Cyber attacks on trust expose UK organizations to £247 million in losses, reveal Ponemon and Venafi
April 23, 2013
Mismanagement of millions of cryptographic keys and digital certificates threatens security and operations of UK businesses
Venafi, the inventor of and market leader in enterprise key and certificate management (EKCM), and the Ponemon Institute today reveal that every large UK business is open to £247 million in possible threat exposure due to a lack of control over cryptographic keys and certificates, the foundation of trust in the modern world of secure communications, smartphones, cloud computing and almost every digital and electronic asset.
Organisations face ever-increasing challenges with trust exploits. With advanced persistent threats (APTs), bad actors are taking advantage of every exploit and looking for the weakest link in security systems. Common, well-known vulnerabilities like digitally signed malware, poor key and certificate management and weak cryptographic methods remain in many enterprises. Despite over half (51%) of UK organisations admitting that they know these to be major security issues, few are taking action. Failure to manage certificates and keys creates vulnerabilities that cybercriminals leverage to breach enterprise networks, steal data and IP and disrupt critical business operations. Every UK organisation in the survey had faced at least one of these attacks over the last 2 years.
“With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages,” says Calum Macleod, Venafi EMEA Evangelist. “Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.”
Today the typical Global 20000 organisation has an average of 17,807 certificates and keys deployed across its infrastructure. Within the UK Fortune 500, there are likely five or six million keys and certificates in use at any one time, which creates a significant target for attack and renders manual management untenable.
The survey also highlights that 61% of UK respondents don’t know how many keys or certificates are currently in use across their infrastructure. This points to a worrying trend: whilst half of respondents know the security impact of certificate mismanagement, the same proportion (half) have no idea how many certificates are currently in use.
Macleod continues: “It is extremely concerning to know that so many businesses are aware of the security impacts certificate and key oversight can have on a business, yet are still doing nothing to combat the problem. Unless organisations sit up and take notice of this growing problem, the threat and the amount of money lost by organisations each year will only increase.”
Venafi Director helps enterprises reduce the risk of malicious attacks on trust. With the full lifecycle management of keys and certificates, Director provides full visibility into key and certificate inventories and end-to-end automation of processes, drastically reducing enterprise risk and providing strategies not possible before to shrink the attack surface. One of the new strategies supported in the latest release of Director is the use of fully managed self-signed certificates. A compromise now only impacts a single key and certificate, not many, as happens when a CA is compromised. In the past, maintaining thousands of self-signed certificates increased both risk and operational burden on an enterprise.
Certificates must be continuously monitored to ensure that only authorized certificates are being used and that errors and oversights do not lead to unplanned outages from expiration or misconfiguration. For example, Mandiant reported in its APT1 Report that multiple self-signed certificates, some purporting to be from the world’s largest IT vendors, were in use. These could have been easily discovered but went undetected in many organizations. Director enables enterprises to automate continuous monitoring and, if needed, replace keys and certificates in seconds anywhere across the enterprise and in the cloud. All of this increases the ability of enterprises to prevent attacks and respond faster if needed, continuing Venafi’s success in helping organisations reduce risk from alarming attacks on trust.