Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/8/2015
04:40 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

New Survey Reveals Limited Enterprise Ability to Respond to Attacks on the Trust Provided by Keys and Certificates

RSA Survey of Nearly 850 IT Security Professionals Finds They Don't Know How to Detect and Respond to Key and Certificate Vulnerabilities

SALT LAKE CITY, UT – JUNE 8TH, 2015

Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, today released the results of its 2015 RSA Conference survey, gathered from nearly 850 IT security professionals during the week of April 20th in San Francisco. The survey data reve­als that most IT security professionals acknowledge they don’t know how to detect or remediate quickly from compromised cryptographic keys and digital certificates, the foundation of trust in our modern, digital world.

Attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates provide the attackers unrestricted access to the target’s networks and allow them to remain undetected for long periods of time with trusted status and access.

“The results of this survey are very concerning when you look at the uptick of attacks on trust and all of the major SSL/TLS and SSH key and certificate-related vulnerabilities revealed in the past six months alone. From Heartbleed, ShellShock and POODLE, the GoGo man-in-the-middle attacks and Lenovo’s Superfish vulnerability to FREAK and now the more recent LogJam flaw, cybercriminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious website spoofing and man-in-the-middle attacks,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The threatscape has changed and cyber criminals are able to take advantage of these new vulnerabilities because most security systems blindly trust keys and certificates. In the absence of an immune system for the internet, enterprises are unable to determine what is “self” and trusted in their networks and what is not and therefore dangerous. Not knowing what is trusted and “self” or how to detect or remediate from attacks on keys and certificates leaves organizations open to breach and compromise.

Venafi’s 2015 RSA survey revealed:

  • Respondents are ill informed on how to remediate a Sony-like breach involving theft of keys and certificates.Following a breach, over three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.
  • IT security professionals simply don’t know how to protect keys and certificates and their organizations have no clear understanding or strategy for doing so. When asked what their organizational strategy is to protect the online trust provided by keys and certificates, only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea at all, 14 percent said they are using a manual process to try and manage them, and 22 percent placed the responsibility elsewhere. Without a strategy and implemented security controls to protect keys and certificates, attackers can gain and maintain extensive access to the target’s networks and remain undetected for long periods of time with trusted status.
  • Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results show that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they use a combination of next generation firewalls, anti-virus, IDS/IPS and sandboxes to detect these types of attacks. Both groups leave themselves open to additional attacks. According to Gartner, 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. Bad actors understand that most security systems either blindly trust SSL/TLS or lack access to the keys to decrypt traffic and find hidden threats. These shortcomings create blind spots and undermine critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.
  • More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys.Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) and most said it would take 3 or more days, or up to a week, to detect, diagnose and replace keys on all hosts if breached. Cybercriminals are exploiting the lack of visibility and control over SSH keys, which are used to authenticate administrators, servers, and clouds. Because SSH keys never expire, cybercriminals and insiders alike gain almost permanent ownership of systems and networks by stealing SSH keys.

Added Bocek, “IT security professionals need to realize that keys and certificates establish trusted connections for virtually everything IP-enabled today. Just like the human immune system, when SSL/TLS and SSH keys are protected and used correctly, they identify webservers, software, mobile devices, applications and even security administrators as ’self’ and trusted and those that are misused should be identified as ‘other’ and replaced or blocked.”

“But keys and certificates are often blindly trusted, so cyber criminals use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. Ultimately, if what our survey data says is true, and IT security professionals can’t secure and protect keys and certificates and respond more quickly to attacks that use them, online trust will continue to diminish with grave consequences, especially to the economy which relies so heavily on online trust for commerce and mission-critical business activities,” concluded Bocek.

About Venafi

Venafi is the market leading cybersecurity company in Next Generation Trust Protection (NGTP). As aGartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.

As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™ and Venafi TrustForce™ help organizations regain control over trust in the cloud, on mobile devices, applications, virtual machines and network devices by protecting Any Key. Any Certificate. Anywhere™. Venafi prevents attacks on trust with automated discovery and intelligent policy enforcement, detects and reports on anomalous activity, and remediates errors and attacks by automatically replacing misconfigured and compromised keys and certificates. Venafi Threat Center provides primary research and threat intelligence for trust-based attacks.

Selected as a 2013 FiReStarter and Red Herring Top 100 company, Venafi customers are among the world's most demanding, security-conscious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, manufacturing, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation CapitalPelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3317
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
CVE-2013-2512
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
CVE-2021-3165
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
CVE-2021-1070
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
CVE-2021-1071
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...