Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, today released the results of its 2015 Black Hat USA survey, gathered from over 300 IT security professionals during the week of August 3rd in Las Vegas, NV. The survey data reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, which act as the foundation of all cybersecurity, but take no action. The survey also reveals that some information security pros don’t understand what security services certificate authorities (CAs) do and do not provide.
By design, cryptographic keys and digital certificates are natively trusted by servers and other security applications to provide authentication and authorization for everything that is IP-based today, including servers, clouds, applications, and Internet of Things (IoT) devices. Yet this blind trust is being misused against organizations by cybercriminals so they can monitor and impersonate their targets to steal data. Recent examples include the General Motors (GM) RemoteLink application hack, where a lack of SSL/TLS certificate validation facilitated the attack, and the Federal Reserve Bank of St. Louis, whose inconsistent use of SSL/TLS and multiple CAs (including GoDaddy) made it easy for attackers to set up fake websites, redirect visitors, and target Fed users.
There are hundreds of CAs issuing digital trust across the globe, and the average organization has over 23,000 keys and certificates, according to Ponemon Institute research. When a major CA is breached, or when a CA fraudulently issues unauthorized certificates for an organization, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers trusted access to the target’s networks and allow them to remain undetected for long periods of time.
Venafi’s 2015 Black Hat USA survey revealed:
“The results of this survey are disturbing given the number of IT security professionals who recognize the threats posed by CAs and misused certificates, but lack the knowledge, understanding and automation to solve the problem and reduce the risk of attack,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “From the DigiNotar breach to MCS Holdings and Google, organizations continue to blindly trust certificates and lack the ability to efficiently respond and develop future protections. Cybercriminals know the major impact of fraudulent issuance and misuse of keys and certificates and will continue to leverage them for APT-style attacks because they know they are effective.”
Added Bocek, “Ultimately, if what our survey data says is true, and IT security professionals do understand the risks of untrusted CAs like CNNIC but do nothing about them, we will continue to see more and more MITM attacks and certificate-related breaches. Unfortunately, we live in a world without trust today because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks. As a whole, global organizations and IT security and operations teams need to wake up and take the steps necessary to secure their keys and certificates and realize that the CAs just can’t help with that. As billions of devices come online and more IoT devices are widely adopted, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control.”
A full copy of Venafi’s 2015 Black Hat survey report is available at Venafi.com/BH2015.