Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, today released the results of its 2015 RSA Conference survey, gathered from nearly 850 IT security professionals during the week of April 20th in San Francisco. The survey data reveals that most IT security professionals acknowledge they do not know how to detect compromised cryptographic keys and digital certificates, or how to remediate quickly once a compromise is found. Keys and certificates are the foundation of trust in our modern, digital world.
Attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key, attackers can impersonate websites, signed code, or administrators, decrypt traffic, and surveil and monitor their target organizations. Because the stolen credential still carries trusted status, unsecured keys and certificates give attackers access to the target’s networks and allow them to remain undetected for long periods of time.
“The results of this survey are very concerning when you look at the uptick of attacks on trust and all of the major SSL/TLS and SSH key and certificate-related vulnerabilities revealed in the past six months alone. From Heartbleed, Shellshock and POODLE, the Gogo man-in-the-middle attacks and Lenovo’s Superfish vulnerability to FREAK and now the more recent Logjam flaw, cybercriminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious website spoofing and man-in-the-middle attacks,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
The threat landscape has changed, and cyber criminals are able to take advantage of these vulnerabilities because most security systems trust any valid-looking key or certificate without question. In the absence of an immune system for the internet, enterprises have no inventory of which keys and certificates are legitimately theirs, so they cannot determine what is “self” and trusted in their networks and what is not, and therefore dangerous. Not knowing what is “self”, or how to detect and remediate attacks on keys and certificates, leaves organizations open to breach and compromise.
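The “self” versus “other” distinction above is, in practice, a reconciliation between the keys and certificates an organization has approved and the ones actually observed on its hosts. The following is an added illustration of that check, not Venafi’s product or any code from the page: it fingerprints certificates (SHA-256 over the DER bytes, the same fingerprint tools such as OpenSSL print), compares what a scan observed against an approved inventory and a revocation list, and flags three conditions a practitioner wants to know about: an unknown certificate on a managed host (“other”), a revoked certificate still being served (a remediation gap), and an approved certificate that is no longer deployed anywhere (retire it before it is stolen). The hostnames, the inventory and the certificate bytes are constructed placeholders; the bytes are not real DER, only their fingerprints matter here.

```python
"""Toy "immune system" for keys and certificates: reconcile observed
certificates against an approved inventory and a revocation list.

Added example, not Venafi's code. INVENTORY, REVOKED, OBSERVED and the
CERT_* bytes are constructed placeholders (not real certificates).
"""
import base64
import hashlib
import textwrap
from dataclasses import dataclass


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Strip the PEM armor lines, base64-decode the body, fingerprint the DER."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return der_fingerprint(base64.b64decode(body))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


@dataclass(frozen=True)
class Observation:
    host: str
    fingerprint: str
    source: str  # where it was seen: tls-scan, ssh-scan, code-signing, ...


@dataclass(frozen=True)
class Finding:
    host: str
    fingerprint: str
    status: str  # "self" | "other" | "revoked-in-use" | "not-observed"


def audit(observed, inventory, revoked):
    """Classify every observed certificate and every approved-but-missing one.

    inventory: {host: set(fingerprints)} of approved certs per host.
    revoked:   set of fingerprints that have been revoked/rotated out.
    Revocation is checked first: a stale inventory entry must not mask a
    revoked key that is still serving traffic.
    """
    findings = []
    seen = set()
    for obs in observed:
        seen.add((obs.host, obs.fingerprint))
        if obs.fingerprint in revoked:
            status = "revoked-in-use"   # remediation gap: still serving after revocation
        elif obs.fingerprint in inventory.get(obs.host, set()):
            status = "self"             # approved for this host
        else:
            status = "other"            # unknown cert: rogue issuance, MITM or shadow IT
        findings.append(Finding(obs.host, obs.fingerprint, status))
    for host, fps in inventory.items():
        for fp in fps:
            if (host, fp) not in seen:
                # approved but no longer deployed: the private key is still
                # trusted and is a theft target, so retire/revoke it
                findings.append(Finding(host, fp, "not-observed"))
    return findings


def summarize(findings):
    """Count findings per status, e.g. for a dashboard or alert threshold."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed placeholder "certificates" (not real DER) and their fingerprints.
CERT_A = b"constructed-placeholder-cert-A"
CERT_B = b"constructed-placeholder-cert-B"
CERT_C = b"constructed-placeholder-cert-C"
CERT_D = b"constructed-placeholder-cert-D"
FP_A, FP_B, FP_C, FP_D = (der_fingerprint(c) for c in (CERT_A, CERT_B, CERT_C, CERT_D))

INVENTORY = {                      # constructed: what the organization approved
    "www.example.com": {FP_A},
    "mail.example.com": {FP_B},
    "api.example.com": {FP_D},
}
REVOKED = {FP_B}                   # constructed: FP_B was rotated out after an incident
OBSERVED = [                       # constructed scan results
    Observation("www.example.com", pem_fingerprint(to_pem(CERT_A)), "tls-scan"),
    Observation("www.example.com", FP_C, "tls-scan"),   # unexpected cert on the web host
    Observation("mail.example.com", FP_B, "tls-scan"),  # revoked cert still being served
]

if __name__ == "__main__":
    for f in audit(OBSERVED, INVENTORY, REVOKED):
        print(f"{f.status:15} {f.host:18} {f.fingerprint[:16]}...")
    print(summarize(audit(OBSERVED, INVENTORY, REVOKED)))
```

In a real deployment the observations would come from TLS and SSH scans of your own address space and from certificate transparency logs, and the inventory from wherever issuance is recorded; the point of the check is that “valid” is not the same as “ours”, and that revocation is only complete once the revoked key has actually stopped being served.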
Venafi’s 2015 RSA survey revealed:
Added Bocek, “IT security professionals need to realize that keys and certificates establish trusted connections for virtually everything IP-enabled today. Just like the human immune system, when SSL/TLS and SSH keys are protected and used correctly, they identify web servers, software, mobile devices, applications and even security administrators as ‘self’ and trusted, and those that are misused should be identified as ‘other’ and replaced or blocked.”
“But keys and certificates are often blindly trusted, so cyber criminals use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. Ultimately, if what our survey data says is true, and IT security professionals can’t secure and protect keys and certificates and respond more quickly to attacks that use them, online trust will continue to diminish with grave consequences, especially to the economy which relies so heavily on online trust for commerce and mission-critical business activities,” concluded Bocek.