Vulnerabilities / Threats
7/26/2013
03:49 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Honoring Black Hat's Sweet 16, Venafi Report Chronicles 16 Years of Attacks, Offers Advice On Defending Against Advanced Threats

Chronicled in the report are the different eras of attacks and attackers, with factual examples of attacks and exploits from each period

SALT LAKE CITY, UT--(Marketwired - Jul 24, 2013) - Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, is celebrating Black Hat's "Sweet 16" with the release of its latest report, "16 Years of Black Hat - 16 Years of Attacks: A Historical Overview of the Evolving Cyberattack Landscape." The report chronicles the last 16 years of attacks, threats and exploits, and analyzes how they've evolved and intensified over time. The report also offers advice to enterprises on how to better defend against a new era of attacks that increasingly leverage unprotected cryptographic keys and digital certificates -- the security technologies that form the foundation of IT security and online trust.

Report readers will learn about the history and evolution of attacks and the changing faces of attackers. They will also realize that criminals have used every weapon in their arsenal -- from malware and Trojans to attacks on trust -- in order to make a name for themselves, disrupt business, and steal data and state secrets. The report shows that as enterprises have responded, advanced attackers have had to develop new and more resistant attack and evasion methods. More recent persistent and targeted attacks demonstrated a range or attack methods and provided powerful blueprints for more common cybercriminals.

"State-backed and organized cybercriminals learned from early hackers that their vast resources could be used for a variety of nefarious, disruptive or lucrative activities. Common criminals looking for the path of least resistance have mimicked advanced attack methods. This, coupled with organizations' failure to secure and protect keys and certificates has left the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want," said Jeff Hudson, Venafi CEO.

"Organizations must stop blindly trusting keys and certificates, and take steps to understand how these attacks work and what they can do to defend against them. Otherwise, they are a vulnerable target to anyone with a cause, computer and Internet connection."

Chronicled in the report are the different eras of attacks and attackers, with factual examples of attacks and exploits from each period, including overviews of the CIH computer virus, Melissa, Code Red, MD5, Aurora, Stuxnet and Flame. Historical eras include:

1997-2003: VIRUSES, WORMS AND A LITTLE DENIAL

2004-2005: THE BIRTH OF FOR-PROFIT MALWARE

2007-2009: THE RISE OF APTS

2010-PRESENT: ASSAULT ON TRUST USING KEY AND CERTIFICATE-BASED ATTACKS

To access "16 Years of Black Hat - 16 Years of Attacks: A Historical Overview of the Evolving Cyberattack Landscape," visit: www.venafi.com/sweet16

About Venafi

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys -- from the datacenter to the cloud and beyond -- built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.