A study (PDF), released Thursday by the Ponemon Institute and underwritten by Venafi, included the responses of 2,300 individuals in Germany, France, Australia, the UK and the U.S.
I have provided a summary of the cyber risks identified in the study.
“Over the last two years, the average number of SSL/TLS and SSH keys and certificates has grown 34% to at least 23,922,” the report said. “This growth is driven from an increasing number of needs: from more focus on privacy following Edward Snowden’s NSA revelations… to Google ranking sites with SSL/TLS and digital certificates more highly in its search results algorithm. As the number of keys and certificates grows, IT security teams are unable to keep up with what’s trusted and what’s not.”
- Both risk and the number of keys and certificates are growing at the same pace.
- There is more uncertainty about what can be trusted.
- The trust required to operate as a business is threatened.
The report's table of attack types, with a description of each and a real-world example:

| Attack type | Description of attack type | Example of real-world attack |
|---|---|---|
| Server Certificate Misuse | To impersonate public websites and decrypt encrypted traffic, attackers steal keys and certificates. | The theft of data on 4.5M healthcare patients in 2014 started with the exploit of Heartbleed to steal an SSL/TLS key and certificate that encrypted sensitive data. |
| Code-signing Certificate Issue | Attackers digitally sign malicious code to have it trusted and run. | The $1B theft by Carbanak operators was enabled by signed malware that looked like trusted software. |
| SSH Key Misuse | Bad guys seeking to gain access to the most sensitive systems and data compromise SSH credentials. | APT operators like The Mask stole SSH keys and used their privileged access to compromise networks for over seven years. |
| Man-in-the-middle (MITM) Attack | Cyber criminals compromise Certificate Authorities (CAs) or forge new certificates to trick users and monitor communications. | APT operators like Dark Hotel used a malicious CA and website certificates to get in and target executive communications. |
| Weak Cryptographic Exploit | Adversaries target weak cryptography to create trusted keys and certificates. | As part of the Flame malware, Microsoft's software update service was spoofed by exploiting MD5-based signatures. |
| Enterprise Mobility Certificate Misuse | Misuse of these credentials provides access to Wi-Fi, VPN, or data protected by MDM/EMM systems. | An emerging threat that security professionals believe needs to be watched closely. |