Venafi Predicts: 100% of Mobile Malware To Misuse Compromised Digital Certificates By the End of 2014
Salt Lake City, UT
January 22, 2014
IT Security ‘Achilles Heel’ Will Emerge; Certificate Authorities Will Become More Transparent
Venafi, the leading provider of Next-Generation Trust Protection, today released predictions for cybersecurity market trends in 2014. Key predictions provide insights into how cybercriminals and nation-backed operators will continue to exploit trust-infrastructure security vulnerabilities to launch advanced attacks to compromise networks, inject malware, and steal valuable data and IP. These attacks on trust adversely impact the financial and business stability of targeted organizations, the majority of which are unaware of this new threat vector.
These IT-security-related predictions provide timely warning for chief information security officers (CISOs) about how bad actors will dramatically increase attacks that leverage poorly secured cryptographic keys and certificates on mobile devices, applications, servers and clouds to inject malware that is difficult to detect with traditional security controls and solutions. Additional predictions include insights into changes to be made in the Certificate Authority (CA) market, the impact Edward Snowden will have on enterprise security, and how major 2013 breaches such as the one that affected as many as 110 million Target payment-card customers will cause C-level executives to recognize the value IT security brings to the business.
Prediction 1: 100 percent of mobile malware will misuse digital certificates
In 2013, cybercriminals and nation-backed operators used digital certificates to authenticate 27 percent of all mobile malware, making it appear as legitimate code. This represents growth from zero percent during the previous year. Venafi expects 100 percent of mobile malware attacks will use digital certificates by the end of 2014. This represents massive growth in the misuse of certificates and poses significant risk to enterprise security. Bad actors have learned that the easiest, fastest and most effective way to inject malware that resides undetected on mobile devices and supporting networks for extended periods is by signing the malware with compromised or stolen digital certificates. Attackers know that most global organizations cannot detect or respond to anomalous certificates that authenticate systems and users on their networks, devices and applications.
Prediction 2: Certificate Authorities (CAs) will need to provide full transparency
Some of the largest trust-based breaches to date have occurred as a result of certificate compromises that took advantage of weak CA issuance processes. Enterprises recognize that CA reliability is key to securing trust on the Internet and will demand transparency into how certificates are issued and what steps are taken to ensure they are properly protected. To provide greater, objective transparency, a governing body will emerge that enables CAs to prove that their processes can be trusted and that their digital certificates can be used to reduce the risk of certificate-enabled compromises.
Prediction 3: In the wake of Edward Snowden, inability to detect anomalous digital certificates and encryption keys will emerge as the Achilles heel of enterprise security
Edward Snowden showed the world that with the right combination of personal trust and basic security technical prowess, even the most secure networks can be compromised and remain so without detection. Learning from Snowden's methods, cybercriminals and nation-backed operators will take advantage of global enterprises' inability to detect anomalous and rogue certificates and keys to gain undetected access to systems, applications and data. In 2014, the next generation of insiders will emerge. Compromised certificates and SSH keys will be used to infiltrate networks and to access, steal and exfiltrate data without detection. As more and more enterprises begin to suffer the financial and reputational effects of these trust-based attacks, they will realize that unprotected keys and certificates provide nefarious actors unfettered, privileged access, and they will seek to remediate the problem with automated solutions.
Prediction 4: The era of the internet-enabled human will bridge the gap between cybercrime and the physical world
2013 saw the introduction of wearable Internet-enabled devices such as Google Glass and Samsung Galaxy Gear. 2014 is set to see more innovation in this space, with IP-enabled contact lenses and other wearable technology. The rapid adoption of wearable devices will drive the increased usage of certificates to ensure they are securely authenticated to the network. This rapid adoption also dramatically increases the attack surface for cybercriminals to hack systems and networks. We may see the first cyberattack to impact a human physically because it compromises a digital certificate. For example, incorrect information provided to a wearable device may result in an accident and cause bodily harm.
Prediction 5: PRISM revelations and cybercriminal cloaking attacks will drive need for more intelligent SSL use
The BBC has dubbed 2014 as the year of encryption. We will see increased usage and broader deployment of SSL as organizations install more encryption to avoid snooping from government bodies. Leading global organizations like Yahoo and Twitter have already announced plans to deploy more certificates and keys to increase security. However, this also creates an opportunistic environment for cybercriminals. Even with current security solutions and next-generation firewalls, most organizations have a blind spot, since the encrypted traffic they inherently trust cannot be monitored for either Trojans or stolen data. The result will be an increase in malicious activity over encrypted channels; this activity uses keys and certificates as the preferred attack vector and provides hackers an ideal cloaking method. Organizations will seek detection and protection solutions.
According to the McAfee (Intel Security) Q3 Threats Report, there was a 1,600 percent increase in certificate-signed malware between Q1'12 and Q3'13. Forrester recently found that 44 percent of all enterprises have already experienced attacks on keys and certificates, and 60 percent cannot respond to such attacks within 24 hours.
"Traditionally, organizations have viewed keys and certificates as an operational problem and, for the most part, used encryption key management solutions to ensure their maintenance," said Kevin Bocek, vice president of product marketing and threat research at Venafi. "Yet cybercriminals have taken advantage of poorly protected keys and certificates and used them as an attack vector. Since Stuxnet, the abuse of keys and certificates has grown astronomically. Global enterprises must take steps to secure the trust that keys and certificates establish in our modern world of payment cards, smartphones and cloud computing."