E-Guide
SECURITY CERTIFICATE THREATS AND CRYPTOGRAPHIC KEYS IN PERIL
SearchSecurity
Study warns security certificates, cryptographic keys are in peril
Fake SSL certificates enable variety of security threats, say experts
Experts say a growing number of cryptographic keys and security certificates are being abused and the security industry's blind trust may result in a new wave of security threats caused by fake SSL certificates, including man-in-the-middle and DNS attacks.
SPONSORED BY
STUDY WARNS SECURITY CERTIFICATES, CRYPTOGRAPHIC KEYS ARE IN PERIL
Maxim Tamarov
According to a new study from the Ponemon Institute, rampant abuse of security certificates and cryptographic keys has pushed online trust to the breaking
point.
The study, titled the 2015 Cost of Failed Trust Report, focuses on the growing enterprise use of cryptographic keys and security certificates, as well as the
increasing threats and risks associated with those trust measures.
Underwritten by Venafi Inc., a cybersecurity firm based in Salt Lake City,
the report surveyed more than 2,300 global security professionals and
showed that the majority are greatly concerned about the condition of basic
trust measures like SSL and enterprise certificates.
"More than half of the respondents of the survey say the security trust they
rely on to run their businesses is in jeopardy," said Kevin Bocek, vice president
of security strategy and threat intelligence at Venafi.
According to the research, 58% of security pros believe their organizations
need to better secure keys and certificates to stave off man-in-the-middle attacks and other techniques used to steal or compromise them. At the same time,
54% admitted they didn't know where all of their organizations' keys and certificates were located.
Bocek said the danger -- and the concern for security professionals -- is
greater when it comes to mobile certificates because misuse of the credentials
can provide access to Wi-Fi networks, corporate VPNs and even data protected
by enterprise mobile device management systems. Illustrating the cause for
concern, the study showed that 62% of respondents said their organizations
could not detect anomalous mobile certificate usage.
"As you get into mobile devices, the risk of misuse of certifications goes up,"
he said. "Enterprise mobility certificates don't really do a good job validating
SSL or TLS."
In addition, respondents indicated that the risk of certificate and key abuse
will cost many of the world's largest firms a minimum of $35 million. The
Ponemon study also showed that 60% of security pros feel enterprises must
improve how they respond to threats or attacks against keys and certificates.
But Bocek also asserted that certificate authorities need to provide more
transparency and do a better job vetting certificate purchasers in order to prevent
misuse.
"The problem with certificate authorities," Bocek said, "is that no one really
knows what's going on behind the scenes."
To that end, Venafi today unveiled a cloud-based reputation service designed to guard enterprises against cryptographic key and digital certificate
abuse.
"We needed to develop a system that looks out for this kind of misuse of
security certificates," Bocek said.
Called TrustNet, the real-time protection service notifies security teams
when it detects anomalies and vulnerabilities associated with keys and certificates. It scores the reputation of the certificates by combining global sensor
networks, data collection, analytics and tuned algorithms with the data from
Venafi customers.
Venafi said TrustNet is available for customers this month.
FAKE SSL CERTIFICATES ENABLE VARIETY OF SECURITY THREATS, SAY EXPERTS
George Leopold
Security experts say this week's flap over inflight wireless provider Gogo LLC's
use of fake SSL certificates highlights the consequences of broader use of private encryption, including the unintended one of using
the technology to conceal malware.
A Google engineer working on digital certificate technology reportedly
discovered that the airborne Wi-Fi provider was issuing fake Google SSL certificates, essentially executing a man-in-the-middle (MITM) attack against its
own customers.
While it appears the inflight carrier was caught red-handed, Gogo issued a
statement stressing that it utilizes several techniques to limit video streaming
on planes, adding: "Whatever technique we use to shape bandwidth, it impacts
only some secure video streaming sites and does not affect general secure [Internet] traffic."
The incident caught the security industry off-guard, illustrating the
growing vulnerability of digital certificates that underpin trust and security
on corporate and consumer networks.
Industry experts warn that it must now be assumed that certificates will
eventually be compromised.
"We have seen man-in-the-middle attacks for years -- there is no reason
to suspect these attacks to lessen despite the ominous warnings the browser
manufacturers have put in place concerning 'invalid server certificate,'" said
Garret Grajek, CSO at dinCloud Inc., a provider of virtual desktops and cloud
security services in Gardena, Calif. "Hackers count on most (or some percentage) of users to just 'click through.'"
Nevertheless, the desire for greater privacy protections online has
prompted individuals and companies to adopt SSL encryption and "always-on
HTTPS". But some worry that the growing use of "transport encryption" may
pave the way for common use of fake security certificates, which in turn could
enable man-in-the-middle attacks, concealed malware or DNS attacks.
WHY 'BLIND SPOTS' HIGHLIGHT SSL CERTIFICATE THREATS
Some network security vendors like Blue Coat Systems Inc., based in Sunnyvale, Calif., have warned that pervasive use of SSL/TLS encryption is
creating "blind spots" in network traffic that can be used to conceal malware
and facilitate attacks. The security vendor said following a recent study that
it "routinely observes encrypted traffic used for the delivery of command and
control of malware."
Blue Coat warned that, "Malware attacks, using encryption as a cloak, do
not need to be complex because the malware operators believe that encryption
prevents the enterprise from seeing what they are doing."
The Gogo incident, and the recent spate of DarkHotel attacks against Wi-Fi
users in Asian hotels, are especially disturbing since "a service provider, not
a bad guy, was doing what a bad guy does," noted Kevin Bocek, vice president
of security strategy and threat intelligence at Venafi Inc., a security software
firm based in Salt Lake City that specializes in protecting digital certificates.
"Unfortunately, this is not a new risk and is pervasive across the Internet,"
Bocek added. "It's best if business providers like Gogo don't complicate the
matter by creating more confusion and risk with what looks like malicious
certificates that could be used to spoof and monitor private communications."
Grajek said it's conceivable that fake SSL certificates could enable DNS
attacks. SSL certificates are put in place to ensure that the DNS IP and Web
URL match the issued certificate, and the warnings that browsers offer when
they don't match are there to alert users to a potential DNS attack. If such mismatches and warnings become common, users may gradually fail to see them
as indicative of significant security risks.
Grajek said SSL certificates should be deployed and sites should be designed to support HTTPS.
"Right now, user education is needed to ensure that users do not 'click
through' these warnings," Grajek said. "With Google strongly encouraging SSL
for all sites (by rewarding SEO searches), we should see the general public becoming more aware and cognitive of SSL-certificate errors, which could denote
a hacker site that the user has been redirected to."
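An added defender-side check, not from the article and not Venafi's TrustNet code: given a certificate in the dict layout that Python's ssl.getpeercert() returns, it flags the anomalies the passage describes, a name that does not match the site's URL, an issuer outside an expected allowlist (placeholder issuer name, an assumption), a self-signed subject, and a validity window that is expired or unusually long. Both sample certificates are constructed, one resembling a legitimate google.com certificate and one a Gogo-style interception certificate carrying the same name.

```python
import ssl
# Issuers the organisation expects for these hostnames (placeholder name, an assumption).
EXPECTED_ISSUERS = {"Example Public CA G3"}
# Constructed samples in ssl.getpeercert() layout: a plausible certificate for google.com,
# and a Gogo-style interception certificate that carries the same name.
GOOD_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("commonName", "Example Public CA G3"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "notBefore": "Jan 10 00:00:00 2015 GMT", "notAfter": "Apr 10 00:00:00 2015 GMT",
}
FAKE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"),),
    "notBefore": "Jan 1 00:00:00 2015 GMT", "notAfter": "Jan 1 00:00:00 2025 GMT",
}
OBSERVED_AT = ssl.cert_time_to_seconds("Mar 15 00:00:00 2015 GMT")  # fixed clock for the samples

def _cn(name):  # commonName from getpeercert()'s tuple-of-RDNs layout
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def hostname_matches(hostname, cert):
    """RFC 6125-style match against DNS subjectAltName entries; a wildcard
    covers exactly one leftmost label and never the bare domain."""
    host = hostname.lower().rstrip(".")
    head, sep, rest = host.partition(".")
    for pattern in (v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"):
        if pattern.startswith("*."):
            if head and sep and "." + rest == pattern[1:]:
                return True
        elif pattern == host:
            return True
    return False

def assess_certificate(hostname, cert, now, max_days=398):
    """Return anomaly tags for a presented certificate; an empty list means nothing odd."""
    findings = []
    if not hostname_matches(hostname, cert):
        findings.append("name-mismatch")          # what the browser's warning signals
    if _cn(cert["issuer"]) not in EXPECTED_ISSUERS:
        findings.append("unexpected-issuer:%s" % _cn(cert["issuer"]))
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")            # heuristic: typical of an interception proxy
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        findings.append("outside-validity-window")
    if (not_after - not_before) / 86400 > max_days:
        findings.append("validity-too-long")      # decade-long certificates widen the exposure
    return findings
```

In practice the dict would come from a live connection's getpeercert() and the findings would feed an alert rather than a return value; the check complements, and does not replace, the chain validation the TLS library performs.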
The upshot is that digital certificates that may be valid for as much as a
decade can no longer be taken at face value. "We've created too much 'blind
trust,'" Bocek said. "This is a technology that comes with an expiration date."
Meanwhile, compromised digital keys and certificates are poised to become the next big marketplace for cybercriminals. In an attempt to address the
growing vulnerability of digital certificates, companies like Google Inc. have
reduced the validity date on digital certificates to three months.
Venafi estimates that stolen certificates are fetching up to $980 each in
Russian underground markets, or 400 times the value of a stolen credit card
number.
As the recent Sony hack illustrates, cyber criminals possess the data collection capacity to sweep up digital certificates that would allow them to monetize
their operations, Bocek noted.
Executive Editor Eric Parizo contributed to this story.
FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS
TechTarget publishes targeted technology media that address
your need for information and resources for researching products, developing strategy and making cost-effective purchase
decisions. Our network of technology-specific Web sites gives
you access to industry experts, independent content and analysis and the Web's largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research
reports and more, drawing on the rich R&D resources of technology providers to address
market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor-neutral, expert commentary and advice on the issues and challenges you
face daily. Our social community IT Knowledge Exchange allows you to share real-world
information in real time with peers and experts.
WHAT MAKES TECHTARGET UNIQUE?
TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and
management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers, all to create
compelling and actionable information for enterprise IT professionals across all industries
and markets.