Also, take a look at the article below, printed in the event publication, on how to protect keys and certificates to prevent their misuse in cyber attacks. For more information on how to protect yourself from attacks that misuse keys and certificates, download this Gartner report.
The Security Gap that Lets Cybercriminals Breach Enterprises
Lessons we can learn from the human immune system.
Most organisations don’t realise the role that cryptographic keys and digital certificates play in today’s cyber attacks. Keys and certificates are the foundation of security. They establish the trust on which businesses depend – securing data, keeping communications safe and private, and establishing trust between communicating parties. However, when these keys and certificates get breached, enterprises and individuals are left vulnerable to attack and compromise.
How our reliance on keys and certificates is used against us
We have increased our reliance on keys and certificates that protect communications and authorise and authenticate web servers, software, mobile devices, apps, admins and even airplanes. Virtually everything that is IP-enabled today relies on keys and certificates, from online banking and shopping to government sites. And this reliance will only increase as we expand our use of interconnected networks and physical devices and systems – also known as the Internet of Things. The Internet of Things depends on Secure Sockets Layer (SSL)/Transport Layer Security (TLS) keys and certificates to authenticate devices and systems.
Other security controls, such as access control, next generation firewalls (NGFW), intrusion detection systems (IDS), intrusion prevention systems (IPS), data loss prevention (DLP), and more, are designed to blindly trust keys and certificates. But what happens when cybercriminals forge or steal unprotected keys and certificates?
Attacks weaponise these compromised or stolen keys and certificates, allowing cybercriminals to bypass security controls and use keys and certificates to impersonate, surveil and monitor their targets’ websites, infrastructure, clouds, mobile devices and system administrators, as well as decrypt communications thought to be private, and even impersonate websites, code or administrators. Today’s cybercriminals use keys and certificates to gain trusted status for unrestricted access to their victim’s network and remain undetected for extended periods of time – hiding in encrypted traffic, deploying malware and siphoning off confidential data to use for criminal ends.
What is the risk of suffering an attack using keys and certificates?
The 2015 ‘Cost of Failed Trust’ survey by the Ponemon Institute found that the average enterprise has over 23,000 keys and certificates, yet 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them or how they are used.[1] Enterprises need to understand the role keys and certificates play in today’s attacks and how to protect them to close this gap in their security.
Attacks on keys and certificates are not new – Stuxnet, discovered in 2010, is the first known kinetic attack that leveraged misused keys and certificates. However, attacks on keys and certificates are becoming increasingly common, leaving victims open to devastating security breaches. From Heartbleed, ShellShock, POODLE, the Gogo and OnStar man-in-the-middle attacks, Lenovo’s Superfish vulnerability, the MASK attack and FREAK, cybercriminals are exploiting the weaknesses in unprotected keys and certificates to carry out malicious acts.
What is the risk? In the Ponemon survey, 100% of the respondents had suffered attacks using keys and certificates within the past 24 months.[1] In addition, according to market research company Gartner, 50% of all inbound and network attacks will use SSL/TLS by 2017.[2] If you haven’t already been attacked using keys and certificates, you soon will be.
What are enterprises doing to protect themselves?
With keys and certificates a prime target, organisations need to prioritise protecting them. Most organisations use manual or home-grown systems to manage keys and certificates, and these do not provide sufficient visibility and security to ensure that keys and certificates remain secure.
In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to establish what they are doing to prevent breaches and establish greater trust online.[3] Disturbingly, the data revealed that most IT professionals acknowledge they don’t know how to detect or remediate compromised cryptographic keys and digital certificates.
The survey results highlighted that 42% of respondents can’t, or don’t know how to, detect compromised keys and certificates, and the other 56% of respondents said they are using a combination of NGFW, anti-virus, IDS, IPS and sandboxes to find these types of attacks. However, attacks using forged or stolen keys and certificates bypass these security controls, which are designed to blindly trust keys and certificates. SSL/TLS decryption systems that can detect attacks hidden in encrypted traffic often do not have sufficient access to keys to provide meaningful protection.
Painfully, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks using keys and certificates, and most said it would take three or more days, or up to a week, to detect, diagnose and replace keys and certificates that have been breached.
Following a breach, more than three-quarters (78%) of those surveyed said they would only complete partial remediation, not replacing compromised keys and certificates, which would leave them open to further attacks. The vast majority of organisations are still vulnerable to Heartbleed, for example, more than a year since it was discovered.[4] When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system.
The immune system for the internet
If most security controls are designed to blindly trust keys and certificates, how can we detect misuse of keys and certificates by cybercriminals? What if we had an immune system for the internet that, like the human immune system, would let us detect what is self and trusted, and what is not and therefore dangerous on our networks?
Just like the human body’s HLA tags, keys and certificates serve as an identification system for the internet. However, unlike humans, there has been no immune system for the internet to search out which keys and certificates to trust and which to destroy. Not being able to identify what is trusted, or how to recognise and remediate untrusted keys and certificates following an attack, leaves organisations wide open to breach and compromise.
Enterprises not only need to manage keys and certificates, and know where they are and who is responsible for them, but they also need to protect them and the trust they establish. This requires an immune system for the cyber realm that can provide constant surveillance, take immediate action when anomalies are detected, and fully automate remediation to replace old or bad keys and certificates with new ones. Also, as we move increasingly to the cloud and DevOps environments, organisations need a system in place that can scale up and tear down quickly, dynamically keeping everything safe and trusted.
One solution that can serve as an immune system for the internet and fill this security gap is certificate reputation that enables immediate blacklisting of untrusted certificates and flags them for future remediation. With global certificate reputation, companies can get an internal and internet-wide view in real-time of what’s good or bad, friend or foe, when it comes to certificates, allowing IT professionals to respond in a timely manner to the misuse of keys and certificates and protect their business and brand.
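As an added example (not code from the article or from Venafi's products), this is the triage loop such an immune system would run over a certificate inventory, written in Go against the standard library only: each certificate is fingerprinted, matched against a reputation blocklist (a constructed stand-in for a global reputation feed), checked for expiry, and checked against an owner register, and anything flagged becomes the remediation list. The self-signed certificates are generated inside the block so it runs offline; `selfSigned`, `owners` and `block` are assumptions of the example, not part of any product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// fingerprint is the SHA-256 of the DER encoding, the key that reputation feeds use.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// triage returns, per subject, why an inventoried certificate needs remediation: it is on
// the reputation blocklist (constructed stand-in), expired or expiring, or has no recorded owner.
func triage(certs []*x509.Certificate, owners map[string]string, block map[string]bool, now time.Time) map[string][]string {
	findings := map[string][]string{}
	for _, c := range certs {
		fp, reasons := fingerprint(c), []string{}
		if block[fp] {
			reasons = append(reasons, "on reputation blocklist: revoke and replace now")
		}
		if c.NotAfter.Sub(now) < 30*24*time.Hour {
			reasons = append(reasons, "expired or expiring within 30 days")
		}
		if _, known := owners[fp]; !known {
			reasons = append(reasons, "no recorded owner")
		}
		if len(reasons) > 0 {
			findings[c.Subject.CommonName] = reasons
		}
	}
	return findings
}

// selfSigned builds a throwaway ECDSA certificate (constructed test data) so the example runs offline.
func selfSigned(cn string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
```

In a real deployment the inventory would be fed by network scanning and agent reports, and the blocklist by a reputation service, with the findings driving automated replacement.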
Enterprises need to be able to secure keys and certificates, because, if they don’t, online trust will be broken with dire ramifications especially to the economy that relies so heavily on the trust established by keys and certificates for commerce and mission-critical business activities. And with the Internet of Things, billions of connected devices are coming online that drive, fly, keep us safe, and keep us alive. The world will be much more dangerous and vulnerable unless we find a way to maintain the trust established by keys and certificates.
[1] Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
[2] D’Hoinne, Jeremy and Hills, Adam. Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 9, 2013. Gartner RAS Core Research Note: G00258176.
[3] Venafi survey of nearly 850 IT security professionals during the RSA Conference USA 2015.
[4] Venafi Labs Analysis. Hearts Continue to Bleed: Heartbleed One Year Later. 2015.