In March 2015, the Ponemon Institute and Venafi published research on the risks global businesses face from attacks using cryptographic keys and digital certificates in the 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. The 2015 research survey used as the basis for this report was completed by 2,394 IT security professionals around the globe: 646 U.S., 499 U.K., 574 German, 339 French, and 336 Australian respondents. The consensus among the global participants was that the system of trust is at the breaking point. Now, previously unpublished data from the survey is included in this new report, showing that businesses around the globe are suffering the damaging impacts of unsecured keys and certificates.
When trust online breaks, businesses lose customers: Nearly two-thirds (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
Critical business systems are failing: Organizations reported an average of more than 2 certificate-related unplanned outages each over the last 2 years, at an average cost of $15 million per outage.
Businesses are failing audits: On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 2 years.
These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected, and use them to circumvent security controls—to hide in encrypted traffic, deploy malware, and steal data.
Here is a quick summary of examples of the misuse of keys and certificates in 2015.
GoGo MITM: In early 2015, it was discovered that the inflight internet service provider GoGo was issuing fake Google certificates. GoGo indicated that this was simply used to block online video streaming to conserve bandwidth, but breaking this security protocol has undoubtedly tainted the GoGo brand.
Superfish: Lenovo damaged customer confidence when it was caught in early 2015 installing adware on its laptops that conducted man-in-the-middle (MITM) attacks using forged digital certificates to break open SSL/TLS encryption.
FREAK: Factoring Attack on RSA-EXPORT Keys is a vulnerability in SSL/TLS implementations that forces vulnerable clients and servers to use a weak export-grade key, which attackers can then break by brute force and use to decrypt the traffic. Victims of this vulnerability may find the effectiveness of their security called into question.
LogJam: The LogJam vulnerability exploits a flaw in the Diffie-Hellman (DHE) key exchange and, like FREAK, can be used to downgrade the TLS encryption. Attackers can use it in a MITM attack to read or modify data passed over the TLS connection, violating customer privacy.
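FREAK and LogJam both depend on the server still offering the weak suites and old protocol versions that a man-in-the-middle can negotiate the connection down to, so the defensive control is an explicit, audited allow-list rather than trusting library defaults. The Go program below is an added example, not code from the report or from Venafi: it places a permissive server configuration beside a hardened one and audits each against the TLS library's own list of insecure suites and a TLS 1.2 floor. Go's crypto/tls never implemented the export-grade suites or finite-field DHE that these two attacks target, so the weak configuration uses a legacy RC4 suite and a TLS 1.0 floor to stand in for them; both configurations are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// WeakServerConfig is a constructed example of a permissive setup: the protocol
// floor is left at TLS 1.0 and a legacy suite without forward secrecy is enabled.
func WeakServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA, // RC4, static RSA key exchange
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedServerConfig pins the protocol floor at TLS 1.2 and restricts the
// TLS 1.2 suites to an explicit forward-secret, AEAD-only allow-list.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// AuditServerConfig returns one finding per weakness: a protocol floor below
// TLS 1.2, and any enabled suite that the library itself marks as insecure.
func AuditServerConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf(
			"MinVersion not pinned at TLS 1.2 or higher (got 0x%04x)", cfg.MinVersion))
	}
	// Build a lookup of suite IDs that crypto/tls flags as insecure.
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	return findings
}

func main() {
	for label, cfg := range map[string]*tls.Config{
		"weak":     WeakServerConfig(),
		"hardened": HardenedServerConfig(),
	} {
		fmt.Printf("%-8s findings=%d\n", label, len(AuditServerConfig(cfg)))
		for _, f := range AuditServerConfig(cfg) {
			fmt.Println("  -", f)
		}
	}
}
```

The audit deliberately reads the allow-list from the configuration object rather than probing a live endpoint, so it can run in CI against the exact settings a service will deploy with; a probe of the running server is the complementary check, since it also catches a front-end proxy or load balancer that re-terminates TLS with its own defaults.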
Outages: Certificate-related outages that cause critical services to go down can also cause customer loss. Here are some newsworthy certificate-related outages in 2015, showing that even well-established businesses can suffer crippling business interruptions due to poorly managed certificates:
The Microsoft Azure storage cloud platform experienced a worldwide outage due to an expired SSL certificate.
Instagram users on the web interface either received an error message saying the company’s certificate was invalid or, if using Chrome, were denied access to the Instagram site altogether, due to an expired SSL certificate.
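Both outages above are the same failure mode: a certificate that is cryptographically sound but past its NotAfter date is rejected by every client that validates the chain, so the service goes dark the moment the clock passes that date. The following Go program is an added example, not code from the report or from Venafi: it issues a throwaway CA and server certificate, runs the chain, hostname and validity-period checks a TLS client performs at chosen points in time, and classifies the certificate against a renewal window the way an inventory monitor would. The hostname `storage.example`, the 90-day lifetime and the 30-day warning threshold are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math"
	"math/big"
	"time"
)

// ExpiryStatus is the alerting state of one certificate in an inventory.
type ExpiryStatus string

const (
	StatusExpired  ExpiryStatus = "EXPIRED"  // past NotAfter: clients reject it
	StatusExpiring ExpiryStatus = "EXPIRING" // inside the renewal window: rotate now
	StatusOK       ExpiryStatus = "OK"
)

// DaysRemaining returns whole days until NotAfter, negative once expired.
func DaysRemaining(cert *x509.Certificate, now time.Time) int {
	return int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
}

// Classify flags a certificate that has expired or expires within warnDays.
func Classify(cert *x509.Certificate, now time.Time, warnDays int) ExpiryStatus {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case DaysRemaining(cert, now) < warnDays:
		return StatusExpiring
	default:
		return StatusOK
	}
}

// IssueChain builds a throwaway root CA and a server certificate for host valid
// over [notBefore, notAfter]. Constructed test material, not a real PKI.
func IssueChain(host string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: notBefore.Add(-24 * time.Hour), NotAfter: notAfter.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// VerifyAsClient runs the chain, hostname and validity checks a TLS client
// performs, evaluated at the instant `at` instead of the wall clock.
func VerifyAsClient(leaf, root *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsExpiryFailure reports whether a verification error is specifically the
// certificate being outside its validity period (as opposed to a bad chain or name).
func IsExpiryFailure(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.Expired
}

func main() {
	issued := time.Date(2015, 2, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	expires := issued.Add(90 * 24 * time.Hour)
	root, leaf, err := IssueChain("storage.example", issued, expires)
	if err != nil {
		panic(err)
	}
	for _, now := range []time.Time{issued.Add(30 * 24 * time.Hour), expires.Add(-5 * 24 * time.Hour), expires.Add(time.Hour)} {
		verr := VerifyAsClient(leaf, root, "storage.example", now)
		fmt.Printf("%s days_left=%4d status=%-8s client_accepts=%v expiry_failure=%v\n",
			now.Format("2006-01-02"), DaysRemaining(leaf, now), Classify(leaf, now, 30), verr == nil, IsExpiryFailure(verr))
	}
}
```

Passing `CurrentTime` explicitly is what makes the check useful as a monitor: the same function can ask "will this chain still validate 30 days from now?" across an inventory of certificates, which is the question that would have raised an alert before either outage above, instead of discovering the answer from customer-facing errors.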
The new Ponemon report also shows that these impacts from unprotected and poorly managed keys and certificates will continue with a security risk per organization of $53 million over the next 2 years and a combined availability and compliance risk of $7.2 million—showing that security risk greatly outweighs availability and compliance risk. Read the report to get an action plan to reduce these risks.
How are you reducing the risk of key and certificate misuse in your organization?