Current security controls at most enterprises are being undermined at this very moment and their security teams might not even know it. Compromised digital keys and certificates weaken the protective capabilities of data loss prevention, next-generation firewalls, strong authentication, sandboxing and other security systems. And most importantly, key and certificate misuse, whether malicious or accidental, can damage the trust that is essential in today’s digital world.
Mobile apps, cloud platforms, websites and virtually anything that’s software, hardware or Internet enabled—including the Internet of Things—rely on digital certificates and cryptographic keys to create the trust that is the foundation of our global economy. When SSL/TLS certificates are forged or compromised, they undermine controls that secure the data of millions of people on the Internet, during online transactions or when transmitting confidential information.
Recent attacks on global enterprises demonstrate the devastating impact a certificate-based breach can have on an organization—from lost productivity and revenue to lawsuits and a loss of trust. To gain access to valuable information, attackers mask their true identities using keys and certificates and hide their actions within encrypted data. Once they obtain stolen SSL/TLS certificates, cybercriminals are free to perform spoofing, man-in-the-middle (MITM) attacks, surveillance, and other exploits that result in stolen data.
SSL/TLS traffic comprises a significant percentage of the total web traffic today, and it’s growing fast. In fact, 25% to 35% of all enterprise network traffic is encrypted with SSL/TLS, and experts believe that figure is growing at a rate of 20% per year. With the continuing adoption of open-source SSL-Everywhere, that percentage is expected to rise exponentially.
Cybercriminals steal these digital certificates from companies using malware such as Trojans or buy stolen certificates on the black market. In a single month in 2013, security vendor Symantec found over 800 different Trojans designed to steal keys and certificates. When Mask malware was discovered in 2014, it had already been stealing keys and certificates for more than seven years—and this is just one example of the thousands of malware variants designed for this purpose.
As the availability of stolen certificates grows, so will the problem of these attacks. Stolen certificates are fetching up to $980 each in Russian underground markets—400 times the value of a stolen credit card number. According to Intel, stealing certificates is becoming the next big underground market.
Armed with these trusted SSL/TLS digital certificates, cyber thieves undermine enterprise security controls to spoof servers and divert traffic to their computers, eavesdrop on sensitive communications, and launch MITM attacks. By the time an enterprise discovers and closes one avenue of attack, thieves have moved on to another.
These attacks are growing in number because of a lack of effective digital key and certificate management. According to the Ponemon Institute, enterprises typically have in excess of 17,000 encryption keys and certificates. Yet most of these organizations lack visibility into how their digital certificates are used or abused within their networks.
Today’s cybercriminals take many forms, but those using digital certificates and keys are financially motivated and are targeting proprietary information. For the most part, skilled professionals are behind the latest SSL/TLS-related security threats. They range from commercially interested cybercriminals who may be part of a larger crime syndicate to espionage perpetrators intent on collecting information that can be used for business purposes.
These intelligence-collection campaigns can also support state intelligence priorities that may be gathering information to provide political, economic, diplomatic, and military advantages. Other players behind key and certificate misuse are motivated by various ideologies, religions, and regional sentiments. Whatever their motivation, all of these players pose a significant threat to enterprise trust and security.