic weakness becomes the ultimate cybercriminal weapon, sending business into chaos.

We’ve already seen the warning signs. Last year, for example, Russian cybercriminals stole an SSL/TLS certificate from a top-five global bank. This enabled the cyber gang to impersonate the bank and steal 80 million customer records. In another case, SSL/TLS keys and certificates enabled hackers to steal data from 4.5 million healthcare patients. Leading industry researchers have identified the misuse of keys and certificates as a key part of an Advanced Persistent Threat (APT) and at the epicenter of cybercriminal operations.

The dire reality of the situation was uncovered in the 2015 Cost of Failed Trust Report, released by the Ponemon Institute. It is the first report of its kind to examine the Internet’s system of trust and what happens when this system breaks down. The report found that half of respondents acknowledged that the trust established by keys and certificates, the technology used to underscore trust and privacy online, is in jeopardy. What is more worrying is the other half who are eschewing the issue of trust altogether.

Half of IT security professionals believe online trust is in jeopardy.

Can you find your keys and certificates?

With 54% of businesses unaware of where their keys and certificates are, or how they are being used, it is easy to see how they, their customer base, and their partners fail to establish any trust online. Take away the trust created by keys and certificates, used for everything from online shopping and mobility to banking and government, and the Internet is hurled right back into the ‘stone age’, where users have no way of knowing if a website or mobile application is actually secure. How much faith would that give you in doing business online?

The potential liability shouldn’t be underestimated. Over the next two years, the prospective financial risk facing business from attacks on keys and certificates is expected to hit at least $53 million.

Take action now.

With the growing number of attacks on keys and certificates, businesses must see this as a wake-up call and realize that they can’t place blind trust in keys and certificates that are open to exploitation by cybercriminals. We’ll need an immune system to know what’s ours, trusted, or not. And as we move more and more to the cloud and DevOps environment, we need an immune system to scale up fast and tear down even faster, to keep everything safe and trusted.

The total number of keys and certificates used by the average business is over 23,000—up 34% from two years ago, thanks to an increase in deployment on web servers, network devices, and cloud services.

Over 23,000 keys and certificates in the average organization.

With no alternatives to keys and certificates available, the first priority is to make sure they are adequately protected. Businesses must make sure they know exactly where their keys and certificates are, fix any vulnerabilities, and make sure they are changed and replaced automatically.

Organizations need to put strict policies in place to know who they can, and cannot, trust. Before a certificate is issued a business should make sure it knows exactly how it will be used, who will own it internally, and if it fits into the existing security policy. And with more cloud and DevOps environments, we can only accomplish this with an immune system that’s machine-based to scale up and down in seconds.

Businesses must not forget to include enterprise mobile certificates in their cyber security policy. The misuse of these for applications such as WiFi, VPN and MDM/EMM is a growing concern, especially with an increase in mobile employees and the adoption of BYOD (Bring Your Own Devices). Security professionals indicated that attacks using mobile certificates have the largest impact of all attacks using keys and certificates with a total possible impact of $126 million.

Businesses should sweep the Internet regularly to see if there are any ‘spoofed’ or stolen certificates out there claiming to belong to them. Stolen certificates are now being sold for $1000 and more. This is such a big problem that Intel believes it will be the next big hacker marketplace. Each business’s immune system for its cyber realm should detect these issues and rapidly respond to anomalies as well as know how to fix and replace vulnerable keys and certificates quickly.

It is critical that organizations put broad cyber security controls in place. It’s not possible just to focus in on one type of security control. And, it’s critically important that the foundational elements for security, like keys and certificates, be secured first. Cybercriminals won’t question the size or sector of a business when they attack.

<![CDATA[Examining the Impact of the OMB and Congress’ Moves to Add More Encryption and Address the CAs]]> https://www.venafi.com/blog/post/examining-the-impact-of-congress-moves-to-add-more-encryption https://www.venafi.com/blog/post/examining-the-impact-of-congress-moves-to-add-more-encryption/#When:15:00:00Z On the heels of the U.S government’s Office of Personnel Management (OPM) breach last week and other recent examples of cyber attacks involving the malicious use of keys and certificates, it's not that surprising to see two major developments this week to increase encryption use and improve website security in general.

This week, the U.S. Office of Management and Budget (OMB) announced it would require federal agencies to use HTTPS. A day later, House Energy & Commerce Committee sent letters to Apple, Microsoft, Google and Mozilla, asking them what they can do to limit or constrain certificate authorities (CAs) issuing certificates outside of their home domains. While they may seem unrelated, these two initiatives go hand in hand. 

While the intentions for more encryption are good (and, ironically, what Edward Snowden publicly called for two years ago) in ensuring the authenticity and privacy of federal websites, the OMB’s announcement to increase the use of HTTPS has significant gaps if it is not implemented together with an immune system to protect the cryptographic keys and digital certificates. More encrypted traffic will require bad guys to use HTTPS themselves and either forge or compromise certificates to mount effective attacks.

https encryption

First, this means that all federal agencies must be inspecting inbound traffic for threats as they move toward 100 percent encryption. At this point, no traffic can go un-inspected because cybercriminals will hide there for months, even years, completely undetected (can anyone say Careto?).

Second, agencies must be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks.

In its directive, OMB has yet to specify or mandate any type of key or certificate management system to ensure their proper care and protection. And there was no reference to or mention of the government’s NIST guidance issued two years ago for preparing for a CA compromise. That’s why it was interesting to see Congress’ letter to the browsers about limiting or constraining certain CAs.   

At Venafi, we've been saying for months that governments should be very concerned about who is trusted in our browsers and if we can trust that any website is secure. That's why we applauded Mozilla and Google for blocking CNNIC, the Chinese CA, back in April.

At this point, any CA in the world, through fraud or compromise, could issue malicious certificates for .gov domains (as well as .com and others). We need to be able to ensure that CAs cannot mis-issue certificates or issue malicious ones that might end up being used as a weapon against the U.S. or its allies. While Google’s Certificate Transparency (CT) helps, browsers currently require it only for extended validation (EV) certificates, and it does nothing about compromise and misuse after issuance. This is why Certificate Reputation is becoming increasingly popular.

What the U.S. OMB and Congress have done is important, and these are most certainly positive steps in the right direction. The reality, though, is that we are now going to have more encrypted traffic, which makes the U.S. an even bigger target for cybercriminals who can hide in it and take on trusted status. Unless we use an Immune System for the Internet—one that can identify certificates, safely deliver them for use with SSL/TLS inspection, and detect and stop the misuse of certificates for governments and enterprises—we will remain extremely vulnerable to these types of attacks, which are increasing at an alarming rate (remember CHS, Sony, Heartbleed, POODLE and Shellshock?). What are your thoughts on the U.S. government’s attempts to better secure government websites and web services?

<![CDATA[Security Pros (Blindly) Trust Keys and Certificates]]> https://www.venafi.com/blog/post/security-pros-blindly-trust-keys-and-certificates https://www.venafi.com/blog/post/security-pros-blindly-trust-keys-and-certificates/#When:12:00:00Z A Venafi Survey of Nearly 850 IT Security Professionals Finds Gaps in Detection and Response to Key and Certificate Vulnerabilities

Attacks on keys and certificates are unlike other common cyber attacks seen today. With a compromised or stolen key, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates provide the attackers with unrestricted access to the target’s networks and allow them to go undetected for long periods of time with trusted status and access.

And we’ve seen many recent instances of these types of attacks. From the GoGo man-in-the-middle (MITM) attacks to Lenovo’s Superfish vulnerability to FREAK and now the more recent LogJam flaw, cybercriminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious deeds.

The bad guys are able to take advantage of these new vulnerabilities, because most security systems blindly trust keys and certificates. In the absence of an immune system for the internet, enterprises are unable to determine what is “self” and trusted in their networks and what is not and therefore dangerous. Not knowing what is trusted and “self” or how to detect or remediate from attacks on keys and certificates keeps organizations open to breach and compromise.

RSA Conference 2015 USA

In light of recent attacks on trust, Venafi conducted a survey of nearly 850 IT security professionals during the RSA 2015 Conference to see what they were doing to stave off breaches and establish better trust online. The data reveals that most IT security professionals acknowledge they don’t know how to detect or remediate quickly from compromised cryptographic keys and digital certificates—the foundation of trust in our modern online world.

Here are other important findings from the Venafi RSA study:

  • Respondents are ill informed on how to remediate a Sony-like breach involving theft of keys and certificates. Following a breach, more than three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches, and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.

  • IT security professionals don’t know how to protect keys and certificates and their organizations don’t have a clear understanding or strategy for doing so. When asked what their organizational strategy is to protect the online trust provided by keys and certificates, only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea, 14 percent said they are using a manual process to try to manage them, and 22 percent placed the responsibility elsewhere. Without a strategy and implemented security controls to protect keys and certificates, attackers can gain and maintain extensive access to the target’s networks and remain undetected for long periods of time with trusted status.

  • Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results showed that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they are using a combination of next generation firewalls, anti-virus, IDS/IPS, and sandboxes to detect these types of attacks. Both groups leave themselves open to additional attacks. According to Gartner, 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. Bad actors understand that most security systems either trust SSL/TLS or lack access to the keys to decrypt traffic and find hidden threats. These security shortcomings create blind spots and undermine critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.

  • More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) to attacks on SSH keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys on all hosts if breached. Cybercriminals are exploiting the lack of visibility and control over SSH keys, which are used to authenticate administrators, servers, and clouds. Because SSH keys carry no expiration date, cybercriminals and insiders alike gain almost permanent ownership of systems and networks by stealing them.
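
The "three or more days to detect, diagnose, and replace keys on all hosts" finding comes down to inventory: you cannot rotate or revoke what you cannot enumerate. As an added example, not code from the original post or from Venafi, the following Python script parses an OpenSSH authorized_keys file, computes each key's SHA-256 fingerprint the way ssh-keygen -l does, and flags keys that match a revocation list, RSA keys under 2048 bits, legacy DSA keys, and keys with no from= source restriction. The authorized_keys content, the key blobs and the revoked fingerprint are constructed inline for the example (the blobs follow the SSH wire format but are synthetic values, not real key pairs); the 2048-bit threshold and the host names are assumptions.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_fields(line):
    """Whitespace split that keeps quoted option values (command="a b") in one token."""
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + ([cur] if cur else [])

def read_string(blob, pos):
    """One SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def fingerprint(blob):
    """What `ssh-keygen -lf` prints: SHA-256 of the key blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_bits(key_type, blob):
    """RSA modulus size, Ed25519/ECDSA key size, or None for DSA."""
    _, pos = read_string(blob, 0)                  # algorithm name
    if key_type == "ssh-rsa":
        _, pos = read_string(blob, pos)            # public exponent e
        n, _ = read_string(blob, pos)              # modulus n (mpint)
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    return int(key_type[-3:]) if key_type.startswith("ecdsa-sha2-nistp") else None

def parse_line(line):
    """One authorized_keys entry -> dict, or None for blank, comment or unparseable lines."""
    fields = split_fields(line.strip())
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    if read_string(blob, 0)[0] != key_type.encode():
        return None                                # type column disagrees with the blob
    return {"type": key_type, "bits": key_bits(key_type, blob), "fingerprint": fingerprint(blob),
            "options": fields[:idx], "comment": " ".join(fields[idx + 2:])}

def audit_authorized_keys(text, revoked_fingerprints, min_rsa_bits=2048):
    """Inventory every key and record why it should be replaced or restricted."""
    findings = []
    for line in text.splitlines():
        key = parse_line(line) if line.strip() and not line.lstrip().startswith("#") else None
        if key is None:
            continue
        flags = []
        if key["fingerprint"] in revoked_fingerprints:
            flags.append("revoked")
        if key["type"] == "ssh-rsa" and key["bits"] < min_rsa_bits:
            flags.append("weak-rsa")
        if key["type"] == "ssh-dss":
            flags.append("legacy-dsa")
        if not any("from=" in opt for opt in key["options"]):   # no source-address restriction
            flags.append("unrestricted-source")
        findings.append(dict(key, flags=flags))
    return findings

# --- constructed sample: blobs in the real wire format, but synthetic values, not real key pairs ---
def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def mpint(n):
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))   # leading 0x00 keeps it positive

def rsa_blob(bits):
    return ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 0x10001)

b64 = lambda blob: base64.b64encode(blob).decode()
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    "ssh-rsa " + b64(rsa_blob(1024)) + " legacy@build01",
    'from="10.20.0.0/16",command="/usr/local/bin/backup run",no-pty ssh-rsa '
    + b64(rsa_blob(3072)) + " backup@nas",
    "ssh-ed25519 " + b64(ED25519_BLOB) + " contractor laptop",
])
REVOKED = {fingerprint(ED25519_BLOB)}     # stands in for the fingerprint of a key reported stolen

if __name__ == "__main__":
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REVOKED):
        print(f'{k["type"]:<12}{str(k["bits"]):>5} {k["fingerprint"]}  {k["comment"]!r}  {k["flags"]}')
```

Against real hosts, read ~/.ssh/authorized_keys and whatever AuthorizedKeysFile points at into text and load the revoked set from your incident tracker; because the fingerprint is computed from the blob exactly as ssh-keygen does, the same inventory can be matched against server logs that record the accepted key's fingerprint, which is how you find every host a stolen key can still open.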

The results of this study underscore what we at Venafi have been saying all along: IT security pros can no longer place blind trust in keys and certificates. We must realize that the keys and certificates we rely upon to establish trusted connections for everything IP-enabled today are in major jeopardy as attackers continue to misuse them to gain trusted status.

Just like the human immune system, Venafi learns and adapts as it works. Venafi identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects enterprise networks and brands.

Ultimately, if what our survey data says is true, and IT security professionals can’t secure and protect keys and certificates and respond more quickly to attacks that use them, online trust will continue to diminish with grave consequences, especially to the economy which relies heavily on online trust for commerce.

<![CDATA[Are Your Partners Creating a Hole in Your Security?]]> https://www.venafi.com/blog/post/are-your-partners-creating-a-hole-in-your-security https://www.venafi.com/blog/post/are-your-partners-creating-a-hole-in-your-security/#When:12:30:00Z No matter how secure your environment, cybercriminals will bypass your security defenses, making how quickly you can detect the breach and respond to mitigate the damage a critical component of your enterprise’s cyberdefense. But there’s a challenge—it’s not only your security you need to be concerned about, but your business partners’ as well.

One method that is growing dramatically in popularity with cybercriminals is compromising a target’s business partners. Your business partners may not have security practices that are as good as your organization’s defenses. Cybercriminals use a compromised business partner as a backdoor into your organization via an already trusted channel like a VPN. The Target breach last year is a good example of this approach.

To compromise businesses, cybercriminals are increasingly using keys and certificates to elevate their privileges and hide activity. By the end of 2014, attacks using SSL comprised 12% of network-based attacks according to Intel Security, and Gartner estimates that 50% of network attacks will use SSL by 2017. Using SSL enables cybercriminals to cloak their activities. This helps support Mandiant’s findings that most organizations do not internally discover they’ve been compromised—nearly 70% of victims are notified by an external entity that they have been breached.

But how are cybercriminals compromising business partners and how can organizations quickly detect and remediate these breaches? To better understand cybercriminal attack methods, Venafi teamed up with Raxis, an independent penetration testing firm, to reconstruct a current real-world attack that targeted and compromised a Global 100 bank with techniques that can be used effectively to breach many organizations today.


The breach reconstruction provides full details on how a large hacking group used a stolen private key that was purchased on the underground as part of a multi-chained attack to ultimately steal millions of customer records. The white paper provides details about the thriving underground marketplace where you can buy almost anything needed to compromise networks. It also provides an explanation on how the attack was architected and executed as well as guidance on how the breach could have been quickly detected and mitigated.   

Read the full report here: Venafi.com/BankAPTAnalysis

For the last four years, Ponemon Institute has found that 100% of Global 5000 enterprises surveyed across 5 regions were impacted by attacks using keys and certificates. How does your organization detect and respond to attacks that use keys and certificates to elevate privileges and hide activity? How does your organization detect if a certificate is being used to misrepresent your brand on the internet?

<![CDATA[Heal Your Broken Online Trust with an Immune System]]> https://www.venafi.com/blog/post/heal-your-broken-online-trust-with-an-immune-system https://www.venafi.com/blog/post/heal-your-broken-online-trust-with-an-immune-system/#When:20:00:00Z In 2014, Keren Elazari, a cyber security researcher, used her TED talk to argue that hackers are like the internet’s immune system. She has led the way on this idea, explaining how hackers both help and hurt, yet ultimately lead to a healthier, stronger network.

Assisting our immune system like inoculations, hackers give us a taste of a potentially larger problem and help us overcome the illness before it becomes unmanageable.

Venafi recently released a product called Venafi TrustNet. It monitors and measures the health of certificate use on the internet, which underpins encrypted traffic and authentication. Certificate misuse is at an all-time high. As we use more X.509 certificates to encrypt communications and authenticate entities, bad guys will only become more interested.

We’ve blindly trusted certificates, because we’ve lacked an immune system for the cyber realm to know what’s trusted or not. Now Venafi provides a way through TrustNet to establish a baseline of normal certificate use online and alert affected organizations if that baseline is broken, indicating potential certificate misuse. TrustNet allows immediate remediation through blacklisting. Then, as part of the Venafi Trust Protection Platform, organizations can use TrustAuthority to replace and revoke untrusted certificates and TrustForce to automatically complete the certificate and key lifecycle.

If you own a certificate that is being misused, revoke it. If someone is misusing a certificate, blacklist it. Just like Keren Elazari has mentioned, hackers are like our immune system by demonstrating illness. Venafi is the Immune System for the Internet™ that allows us to rapidly detect what shouldn’t be trusted and respond quickly. Hackers have repeatedly demonstrated that we have to do something right now to fix trust online, which is near the breaking point.

What are your thoughts about the Immune System for the Internet?

<![CDATA[Automate Key and Certificate Management for Optimized Application Delivery]]> https://www.venafi.com/blog/post/automate-key-and-certificate-management-for-optimized-application-delivery https://www.venafi.com/blog/post/automate-key-and-certificate-management-for-optimized-application-delivery/#When:21:33:00Z Businesses rely heavily upon SSL/TLS certificates to encrypt data and authenticate systems and applications – both inside and outside the corporate network. The use of keys and certificates will continue to grow as businesses need to ensure appropriate access across servers and applications. In fact, the Ponemon Institute’s 2015 Cost of Failed Trust Report reveals that over the last two years, the number of keys and certificates deployed on network appliances, web servers, and cloud servers grew over 34% to an average of almost 24,000 per enterprise. This leaves enterprise IT environments challenged to secure and keep up with rising key and certificate deployments in the data center.

24,000 keys and certificates on average per company

To ensure successful management of keys and certificates, organizations must gain visibility into every SSL/TLS key and certificate present, including those on network infrastructure solutions such as Application Delivery Controllers (ADCs). When strategically deployed throughout the data center, ADCs enable applications to be highly available, accelerated, and secure. However, on most ADCs keys and certificates are configured by hand, and discovering the thousands of certificates in the network is a manual effort. System administrators need to generate keys and request certificates, as well as oversee installation and configuration. And with so many other network devices like NGFWs, IDS/IPS systems, and servers requiring access to keys and certificates, this process is burdensome and error prone, and it lets certificates expire, which leads to network outages. Manual processes and the lack of a centralized key and certificate management system can limit operational efficiency and also leave gaps in security.

What do you need to do to optimize your ADCs and reduce your SSL/TLS security risk?

A10 Networks and Venafi have partnered to create a joint solution with the A10 Thunder ADC line and Venafi Trust Protection Platform that helps organizations automate the management and security of the entire certificate lifecycle process. Here’s how the Venafi and A10 Networks joint solution can help:

  • Avoid Outages with Complete Visibility
    When digital certificates expire, it disrupts the very systems they were installed to protect. These expirations often occur from a lack of visibility and 54% of enterprises admit to being unaware of how many certificates they have in use, where they are used, and who is responsible for them. The certificate expirations create outages which lower productivity and cause a loss in revenue, profits, and customers.

    To avoid certificate expirations and outages, Venafi TrustAuthority detects and monitors all keys and certificates across enterprise networks, the cloud, and multiple CAs. Having complete visibility can also provide a baseline to flag anomalies, policy violations, and misuse.

  • Enforce Policies and Workflows
    Venafi TrustAuthority provides automated workflows for issuance, renewal, installation, and validation to enable rapid, secure deployment of SSL/TLS keys and certificates. These policies and workflows also enable distribution of keys and certificates to your A10 Thunder deployments across the data center.

  • Automate Management and Security
    Venafi TrustForce enables automation with full end-to-end certificate provisioning and lifecycle control for complex ADC and load-balanced encryption environments such as your A10 Thunder ADC deployments. This lifecycle automation for A10 devices includes provisioning processes such as key generation, certificate signing request (CSR) generation, CSR submission, certificate authority (CA) approval, issued certificate retrieval, certificate installation, private key backup, and certificate renewal.

Want to learn how to leverage Venafi and A10 Thunder ADC to simplify certificate management? Check out our joint technology partner solution brief. Or you can watch the A10 Networks and Venafi joint webinar to find out how to optimize your ADCs and reduce SSL/TLS security risk.

<![CDATA[Take the Guesswork and Complexity Out of Your PKI Update]]> https://www.venafi.com/blog/post/take-the-guesswork-and-complexity-out-of-your-pki-update https://www.venafi.com/blog/post/take-the-guesswork-and-complexity-out-of-your-pki-update/#When:19:00:00Z If your public key infrastructure (PKI) is like that of most companies today, it’s probably outdated. That can be a serious problem. Outdated PKI systems result in errors, missed updates, costly business interruptions, and even breaches. This is due to a lack of central visibility, consistent processes, and the refresh validation needed to streamline updates. Moreover, new security and compliance requirements and an evolving threatscape can make it costly and difficult to revamp PKIs.

Why is it so difficult and costly to refresh an outdated PKI? There are almost 24,000 keys and certificates in today’s average enterprise and 54% of security professionals admit to being unaware of where all of their keys and certificates are located, who owns them, or how they are used. In addition, establishing new root or intermediate CAs and distributing certificates to hundreds or thousands of applications and trust stores is incredibly time consuming, expensive, and error prone. Add to the mix differing, distributed applications and administrators unfamiliar with certificates, and the challenges quickly multiply.


But putting off a PKI refresh can open your business to outages and attacks. According to the Ponemon Institute, 100% of the Global 5000 surveyed have responded to attacks using keys and certificates and have had 2 or more certificate-related outages within the last 24 months. What does this mean in dollars and cents? Security professionals estimate that the total possible impact of an attack using keys and certificates is almost $600 Million and the total possible impact of a certificate-related outage is $15 Million. That’s a serious impact—even for the largest enterprises.

To stay protected from these costly and damaging incidents, you may want to consider adopting new PKI refresh standards and strategies:

  • Reduce certificate lifetimes to 3 months or less, as recommended by Google and others to reduce certificate risk exposure (but even Google recently let a certificate expire, showing that even the most security conscious organizations can struggle with key and certificate management and security)
  • Replace SHA-1 with SHA-2, due to potential attacks on SHA-1 certificates. (See NIST’s Policy on Hash Functions.)
  • Update digital certificate maintenance rules according to compliance regulations, such as the PCI DSS, and other security frameworks, such as SANS 20.
  • Develop new remediation strategies to apply following a CA compromise or new vulnerability (Venafi research shows that 3 out of 4 organizations still have not completely remediated the Heartbleed vulnerability).

Manage and Validate Your PKI Refresh with Confidence

How do you implement all of these standards and strategies? With today’s fast changing threatscape and increasing use of digital certificates, successful PKI refreshes require complete visibility, enforced policies and workflows, automation, and validation.

Visibility: Most don’t have complete visibility into their PKI. But for successful PKI management, you need to identify all keys, certificates, CAs, and trust stores across your enterprise networks, the cloud, and multiple CAs.

Enforcing policies and workflows: To ensure consistency while updating your PKI, you need to enforce configurable workflows capabilities for replacement, issuance, and renewal. Also, a policy-enforced, self-service portal can be used to simplify certificate requests and renewals.

Automation of PKI: Automation is critical for PKI in today’s enterprises and should cover the entire CA and certificate refresh process, including the distribution and whitelisting of new CAs in trust stores.

Validating your progress: You should be able to track your progress and completion of your PKI refresh, validating that certificates are installed and applications are running.

With all of these requirements, does a PKI refresh sound like an impossible task? Believe it or not, you can now take the guesswork and complexity out of your next PKI refresh and reduce your risk. With the right solution for your PKI refresh, you can achieve complete visibility, enforce policies and workflows, automate processes, and validate progress. But don’t put this project off—it could literally cost you millions.

What do you consider to be the most critical PKI updates needed? Please share your experiences and thoughts.

<![CDATA[$600 Million Dollar Question: Is Your Company’s IAM MIA?  ]]> https://www.venafi.com/blog/post/600-million-dollar-question-is-your-companys-iam-mia https://www.venafi.com/blog/post/600-million-dollar-question-is-your-companys-iam-mia/#When:22:00:00Z Today, an increasing number of Identity and Access Management (IAM) strategies include the cryptographic keys and digital certificates for SSL/TLS, SSH, mobile WiFi, and VPN access that authenticate and authorize servers, devices, software, cloud, and privileged administrators and users.

This move to expand the enterprise security perimeter is laudatory because it closes the gap between the authentication and authorization established by keys and certificates and the protection provided for other credentials, such as usernames and passwords. But, without proper management and oversight, cryptographic keys and digital certificates could break that security perimeter wide open. For many companies, their IAM for keys and certificates may be missing in action (MIA).

Unlike passwords and user IDs, which are controlled with layers of automated monitoring policies, certificates and keys have been blindly trusted with inadequate, siloed processes. In many companies, there is no centralized visibility, policy enforcement, or incident tracking and remediation.

average enterprise has almost 24,000 keys and certificates according to Ponemon Institute

According to the 2015 Cost of Failed Trust Report, published this year by the Ponemon Institute and Venafi, an average enterprise has almost 24,000 keys and certificates in circulation. But 54 percent of corporate security professionals surveyed in the report admitted that they have no idea where all of their keys and certificates are located. As a result, thousands of certificates go missing in action every year, a recipe for disaster. Those certificates establish trusted access to critical servers, applications, mobile devices and cloud instances at the highest level of privilege, creating a situation ripe for exploitation.

Ask yourself these questions:

Would your organization tolerate a security situation where 24,000 passwords and user IDs were floating around the company without any awareness, policies, or control? Probably not. But your organization may be doing just that when it comes to keys and certificates. Just like passwords and user IDs, policies and automated controls need to be applied to keys and certificates such as rotation, validity periods, ownership, timely provisioning, and revocation.  Instead, outdated approaches limit visibility and policy enforcement and increase the risk of misuse, exposing enterprises to compliance failures and costly data breaches.

So if you were an enterprise hacker, where would you focus your attack efforts? Cybercriminals have already answered this question for you. In the Ponemon research, security professionals estimated the total possible impact per organization for all attacks using keys and certificates to be almost $600 million and this is up 50% from 2013.

It’s time to apply the same diligence we devote to usernames and passwords to keys and certificates, by deploying enterprise-wide policies and automated controls. Try these best practices:

  • Protect
    • Create visibility by inventorying the certificates you have in use today and verifying their ownership
    • Establish enterprise-wide use policies
  • Detect
    • Monitor and detect for anomalies
    • Enforce policies and establish management control
  • Respond
    • Automate key and certificate issuance, renewal, and installation
    • Replace keys and certificates based on a regularly scheduled inventory and review process
    • Remediate by replacing keys and certificates in the event of a CA compromise or new vulnerability such as Heartbleed

These steps should give you a good starting point, but there’s plenty more you can do. You can read the Venafi solution brief, Close the Gaps in Identity and Access Management, or drop me a line if you’d like to learn how.

<![CDATA[Data Protection Begins and Ends with Trusted Keys and Certificates]]> https://www.venafi.com/blog/post/data-protection-begins-and-ends-with-trusted-keys-and-certificates https://www.venafi.com/blog/post/data-protection-begins-and-ends-with-trusted-keys-and-certificates/#When:18:50:00Z According to Gartner, encrypted traffic now comprises 15%-25% of total web traffic today. But for many businesses, it’s over 50%. The adoption of Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), to protect web traffic has contributed to our exploding reliance on the Internet for personal use and commercial business.

Our dependence on SSL/TLS continues to rise. Growing concerns and regulations over data privacy as well as the surge in cyberattacks are increasing use of SSL/TLS to encrypt data transmission and authenticate web servers, application servers, load balancers, and other applications.

In addition, Google has called for “HTTPS Everywhere.” As part of this effort, Google is prioritizing search results for sites that provide this secure, encrypted connection. With HTTPS providing better search ranking, even marketing departments across all types of industries are promoting an increase in SSL/TLS use.

But this upsurge in SSL/TLS usage could also be leading to business downfall. Why? Because this growth has also increased the misuse of SSL/TLS keys and certificates, resulting in cyberattacks and network outages. The hard truth is that pervasive SSL/TLS use is only effective if the SSL/TLS keys and certificates themselves are securely managed and protected.

The 2015 Cost of Failed Trust Report, published by the Ponemon Institute, analyzed the impact of attacks on digital trust. It reveals that today’s average enterprise holds almost 24,000 keys and certificates, but the real issue is 54% are unaware of how many keys and certificates they have in use, where they are used, and who owns them. As the use of SSL/TLS increases, this lack of visibility also causes an increase in certificate-related outages—disrupting the systems these certificates were meant to protect. These outages lower productivity and cause lost revenue, profits, and customers.

Here’s another startling fact from the Ponemon report: for four years running, 100 percent of the companies surveyed said they had responded to multiple attacks using keys and certificates. Gartner estimates that by 2017, 50% of cyberattacks will use SSL/TLS to sneak past enterprise security defenses. Unfortunately, many businesses have made it easy for the bad guys to use a company’s own defensive weapons, SSL/TLS keys and certificates, against it. The bad guys understand that organizations are struggling to enforce and automate policies and can’t keep track of what is trusted. If left unprotected, keys and certificates can be usurped by cybercriminals to evade detection and keep their activities cloaked.

Even with this evidence of increased outages and breaches, you can safely expand and rely on SSL/TLS to achieve data security and privacy—with the right key and certificate management and protection. Make it a priority to learn how to automate SSL/TLS key and certificate security and validation to ensure that your data and network resources stay safe. Here are a few steps you can take in the right direction:

  • Understand the data protection issues of increasing SSL/TLS usage 
  • Learn the necessary tasks to address SSL/TLS key and certificate challenges
  • Develop key and certificate management and security strategies that ensure trust in your SSL/TLS systems

You can learn more about safely using SSL/TLS on our data protection solution page, or drop me a comment if you’d like to learn more about SSL/TLS key and certificate management and security solutions.

<![CDATA[Are You Smarter than a Hacker? Show Off Your Knowledge on Trust-based Attacks]]> https://www.venafi.com/blog/post/are-you-smarter-than-a-hacker-show-off-your-knowledge-on-trust-based-attack https://www.venafi.com/blog/post/are-you-smarter-than-a-hacker-show-off-your-knowledge-on-trust-based-attack/#When:20:15:00Z This is the 4th year running that Venafi has hosted a game show at the annual RSA Conference. Participants get a chance to show off their knowledge of today’s threatscape and the latest methods of protection.

It’s been such a huge success that the RSA Conference site highlights last year’s game show on this year’s Expo and Sponsors web page.

So what are we doing this year? We’re holding the game show, “Are You Smarter than a Hacker?”


This is 15 minutes of dynamic fun with short videos and a real-time quiz. The bad guys have figured out how to misuse keys and certificates to elevate their privileges and hide their activity. However, most organizations are not equipped to detect or respond to these types of attacks. Do you know how they do it? Test your knowledge for a chance to win a $50 Amazon gift card awarded at every session.


We are also showcasing our new certificate reputation service called Venafi TrustNet. Stop by the booth and see how TrustNet is able to stop TLS/SSL-based attacks in a live demonstration.

When is your next chance to win? Visit us at booth #S1615 or check out the RSAC 2015 Venafi Event Schedule for upcoming game show and TrustNet demonstration times.

<![CDATA[Is Your SSL/TLS Encryption Creating Security Blind Spots?]]> https://www.venafi.com/blog/post/is-your-ssl-tls-encryption-creating-security-blind-spots https://www.venafi.com/blog/post/is-your-ssl-tls-encryption-creating-security-blind-spots/#When:19:40:00Z Businesses are increasing their use of SSL/TLS. This is being driven by the growth of cyberattacks as well as concerns and regulations over data privacy. Also, Google is prioritizing search results for sites using HTTPS, driving marketing teams across all types of businesses to support the expansion of encryption. While this increase in SSL/TLS provides privacy and authentication, it also creates a blind spot for enterprise security.

Gartner predicts 50% of network attacks will use SSL/TLS by 2017. Most organizations lack the ability to decrypt and inspect SSL traffic, which I highlighted in my earlier blog, Is Your SSL Traffic Hiding Attacks? This means your NGFW and threat detection won’t be able to see or protect against 50% of attacks. That’s a huge blind spot for enterprise security—and cybercriminals are taking advantage of this.

How does using SSL/TLS benefit the bad guys? Cybercriminals are using encryption against enterprises to conceal malware delivery, eavesdrop on communications, and exfiltrate data undetected—undermining layered security defenses. With the increase in SSL/TLS encryption, the ability to ensure every key and certificate is available for decryption, and then decrypt and inspect SSL/TLS traffic in real time, has become critical.

What do you need to do to eliminate this security blind spot? During the RSA Conference 2015, we’re spotlighting our partnership with Blue Coat. Together our solutions maximize decryption and uncover threats.


Here’s how the solutions work together in a nutshell:

  • Venafi TrustForce automates key and certificate provisioning and replacement
  • Venafi TrustForce automatically adds keys and certificates to the secure key store within Blue Coat SSL Visibility Appliance
  • Blue Coat SSL Visibility Appliance uses the keys and certificates for policy-enforced SSL traffic inspection
  • Venafi TrustForce ensures keys and certificates meet strength requirements, are rotated regularly, and are replaced quickly in the event of a compromise

Having access to all keys and certificates for decryption means one less place for the bad guys to hide, infiltrate your network, and steal data. With Venafi, businesses maximize the amount of inbound encrypted traffic that can be decrypted and inspected by Blue Coat SSL Visibility Appliance and eliminate blind spots that are hiding in encrypted traffic.

Want to learn more about the protection this partnership provides? See our RSAC 2015 event schedule for upcoming times for the demonstration, Venafi / Blue Coat Remove SSL Blind Spots, at this year’s RSA Conference or read the technology partnership solution brief as part of the Venafi conference collateral at Venafi.com/RSAC2015.

<![CDATA[Introducing the Immune System for the Internet]]> https://www.venafi.com/blog/post/introducing-the-immune-system-for-the-internet https://www.venafi.com/blog/post/introducing-the-immune-system-for-the-internet/#When:18:15:00Z We humans have evolved a highly effective immune system. It’s always working to establish what is “self” and trusted and what is not and dangerous. We need the same protection for the cyber realm. But we haven’t had an effective immune system to defend against a new generation of cyberattacks—until now. At RSA Conference 2015, Venafi introduces the Immune System for the Internet.

Humans have one…

The human body evolved to survive in a world of threats. Inside of all of us is an identification system where HLA tags are attached to every cell. They are unique to each person. Our immune system uses these tags to identify what is self and what isn’t, what to trust and what to destroy. It learns to adapt in a world of ever-changing, complex threats.

But the Cyber Realm doesn’t…

The Internet was engineered with an identification system too: cryptographic keys and digital certificates. Just like HLA tags, these uniquely identify webservers, software, mobile devices, apps, admins, and even airplanes. But keys and certificates are blindly trusted. So bad guys use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data.

Venafi: The Immune System for the Internet

Just like your immune system, Venafi learns and adapts as it works. Venafi identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand.

To learn more about the Immune System for the Internet, visit us at Venafi.com/RSAC2015 for the Venafi conference event schedule and conference collateral.

<![CDATA[Still Bleeding One Year Later—Heartbleed 2015 Research]]> https://www.venafi.com/blog/post/still-bleeding-one-year-laterheartbleed-2015-research https://www.venafi.com/blog/post/still-bleeding-one-year-laterheartbleed-2015-research/#When:10:00:00Z Early last year the BBC dubbed 2014 to be the year of encryption. How right they were—not only for the increased use of encryption, but also for the 2014 threats that leveraged cryptographic keys and digital certificates in their attacks. Encryption, keys and certificates were hurled to the forefront of the media on multiple occasions. To name a few, Heartbleed, Cupid, OpenSSL CCS Injection, Shellshock, and POODLE impacted the entire world. Very quickly cybercriminals mobilized themselves to take advantage of these exploits based on vulnerabilities that many were not remediating.

At Venafi, we reviewed how well organizations have remediated Heartbleed since it was first discovered. The research focused on the largest global organizations in the world (Global 2000), and the results are not very comforting. In last year’s Venafi Labs report, a staggering 76% of Global 2000 organizations with public-facing, Heartbleed-vulnerable systems were still vulnerable. We would have expected to see a significant improvement this year. Unfortunately that’s not the case. There is only a 2% improvement in the number of Global 2000 organizations that have remediated Heartbleed.


                                        2014    2015
  Vulnerable (incomplete remediation)    76%     74%
  Remediation complete                   24%     26%


In last year’s Venafi Q3 Heartbleed Threat Research Analysis we found that 97% of Global 2000 public-facing servers previously susceptible to Heartbleed had still not been fully remediated. The University of Maryland performed similar analysis in November 2014 and found that 87% of the susceptible servers had still not been fully remediated. Now a year after Heartbleed’s public disclosure, 85% of Global 2000 public-facing servers still remain vulnerable. Even though that’s a 16% improvement over 2014, it is still very poor performance, leaving the door open to cybercriminals.

The surprising part from the research findings this year is that the Heartbleed remediation steps that were taken weren’t actually driven by Heartbleed remediation efforts—this was just a secondary benefit. Instead, they were the result of impending certificate expirations. An astounding 65,000 certificates were re-issued with new private keys simply because of impending expirations. Although it is a good practice to keep short key and certificate rotation cycles, organizations should be replacing all keys and certificates to remediate Heartbleed. Industry experts from Bruce Schneier to Gartner’s Erik Heidt made it clear that to fully contain and remediate Heartbleed, SSL keys and certificates needed to be replaced.

Why so many are still susceptible to Heartbleed

It would seem based on the trend of replacing keys only for impending certificate expirations that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation. I believe that there are two additional reasons for such poor Heartbleed remediation. As described by Gartner, “lazy” remediation—when organizations fail to replace the private key or fail to revoke the old certificate—shows that organizations do not understand that once the private key is exposed, everything is exposed. Another probable reason for the lack of Heartbleed remediation is that organizations simply don’t see the impact yet. According to Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last 2 years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks which leverage keys and certificates increasing, their impact is as well. The organizations surveyed by Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.

Remediating Heartbleed

Remediating Heartbleed goes beyond simply patching the OpenSSL vulnerability. Just as user IDs and passwords are assumed compromised after a breach, so too should keys and certificates be.

To remediate Heartbleed, 4 steps are required:

  1. Patch the OpenSSL vulnerability
  2. Generate new keys
  3. Issue and install new certificates
  4. Revoke old certificates
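As an added example (not from the Venafi post), the following shell script checks steps 2 and 3 against the "lazy" remediation pattern described below: it compares the public key in the certificate that was live before remediation with the one installed afterwards, so a re-issued certificate that still carries the old, possibly exposed private key is flagged. It assumes the openssl command-line tool is installed and uses locally generated self-signed certificates (placeholder hostname mail.example.test) as stand-ins for CA-issued ones.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a Heartbleed
# remediation really rotated the private key (steps 2 and 3), rather than
# re-issuing a certificate over the same, possibly exposed, key.
# Assumes the openssl command-line tool is installed.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo (DER) carried in a PEM
# certificate. Two certificates with the same fingerprint share a private key.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# Exit 0 when the new certificate uses a different key than the old one,
# exit 1 when the key was reused ("lazy" remediation).
key_rotated() {
    [ "$(pubkey_fp "$1")" != "$(pubkey_fp "$2")" ]
}

# Human-readable verdict for a before/after certificate pair.
remediation_verdict() {
    if key_rotated "$1" "$2"; then
        echo "key rotated: remediation complete for this endpoint"
    else
        echo "key reused: lazy remediation, private key must still be replaced"
    fi
}

# --- Constructed demonstration material (self-signed, stands in for CA-issued) ---
WORKDIR=$(mktemp -d)
SUBJECT="/CN=mail.example.test"   # placeholder hostname

# Certificate that was live while the server was Heartbleed-vulnerable.
openssl genrsa -out "$WORKDIR/old.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORKDIR/old.key" -subj "$SUBJECT" -days 365 \
    -out "$WORKDIR/old.crt" 2>/dev/null
OLD_CERT="$WORKDIR/old.crt"

# "Lazy" remediation: a fresh certificate issued over the old private key.
openssl req -new -x509 -key "$WORKDIR/old.key" -subj "$SUBJECT" -days 365 \
    -out "$WORKDIR/lazy.crt" 2>/dev/null
LAZY_CERT="$WORKDIR/lazy.crt"

# Proper remediation: new key (step 2), then a CSR and certificate over it (step 3).
openssl genrsa -out "$WORKDIR/new.key" 2048 2>/dev/null
openssl req -new -key "$WORKDIR/new.key" -subj "$SUBJECT" \
    -out "$WORKDIR/new.csr" 2>/dev/null
openssl x509 -req -in "$WORKDIR/new.csr" -signkey "$WORKDIR/new.key" -days 365 \
    -out "$WORKDIR/new.crt" 2>/dev/null
NEW_CERT="$WORKDIR/new.crt"

remediation_verdict "$OLD_CERT" "$LAZY_CERT"
remediation_verdict "$OLD_CERT" "$NEW_CERT"
```

Step 4 (revoking the old certificate) happens at the CA and is not shown; the fingerprint check is the part an operator can verify locally against the certificate that is actually being served.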

It’s only the beginning

Using kill chain analysis we see exactly how keys and certificates are used throughout an attack. Since last year, there has been a significant increase in hijacked VPNs used to maintain access to victims’ environments. Intel Security noted a 12% increase in SSL-based network attacks—up from 0% in 2013. And Gartner estimates that by 2017, 50% of network-based attacks will use SSL/TLS.

If organizations do not secure their keys and certificates and enable fast rotation when breached, we could be heading towards a cryptoapocalypse. This phrase was coined by researchers in their Black Hat 2013 presentation and is a scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited, allowing bad guys to spoof or surveil all Internet communications. 

What is your organization’s response plan to handle potentially compromised keys and certificates when breached? Does your organization treat keys and certificates like user IDs and passwords and replace them when a breach is suspected? I would love to hear from you.

The full analysis on our 2015 Heartbleed research can be found here.

<![CDATA[4 Common Tactics Used in Recent Healthcare Breaches]]> https://www.venafi.com/blog/post/4-common-tactics-used-in-recent-healthcare-breaches https://www.venafi.com/blog/post/4-common-tactics-used-in-recent-healthcare-breaches/#When:12:15:00Z Last month, Anthem reported that they had been breached, affecting more than 80 million customers’ personal information. This month, Premera Blue Cross disclosed they too have been breached, resulting in medical and financial data for 11 million customers being stolen. Both organizations discovered the breach in January of this year.

4 common tactics used in recent healthcare breaches

Besides the fact that all these breaches were in the healthcare industry, there are similarities in the tactics employed. We can learn from these tactics to protect organizations, not only in healthcare, but from all industries.

Blind Spot

It’s believed that attackers in the mentioned breaches gained a foothold within the enterprise networks at around the same time (April-May 2014). Even though Anthem and Premera were said to have been breached around the same time that Heartbleed was discovered, there is no confirmation that Heartbleed was used. However, if the attackers that breached Anthem and Premera gained access to private keys stolen via Heartbleed, they would have assuredly used them to perform man-in-the-middle (MITM) attacks on VPNs. According to Mandiant, last year VPN hijacking was the highest they have ever seen. It’s no surprise that it took Anthem and Premera 8-9 months before identifying the breach. Most organizations are blind to attackers on their networks who misuse keys and certificates, enabling these attackers to establish encrypted sessions that disguise malicious traffic phoning home to the command and control (C2). Research published by the Ponemon Institute shows that for the last 2 years, and now for 4 years running, 100% of large enterprises have had to respond to attacks using keys and certificates.

Spoofed Websites

Phishing attacks are the most common attack method used today. Why, you ask? Quite simply because there is always a human that can be easily tricked into disclosing information. One very common technique seen in both the Anthem and Premera breaches is known as URL hijacking, and it involves registering a domain with specific typographical errors to misrepresent the original domain. The purpose of this technique is to make the domain look like, or spoof, the well-known, legitimate business and use it in attacks like spear-phishing campaigns. Domains like we11point[.]com and prennera[.]com were both used as parts of these attacks for spear-phishing and malware hosting. It is challenging to identify this type of brand misrepresentation without scanning the entire internet on a periodic basis. In fact, only 30% of victims discover the breach themselves—most are notified by external third parties.

Digitally-signed Malware

According to Intel Security, digitally-signed malware has been doubling every quarter since 2012 and shows no sign of slowing down. The primary driver to sign malicious code with a valid certificate is to avoid detection from security solutions and ensure the victim does not receive any error messages from the operating system. In the Anthem breach, the malware signed with a legitimate certificate was found to be hosted on the site prennera[.]com.

One Common Attack Vector

In all three breaches, there is one common attack vector—keys and certificates. Although keys and certificates are designed to create trust and assurance, when they are used against you, it becomes very difficult to know what can and cannot be trusted. To do this, we need to be able to understand the reputation of the mechanism that is being used to establish the trust—the certificate. By understanding the reputation of the certificate, we can decide whether or not to trust the session or application using the certificate. One example would be scanning the internet for certificates that are used to misrepresent a brand like the we11point[.]com and prennera[.]com examples.

Scanning the entire internet on a regular basis to identify spoofed websites or even rogue certificates is no small undertaking. Even Microsoft took multiple years to recover rogue TLS certificates and revoke them. But revocation lists have been proven to be easily defeated since 2009. Even new initiatives like Google Certificate Transparency still rely on certificate revocation.

Venafi helps solve this problem with the introduction of Venafi TrustNet—a global certificate reputation service designed to detect the misuse of certificates on the internet and enable you to take immediate action by blacklisting certificates with a bad reputation. TrustNet is the single most comprehensive and accurate source of certificate trustworthiness. Regardless of where a certificate is used on the Internet, TrustNet provides you with its reputation in real time. With TrustNet, you can stop the bad guys from misusing certificates and keys and protect your business and brand. Find out more about TrustNet at Venafi.com/TrustNet.

Venafi TrustNet

How does your organization detect the misuse of certificates on the internet that are used to misrepresent your company’s brand?

<![CDATA[Well-Designed RFP Crucial for Enterprise Key and Certificate Management]]> https://www.venafi.com/blog/post/well-designed-rfp-crucial-for-enterprise-key-and-certificate-management https://www.venafi.com/blog/post/well-designed-rfp-crucial-for-enterprise-key-and-certificate-management/#When:17:46:00Z So, you’ve decided to select a vendor solution for your enterprise key and certificate management. You’ve made a wise decision—manual tracking methods or limited internal scripts cannot effectively manage and secure the number of keys and certificates in an average enterprise. But to get the most of your investment dollars and ensure that the vendor solution you choose will meet your needs now and in the future, you need to create a clear and comprehensive request for proposal (RFP).

An RFP is a formal statement of your requirements and is worth every effort you put into it. In many cases, companies view RFPs as a burden. But when projects fail, they often do so due to inadequately defined requirements that lead to the purchase of the wrong solution for what the company needs.

The clearer and more comprehensive your RFP, the greater your chances of getting vendor responses that lead to a successful outcome. The exercise of writing the RFP forces you and your team to work through the tradeoffs between cost, convenience, flexibility, security, scalability, compliance, and ease of use. To create an effective RFP, I recommend these 3 steps:

  1. Ask your end users for input. All too often, the people who actually use the system have no say in the system design. Instead, IT develops a system based on how they think things should work. Not only are important issues missed as a result, but it is harder to gain user acceptance down the road. Your users may have some excellent suggestions, such as:
    1. Can the issuance and renewal process be automated?
    2. Is there a web-based, self-service portal for certificate requests and renewals?
    3. Can certificate ownership be assigned by an individual or group to assist with renewals?
  2. Involve members of your company’s compliance or legal department. With the myriad of overlapping industry and government regulations out there, it pays to have a compliance expert on the RFP team. For example, he or she may ask you to consider the following:
    1. What is the process for quickly identifying the misuse of keys and certificates?
    2. What is the process for enforcing policies and workflows for security and compliance?
    3. How does the solution prevent certificate-based outages?
    4. Is there an automated key and certificate replacement process for fast remediation if there is a CA compromise or vulnerability like Heartbleed?
  3. Finally, involve the primary project manager. Make sure the person responsible for managing the RFP and the point of contact for the vendor is part of the RFP team. He or she has a vested interest in making sure that ongoing management is efficient and easy for users to adopt and may ask you to include the following:
    1. How does the solution help you gain control of your key and certificate environment with visibility and fast remediation?
    2. What is the process for compiling a complete inventory and central management of keys and certificates?
    3. What is the validation process for proper installation and configuration?
    4. Are there flexible criteria for certificate management, such as lifetime, authorized CA, and so on?
    5. Is there a robust policy framework for controlling workflow processes as well as for controlling attributes such as key lengths, validity periods, and cryptographic hash types?
  4. Once your team has created a comprehensive set of RFP requirements, you’re armed and ready to approach leading vendors. Perhaps you’ve already done some basic market research during the RFP creation process, but now it’s time to get serious. For additional input, I recommend the KuppingerCole report, Leadership Compass: Enterprise Key and Certificate Management.

    Enterprise Key and Certificate Management

    Has your company drafted a successful RFP for a key and certificate management and security project? Were there particular requirements that you included in your RFP that would help others with their project planning? Let me know what worked for you.

    ]]> 2015-03-19T17:46:00+00:00 <![CDATA[Clinton Email Server Only One Example of Convenience Over Security]]> https://www.venafi.com/blog/post/clinton-email-server-only-one-example-of-convenience-over-security https://www.venafi.com/blog/post/clinton-email-server-only-one-example-of-convenience-over-security/#When:19:18:00Z Earlier this week, I shared my thoughts on why CISOs need a seat at the table with the Board of Directors. Equally important, CISOs need to be able to set security policies and guidelines that are followed by all employees, including executives. Often employees will use personal phones, computers, and email accounts to conduct business—ignoring company security policies and protocols, and often at the risk of compromised data.

    These security policy violations are frequently committed in the interest of convenience, with the belief that the increase in productivity outweighs the risk. Another motivator is privacy. Some executives use personal email accounts to keep certain communications “private” from the broader company. This tendency is mentioned in a recent Wall Street Journal article (requires subscription to view). However, using these methods often violates both internal and regulatory governance standards. Many companies, especially if they are in litigation, require a legal hold of all of their executive email (regardless of the company email retention policy).

    Often those that are violating the policies do not understand the full extent of the risks they are taking especially because personal accounts are typically more susceptible to hackers and can result in legal consequences.

    The recent discussions around the use and configuration of former Secretary of State Hillary Clinton’s personal email server help to highlight how convenience and privacy are often pursued in lieu of security in both our enterprises and governments. While Clinton was in office as the Secretary of State, she used her personal email account to conduct all State business. In a press conference on March 10, Clinton said she used her personal email account for convenience—she wanted to carry just one device for both her work and personal emails (by the way, I carry two devices!).

    On Wednesday, March 11, Venafi announced and released its TrustNet certificate reputation service and by using TrustNet, we were able to evidence that there was a 3-month gap before encryption was enabled on Clinton’s email server.  In January 2009, eight days before Secretary Clinton was confirmed by the U.S. Senate, the domain, clintonemail.com, was registered. Then 3 months later, in March 2009, mail.clintonemail.com was enabled with a Network Solutions’ digital certificate and encryption for web-based applications. Although we do not know if it was compromised during this 3-month gap, Secretary Clinton stated in her recent press conference, that her email account had never been compromised. But honestly, she can’t know that!


    During the 3 months without a digital certificate, access to the server was not encrypted or authenticated. Throughout that time, the account would have been easy to compromise, allowing others to eavesdrop on both incoming and outgoing communications. It could also have been spoofed, using the account for phishing or to send malware.  Another concern is that credentials could have been compromised during this time, especially given her travel to China and elsewhere. This could open the door, as we've seen with so many other breaches, to long term, under-the-radar compromise by adversaries. This is an example of how the person taking the risk didn’t know the full ramifications of his or her actions and policy was not enforced.

    Organizations need to partner with and rely on their security professionals, and ultimately their CISOs, to set security policies that consider the risk to the company. Note, however, that it is imperative for the CISO to partner with the business and compliance teams to ensure that the policies set forth address the need for those controls.

    We all know that in some cases policies/guidelines must be flexible to enable business, but we always must assess the acceptable risk to the company.  It is important, however, that the business as well as your company as a whole understand and accept the risk through a formal Risk Acceptance process. This process must be documented, including mitigating controls, and kept current through formal documented security reviews with the business.

    Although the CISO is charged with balancing security with privacy, productivity and flexibility, as well as industry and governmental compliance regulations, communication policies cannot be created in a vacuum. They should be created collaboratively to ensure business enablement while keeping risk at the lowest acceptable level. Therefore, when these policies are designed to support the overall business using a comprehensive risk analysis, all employees should be informed of these policies at least annually through formal security awareness training and then abide by these policies to keep their organizations safe.

    Again, I hope my comments spark a discussion. Has your organization’s CISO provided clear security policies for business communications that include the use of personal phones, laptops, and email accounts? What about the use of social media? Do you feel these policies support productivity? Do they address risk? Do your employees adhere to these policies?   Let’s hear your thoughts….

    As always, I am interested in hearing from you!!!

    <![CDATA[Infographic: Trust Online is at the Breaking Point]]> https://www.venafi.com/blog/post/infographic-ponemon-research-finds-trust-online-is-at-the-breaking-point https://www.venafi.com/blog/post/infographic-ponemon-research-finds-trust-online-is-at-the-breaking-point/#When:13:00:00Z Can cryptographic keys and digital certificates still be trusted?

    Today, the Ponemon Institute and Venafi released the 2015 Cost of Failed Trust Report, the first update to the 2013 study and the only global research to analyze the impact of attacks on the system of Internet trust established by cryptographic keys and digital certificates. You can download your copy of the report and see the research highlights in the Infographic included below.

    What many may find surprising is that for the fourth consecutive year, every organization that participated in the survey – 100 percent of more than 2,300 IT security professionals from the U.S., United Kingdom, Australia, France, and Germany – reported that they had responded to multiple attacks on keys and certificates in the past two years.

    The report’s findings show that IT security professionals believe we’re at a breaking point: more than half of the respondents reported that the technology behind the trust online that their business requires to operate is in jeopardy.

    Online Trust is at the Breaking Point Infographic

    These concerns about trust online are hardly surprising given that some of the largest and most dangerous breaches to date – Heartbleed, Community Health Systems, Dark Hotel, and more – have involved the keys and certificates that are required to establish trust. In just the last months we’ve seen multiple abuses of keys and certificates via the Lenovo/Superfish certificate authority debacle and the FREAK vulnerability – and those incidents hadn’t even been reported yet when this research was completed in January 2015. No doubt the sense of urgency for regaining trust is now greater than ever before. And with stolen certificates now fetching almost $1,000 on the black market, CISOs and other IT professionals can be assured that this problem will only continue to grow.

    Learn how Venafi helps organizations regain trust and stay protected at venafi.com. For help today, please contact us.

    <![CDATA[Digital Certificate Forensics: What Venafi TrustNet Tells Us about the Clinton Email Server]]> https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server/#When:13:00:00Z 3-month gap before encryption enabled for browsers, smartphones, and tablets starting in 2009

    Venafi TrustNet is the world’s first enterprise certificate reputation service. TrustNet can identify certificate misuse, perform forensic analysis, and predict vulnerabilities that need to be fixed to protect the Global 5000 and governments. To achieve this, TrustNet has acquired, maintains, and is continuously adding to the world’s largest database of digital certificates and associated metadata. TrustNet is able to go back in time and identify how digital certificates were used in the past, providing a new type of forensics capability to the IT security community.

    Digital certificates and their corresponding cryptographic keys are incredibly powerful. They solved the biggest barriers to using the Internet: how do I know that a website is what it says it is and that communications with the site are private?  But this is also why certificates are so interesting to bad guys for misuse. It’s also why cybersecurity experts, like Intel, predict stolen certificates will be the next big hacker marketplace. With this increasing misuse by attackers, how do we keep certificates safe? Venafi protects the trust established by keys and certificates for the Global 5000 and governments.

    Digital certificate analysis for clintonemail.com

    In the past week, there have been questions about the level of security, use, and configuration of former Secretary of State Hillary Clinton’s personal email server. Specifically, there have been concerns that the server may have been vulnerable to eavesdropping and compromise. TrustNet found that at least 3 digital certificates were used with clintonemail.com since 2009. Operators of clintonemail.com obtained these certificates so the site could be uniquely distinguished (another clintonemail.com would not show as being secured without the certificate) and the site would use strong encryption to keep data transmissions private. These certificates were obtained validly and enabled web-based encryption for applications. Based on TrustNet analysis, Venafi can conclude clintonemail.com was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018. However, for the first 3 months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside of the U.S.

    Note: All data in this report was obtained by non-intrusive Internet scanning routinely performed throughout the IT security community to protect the safety and health of the Internet.

    Digital Certificate Forensics for clintonemail.com (Venafi TrustNet Analysis)

    Period                 Finding
    January – March 2009   No certificates found – no encryption enabled
    March 2009             Issued by: Network Solutions; Valid to: September 2013
    February 2012          Issued by: Network Solutions; Valid to: February 2013
    September 2013         Issued by: GoDaddy; Valid to: September 2018



    First clintonemail.com digital certificate obtained in 2009 from Network Solutions

    Starting in late March 2009, mail.clintonemail.com was enabled with a Network Solutions’ digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office. The clintonemail.com domain was registered with Network Solutions in January 2009 – 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to end of March 2009 access to clintonemail.com did not use encryption.

    Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone, or tablet was encrypted, even on government networks designed to inspect traffic. However, this doesn’t mean that email sent to/from the account would be encrypted – just access to the server.


    Replacement clintonemail.com digital certificate obtained in 2013 from GoDaddy

    The first certificate obtained for clintonemail.com was set to expire on 15 September 2013. It was replaced a few days before this expiration with a new certificate from GoDaddy set to expire in 2018. This is the certificate that remains running on the server in March 2015. Microsoft Outlook Web Access and Microsoft IIS were confirmed by Venafi to be running on the server. At the time of inspection, communications between the server and applications were being authenticated and encrypted.


    Certificate for SSL VPN service run from clintonemail.com that was issued in February 2012

    As reported elsewhere, the server also appears to have run an SSL VPN – an authenticated and encrypted tunnel through which other web pages on other servers could be accessed. TrustNet found the sslvpn.clintonemail.com certificate. It was issued in 2012 and expired in 2013. Venafi could not confirm the continued operation of an SSL VPN or the sites to which it may have gated access.

    Security Implications

    Online banking, shopping, and confidential government communications wouldn’t be possible without the trust established by digital certificates. Hundreds of billions of dollars in trade around the world also depends on it, as does the future of secure communications and computing. From airplanes to cars to our smartphones, all of these technologies are dependent on the trust digital certificates and their associated cryptographic keys provide. And, they are being used more and more every day. It’s also why bad guys are ferociously going after them. Threat research from FireEye, Intel, Kaspersky, and Mandiant consistently identifies the misuse of keys and certificates as an important part of APT and cybercriminal operations. And Gartner expects by 2017 that 50% of network attacks will be using SSL/TLS.

    Clintonemail.com operated for 3 months without a digital certificate. This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.

    Obtaining the cryptographic key and digital certificate for clintonemail.com would be an important step for attackers seeking to compromise Secretary of State Clinton or others that might access the server.  With them, bad guys could masquerade as the legitimate site or decrypt what was thought to be private communications. As a standalone Microsoft Windows Server, the site is very vulnerable. In 2013, over 800 trojans were known to steal keys and certificates – and that number has swelled since then.  The use of digital certificates on clintonemail.com provides users with the confidence that they are connecting to the real site and communications cannot be inspected. But when on government networks, anyone accessing the site and depending on the certificate needs to be highly suspicious. The site has received tremendous attention and its contents and certificate are likely targets for compromise and misuse. 

    Venafi will continue to observe this situation and provide updates if new information becomes available. Venafi TrustNet operates 24x7 to secure and protect Venafi customers, is constantly monitoring the status of certificates around the world, and provides real-time updates to subscribers. Organizations interested in learning how TrustNet can help can contact Venafi for more information.

    I want to offer a special thank you to Hari Nair, Gavin Hill, and the Venafi TrustNet product team who contributed to this research and analysis.

    <![CDATA[Global Certificate Reputation to Protect Your Business and Brand]]> https://www.venafi.com/blog/post/global-certificate-reputation-to-protect-your-business-and-brand https://www.venafi.com/blog/post/global-certificate-reputation-to-protect-your-business-and-brand/#When:13:00:00Z Imagine for a minute what would happen if you could not trust any transaction on the Internet. Not too long ago you would not have ever considered buying something online—simply because there were no guarantees of privacy or security on the internet. The popular cartoon published by the New Yorker in 1993 shows a dog surfing the internet with the caption, “on the internet, nobody knows you’re a dog.” That all changed with the use of digital certificates to help drive trust on the internet. With digital certificates one is able to ensure digital transactions are both confidential and unaltered.

    Fast forward to today, where the average American adult spends 11 hours per day with electronic media, and it becomes critical to be able to establish the confidentiality and integrity of Internet data at all times. Keys and certificates are intertwined into our everyday lives so much so that taking advantage of the trust established by them is the perfect attack vector. Unfortunately this is exactly what has happened!

    Cybercriminals understand that by taking advantage of a trust mechanism like keys and certificates, it once again becomes very difficult to identify with whom you are exchanging information—all of a sudden we are back in 1993. In the last 6 months, we’ve seen large organizations like Sony and Anthem fall victim to breaches through the misuse of keys and certificates. Keys and certificates are quickly becoming the preferred attack vectors for cybercriminals, and the problem is so large that Gartner predicts that by 2017, 50% of network attacks will use SSL because of the trusted channel it provides. Moreover, it’s not only cybercriminals that misuse certificates: corporations like Lenovo and GoGo both used certificates to perform man-in-the-middle (MITM) attacks to inject ads or manipulate traffic.

    Combating Certificate Misuse with Certificate Reputation

    Like reputation services for URLs, email, and files, certificate reputation was born out of necessity to help enterprises detect new threats. Cybercriminals are increasingly misusing digital certificates in malicious campaigns and going undetected for extended periods of time.

    Phishing is one of the most common practices used to steal credentials and banking information. To support it, cybercriminals use fraudulent or stolen certificates. The challenge is that there are over 1.2 billion websites online right now. How would your organization scan the internet to identify certificates misused to spoof your organization’s brand? Certificate reputation is designed to determine whether a digital certificate can be trusted.

    Venafi Trust Protection Platform now includes Venafi TrustNet

    Venafi is proud to announce our new Venafi TrustNet certificate reputation service that is available with the launch of Venafi Trust Protection Platform, version 15.1. TrustNet is a global authoritative key and certificate reputation service that identifies rogue or anomalous key and certificate usage. TrustNet offers the most comprehensive collection of key and certificate intelligence.

    TrustNet employs a global sensor network to identify certificate misuse on the internet. There are no limitations to specific browsers or operating systems. Subscribers to the service can take advantage of the native integration with Venafi products to provide alerts on any anomalous certificate behavior identified for certificates issued by the enterprise that are forged or misused on the internet. For security vendors that want to take advantage of the reputation feed integrated into security gateways, a public API is provided for integration with any application.

    Once a certificate anomaly has been identified, it is imperative to take immediate action. TrustNet provides global whitelisting for trusted CAs and certificates, and blacklisting for untrusted ones.

    Using TrustNet, enterprises can more easily mitigate new and emerging threats:

    • Detect certificate misuse globally
    • Increase threat detection rates
    • Accelerate incident response time
    • Protect brand reputation

    To learn more about Venafi TrustNet, you can read the datasheet here: Venafi.com/TrustNetDS

    <![CDATA[CISO’s Need a Seat at the Table]]> https://www.venafi.com/blog/post/cisos-need-a-seat-at-the-table https://www.venafi.com/blog/post/cisos-need-a-seat-at-the-table/#When:19:56:00Z Cyber breach headlines are on the increase and underscore the need for security awareness at the very highest levels of an organization. In 2014 alone, hundreds of millions of records were stolen and tens of millions of dollars were spent on investigations, fines and lawsuits. I was wondering... in how many cases did the CISO have access to the Board of Directors? It is, without a doubt, important to ensure awareness: Chief Information Security Officers (CISOs) need to be an active and engaged part of board of director meetings. In addition, Board members should not only know their CISO’s views on cyber security, they should have his or her cell phone number on speed dial.

    It wasn’t long ago that corporate security meant blocking and tackling to prevent viruses from getting on your systems and making sure that nefarious people did not gain access to internal networks. But as we all know as executive leaders, the environment is ever changing and the attack vectors are many. Today’s CISOs grapple with a much wider, deeper, and more complex set of responsibilities—going beyond just keeping the bad guys out and deploying security that also enables the business. It is vital that board members understand the importance of cyber security and its potentially catastrophic impact on their organization’s brand, reputation, bottom line, and stock price when not implemented effectively. To make that happen, we as CISOs need to better promote our role and educate board members that cyber security is a high priority and should be a top concern. It now influences every aspect of the business.


    To sell the value of our contribution to the company to board members, CISOs must not only market their role more strategically—they must act more strategically. The new generation of security officers must possess strong business acumen, have the ability to think long term, and not be afraid to wear many hats. They need to know how the company operates, its top business goals, and its appetite for risk when developing and implementing a security framework. They must also communicate their knowledge in business-benefit terms that resonate with a wider range of audiences. They must be able to enable the business while ensuring that risks are mitigated, that accepted risks are fully understood, and that strong controls are in place to support them. The protection of their data is vital to business operations.

    The CISO of today must also be extremely collaborative, with good listening and communication skills, because the heightened visibility of this critical executive role brings with it the responsibility of ensuring that cyber security becomes top of mind across the entire organization, from the boardroom to departmental employees. A seasoned security leader with a strategic business perspective should be comfortable developing and communicating a security vision and positioning the needed resources and talent to translate that vision into a reality.

    At the same time, board members should see the value of having the CISO in board meetings. Board members need to learn why it is vital to keep abreast of the cyber security landscape and its impact on corporate initiatives such as mobility, social media usage, and global expansion. They should discuss with their CISO the need for an effective crisis management program and know what their role is if there is a security incident. In fact, because of the critical nature of cyber security today, qualified CISOs should also be encouraged to join the boards of other companies as well.

    Of course there is so much more I would like to say in this blog—but then it will become a short story...

    I hope my comments spark a discussion. What role does the CISO play in your organization? Does he or she regularly address your board of directors on the importance of compliance and security directives? What changes would you like to see to better align security with the business of your company?

    As always, I am interested in hearing from you!!!



    <![CDATA[Infographic: How an Attack by a Cyber-espionage Operator Bypassed Security Controls]]> https://www.venafi.com/blog/post/infographic-cyber-espionage-operator-bypassed-security-controls https://www.venafi.com/blog/post/infographic-cyber-espionage-operator-bypassed-security-controls/#When:22:00:00Z Chinese cyber-espionage operator, APT 18, has proven it can breach enterprises by undermining critical security controls when enterprises fail to protect digital certificates and cryptographic keys. As reported by Time, Bloomberg, and others, APT 18 used keys and certificates to compromise a Fortune 200 American health services organization and stole data on 4.5 million patients.

    Raxis, an independent penetration testing firm, reconstructed the APT 18 attack in a simulated enterprise environment. Raxis demonstrated how the bad guys were able to bypass security controls like threat detection, data protection, firewalls, VPNs, DLP, privileged access, and authentication systems that enterprises expect will mitigate threats.

    Why did Chinese cybercriminals want to breach an American health services company? Perhaps they were hoping to resell personal data or learn how to operate distributed hospital systems for profit. More likely, this was a test—a proof-of-concept attack that was vastly successful in stealing data by undermining the security controls of this Fortune 200 business. Having now proven the attack vector, APT 18 will decide when and where to use the attack on other targets.

    How did they do it? This exclusive new infographic highlights the 4 attack stages used by many threats that rely on compromised keys and certificates to bypass existing enterprise security controls. Learn these stages and find out how to ensure your enterprise is not the next headline.

    Want to learn more about the Raxis reconstruction of the APT 18 attack with a detailed look at how they bypassed security controls? Watch the on-demand webinar, Keys to the Kingdom.


    <![CDATA[The Need for Certificate Transparency]]> https://www.venafi.com/blog/post/the-need-for-certificate-transparency https://www.venafi.com/blog/post/the-need-for-certificate-transparency/#When:13:53:00Z An inherent weakness in the Internet’s Public Key Infrastructure (PKI) is the ‘equivalency of trust’ that is placed on trusted Certificate Authorities (CAs). Any CA that is trusted by a browser, operating system, or application-specific trust store can issue a certificate for any domain. As a result, in the event of a CA compromise, counterfeit certificates can be issued for any domain without the knowledge or approval of the HTTPS site operators.

    Technical controls to detect and possibly prevent this scenario have been proposed as extensions to DNS, such as Certificate Authority Authorization (CAA) and DNS-based Authentication of Named Entities (DANE). However, these controls require all DNS clients to be updated in order to support the new extensions, making deployment in the short term infeasible.

    Google Certificate Transparency

    In 2013, Google started an industry-wide initiative to address this issue, called Certificate Transparency or CT. With CT, public logs will be used to record issuance of publicly-trusted EV (Extended Validation) certificates. These logs can then be monitored by site operators to look for rogue instances of their domains. If duplicate certificates for the same domain are discovered by site operators in the logs, the site operator can take action to resolve the issue.

    As part of the CT design, Google anticipates that one or more organizations would act as CT log monitors. These log monitors would periodically search through CT logs to detect possible mis-issuance events.

    As a market leader in Next Generation Trust Protection, Venafi recognizes the value of the CT initiative as another important step toward ensuring online trust for issued certificates. Therefore, Venafi will be launching a public CT log to help satisfy Google’s much-needed CT log operator requirement of three public CT log servers. This public CT log can be used by any publicly-trusted CA and site operator to publish issued certificates. Furthermore, any organization that acts as a log monitor is free to use the Venafi public CT log to support its efforts.

    Venafi is proud to support the Google CT initiative and looks forward to providing enhanced security for all public CA customers.
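    The log-monitor role described above, as an added example (not code from this post, from Venafi, or from Google's CT project): a site operator periodically scans new CT log entries, keeps only those that name a domain it operates, and flags any that were issued by a CA it does not use or that do not match its own certificate inventory. The log entries, domain names, issuer names and serials below are constructed for the demo; a real monitor would fetch entries from CT log servers instead.

```python
"""Added example: a minimal Certificate Transparency log monitor (stdlib only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    log_id: str     # identifier of the CT log the entry came from (constructed)
    index: int      # position of the entry in that log
    issuer: str     # issuer name as it appears in the certificate
    serial: str     # certificate serial number, hex
    names: tuple    # subject CN plus subjectAltName DNS names


# Constructed sample entries; the logs, names and serials are invented for the demo.
SAMPLE_ENTRIES = [
    LogEntry("log-a", 101, "Example Trusted CA", "0a1b", ("www.example.com", "example.com")),
    LogEntry("log-a", 102, "Example Trusted CA", "0a1c", ("mail.example.com",)),
    LogEntry("log-a", 103, "Unknown Regional CA", "ff01", ("login.example.com",)),
    LogEntry("log-b", 7, "Example Trusted CA", "beef", ("*.example.com",)),
    LogEntry("log-b", 8, "Example Trusted CA", "c0de", ("www.other.org",)),
]


def covers_domain(name: str, owned_domains) -> bool:
    """True if a certificate name is one of our domains, a subdomain, or a wildcard under one."""
    bare = name.lower()
    if bare.startswith("*."):
        bare = bare[2:]
    for domain in owned_domains:
        domain = domain.lower()
        if bare == domain or bare.endswith("." + domain):
            return True
    return False


def monitor(entries, owned_domains, approved_issuers, inventory_serials, cursor=None):
    """Examine entries newer than `cursor` (per-log index of the last entry already seen).

    Returns (findings, new_cursor). Each finding is
    (log_id, index, serial, names, reasons) for an entry that names one of our
    domains but was issued by a CA we do not use and/or is absent from our own
    inventory: the 'rogue instance' of a domain that a site operator looks for.
    """
    cursor = dict(cursor or {})
    findings = []
    for e in sorted(entries, key=lambda x: (x.log_id, x.index)):
        if e.index <= cursor.get(e.log_id, -1):
            continue                      # already examined in an earlier run
        cursor[e.log_id] = e.index
        if not any(covers_domain(n, owned_domains) for n in e.names):
            continue                      # someone else's certificate
        reasons = []
        if e.issuer not in approved_issuers:
            reasons.append("issuer not approved")
        if e.serial not in inventory_serials:
            reasons.append("serial not in inventory")
        if reasons:
            findings.append((e.log_id, e.index, e.serial, e.names, tuple(reasons)))
    return findings, cursor


if __name__ == "__main__":
    found, cur = monitor(SAMPLE_ENTRIES, {"example.com"}, {"Example Trusted CA"}, {"0a1b", "0a1c"})
    for finding in found:
        print(finding)
    print("cursor:", cur)
```

    Two of the constructed entries are reported: the `login.example.com` certificate from a CA the operator never used, and a wildcard certificate from the approved CA that the operator never requested. The cursor returned by each run is fed back into the next so that a periodic scan only examines new entries.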

    <![CDATA[Forrester Research Uncovers Gaps in Mobile Certificate Security]]> https://www.venafi.com/blog/post/forrester-research-uncovers-gaps-in-mobile-certificate-security https://www.venafi.com/blog/post/forrester-research-uncovers-gaps-in-mobile-certificate-security/#When:22:55:00Z The increasing reliance on mobile devices and applications is driving the need for mobile certificates to ensure that devices and applications are secure, authenticated, and encrypted for enterprise users. But failing to protect mobile certificates—to whom they are issued and when they need to be revoked—opens the door to unauthorized access, data leakage, and intellectual property theft.  The fact is that keys and certificates of all kinds, including mobile certificates, are being targeted to initiate and continue attacks every single day.

    However, research published by Forrester Research reveals that IT security professionals are not fully aware of what is required to protect mobile certificates. This creates gaps in understanding how to perform the most critical functions necessary for securing mobile certificates.

    IT Security’s Role in Protecting Mobile Certificates

    Forrester Research: Protecting Mobile Certificates

    A study by Forrester Research found that a majority of IT security decision makers rely on digital certificates to secure their mobile applications and systems, such as VPN, Mobile Device Management (MDM), email, WIFI, SSL/TLS mobile applications, and Mobile Application Management (MAM). Nearly 80% of IT security professionals acknowledge they own the responsibility for protecting mobile certificates. And two-thirds or more of IT security decision makers believe they should own responsibility for security functions, including certificate issuance, policy, updates, deployment, and revocation.

    Gaps in Security Awareness

    Although most agree that they are responsible, 77% of IT security professionals who responded to the survey said that they have very little visibility into the applications, users, use cases, and security of mobile certificates, and 71% said they do not have full control. But what’s even more shocking: one of the most important functions—detecting anomalies—is a task that IT security is not prepared to perform. Only 38% claim they have the ability to detect mobile certificate anomalies, such as duplicate certificates or active certificates issued to terminated employees, both of which can be used for unauthorized access.

    IT Security Visibility of Mobile Certificates

    IT Security Does Not Have Full Visibility or Control of the Use of Mobile Certificates.
    Source: Forrester Research – IT Security’s Responsibility: Protecting Mobile Certificates


    Closing the Gaps

    So what can you do to close the gaps that exist in mobile certificate security?  Forrester Research recommends the following steps that enterprise organizations should take to protect mobile certificates:

    • Establish common policy across applications and desktops, laptops, tablets, and phones
    • Identify all sources of certificates
    • Map all found certificates to a single user and establish a baseline
    • Enforce policy for all mobile certificates
    • Detect anomalies like duplicate certificates or unrevoked certificates for terminated employees
    • Respond quickly to anomalies with kill-switch-like revocation
    • Prepare to quickly remediate when incidents like Heartbleed occur that require all certificates to be rekeyed, reissued, and revoked
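    The anomaly-detection and response steps in the list above (map every certificate to a user, baseline it, detect duplicates and unrevoked certificates for terminated employees, respond with revocation), as an added example that is not code from the post, from Forrester or from Venafi. The certificate inventory and HR directory are constructed; the "keep the newest duplicate" revocation rule is an assumption of this example.

```python
"""Added example: detecting mobile certificate anomalies against an HR directory."""
from collections import defaultdict
from datetime import date

# Constructed as-of date for the audit run.
TODAY = date(2015, 6, 1)

# Constructed certificate inventory, one row per issued mobile certificate.
# 'source' is the issuing system (MDM CA, VPN CA, ...); 'user' is the mapped owner.
INVENTORY = [
    {"serial": "1001", "source": "mdm-ca", "user": "alice", "not_after": date(2016, 1, 1), "revoked": False},
    {"serial": "1002", "source": "vpn-ca", "user": "alice", "not_after": date(2016, 1, 1), "revoked": False},
    {"serial": "1003", "source": "vpn-ca", "user": "alice", "not_after": date(2016, 6, 1), "revoked": False},  # duplicate
    {"serial": "1004", "source": "mdm-ca", "user": "bob", "not_after": date(2016, 1, 1), "revoked": False},    # bob has left
    {"serial": "1005", "source": "mdm-ca", "user": "bob", "not_after": date(2014, 1, 1), "revoked": False},    # expired
    {"serial": "1006", "source": "vpn-ca", "user": "carol", "not_after": date(2016, 1, 1), "revoked": True},   # revoked
    {"serial": "1007", "source": "wifi-ca", "user": "mallory", "not_after": date(2016, 1, 1), "revoked": False},  # unknown
]

# Constructed HR directory: the baseline every live certificate must map to.
DIRECTORY = {"alice": "active", "bob": "terminated", "carol": "terminated"}


def is_live(cert, today):
    """A certificate still grants access if it is neither revoked nor expired."""
    return not cert["revoked"] and cert["not_after"] >= today


def find_anomalies(inventory, directory, today):
    """Return anomalies by category.

    - 'terminated': live certificates whose owner has left the organization
    - 'unmapped':   live certificates whose owner is not in the directory at all
    - 'duplicate':  a user holding more than one live certificate from the same source
    """
    anomalies = {"terminated": [], "unmapped": [], "duplicate": []}
    live_by_user_source = defaultdict(list)
    for cert in inventory:
        if not is_live(cert, today):
            continue
        status = directory.get(cert["user"])
        if status is None:
            anomalies["unmapped"].append(cert["serial"])
        elif status == "terminated":
            anomalies["terminated"].append(cert["serial"])
        live_by_user_source[(cert["user"], cert["source"])].append(cert)
    for (user, source), certs in live_by_user_source.items():
        if len(certs) > 1:
            ordered = sorted(certs, key=lambda c: c["not_after"])   # oldest expiry first
            anomalies["duplicate"].append((user, source, tuple(c["serial"] for c in ordered)))
    return anomalies


def revocation_list(anomalies):
    """Kill-switch response: every serial that should be revoked now.

    Terminated and unmapped owners lose all of their certificates. For duplicates,
    this example's assumed policy keeps the certificate expiring last and revokes the rest.
    """
    serials = set(anomalies["terminated"]) | set(anomalies["unmapped"])
    for _user, _source, dup in anomalies["duplicate"]:
        serials.update(dup[:-1])
    return sorted(serials)


if __name__ == "__main__":
    found = find_anomalies(INVENTORY, DIRECTORY, TODAY)
    print(found)
    print("revoke:", revocation_list(found))
```

    Expired and already-revoked certificates are skipped so the report only lists what still grants access; the revocation list is what would be pushed to the issuing CA (and the VPN, MDM or Wi-Fi gateway) as the immediate response.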

    To learn more, read the Forrester Research study, IT Security’s Responsibility: Protecting Mobile Certificates.

    <![CDATA[2015: Get Ready for More Attacks on Trust]]> https://www.venafi.com/blog/post/2015-get-ready-for-more-attacks-on-trust https://www.venafi.com/blog/post/2015-get-ready-for-more-attacks-on-trust/#When:14:29:00Z Over the past few years, the threatscape has changed more than some realize. Cyberattackers want trusted status and they are misusing the very technologies that create trust for their nefarious purposes.

    So, you may ask, what exactly creates trust? Every mobile app, every cloud platform, every website—virtually anything that’s software, hardware, or Internet-enabled—relies upon digital certificates and cryptographic keys to create trust and define whether a source is good (trusted) or bad (untrusted). And the bad guys are going for these “keys to the kingdom” like never before!


    Unfortunately, 2014 saw a significant rise in attacks that misused the keys and certificates that create trust in our digital kingdoms (businesses and governments). Let’s look at a few important examples:

    1. In January, Kaspersky Labs revealed details on The Mask, an APT operator that had been misusing keys and certificates for years. As reported by Kaspersky, The Mask’s Windows malware was digitally signed with a valid certificate.
    2. In April, a major vulnerability in OpenSSL called Heartbleed was widely reported and companies all over the world were warned to take action to protect their networks, including replacing and revoking compromised certificates and keys. Experts from Bruce Schneier to Gartner stated clearly that SSL/TLS keys and certificates must be replaced. Several months later, not surprisingly, a key and certificate that were not replaced were compromised to breach Community Health Systems, a Fortune 500 company.
    3. In July, IoActive researchers released a report on a vulnerability in the U.S. Emergency Alert System, where a publicly available SSH key made it possible to hijack the nation’s warning system.
    4. In September, news of Shellshock, a flaw in the Bash shell, was reported that showed hackers could create long-term backdoors by inserting SSH keys and running critical shell commands on affected machines.
    5. In November, DarkHotel was reported, showing that a very effective APT campaign that tricked traveling executives using hotel WiFi networks was enabled by dozens of misused digital certificates.
    6. And finally, this December, Sony’s SSH keys and code-signing certificates were leaked as part of a massive breach, allowing the attackers to gain authorized access into Sony’s network and causing even more damage.

    So while 2014 saw more attacks misusing SSL/TLS keys and certificates, along with SSH keys, these aren’t exactly new threats; in fact, they go back to Flame and Stuxnet years ago. Those attacks created the blueprints and sophisticated designs that now arm nation-state attackers, APT operators, and common industry criminals with weaponized malware. The problem is that the good guys have not been paying attention to the impact of misused certificates and keys until just recently.

    In fact, in its latest threat report, McAfee Labs referred to 2014 as “The Year of Shaken Trust.” The report discussed attempts to exploit the Internet trust model, a dramatic rise in the misuse of digital certificates, the growth of underground marketplaces selling compromised certificates, and the impact of SSL vulnerabilities such as Heartbleed and BERserk. Cisco also released its mid-year security report, which said that “compromised, secure encrypted connections” (aka SSL/TLS) are a major threat to enterprises. And recent University of Maryland research published in November 2014 validated Venafi’s findings on the non-remediation of Heartbleed, whereby 97 percent of Global 2000 SSL certificates were still vulnerable to Heartbleed several months after it was initially reported.

    Organizations need to be prepared for a rampant rise in attacks on trust. We predict the following major developments in 2015:

    1. SSL will be used and abused a lot more. With the bad guys attacking and stealing data, there will be a need to use more SSL/TLS. We’ve seen CloudFlare and the “Let’s Encrypt” teams now giving away free SSL certificates, and this is a great thing—more SSL/TLS protects data and privacy. But more certificates, and especially those that organizations do not protect and continuously monitor, will create more criminal interest and activity. In fact, we’ve already seen the first free certificates misused by bad guys.
    2. Certificate expiration and outages will be recognized as a major security issue. It’s a fact: digital certificates expire, costing millions of dollars every year. But that’s not just a major operations issue; it’s a huge security issue—because if a certificate expires and users ignore this, the organization is being blindly trusted. At that point, what’s the difference between an organization’s expired certificates and those that are out-of-policy, misconfigured, or even malicious? Expirations also bring down services. We’ve already seen some recognize certificate expirations and outages as a major security issue following a major payments terminal outage.
    3. Our security controls will be useless against half of the network attacks. Gartner predicts that 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. By the end of the year, we’ll likely already be there. Bad guys understand that most security systems either trust SSL/TLS or lack the keys to decrypt traffic and find their hidden threats. This undermines a whole slew of critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.
    4. Incident response teams will leave the door open for bad guys, resulting in more attacks. We also predict that incident response (IR) and forensics analysis teams will increasingly be called in to determine the root cause of breaches—i.e., to understand the forensics of the malware, where it is, what data was stolen and what parts of the network were infected with it. They will be able to bring these breached networks back to a good, trusted state, but breaches will still recur. Why? Because IR teams will forget to revoke and replace the certificates.
    5. Our hearts will continue to bleed. The Community Health Systems breach was likely just a proof-of-concept, and a sign of more exploits to come. Because of the lack of remediation—replacing keys and certificates—the impact of Heartbleed isn’t going away anytime soon.
    6. Kinetic attacks will go through misused certificates and keys. Stuxnet is the first known kinetic attack that leveraged misused keys and certificates, but it won’t be the last. All sorts of interconnected networks and physical devices and systems—also known as the Internet of Things—are authenticated using SSL/TLS keys and certificates. Bad guys seeking to compromise these devices or misuse them in their attacks will look to keys and certificates as a means to an end.
    7. Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. This past year, the SANS 20 critical security controls added multiple control checks on how to protect SSL/TLS keys and certificates and they are now including this in SANS trainings. This is a good step in the right direction. We expect to see more compliance and security frameworks do the same in 2015, especially now that the PCI Security Standard Council considered key and certificate security for a Special Interest Group (SIG).
    8. The Underground Digital Certificate Marketplace is open now for the bad guys. New underground marketplaces are developing for cybercriminals where they are selling keys and certificates for profit, because they know how valuable they are to undermining and circumventing critical security controls. Intel researchers expect this to be the next big cybercriminal market and we’re seeing compromised certificates sold for more than $900.

    Given all that, it looks like 2015 will also be the year when we look to not just manage keys and certificates, but also protect them and the trust they establish. I like to call it Next Generation Trust Protection. It requires constant surveillance, immediate detection of misuse (whether a policy violation or possibly malicious), and fully automated remediation to replace old or bad keys and certificates with new ones and get trusted keys and certificates out to more security systems like SSL decryption, sandbox threat protection, NGFW, IDS/IPS, DLP, and other security systems.

    This year one of Forrester’s top data protection predictions for 2015 pointed out that “Attackers who compromise trust end up with the keys to the kingdom.” We need to update our playbook when it comes to SSL/TLS keys and certificates, SSH keys, and keys and certificates used for VPN, WiFi, MDM, and more. The bad guys are attacking trust. It’s time for the good guys to defend it.

    <![CDATA[Turn Your 2015 New Year’s Compliance and Audit Resolutions into Revelations]]> https://www.venafi.com/blog/post/2015-new-years-compliance-and-audit-resolutions-into-revelations https://www.venafi.com/blog/post/2015-new-years-compliance-and-audit-resolutions-into-revelations/#When:14:52:00Z Instead of making the general New Year’s Resolution to decrease the risk in your company’s information security, let’s apply what we learned in 2014 about today’s threatscape and develop New Year’s Revelations.

    In the past year, many breaches have occurred that can be tied to the theft of private cryptographic keys. Some of the top threats of 2014 (e.g., Heartbleed, Shellshock, POODLE, and Gotofail) exposed private keys. Solutions using keys and/or certificates can no longer be blindly trusted. This affects solutions such as SSL, VPN, multi-factor authentication, privileged access (SSH), code signing, and mobile computing. Information Security experts are predicting that attacks and breaches using private keys will only continue to increase in 2015.

    2015 New Year’s Compliance and Audit Resolutions

    The use of digital certificates and cryptographic keys has skyrocketed. Every person in your organization uses one or more digital certificates and/or cryptographic keys, multiple times, daily—without even knowing it. Keys and certificates are meant to secure our communications and provide privacy, authentication, integrity, and non-repudiation. But when stolen, they can jeopardize the very things they are meant to protect. These “keys to the kingdom” give attackers the access they need to your sensitive information and allow their activities to go undetected. Therefore, it is necessary to consider what is fundamental to the confidentiality, integrity and availability of your company’s sensitive data. How do you protect against inappropriate access, modification, and downtime through the use of stolen keys and certificates?

    Let’s consider the threat in more detail. What are the vulnerabilities that affect private keys? They include software bugs, the use of deprecated hashing or cryptographic algorithms, and long validity periods for certificates. Does the Information Security Policy in your organization include policies to protect against these vulnerabilities? Are your policies backed up by standards, guidelines, and solutions for implementing compliance with the policies? Having these in place allows for efficient risk assessment and gap analysis. This ultimately feeds into the risk management process and the quarterly and annual audit and compliance reporting. All of this reporting is based on adherence to your organization’s Information Security Policy.

    One important consideration is how your policies on securing your keys and certificates affect the rest of your Information Security practices. ISO 27002, section 10.1.2, states that “A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.” If there are gaps in protecting your keys at any time in their lifecycle, attackers can compromise those keys and bypass the other security controls used by your organization. This means this one ISO 27002 statement is fundamental to ensuring that the rest of the security controls in place in your organization perform the way they should. Broken key security undermines all of your other security technologies and access controls.
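    A policy such as the one ISO 27002 calls for only helps if it is checked against what is actually deployed. As an added example (not code from this post or from Venafi), the block below audits a certificate inventory for the key vulnerabilities named above (deprecated hashing and signature algorithms, weak keys, long validity periods) and also flags expired and soon-to-expire certificates, the outage and blind-trust problem raised in the 2015 predictions post earlier on this page. The policy thresholds, the inventory rows and the as-of date are constructed assumptions for the demo, not figures from the posts.

```python
"""Added example: checking an inventory of certificates against a key-and-certificate policy."""
from datetime import date

# Constructed as-of date for the audit run.
AS_OF = date(2015, 8, 15)

# Constructed policy; every threshold here is an assumption of this example.
POLICY = {
    "deprecated_sig_algs": {"md5WithRSAEncryption", "sha1WithRSAEncryption"},
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "max_validity_days": 825,
    "expiry_warning_days": 30,
}

# Constructed inventory rows, in the shape a network scan of endpoints would produce.
CERTS = [
    {"host": "www.example.com", "sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048,
     "not_before": date(2014, 9, 1), "not_after": date(2016, 9, 1)},
    {"host": "old.example.com", "sig_alg": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024,
     "not_before": date(2010, 1, 1), "not_after": date(2020, 1, 1)},
    {"host": "api.example.com", "sig_alg": "sha256WithRSAEncryption", "key_type": "EC", "key_bits": 256,
     "not_before": date(2015, 1, 1), "not_after": date(2015, 1, 20)},
]


def check_certificate(cert, policy, today):
    """Return the list of policy violations for one certificate (empty when compliant)."""
    violations = []
    if cert["sig_alg"] in policy["deprecated_sig_algs"]:
        violations.append(f"deprecated signature algorithm {cert['sig_alg']}")
    minimum = policy["min_key_bits"].get(cert["key_type"])
    if minimum is None:
        violations.append(f"unknown key type {cert['key_type']}")
    elif cert["key_bits"] < minimum:
        violations.append(f"{cert['key_type']} key of {cert['key_bits']} bits below minimum {minimum}")
    validity = (cert["not_after"] - cert["not_before"]).days
    if validity > policy["max_validity_days"]:
        violations.append(f"validity period {validity} days exceeds {policy['max_validity_days']}")
    remaining = (cert["not_after"] - today).days
    if remaining < 0:
        violations.append("expired")
    elif remaining <= policy["expiry_warning_days"]:
        violations.append(f"expires in {remaining} days")
    return violations


def audit(certs, policy, today):
    """Map host -> violations for certificates that fail policy; compliant hosts are omitted."""
    report = {}
    for cert in certs:
        violations = check_certificate(cert, policy, today)
        if violations:
            report[cert["host"]] = violations
    return report


if __name__ == "__main__":
    for host, problems in audit(CERTS, POLICY, AS_OF).items():
        print(host)
        for problem in problems:
            print("  -", problem)
```

    The compliant `www.example.com` certificate does not appear in the report; `old.example.com` fails on all three of the vulnerability classes named above, and `api.example.com` is already expired. Running the audit with a later as-of date moves `www.example.com` into the expiry-warning window, which is the signal a renewal process should act on before the outage happens.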

    Stealing keys is a real threat and the proper people, processes, and technology must be put in place to ensure that cryptographic keys are managed through their entire lifecycle, including generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. How do you think the current state of your certificate and key visibility and security increases the risk of these threats to your organization? How do you think your stockholders, board members, audit and compliance staff would feel if your certificates and keys were compromised and your organization breached? The revelation I hope you’re having for 2015 is that, if you’re not securing your private keys and certificates, then you are not secure.

    So as we kick off 2015, does your Information Security Policy need to be updated to protect against today’s attacks that target keys and certificates? As you get started, realize that the problem begins with a lack of visibility. Most organizations lack a complete inventory of SSH keys, SSL keys, and other keys and certificates in their organizations. They are unaware of where their keys and certificates are across their network, how they are used, and who owns them.

    You can get more visibility into the current state of your key and certificate vulnerabilities in your organization by running a report from the Venafi Threat Center for your organization. With this report you can see what certificate vulnerabilities exist. Once armed with more insight, you can see what other revelations you can make for better key and certificate security in Information Security Self Assessments, Gap Analysis, Action Planning, Risk Management, Internal Audit, Material Audit, compliance initiatives, and more for 2015.

    <![CDATA[3 Opportunities to Learn from the Sony Breach]]> https://www.venafi.com/blog/post/3-opportunities-to-learn-from-the-sony-breach https://www.venafi.com/blog/post/3-opportunities-to-learn-from-the-sony-breach/#When:14:08:00Z In a threat bulletin published on our blog in December, we explored the details of the major breach at Sony Pictures Entertainment orchestrated by the “Guardians of Peace” (also known as #GOP). The attack resulted in the release of much more than gigabytes of valuable data, including dozens of digital certificates and SSH and SSL private keys—keys that could allow privileged-user access to the entire internal network of Sony. Once on the network, using these compromised keys, the bad guys likely remained undetected for weeks, months, or even years and had unfettered access to systems and data. And now that these private keys are in the wild, more bad guys could further infiltrate Sony.

    Since the news initially broke there have been multiple updates and discoveries, and I suspect there will continue to be more. This is a huge, complex breach that would have been very difficult to stop—but within it are a few important lessons for other enterprises to take to heart.

    3 Opportunities to Learn from the Sony Breach

    1. The threatscape has changed. Cybercriminals are (and have been) looking to compromise cryptographic keys and certificates, and this Sony breach is just the latest in a series of several incidents using the same exploit. Looking back to April 2011, Sony’s PlayStation Network (PSN) suffered a significant breach that exposed names, addresses, and credit card data belonging to 77 million user accounts and shut down the PSN for several weeks. The breadth of the data exposed in that attack indicated that data which should have been encrypted was not.

      Many believe attackers obtain keys to allow data or transmissions to be decrypted, but they do more than that. We’re now seeing again that bad guys gain access to private keys, allowing access to a treasure trove of sensitive internal data such as payroll and financial management, which was the case for Sony. And because one key in this breach was for Audible Magic, an entertainment service that identifies stolen digital media, this could have been one of the ways the to-be-released movies were accessed.

    2. Incident response must involve replacing all keys and certificates. The incidents at Sony should sound familiar: we’ve seen the cybercriminals behind Mask, Crouching Yeti, APT18 and others misuse SSL certificates and SSH keys. In these cases and others, attackers gain unauthorized access to a system with elevated privileges using a compromised certificate or SSH key (as Edward Snowden did), expand their reach by taking more data or misusing the compromised system, move on to more systems, and leave behind backdoors as we’ve seen with Shellshock.

      The only way to remediate this is to change out all keys and certificates. Otherwise the attackers keep their foothold in, and control of, the network. Advice from Erik Heidt at Gartner on responding to incidents like Heartbleed provides a good template: generate new keys, issue new certificates, revoke the old certificates, and validate that the replacements are actually installed and in use. Getting back to a known good state can’t mean relying on the same keys and certificates that are increasingly being misused.

      So why hasn’t Sony simply replaced these keys yet? Well, that’s much harder to do than it sounds. The first problem is that most enterprises aren’t aware of all of the keys and certificates they have, where and how they are used, and who is responsible for them—from SSL and SSH to code signing, VPN, WIFI and more. Most organizations use many Certificate Authorities (CAs) and there are increasingly more applications, devices, and cloud services that need to use keys and certificates.

      The second issue is scale: many security teams have no way to detect which keys and certificates are being misused. The Ponemon Institute found that the average Global 2000 organization has more than 17,000 SSL keys and certificates, including those issued by internal CAs and self-signed ones, far too many to watch by hand.

      Finally, security teams don’t have the means to automate remediation. Security and response teams haven’t been tooled to generate new keys, issue new certificates, and revoke old ones—just look at the poor level of remediation from Heartbleed. Venafi research from 2014 found that Heartbleed remediation for 97% of the vulnerable G2000 SSL certificates had not been completed. In addition, University of Maryland research published in November 2014 validated this widespread non-remediation. At any one time, enterprises need to know all of the keys and certificates that are in use and then be able to respond quickly to replace and revoke them when needed.

    3. This is another clear example proving keys and certificates must be secured and protected. Here’s a case of history doomed to repeat itself as long as the same attack pattern continues to work (and it does): get the keys and own the kingdom. As recent breaches have proved—and as the Cost of Failed Trust research revealed almost two years ago—all it takes is one compromised key or vulnerable certificate to cause millions of dollars in damages. Failing to continuously surveil all keys and certificates, enforce a policy, detect misuse and anomalies, and respond and remediate by replacing them with good keys and certificates means that security will continue to be undermined. By misusing keys and certificates bad actors can undermine and circumvent many of the most critical security controls, including strong authentication, DLP, sandboxing and privileged access management.

    So while many IT security pros and incident response teams continue to focus on who was behind the Sony breach, what their intention was, and what data was stolen or exposed, let’s take this opportunity to learn an important lesson. We should start 2015 by working to better secure and protect SSL keys and certificates, SSH keys, and the range of keys and certificates increasingly being used for VPN, WIFI, and MDMs.

    Forrester’s research on how cybercriminals misuse keys and certificates, together with its common-sense recommendations for protecting your business, is a good place to start.

    <![CDATA[Is Your SSL Traffic Hiding Attacks?]]> https://www.venafi.com/blog/post/is-your-ssl-traffic-hiding-attacks https://www.venafi.com/blog/post/is-your-ssl-traffic-hiding-attacks/#When:13:52:00Z Encrypted traffic is growing fast and becoming mainstream. According to Gartner, SSL traffic already makes up 15-25% of total web traffic. The share varies by industry, but SSL is typically used to protect sensitive or confidential information in transit.

    So what’s the problem? While SSL provides confidentiality and security for an individual session, it can also create a problem for enterprise security. Cybercriminals can use SSL to hide their exploits from an organization’s security devices, like firewalls, Intrusion Prevention System (IPS), Unified Threat Management (UTM), secure web gateways, Data Loss Prevention (DLP), anti-malware solutions, and more. Cybercriminals are well aware of SSL/TLS encryption blind spots and they are using SSL/TLS to hide malicious content, evade detection, and bypass critical security controls.

    The results of a Gartner survey show that, “Less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.” Therefore, in over 80% of the organizations that use these security devices, cybercriminals can bypass the organizations’ existing security controls by leveraging SSL tunnels to sneak malware into the corporate network, hide command and control traffic, and exfiltrate data. This is a serious threat.

    Gartner believes that by 2017 more than 50% of the network attacks targeting enterprises will use SSL encryption. The majority of organizations that do not decrypt traffic therefore have no way to inspect these attacks at all. This blind spot undermines traditional layered defenses and increases the risk of information breach and data loss.

    Security professionals know that visibility into and control over SSL traffic is a necessity. And just as importantly, failing to find, use, and secure ALL keys and certificates for decryption undermines existing critical security controls. These tasks are critical:

    • Have access to keys and certificates that can decrypt inbound traffic
    • Secure the volumes of keys and certificates necessary to enable inspection

    Failing to decrypt traffic, and to maximize decryption coverage with ALL of your keys and certificates, means that by 2017 half of the network attacks Gartner expects will be able to bypass your existing security investments.

    Having automatic, secure access to all enterprise keys and certificates maximizes the amount of decrypted traffic, enables inspection of SSL traffic, and eliminates blind spots that are otherwise hidden in encrypted traffic. One caveat: a server’s private key only lets a passive inspection device recover sessions negotiated with RSA key exchange; sessions that use ephemeral Diffie-Hellman (forward secrecy) cannot be decrypted from the server key alone and need an inline, proxying inspection point. So when it comes down to it, every extra key and certificate available for decryption means one less place for nefarious actors to hide threats in SSL encrypted sessions.

    Blue Coat and Venafi have partnered to help organizations uncover blind spots from malicious SSL/TLS threats that are obscured by encrypted traffic. The Blue Coat SSL Visibility Appliance and Venafi TrustForce integration maximizes the amount of traffic that can be decrypted and inspected to eliminate blind spots. Venafi TrustForce delivers keys and certificates to Blue Coat SSL Visibility Appliances securely and efficiently, thereby eliminating manual maintenance and reducing administrator burden.

    You can view the Solution Brief to learn more about the Blue Coat SSL Visibility Appliance and Venafi TrustForce integration.

    <![CDATA[Sony Breach—The Gift That Keeps on Giving (Sony Certificate Used for Destover Malware)]]> https://www.venafi.com/blog/post/sony-breach-the-gift-that-keeps-on-giving https://www.venafi.com/blog/post/sony-breach-the-gift-that-keeps-on-giving/#When:14:05:00Z In the season of giving, the Sony breach has given hackers around the world the gift that keeps on giving—keys and certificates that can be used as part of malicious campaigns for as long as Sony keeps them active. In the last week, the media has been abuzz about the malware Destover that’s digitally signed with a valid Sony certificate—part of the treasure trove successfully exfiltrated during the Sony breach last month.

    New Version of Destover Malware Signed by Stolen Sony Certificate

    Even though the signing of a variant of Destover was apparently a joke between Kaspersky researchers, the biggest concern should be that Sony has still not yet revoked any of the certificates compromised last month. The main motivation for cybercriminals to sign malware with valid digital certificates is to deliver seemingly valid content and avoid detection by critical security controls like antivirus, sandboxing solutions, or operating system security policies. By not revoking its certificates, Sony is providing cybercriminals with the ability to bypass these security controls.

    The misuse of keys and certificates as part of malicious campaigns is at an all-time high. For many years, cybercriminals have been signing malicious code to avoid detection. McAfee’s 2014 Q3 threat report shows a dramatic increase in maliciously signed code with no indications of slowing down. In fact, McAfee describes the misuse of certificates to sign malware as “unabated since we began tracking it in 2007.”

    Wake-Up Call

    If anything, the Sony breach should be a wake-up call to every organization, showing the power that keys and certificates give to attackers. There are thousands of examples of cybercriminals misusing keys and certificates—Mask, Crouching Yeti, and APT18 are but a few commonly known ones.

    Although 2014 was dubbed the “Year of Encryption,” it has turned out to be the “Year of Encryption Vulnerability.” Organizations have a blind spot when it comes to securing keys and certificates that enables cybercriminals to bypass critical security controls while siphoning data without being detected. Gartner estimates that by 2017, 50% of network-based attacks will be using SSL to disguise activity.

    3 Steps You Can Take to Avoid a Sony-like Breach
    • First, rotate keys and certificates.
    • Second, establish a baseline.
    • Third, remediate quickly.

    First, we know that cybercriminals go after keys and certificates to gain trusted status, elevate privileges and avoid detection. So, like passwords, keys and certificates should be protected and rotated frequently, so that a stolen copy has a short useful life.

    Second, you cannot tell a good key or certificate from a bad one by looking at it—there is no such thing. Unlike malware, keys and certificates are not malicious in themselves; they can, however, be used in malicious campaigns, and they are. It is therefore imperative that you establish a baseline of the normal behavior of the keys and certificates in your IT environment. Once a baseline of normal usage exists, anomalous key and certificate usage can be identified.

    Third, when you have been breached—and you are going to be—the time it takes to respond and how you respond will make all the difference. In the case of the Sony breach, the certificate used to sign Destover should have been revoked the day Sony discovered that it had been stolen. Note that revocation only helps where the verifier actually checks it, and code signed under a trusted timestamp before the revocation date keeps validating unless the revocation is dated back to before the theft. The stolen SSH keys should likewise be rotated to avoid providing future backdoor access to cybercriminals.
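
    The second step, a usage baseline with anomaly detection against it, is easy to describe and rarely implemented, so here is an added example of the logic. It is not Venafi code, and the baseline inventory, the observation log and their CSV layout are all constructed for the example. The baseline records, per certificate fingerprint, where that certificate is allowed to be used (which hosts present it over TLS, which build host signs with it); each observation is then checked against it. Three kinds of deviation fall out: a known certificate used from a source the baseline does not list (what a stolen key looks like in use), an unknown certificate presented for a subject you own (a rogue certificate or an unmanaged reissue), and unknown certificates for unknown subjects (inventory gaps to close).

```python
"""Baseline-and-anomaly check for key and certificate usage.

Added example, not Venafi code. The baseline, the observation log and the
CSV column layout are constructed for the example; fingerprints are
shortened to four hex digits for readability.
"""
import csv
import io
from typing import Dict, List, NamedTuple, Set

# Baseline (constructed): fingerprint -> subject and the uses where that
# certificate is authorised, encoded as "kind:source" and ';'-separated.
BASELINE_CSV = """\
fingerprint,subject,authorized_use
ab12,*.corp.example.com,tls:web01;tls:web02
cd34,Example Code Signing,codesign:build01
ef56,vpn.example.com,tls:vpn01
"""

# Observation log (constructed): what sensors and endpoints actually saw.
OBSERVATIONS_CSV = """\
time,kind,source,fingerprint,subject
2014-12-01T09:00Z,tls,web01,ab12,*.corp.example.com
2014-12-01T09:05Z,tls,web02,ab12,*.corp.example.com
2014-12-01T11:40Z,tls,203.0.113.7,ab12,*.corp.example.com
2014-12-02T02:15Z,codesign,lab-laptop,cd34,Example Code Signing
2014-12-02T03:00Z,tls,web01,9999,*.corp.example.com
2014-12-02T04:00Z,tls,vpn01,ef56,vpn.example.com
"""


class BaselineEntry(NamedTuple):
    subject: str
    authorized_use: Set[str]


class Anomaly(NamedTuple):
    time: str
    code: str
    detail: str


def load_baseline(text: str) -> Dict[str, BaselineEntry]:
    """Index the baseline by fingerprint."""
    baseline: Dict[str, BaselineEntry] = {}
    for row in csv.DictReader(io.StringIO(text)):
        uses = {u.strip() for u in row["authorized_use"].split(";") if u.strip()}
        baseline[row["fingerprint"]] = BaselineEntry(row["subject"], uses)
    return baseline


def load_observations(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def detect_anomalies(baseline: Dict[str, BaselineEntry],
                     observations: List[dict]) -> List[Anomaly]:
    """Compare each observation against the baseline and classify deviations."""
    known_subjects = {entry.subject for entry in baseline.values()}
    anomalies: List[Anomaly] = []
    for obs in observations:
        fp = obs["fingerprint"]
        use = f'{obs["kind"]}:{obs["source"]}'
        entry = baseline.get(fp)
        if entry is not None:
            # Known certificate: is it being used where the baseline says it may be?
            if use not in entry.authorized_use:
                anomalies.append(Anomaly(
                    obs["time"], "unauthorized-source",
                    f"{fp} ({entry.subject}) used as {use}; "
                    f"baseline allows {sorted(entry.authorized_use)}"))
        elif obs["subject"] in known_subjects:
            # Unknown certificate claiming a subject you own: rogue or unmanaged reissue.
            anomalies.append(Anomaly(
                obs["time"], "rogue-certificate",
                f"unknown fingerprint {fp} presented for {obs['subject']} by {obs['source']}"))
        else:
            # Unknown certificate for an unknown subject: an inventory gap to close.
            anomalies.append(Anomaly(
                obs["time"], "unmanaged-certificate",
                f"unknown fingerprint {fp} for {obs['subject']} seen at {use}"))
    return anomalies


def run_check(baseline_csv: str = BASELINE_CSV,
              observations_csv: str = OBSERVATIONS_CSV) -> List[Anomaly]:
    return detect_anomalies(load_baseline(baseline_csv), load_observations(observations_csv))


if __name__ == "__main__":
    for a in run_check():
        print(a.time, a.code, a.detail)
```

    Run as-is it reports three anomalies: the web certificate presented from 203.0.113.7, the code-signing certificate used from a laptop instead of the build host, and an unknown certificate for *.corp.example.com. The first two are exactly the signal a stolen key produces, which is why the baseline must list sources and purposes, not just which certificates exist.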

    Find out how Venafi helps organizations mitigate attacks on trust that misuse keys and certificates.

    <![CDATA[Attack on Trust Threat Bulletin: Sony Breach Leaks Private Keys, Leaving Door Open]]> https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-sony-breach https://www.venafi.com/blog/post/attack-on-trust-threat-bulletin-sony-breach/#When:15:55:00Z The Breach

    On 24 November news of a major breach at Sony Pictures Entertainment was reported. An organization self-described as the Guardians of Peace (also known by #GOP) claimed responsibility. The group released compressed archives of over 217MB that it claims contain Sony data. Those able to access the data reported that dozens of SSH private keys were included. This appears to be only a sample of what was stolen, as unreleased Sony movies were later leaked online.

    (Image: message displayed when employees logged into the company network: “hacked by the #GOP”)

    This breach is significant for at least three reasons:

    1. It is one more example that bad guys are looking for and obtaining SSL and SSH keys like we’ve seen with Mask, Crouching Yeti, APT18, and others.
    2. Theft of private keys means attackers can have access to an unknown number of systems with elevated privileges, enabling them to obtain more unpublished keys and certificates.
    3. Until keys and certificates are replaced following the breach, attackers maintain their foothold—retaining elevated privileges, having the ability to decrypt sensitive data in transit, and spoofing systems and administrators.

    Below is some of the content that was stolen from Sony, including SSH keys in the PuTTY SSH client .PPK format. (Image: reddit post listing the content stolen from Sony.)

    Sony now joins the at least 44% of organizations Forrester Research found to have already had keys and certificates compromised.


    An anonymous source was quoted in a The Next Web (TNW) article as saying, “a single server was compromised and the attack was spread from there.” With stolen SSH keys, an attacker can gain unauthorized access to a system with elevated privilege, as Edward Snowden did. Attackers then expand their attack by gaining more data or misusing the compromised system, gain access to more systems, and leave behind backdoors as we’ve seen with Shellshock.

    Attackers also target SSL/TLS private keys. With these keys they can spoof trusted services and launch man-in-the-middle (MITM) attacks to decrypt encrypted communications. The threat is amplified when SSL/TLS keys used by mobile applications are compromised, because many mobile applications do not perform the full certificate validation that browsers do.


    After realizing that private keys and other sensitive information was revealed, Sony’s initial response was to go dark to prevent further access. In the reports about the Sony breach, Sony was said to have taken their corporate network offline and disabled the VPN. Insiders also shared that Sony asked employees to turn off their computers and disable WIFI on their mobile devices.

    But Sony’s business cannot be sustained with their corporate systems down. What does Sony need to do to remediate this breach? The examples of stolen content show that SSH keys were stolen, including SSH keys to the ADP payroll system. But Sony should not stop with the private keys shared by attackers. Like with Heartbleed, Sony must assume that all keys and certificates were compromised.

    Until incident response teams fully remediate keys and certificates, adversaries retain unauthorized access and the ability to execute spoofing and MITM attacks. Remediation requires not only that servers, virtual machines, and network segments be brought back to a known good state, but also that new keys be generated and then certificates be re-issued, installed, and validated, and old ones revoked.

    Furthermore, if Sony fails to remediate their keys and certificates, the bad guys can exploit this to undermine other security controls, from strong authentication to privileged access to behavioral analysis. When attackers have the trusted status of valid keys and certificates, they can authenticate and cloak their malicious activities.

    Recommended Remediation

    If Sony is like most Global 2000 organizations, the IT team is not even aware of all of the digital certificates and cryptographic keys that support trusted communications and authentication in the network. To effectively remediate this type of breach, organizations must know how all keys and certificates are used to establish trust (from SSL and SSH through to POS and mobile devices), where they are located, and who is responsible for them.

    Only once a baseline inventory is known can organizations then respond to incidents by replacing keys and certificates. However, most organizations then rely on manual methods that keep organizations vulnerable for extended periods of time. APT operators, from Mask to Crouching Yeti, have been known to exploit stolen keys over periods of up to 7 years.

    Remediation that is automated can close doors on attackers in minutes, versus the days, weeks, or months it may take to remediate manually. Until keys and certificates are replaced, your network, intellectual property, and customer data are still vulnerable. Time is of the essence.

    Being Prepared

    This breach is a problem not just for Sony. Organizations are breached every day but are not aware keys and certificates are being stolen for misuse and do not remediate by changing keys and certificates.

    Venafi recommends customers use the Venafi Trust Protection Platform in preparation to respond to increasing incidents of attackers compromising keys and certificates with the following actions:

    Securing SSH Keys
    1. Determine trusted relationships and map privileged access
      • Detect all SSH keys across all servers, virtual machines, cloud instances, and administrator workstations with Venafi TrustAuthority
      • Understand trust relationships and access with TrustMap reporting
    2. Reduce exposure to misuse by rolling SSH keys more often by policy
      • Use TrustAuthority to establish lifetime policies for SSH keys
      • Use TrustForce to automate the replacement of SSH keys
    3. Detect possible misuse and remediate automatically
      • Detect all changes to SSH trust relationships with TrustAuthority
      • Automate remediation by removing keys from authorized key lists with TrustForce
    4. Respond quickly to incidents by replacing SSH keys
      • Force new keys to be generated
      • Ensure new public keys are deployed, installation confirmed, and authorized key lists updated with TrustForce
    5. Validate and report on remediation
      • Use the shared reporting services of the Trust Protection Platform to identify progress in reducing risk
      • Turn to the Venafi support team for more information and examples
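
    Step 3 of the SSH list above (remove compromised keys from authorized key lists) can be scripted once you have fingerprints for the leaked keys. The following is an added example, not Venafi code or output of the products named above: it parses authorized_keys lines, cross-checks the declared key type against the type encoded inside the key blob, computes the OpenSSH SHA256 fingerprint, and drops any entry whose fingerprint is on the leaked list while passing every other line through untouched. The keys and the file contents are constructed for the example (filler bytes, not real key pairs), and the script assumes the leaked .PPK files have first been converted to OpenSSH public-key lines (puttygen’s -L option does that).

```python
"""Purge leaked SSH public keys from authorized_keys files.

Added example, not Venafi code. Assumes the leaked keys have already been
converted to OpenSSH public-key lines (for PuTTY .ppk files, puttygen's -L
option does this) so that their fingerprints can be computed. The keys and the
file contents below are constructed: filler bytes, not real key pairs.
"""
import base64
import hashlib
import struct
from typing import Iterable, List, Optional, Set, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def build_ed25519_blob(raw_key: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 blob for sample data.

    Wire format: string "ssh-ed25519" then string <32-byte key>, each
    length-prefixed with a big-endian uint32.
    """
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw_key
    return base64.b64encode(blob).decode()


def key_type_from_blob(blob_b64: str) -> str:
    """Return the key type encoded inside the blob (its first wire string)."""
    blob = base64.b64decode(blob_b64)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(SHA-256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (type, blob, comment) for a key line, None for blank/comment lines.

    An optional leading options field (e.g. from="10.0.0.5",no-pty) is skipped
    by finding the first token that names a key type. Quoted options containing
    whitespace are tolerated as long as no quoted word itself looks like a key type.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            key_type, blob = tok, tokens[i + 1]
            if key_type_from_blob(blob) != key_type:
                raise ValueError(f"declared type {key_type} does not match blob: {line!r}")
            return key_type, blob, " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable authorized_keys line: {line!r}")


def purge_leaked_keys(lines: Iterable[str], leaked: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (lines to keep, fingerprints removed); non-key lines pass through."""
    kept: List[str] = []
    removed: List[str] = []
    for line in lines:
        parsed = parse_authorized_key_line(line)
        if parsed is None:
            kept.append(line)
            continue
        fp = fingerprint(parsed[1])
        if fp in leaked:
            removed.append(fp)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample material (filler bytes, not real keys).
LEAKED_BLOB = build_ed25519_blob(bytes(range(32)))
GOOD_BLOB = build_ed25519_blob(bytes(range(32, 64)))
LEAKED_FINGERPRINTS = {fingerprint(LEAKED_BLOB)}   # as computed from the leaked archive

SAMPLE_AUTHORIZED_KEYS = [
    "# payroll-db01 authorized_keys (constructed sample)",
    f"ssh-ed25519 {LEAKED_BLOB} deploy@build01",
    f'from="10.0.0.5",no-pty ssh-ed25519 {GOOD_BLOB} backup@nas01',
]

if __name__ == "__main__":
    kept, removed = purge_leaked_keys(SAMPLE_AUTHORIZED_KEYS, LEAKED_FINGERPRINTS)
    print("removed:", removed)
    print("\n".join(kept))
```

    In practice you run this over the authorized_keys file of every account on every host in the SSH inventory, write the kept lines back only after reviewing what was removed, and record the removed fingerprints so the remediation can be reported on. Matching on fingerprints rather than on the comment field matters: the comment is free text and an attacker who planted a key can name it anything.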
    Securing SSL/TLS Certificates and Keys
    1. Establish a baseline of keys and certificates and continuously surveil to detect new ones with Venafi TrustAuthority
      • Scan networks to identify SSL/TLS certificates
      • Use Venafi Aperture portal to establish ownership of keys and certificates
      • Surveil for new keys and certificates continuously with scheduled discoveries
    2. Reduce exposure to misuse by limiting key and certificate lifetimes with TrustAuthority and TrustForce
      • Set policy to limit lifetimes for keys and certificates, similar to Google’s lifetime policies, which are now down to 3 months
      • Generate and securely distribute new keys and certificates regularly with TrustAuthority
      • Replace keys and certificates automatically using TrustForce
    3. Respond quickly to incidents by replacing keys and certificates
      • Force new keys to be generated
      • Ensure certificates are reissued, installation confirmed, and old certificates revoked with TrustForce
    4. Validate and report on remediation
      • Use the shared reporting services of the Trust Protection Platform to identify progress in reducing risk
      • Turn to the Venafi support team for more information and examples
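
    Steps 1 and 2 of the SSL/TLS list amount to a policy check over the inventory: every discovered certificate gets an owner and is measured against lifetime, algorithm and key-size rules. As an added example (not Venafi code), the following script evaluates a constructed inventory, with a column layout assumed to be what a discovery scan would export, against a 90-day lifetime limit like the Google policy mentioned above, flags MD5 signatures as banned and SHA-1 as deprecated, requires RSA keys of at least 2048 bits, and reports self-signed, ownerless and soon-to-expire certificates. The policy thresholds are assumptions you would replace with your own standard.

```python
"""Policy check over a certificate inventory.

Added example, not Venafi code. The inventory rows, the column layout and the
policy thresholds are constructed/assumed for the example.
"""
import csv
import io
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple


class Policy(NamedTuple):
    max_lifetime_days: int = 90        # mirrors the 3-month lifetimes mentioned above
    min_rsa_bits: int = 2048
    banned_sig_algs: FrozenSet[str] = frozenset({"md5WithRSAEncryption"})
    deprecated_sig_algs: FrozenSet[str] = frozenset({"sha1WithRSAEncryption"})
    expiry_warn_days: int = 30


# Constructed inventory, in the layout assumed for a discovery scan export.
INVENTORY_CSV = """\
host,subject,issuer,not_before,not_after,sig_alg,key_type,key_bits,owner
web01.example.com,CN=www.example.com,CN=Example Issuing CA,2014-10-01,2014-12-30,sha256WithRSAEncryption,RSA,2048,webteam
legacy.example.com,CN=legacy.example.com,CN=Example Internal CA,2012-01-01,2017-01-01,md5WithRSAEncryption,RSA,1024,
vpn01.example.com,CN=vpn.example.com,CN=vpn.example.com,2014-06-01,2014-12-05,sha1WithRSAEncryption,RSA,2048,netops
"""


def load_inventory(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(row: dict, policy: Policy, today: date) -> List[str]:
    """Return the policy findings for one inventory row (empty list = compliant)."""
    findings: List[str] = []
    not_before = date.fromisoformat(row["not_before"])
    not_after = date.fromisoformat(row["not_after"])
    if (not_after - not_before).days > policy.max_lifetime_days:
        findings.append("lifetime-exceeds-policy")
    if row["sig_alg"] in policy.banned_sig_algs:
        findings.append("banned-signature-algorithm")
    elif row["sig_alg"] in policy.deprecated_sig_algs:
        findings.append("deprecated-signature-algorithm")
    if row["key_type"] == "RSA" and int(row["key_bits"]) < policy.min_rsa_bits:
        findings.append("weak-key")
    if row["issuer"] == row["subject"]:
        findings.append("self-signed")       # outside CA policy; needs explicit ownership
    if not row["owner"].strip():
        findings.append("no-owner")          # nobody to call when it must be replaced
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= policy.expiry_warn_days:
        findings.append("expiring-soon")
    return findings


def check_inventory(text: str, today_iso: str, policy: Policy = Policy()) -> Dict[str, List[str]]:
    """Map each host to its findings as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {row["host"]: evaluate(row, policy, today) for row in load_inventory(text)}


if __name__ == "__main__":
    for host, findings in check_inventory(INVENTORY_CSV, "2014-11-15").items():
        print(host, ", ".join(findings) or "compliant")
```

    The point of returning codes rather than prose is that the same report drives the next step: "lifetime-exceeds-policy" and "banned-signature-algorithm" feed the replacement queue, "no-owner" feeds the ownership portal, and "expiring-soon" is the one finding that will otherwise turn into an outage.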

    Venafi CISO Tammy Moskites has prepared guidance for CISOs and their teams on why organizations need to prepare to respond to more incidents involving the compromise and misuse of keys and certificates.

    Please contact Venafi support with any questions or for help with remediation.

    <![CDATA[2014: The Year of Encryption (Vulnerability)]]> https://www.venafi.com/blog/post/2014-the-year-of-encryption-vulnerability https://www.venafi.com/blog/post/2014-the-year-of-encryption-vulnerability/#When:14:30:00Z Looking back a year ago, when writers published blogs and articles predicting what 2014 would have in store for us, many were calling it the “Year of Encryption.” This was largely due to the NSA/Snowden revelations, which lit a raging privacy vs. security fire, with the widespread use of encryption as the by-product. Google, Microsoft, Yahoo!, and many other eGiants began encrypting everything, everywhere, not only to combat government surveillance programs, but most importantly to protect against attacks from a litany of cyber adversaries.

    What we didn’t count on was 2014 ultimately being the “Year of Encryption Vulnerability.”

    That’s exactly what happened. And for enterprise security warriors waging a daily war against multitudes of cyber adversaries, from solo hackers to well-funded nation-states, it couldn’t have happened at a worse time. There was Heartbleed, then Shellshock, then POODLE, and many more along the way that didn’t make the headlines. Remediating these vulnerabilities presented different challenges, yet the common thread between them was that each undermined the trust placed in encryption keys and digital certificates. Security teams found themselves spending massive amounts of time and resources remediating, ironically, the very encryption “trust instruments” they had deployed in the first place to keep them safe. The enterprise PKI, designed to surround sensitive data like an impenetrable brick wall, turned out in some cases to be full of hidden trap doors.


    So where do we go from here? That’s a question we must all ask ourselves, and answer correctly, because the use of encryption will only continue to increase exponentially, regardless of how well or poorly we manage it. In a hyper-connected world in which privacy and security are ever more important, our businesses must be in a position of strength when it comes to encryption, so that we can actually trust encryption to do its job and protect sensitive data everywhere it’s employed. If we don’t, trust itself could be undermined to the point where the internet reverts to the e-commerce of the 1990s, when hardly anyone trusted it for financial or otherwise sensitive transactions. When I read articles stating that the German spy agency wants to buy zero-day vulnerabilities in order to undermine SSL security, that’s literally what I envision.

    From a security perspective, I believe we are at a point where it’s become absolutely mandatory that all encryption keys and digital certificates are secured and managed with the right technology, people and processes. In other words, we must now treat all keys and certificates as if they are the most privileged set of credentials that exist in the enterprise.

    That means we must be in position to immediately and effectively remediate encryption vulnerabilities when they inevitably come to light. When the next Heartbleed hits, we must be able to quickly find every single affected key and certificate, and then automatically revoke, replace, and reissue. Our businesses and brands can’t afford to have incomplete remediation when it comes to trust-based vulnerabilities.

    More importantly, as malicious cyber operations (nation-state and others) continue to use encryption more and more to evade detection and silently siphon off massive volumes of sensitive data from businesses, we must adapt to this new reality and be in position to fight back. The ever-expanding digital universe certainly holds much promise for the world. Yet the future of securing sensitive, private and financial data within this universe largely depends upon our ability to secure and properly manage the encryption assets we all rely upon to make trust online possible.

    <![CDATA[A Week to Remember: When All the Cookies, Keys, and Certificates Crumble ]]> https://www.venafi.com/blog/post/a-week-to-remember-when-all-the-cookies-keys-and-certificates-crumble https://www.venafi.com/blog/post/a-week-to-remember-when-all-the-cookies-keys-and-certificates-crumble/#When:04:00:00Z If there’s one thing I’ve learned from being in the field of cybersecurity for nearly two decades, it’s that there is never, ever a dull moment. But in the past week, something different seemed to happen in cyberland. And it’s really quite disconcerting. We saw four major stories about how adversaries’ campaigns and methods hit the web with one common theme: the trust established by cryptographic keys and digital certificates is being misused everywhere. It’s not exotic anymore, nor is it hypothetical. It’s a real threat and happening with increased frequency. It’s also a high risk that threatens to undermine most, if not all, critical security controls.

    Why? Because keys and certificates provide the foundation of trust for every app, website, and cloud today. And they are consistently being misused and compromised by attackers now. In their top 2015 predictions (also published in the last week), Forrester explained why bad guys are so interested: “Attackers who compromise trust end up with the keys to the kingdom.” Those keys to the kingdom are the keys and certificates on which we run our businesses everyday but spend very little time protecting.

    So what actually happened last week?

    • First, Kaspersky released a report on DarkHotel—a very effective APT campaign enabled by dozens of misused digital certificates, used to target traveling executives on hotel Wi-Fi networks. These executives thought they were transmitting data privately, in an authenticated way, but the malware operators used compromised certificates to get between unsuspecting executives and their businesses.
    • Then researchers at the University of Maryland issued interesting research on Heartbleed that verified what we at Venafi have been saying all along: you have to change all the keys and certificates. These UMD researchers found that within 3 weeks of the Heartbleed incident, at least 87% of certificates had not been fully remediated: keys changed, certificates reissued, and bad ones revoked. It’s not an option to ignore Heartbleed any longer. The Community Health Systems breach subsequently demonstrated that exploiting Heartbleed and compromised certificates is not theoretical, and that attackers will choose when and where to use their exploits. What are people waiting for?
    • Next came the news of WireLurker, a malware Trojan targeting iOS where the keys and certificates used to sign apps for an iOS enterprise app store were compromised. With this new threat, attackers can load software onto an Apple device that isn’t jailbroken. This is no surprise to anyone watching changes in the threatscape. Intel Security has been raising this issue for some time: “The rapid escalation of malicious signed binaries quarter-over-quarter and year-over-year bring into question the viability of the Certificate Authority model.” This is a concern researchers at Intel Security have raised time and time again since 2013.
    • Finally, news broke earlier this month that, for a mere $0.65, researchers (and guaranteed the bad guys) can perform the collisions needed to compromise a digital certificate using an Amazon Web Services EC2 instance. In this instance, the crypto attack was against the widely used MD5 algorithm. And it only took 10 hours on a single instance. Remember Flame? The exploit of the Windows update service using a compromised certificate? Unfortunately, this is not just a problem for Microsoft. In every Global 2000 organization Venafi works with, we still find vulnerable MD5 certificates leaving the door open to very powerful spoofing and man-in-the-middle attacks.

    All of these news stories should be a serious wake-up call for the infosec industry: the threatscape has changed, and attackers need trusted status, and they know they can get it by misusing keys and certificates. What else does this mean? Unfortunately, it means almost every single security control that you’ve spent millions on to protect your network, apps, and data, can be undermined and circumvented.

    Why? Because hackers know they can get around your strong authentication with spoofing and man-in-the-middle attacks. They know you can’t decrypt all incoming SSL traffic and can’t see their new attack because your threat detection systems don’t have all of the keys to decrypt traffic. They know your privileged access management systems don’t know the difference between a good and a rogue SSH key. They know all of your data protection systems can be foiled with the compromise of just one SSL key and certificate that won’t be changed for years.

    Now, it may appear that the world is coming to an end. The foundation of trust of our digital systems—from banking, to the cloud, to mobile apps, to your business—is all based on keys and certificates and is under attack. Some have wondered, is the cryptoapocalypse upon us? No, it’s not. But the threatscape has changed and we all need to respond. Edward Snowden’s comment from earlier this year is just one example of how we’re waking up to this problem: to circumvent security like encryption, the best method is to “try to steal their keys and bypass the encryption. That happens today and that happens every day. That is the way around it.”

    I know many CISOs, security architects, and security operations teams will continue to spend more money on strong authentication, DLP, threat detection, SSL traffic decryption, privileged access management, and more. However, if we continue to blindly trust keys and certificates—don’t know how many we have, don’t know what they’re used for, can’t enforce policy, can’t detect anomalous certificates, can’t safely deliver them to threat detection systems to inspect traffic, and can’t replace one or many in seconds rather than weeks (incident response teams: remember Heartbleed?)—then we’ll continue to undermine all other critical security controls. It’s why the SANS 20 Critical Security Controls list has been updated to include guidance on securing keys and certificates. It’s why the PCI Security Standards Council considered it a high priority in its 2015 Special Interest Group selection to improve security for cardholder data.

    Over the last month I’ve met with CISOs and their teams from Berlin to Sydney. The message is the same: the threatscape has changed and the risk posed by the misuse of keys and certificates is very high. CISOs, security architects, and security operations teams need to wake up and realize the root of the problem: you simply can no longer blindly trust certificates. Gartner’s Neil MacDonald simply described this as “living in a world without trust”—a reality that security professionals cannot tolerate if we expect to stay ahead of the bad guys and defend our businesses and customers.

    <![CDATA[Payments and Private Key Protection, Part 2]]> https://www.venafi.com/blog/post/payments-and-private-key-protection-part-2 https://www.venafi.com/blog/post/payments-and-private-key-protection-part-2/#When:13:50:00Z Since last month’s blog where I started to discuss the importance of protecting private keys in payment networks, even more retailers have made the news for credit card data breaches. I also personally received a new debit card because of these high-profile retailer data breaches. This is a cause for concern for both retailers and consumers. When cardholder data is stolen, it costs a lot of money to replace the credit and debit cards and refund the money to the cardholder for purchases they did not make. This cost could be passed along to the consumer via paying more for goods and services due to higher merchant interchange rates. So, protecting the private keys that keep the payment card systems data from being disclosed, modified, or unavailable is very important.

    PCI DSS requirements

    While compliance with all of the PCI DSS requirements applicable to your cardholder data environment will ultimately help protect your private keys and secure your cardholder data, here I want to cover the requirements specific to managing and securing keys. The first step is to know where the private keys are on the cardholder data network. Requirement 2.4 calls for an inventory of in-scope system components; extend that inventory to the private keys on those components and record where each one is located. Once the private key locations are known, the rest of the key-security requirements can be met.

    Requirement 3 of the PCI DSS addresses securing encryption keys, with the intent of protecting keys so that cardholder data is not exposed. These requirements use the words exposed or disclosed. When I see this language, I think of confidentiality, one of the pillars of information security. Confidentiality, achieved through encryption, keeps data from being exposed or disclosed when it should not be, and is a form of access control. Securing keys over their lifecycle involves several steps: access control, proper approvals, and policies for key length, signing algorithms, validity period (the key's cryptoperiod), and trusted third parties where applicable. Norms must be established, and continuous monitoring, reporting, and inventory must occur, so that cardholder data stays protected.

    Requirement 3 of the PCI DSS addresses key security as follows (sub-requirement numbers are from PCI DSS v3.0):

    • Render the Primary Account Number (PAN) unreadable anywhere it is stored, for example with strong cryptography and the associated key-management processes and procedures. (3.4)
    • Document and implement procedures for protecting keys so that cardholder data is not disclosed or misused. (3.5)
    • Store secret and private keys in one or more of these forms: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key and stored separately from it, within a secure cryptographic device (such as an HSM), or as at least two full-length key components or key shares. (3.5.2)
    • Fully document and implement key management processes and procedures for the cryptographic keys used to encrypt cardholder data. (3.6)
    • Change keys that have reached the end of their cryptoperiod; do not simply extend the validity period of the old key. (3.6.4)
    • Retire or replace (archive, destroy, or revoke) a key when its integrity has been weakened or it is suspected of compromise. (3.6.5)

    Requirement 3 applies these controls to data at rest, but QSAs apply the same key-management expectations to Requirement 4, which covers cardholder data in transit over open, public networks. SSL/TLS is currently the technology of choice for this. As under Requirement 3, keys and certificates must be rotated before the end of their cryptoperiod rather than left to expire in production, and the server certificate must use strong cryptography, for example 2048-bit RSA keys rather than 1024-bit. Also verify that certificates are issued by a trusted source and that the server's TLS configuration (enabled protocol versions, cipher suites, and the certificate chain it serves) has been done properly to ensure the integrity of the connection. Run a Venafi Labs vulnerability report to determine whether these certificate or TLS configuration weaknesses exist in your network.

    On cardholder data networks, private keys provide the base of trust and confidentiality, protecting primary account numbers and sensitive authentication data from disclosure. Using strong cryptography, and building good people, processes, and technology around keys, will keep the underlying infrastructure of trust in your cardholder data network protected. Cryptographic keys are the foundation of trust in any system.

    <![CDATA[PCI SIG Voting Now Open—Vote for Securing Keys and Digital Certificates Proposal]]> https://www.venafi.com/blog/post/pci-sig-voting-now-openvote-for-securing-keys-and-digital-certificates https://www.venafi.com/blog/post/pci-sig-voting-now-openvote-for-securing-keys-and-digital-certificates/#When:14:00:00Z I know that meeting and maintaining PCI DSS compliance is a major undertaking for fellow CISOs and teams, and our collective efforts to do so improve the overall security of our organizations. Yesterday, the PCI SSC opened the voting for the 2015 PCI special interest group (SIG) projects and PCI Participating Organizations can vote through October 24. These PCI SIGs are an opportunity to gain clarity on meeting the PCI DSS requirements more effectively and efficiently, increasing security. Let’s vote for the topics that will provide the most value.

    An important proposal, Securing Cryptographic Keys and Digital Certificates, addresses the need to better protect digital trust. This protection has become critical for merchants, financial institutions, and payment processors. Keys and certificates authorize and authenticate servers, devices, software, cloud services, and privileged administrators and users, establishing the trust on which our businesses depend. But as we've come to rely more heavily on keys and certificates, cybercriminals have made them more of a target. They use unprotected keys and certificates as weapons that authenticate them and evade detection, bypassing other security controls.

    Requirements governing cryptographic keys and digital certificates appear throughout the PCI DSS, for data at rest, data in transit, authorization, and authentication. But beyond providing guidance on meeting these requirements, the SIG can provide direction on how to maintain security within particular use cases, including remediating vulnerabilities like Heartbleed and defending against increasingly common trust-based attacks (think Snowden, the Mask operation, APT1, and more). The PCI DSS includes general security requirements for keys and certificates, but organizations also need to know how to defend against real-world threats.

    This PCI SIG is an opportunity to pull together the knowledge from merchants, financial institutions, payment processors, QSAs, and security experts to provide invaluable guidance on securing keys and certificates to preserve our trust in digital business communications. To learn more and show your support for the PCI DSS SIG on Security Cryptographic Keys and Digital Certificates, visit www.protecttrust.org and vote in the PCI SSC SIG election today.



    <![CDATA[Budget for Key and Certificate Security as a Critical Security Control ]]> https://www.venafi.com/blog/post/budget-for-key-and-certificate-security-as-a-critical-security-control https://www.venafi.com/blog/post/budget-for-key-and-certificate-security-as-a-critical-security-control/#When:14:00:00Z In the recent blog post on Allocating 2015 Budget for Key and Certificate Security, Tammy Moskites, the CISO and CIO of Venafi, emphasizes how unsecured keys and certificates can undermine critical security controls. This is certainly true. A lack of key and certificate security undermines a minimum of 40% of the Critical Security Controls (CSCs) listed by the SANS Institute. But key and certificate security should also be considered a critical security control in and of itself, not just a function that impacts the others.

    The latest version of The Critical Security Controls for Effective Cyber Defense by the SANS Institute now includes requirements for securing keys and certificates in Section 17 on Data Protection. These changes recognize that data protection must go beyond Data Loss Prevention (DLP) and Data Classification solutions, which cannot see encrypted traffic—creating a security gap (as mentioned in Tammy’s blog). But folding in these new key and certificate security requirements elevates key and certificate security to a Critical Security Control. Below are examples of the key and certificate security now listed under Data Protection.

    New Key and Certificate Security in SANS20 CSC Version 5, Requirement 17: Data Protection
    • CSC 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
    • CSC 17-3: Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
    • CSC 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise. Review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
    • CSC 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
    • CSC 17-14: Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for lifecycle.

    An effective data protection framework must close gaps by securing cryptographic keys and digital certificates to protect the trust behind secure, authenticated, and encrypted communications.

    Key and certificate security is explicitly mentioned under Data Protection, but also directly impacts many of the other SANS critical security controls that address authentication, access control, vulnerability assessment, and defense against trust-based attacks.

    SANS 20 Critical Security Controls

    Like Tammy, I also urge you to budget for key and certificate security in 2015, if not earlier with remaining 2014 funds. Tammy and others in Venafi have been working with many of the top global enterprises to help them plan key and certificate security, often folding this in with other important security and compliance projects. We’ve taken what we’ve learned from these successful engagements and captured them in a budget recommendation brief, as well as a more detailed white paper, Budgeting for Next Generation Trust Protection.

    These materials emphasize why securing keys and certificates is critical when protecting against today’s threatscape, how this protection complements your planned security and compliance projects, and how to position and estimate budget. Of course, Tammy and the rest of us at Venafi are happy to help you customize your budget efforts.

    Too often we take the trust established by keys and certificates for granted, but without key and certificate security we leave an open door to trust-based attacks, breach, and compromise.

    <![CDATA[Malicious Security—Can You Trust Your Security Technology? ]]> https://www.venafi.com/blog/post/can-you-trust-your-security-technology https://www.venafi.com/blog/post/can-you-trust-your-security-technology/#When:14:00:00Z In my previous post, I discussed the first three steps of four showing how a typical trust-based attack can be broken up into the following: 1) theft of the key, 2) use of the key, 3) exfiltration of data, and 4) expansion of its foothold on the network. This post focuses on step 4 while outlining some examples of the actions trust-based attacks perform and how bad actors use keys and certificates to maintain their foothold in the enterprise network.

    keys and certificates used throughout the attack chain

    When reviewing the security architecture for any enterprise network, the majority of the time you will hear security architects talk about defense-in-depth strategies. This equates to the layering of multiple best-of-breed security solutions to stop an attacker from getting in to the network and data leaking out of the network. But what happens when every security solution deployed as part of the enterprise security strategy can be bypassed? This is exactly the case when it comes to trust-based attacks. Security solutions are inherently designed to trust keys and certificates as part of the security stack.

    The result is catastrophic. Organizations that invest millions of dollars and hundreds of man-hours in security solutions are constantly being breached because their security controls are undermined as a result of inadequate key and certificate security—they have no visibility into the use of their keys and certificates or ability to respond to an attack. Using these keys and certificates, attackers are able to bypass the organizations’ other security controls unnoticed due to the trusted status granted.

    In step 4 of a typical trust-based attack, bad actors will use the stolen keys and certificates to maintain and strengthen their foothold on the network. As part of this process, the malware that was installed in step 3 is used to steal additional credentials, including keys and certificates. Common examples like Mask Operation and Crouching Yeti were successful for up to 7 years, showing just how long APT operators can go undetected.

    Once inside the corporate network, the name of the game is to remain undetected for as long as possible. For cybercriminals, the use of encryption, keys, and certificates provides the perfect cover. At the same time, it's important for cybercriminals to collect additional keys and certificates for future access and malicious campaigns while maintaining privileged access.

    A good example of a massive security hole in most organizations is SSH. Forrester research found that almost three-quarters (73%) of organizations hardly ever rotate SSH keys. Public key authentication is one of the most popular ways to authenticate with SSH, but it depends on the private key being adequately protected. Yet more than 50% of organizations don't even know how many keys and certificates are in use on their network, and have no security controls for them.


    When authentication is done with an SSH key, privileged identity management (PIM) solutions are bypassed. This is not a shortcoming of PIM solutions: it is how SSH is designed. The majority of security solutions have no visibility into the use of SSH and other keys and certificates on the network. It's no wonder cybercriminals are taking advantage of them at an ever-increasing rate, undermining current security controls.

    Keys and certificates are critical for secure communication across the Internet, but when a security mechanism is turned to malicious ends, something needs to be done about it. Enterprises need to start by knowing where all of the keys and certificates on the network are, how they are used, who has access to them, and how they are configured. Organizations can get direction from security standards, like the SANS 20, that provide very specific guidance on key and certificate security. These standards show promise in their recognition that trust-based attacks need to be stopped.
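    Putting the inventory and rotation points from this post into practice (the same "know where every key is, how strong it is, and when it was last rotated" discipline the PCI key-management requirements ask for), here is an added example in Python that is not part of the original post. It audits an OpenSSH authorized_keys file: it parses the SSH wire-format key blobs to get the real RSA modulus size, flags keys with no from=/command=/restrict option, detects the same key appearing twice, and compares each key against a (hypothetical) inventory of when it was added. The sample file, the inventory dates, and every key blob are constructed for the demonstration; the RSA moduli are placeholders of the right size, not real keys, and the policy thresholds (2048-bit minimum, 365-day rotation) are assumptions.

```python
"""Audit an OpenSSH authorized_keys file against a simple key policy.
Added example, not part of the original post; the sample file, inventory dates and key blobs
are constructed for the demonstration (the RSA moduli are placeholders, not real keys)."""
import base64
import hashlib
import struct
from datetime import date

MIN_KEY_BITS = 2048            # assumed policy for RSA/DSA (the "2048, not 1024" guidance)
MAX_KEY_AGE_DAYS = 365         # assumed rotation policy
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
RESTRICTING_OPTIONS = ("from=", "command=", "restrict")

def _string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(i):
    """SSH wire-format mpint for a positive integer (leading 0x00 when the top bit is set)."""
    return _string(i.to_bytes((i.bit_length() + 8) // 8, "big"))

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_strength(blob):
    """Return (key type named in the blob, security-relevant bit size)."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent
        n, off = _read_string(blob, off)         # modulus; the mpint sign byte adds no bits
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    return ktype, 1024 if ktype == "ssh-dss" else 0   # OpenSSH DSA keys are fixed at 1024 bits

def fingerprint(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Split one authorized_keys line into (options, key type, blob, comment); None for comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):          # an options field precedes the key type
        in_quote = False
        for i, ch in enumerate(line):           # options such as from="..." may contain spaces
            if ch == '"':
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                options, line = line[:i], line[i + 1:].lstrip()
                break
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], base64.b64decode(parts[1]), comment

def audit_authorized_keys(text, inventory, today):
    """Return (line number, finding) pairs; inventory maps key comment -> date added."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, ktype, blob, comment = parsed
        _wire_type, bits = key_strength(blob)
        if ktype in ("ssh-rsa", "ssh-dss") and bits < MIN_KEY_BITS:
            findings.append((lineno, "%s key is only %d bits" % (ktype, bits)))
        if not any(opt in options for opt in RESTRICTING_OPTIONS):
            findings.append((lineno, "no from=/command=/restrict option"))
        fp = fingerprint(blob)
        if fp in seen:
            findings.append((lineno, "duplicate of line %d" % seen[fp]))
        seen.setdefault(fp, lineno)
        added = inventory.get(comment)
        if added is None:
            findings.append((lineno, "not in key inventory"))
        elif (today - added).days > MAX_KEY_AGE_DAYS:
            findings.append((lineno, "key older than %d days" % MAX_KEY_AGE_DAYS))
    return findings

def make_rsa_blob(bits):
    """Constructed ssh-rsa blob with a placeholder modulus of the requested size (not a real key)."""
    return _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)

_b64 = lambda blob: base64.b64encode(blob).decode()
SAMPLE_ED25519 = _string(b"ssh-ed25519") + _string(bytes(range(32)))   # constructed, not a real key
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; none of these keys is real",
    "ssh-rsa %s legacy-backup@db01" % _b64(make_rsa_blob(1024)),
    'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa %s backup@db01' % _b64(make_rsa_blob(2048)),
    "ssh-ed25519 %s deploy@ci" % _b64(SAMPLE_ED25519),
    "ssh-ed25519 %s deploy@ci-old" % _b64(SAMPLE_ED25519),   # same key again under another comment
])
SAMPLE_INVENTORY = {"backup@db01": date(2013, 6, 1), "deploy@ci": date(2014, 9, 1)}  # constructed
AUDIT_DATE = date(2014, 10, 1)

def run_sample_audit():
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, AUDIT_DATE)
```

    Running `run_sample_audit()` on the constructed file reports the 1024-bit key, the two unrestricted ed25519 entries, the duplicate, the two keys missing from the inventory, and the backup key that is past its rotation window. The fingerprint is the same SHA256 form `ssh-keygen -lf` prints, so findings can be matched against keys seen on other hosts; in a real deployment the inventory would come from the system of record rather than a dictionary.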

    <![CDATA[Allocating 2015 Budget for Key and Certificate Security]]> https://www.venafi.com/blog/post/allocating-2015-budget-for-key-and-certificate-security https://www.venafi.com/blog/post/allocating-2015-budget-for-key-and-certificate-security/#When:14:00:00Z Right now many enterprises are in final stages of their 2015 budget cycles and many are allocating budget for one of the most important problems and highest areas of risk: protecting the trust established by keys and certificates. Trust is a top-of-mind issue for CEOs and boards. Thousands of keys and certificates—many unknown to security teams—create the trust on which businesses run. If any one key or certificate is compromised, tampered with, or forged, brand reputation suffers, intellectual property can be stolen, and customer privacy breached. The consequences of failing to secure trust are considerable and can significantly damage business.

    Why is securing keys and certificates so important now? As we have come to rely more heavily on keys and certificates, cybercriminals have made them more of a target. They want to use keys and certificates to be authenticated and evade detection, bypassing other security controls and keeping their actions cloaked.

    Organizations layer security controls to create a defense-in-depth approach to protecting their business. But a lack of key and certificate security undermines the Critical Security Controls (CSCs) listed by the SANS Institute. For example, according to Gartner, 25% to 50% of all traffic in organizations is encrypted, and most security controls, such as malware defenses, boundary defenses, and data protection, do not decrypt that traffic; they rely on keys and certificates to determine trust instead.

    Secure Key and Certificates Improve critical security controls

    The challenge is that security technologies are still designed to trust encryption. When attackers use encryption, they securely bypass your other security controls and hide their actions. The strength of your security program depends on the trust established by keys and certificates and how well you protect that trust. If your top 2015 priorities are data security, privileged access, data loss prevention, PCI DSS v3, advanced threat mitigation, or mobility, then securing keys and certificates is critical to your team’s success.

    If you have not already included key and certificate security in your 2015 budget, I encourage you to include this essential Next Generation Trust Protection as a top priority. Since Heartbleed, CEOs, Board of Directors, and even Audit Committees are asking their CISOs what they are doing about better securing keys and certificates—especially when hackers used the Heartbleed vulnerability to breach a behind-the-firewall system at Community Health Systems that affected an estimated 4.5 million patients! If keys and certificates are not replaced, exploits of Heartbleed can steal intellectual property, breach customer privacy, and irreparably damage reputation.

    With these consequences, it’s incredibly surprising that so many have not fully remediated Heartbleed: in research from July 2014, Venafi Labs found 97% of public-facing G2000 servers are still vulnerable because keys and certificates hadn’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation.

    I know firsthand that CISOs are always being asked to do more with less and have to prioritize many important projects during budget cycles. I joined Venafi earlier this year to help other CISOs and CIOs fortify their strategies and defend their businesses. Since I joined Venafi, I’ve worked with over 150 CISOs and CIOs to help them understand the problem and begin budgeting now. I can do the same for you by sharing a budget recommendation brief that summarizes the information gathered from these CISO meetings.

    Effective key and certificate security can complement your current priorities and improve the effectiveness of your critical security controls. Enterprises need to make key and certificate security a top priority in 2015, or get started now with any leftover 2014 funds. Without key and certificate security, there are gaps through which attackers bypass critical security controls. And Heartbleed is just one of numerous vulnerabilities and attacks on trust; these are increasing in frequency and severity, continually threatening the trust that is the foundation of business.

    I am personally committed to helping my fellow CISOs secure their businesses against trust-based attacks and welcome them to reach out to me directly to help them put together a plan to protect their keys and certificates and secure their business.

    <![CDATA[Payments and Private Key Protection]]> https://www.venafi.com/blog/post/payments-and-private-key-protection https://www.venafi.com/blog/post/payments-and-private-key-protection/#When:13:44:00Z There have been a lot of retailers making headlines for payment system breaches, where millions of credit card numbers have been stolen. After a breach, the retailer has to take a hard look at the people, processes, and technology that are in place in their Information Security organization. How the organization complies with their own Information Security policies, standards, and guidelines must be analyzed and the gaps in infrastructure and applications must be identified and prioritized so that risk can be greatly reduced.

    Payment Card Industry Data Security Standard High-Level Requirements

    For any organization that processes, stores, and transmits cardholder data, the Payment Card Industry Data Security Standard (PCI-DSS) helps keep cardholder data secure. There are 6 objectives supported by 12 high-level requirements and over 200 detailed requirements. The number of requirements that apply to an entity that is storing, transmitting, or processing cardholder data depends on the number of transactions processed, the cardholder data flow, and if there has been an egregious violation. Egregious violations occur when the following is present on a network: a Primary Account Number (PAN) stored in the clear in a database, a PAN transmitted in the clear over an open public network, or stored sensitive authentication data. This authentication data includes full track data from the magnetic stripe or chip, the 3- or 4-digit code on the front or back of the credit card (CAV2/CVC2/CVV2/CID), or personal identification numbers (PINs/PIN blocks). So even a merchant with low transaction volumes could have all 239 requirements apply if they have not properly scoped or implemented the network and cardholder data handling.

    Requirements three and four fall under the objective, Protect Cardholder Data, and define critical protection methods that use cryptography. The cryptography has to be implemented in a secure manner to keep intruders out. “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” (PCI-DSS, pg. 34) So there are a lot of requirements, but underlying the security of the entire PCI-DSS is the application of strong cryptography in the right places and the assurance that the private keys are protected. Private keys must stay private. Failure to do so undermines all of the other security controls that are in place.

    So how does one protect a private key? PCI DSS requirement 3.5.2 goes into detail on this, and I will blog about it next month. For now, I want to highlight the physical security requirements under Requirement 9, Restrict Physical Access to Cardholder Data. To do this, I want to share my experience implementing a Certification Authority (CA). Five tiers of physical security were implemented to secure the Root CA, which was an offline CA, and four for the online CAs:

    • Tier 1: Employees
      Operating policies and procedures including employee screening
    • Tier 2: Building
      7X24X365 guard force with a central control station, photo ID access, intrusion detection system, and closed circuit TV
    • Tier 3: CA Facility
      Structural protection, controlled access system, and self-contained UPS power system
    • Tier 4: CA Secure Rooms
      Walls with steel mesh, two-person access with biometric control, closed circuit TV, and motion alarms
    • Tier 5: Root Private Key
      Class 5 dual drawer safe with dual locks on each drawer
    • Additionally, all of Requirement 9 was met

    I know you're not all protecting Certification Authority keys; however, the care taken to protect CA keys should be applied to the private keys on the payment network as well. Protecting private keys requires physical and network defense in depth. I could argue that all 239 PCI DSS requirements should be in place to protect private keys. But I bet most organizations do not give private encryption keys much thought, and therefore do not know what private keys are on their network, who put them there, whether they have been rotated, whether they are accessible only by the key custodians or by any administrator, and whether they have been exposed to the internet by zero-day malware or other Trojans that have gone undetected.

    There are numerous current attacks on private keys. Yes, I know some are because the X.509 standard was not implemented properly, and this was taken advantage of by intruders and malicious individuals. But in your organization, can you be sure that the wrong people don’t have your private keys, that an intruder has not replaced them, and that you have all the proper controls in place to ensure this?

    <![CDATA[Attacks on Trust Driving Compliance Evolution]]> https://www.venafi.com/blog/post/attacks-on-trust-driving-compliance-evolution https://www.venafi.com/blog/post/attacks-on-trust-driving-compliance-evolution/#When:14:00:00Z When it comes to cybersecurity, any new regulatory compliance measure or guidance is typically driven by a significant expansion of associated real-world threats and incidents. For example, in October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued very pointed guidance requiring a second factor of authentication in an Internet banking environment. This effectively replaced the initial FFIEC Internet banking authentication guidance of 2001. The updated FFIEC guidance came as a result of these real-world instances:

    1. The massive growth of Internet banking (from 2001-2005), and
    2. The increase in the number and sophistication of threats to Internet banking authentication

    Each financial services enterprise then proceeded to come up with a plan to technologically require users to employ a second factor of authentication (beyond a password) that would be as minimally intrusive as possible to the customer’s online experience. Fast-forward to present day, and this is why risk-based and behavioral scoring occurs behind the scenes at any bank’s login page, serving as that least intrusive, yet valid, second factor of authentication.

    Compliance Evolution

    New risk areas and new real-world incidents drive the evolution of information security audit and compliance.

    Similar to user IDs and passwords, encryption keys and digital certificates provide trusted authentication (along with trusted encryption of the data transmitted), whether between two machines or a machine and a user. However, if cybercriminals compromise, for example, SSH keys that provide root-level access to critical Linux systems, they’ll get away with a whole lot more than a few hundred dollars from a user’s checking account. When it comes to protecting keys and certificates, the stakes are much, much higher for the enterprise.

    Malicious use and compromise of keys and certificates is no longer a theoretical threat. In 2013, even prior to the discovery of Heartbleed, an analysis by the Ponemon Institute of over 2000 large, global enterprises showed that ALL had experienced and responded to an attack on keys and certificates in the previous 24 months. In this same study, IT security professionals estimated the impact of an attack on trust to total on average almost $35 million.

    Add to this equation the fact that enterprise usage of keys and certificates is growing at rates similar to the adoption of online banking in the early 2000s. It then becomes very apparent that risks associated with keys and certificates (and thus trust online) can easily spiral out of control if Global 2000 organizations don’t act now.

    From a compliance perspective, encryption keys and digital certificates are now where online banking user IDs and passwords were in 2005. Attackers are expanding their efforts to breach targets via weaknesses in keys and certificates, knowing that many organizations' PKIs are silently rife with vulnerabilities. This is why many industry compliance bodies governing Global 2000 organizations increasingly insist that all enterprise encryption keys and digital certificates be protected in the same manner as the organization's other privileged access credentials.

    Industry Compliance Involving Keys and Certificates

    Requirements around the protection of keys and certificates (Next Generation Trust Protection) have been added directly or indirectly to nearly all major regulatory compliance bodies.

    Failing to protect trust can result in serious regulatory and business consequences for the enterprise, ranging from failed audits and fines to irreversible brand reputation damage. Our mission here at Venafi is to prevent this from happening to our customers. Given that enterprise keys and certificates provide trusted communication, implementing a program to protect enterprise keys and certificates is now more commonly referred to as “Next Generation Trust Protection.”

    The collective risks involved with unprotected keys and certificates are at an all-time high, and regulatory compliance bodies are now evolving to address them. This is a point of convergence for Next Generation Trust Protection, where the risk and real-life threats to keys and certificates drive widespread regulatory and security framework evolution. The Venafi Trust Protection Platform secures trust by protecting enterprise keys and certificates and is well positioned to meet industry best practice needs around Trust Protection. By instituting a Next Generation Trust Protection program, you’re not only better securing the enterprise brand and dramatically cutting costs, but you’re also staying ahead of the evolving information security compliance curve.

    <![CDATA[Failing to Protect Customers’ Trust Will Impact Your Business]]> https://www.venafi.com/blog/post/failing-to-protect-customers-trust-will-impact-your-business https://www.venafi.com/blog/post/failing-to-protect-customers-trust-will-impact-your-business/#When:14:00:00Z In my last blog on “SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?” I reported on the latest threats facing many enterprises today, because enterprises are failing to secure the trust in the mobile apps they’re developing for their end users. Researchers discovered that many of the popular mobile apps developed by reputable companies often do not implement SSL validation correctly, making them vulnerable to active man-in-the-middle (MITM) attacks. In MITM attacks an attacker can substitute a legitimate SSL certificate with one under his control and view and/or manipulate private information submitted by the user.


    As a follow-up to my previous blog, I’d like to focus on the business impacts that these mobile app security vulnerabilities have on enterprises and why CISOs should keep them in mind.

    Customer Privacy Breached

    Adopting an app-based strategy for your customers is not easy and it comes with significant risks. As mentioned above, the SSL validation flaws found in mobile apps leave them open to MITM attacks that trick users into leaking sensitive data. These leaks are particularly threatening because consumers use mobile apps to access banking records, healthcare benefit plans, and retail accounts, which requires enterprises to expose backend systems and data via APIs, placing consumers' sensitive information at risk of compromise. Attackers exploit mobile apps that do not check the validity of SSL certificates by presenting forged or self-signed certificates that the app accepts. On wireless networks used by mobile devices, an attacker can intercept the traffic, present such a certificate, inject malicious information-stealing code into the app's sessions, and divert users to attacker-controlled sites to conduct fraudulent transactions without most users noticing the difference.

    Brand Reputation Damage

    When an attacker finds an exploit or flaw in your mobile apps that leaks your customers’ private information, be prepared for a PR nightmare, because this will surely make a very large splash in the media. Security and privacy issues can have a major impact on customer adoption of your mobile apps, damage your company's brand reputation, and even negatively impact revenue. Keep in mind that you will not always get a second chance to get it right with your customers.

    Audit Failure

    The Fandango and Credit Karma mobile apps failed to validate SSL certificates and exposed consumers' sensitive personal information. Both became the subject of FTC enforcement actions, which should serve as a reminder of the seriousness of failing to secure and validate SSL certificates. By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app and exposed consumers' credit card details, including card number, security code, zip code, and expiration date, as well as consumers' email addresses and passwords. Similarly, Credit Karma's apps for iOS and Android disabled the default validation process, exposing consumers' Social Security numbers, names, dates of birth, home addresses, phone numbers, email addresses, passwords, credit scores, and other credit report details such as account names and balances.
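    To make the failure concrete, here is an added example in Python (not code from the original post, from Fandango, or from Credit Karma) that reproduces with the standard-library ssl module the mistake described in this post, disabling the default certificate validation, beside a hardened client configuration, and an audit function that flags the insecure settings the way a code review or a pre-release check would. The `peer_certificate` helper needs network access and is only there to show how the hardened context is used; any hostname passed to it is an assumption.

```python
"""Weak versus hardened TLS client configuration, plus an audit of the result.
Added example, not code from the original post or from the apps it names; it reproduces
with Python's ssl module the mistake described (disabling default certificate validation)."""
import socket
import ssl

# Substrings that identify cipher suites no client should still offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH", "PSK")

def insecure_client_context():
    """The anti-pattern: validation switched off, so a forged certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE             # any certificate, signed by anyone, passes
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # legacy protocol versions too
    return ctx

def hardened_client_context(cafile=None):
    """Verify the chain against a trust store, match the hostname, and require TLS 1.2 or later."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION              # rules out compression-oracle attacks
    return ctx

def audit_client_context(ctx):
    """Return the policy violations found in a client SSLContext (empty list = passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not matched against the target")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings

def peer_certificate(host, port=443, ctx=None):
    """Connect with the hardened context and return the validated peer certificate (needs network)."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check; ssl.SSLCertVerificationError
        # is raised here if the chain or the name does not validate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

    With the insecure context the audit reports the unverified chain, the missing hostname check, and the legacy protocol floor; with the hardened one it reports nothing. The same three properties are what the FTC complaints describe the apps lacking: the code paths that disable validation are usually a convenience left over from testing against self-signed certificates, and the audit is cheap to run against every context a client creates before it ships.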

    It is the responsibility of IT security teams and CISOs to ensure that they protect customers’ privacy and safeguard them from fraudulent or malicious activities. And to do this, organizations need to ensure their apps are not leaking private information, ensure trusted connections to services, and have the right intelligence to ensure trust between the business and the customer.