Plugging the trust gap
by Jeff Hudson - Venafi CEO - Monday, 27 May 2013.
Every business and government is dependent upon cryptographic keys and certificates to provide trust for critical communications. These trust technologies underpin the modern world of business, establishing secure transactions and protecting access to confidential corporate data.

Unlike before, when trust could be measured in terms of locks, safes and video cameras, trust today is established by security technologies within the enterprise network that can't be seen, only managed. As organizations adopt cloud computing and employee-owned devices gain increased access to corporate networks and sensitive information, the challenge of securing company data everywhere increases exponentially. Cryptographic keys and digital certificates establish trust in the enterprise, ensuring that corporate data remains secure whether accessed by the employee in the cube on the second floor or by an executive in a hotel room in Singapore.

The attack vehicle

When it comes to Advanced Persistent Threats (APTs), bad actors will take advantage of the trust gap - using any and every exploit that they can leverage to steal your organization's data. They will look for the weakest link in your security systems and find the path of least resistance. Over the past several years, criminal organizations and individual bad actors have found that by taking advantage of poor key and certificate management practices they can breach trust to infect systems with information-siphoning malware and in some cases even implant weaponized code that can inflict physical damage on facilities.

All you have to do is look back at the past few years to realize the impact trust-based attacks have had on organizations. Organized groups have been using encryption keys and digital certificates to steal information for years, as they serve as perfect vehicles for sliding past defensive systems. Case in point: Stuxnet and Flame. These two well-known examples of malware took advantage of stolen and weak certificates. Why did the actors choose this method? Compromised certificates authenticated the malware on the network making it appear as if it was legitimate code. As a result, the infected operating systems allowed the installation of the malware without any warning.

The certificate-based attack problem is ongoing and growing. In April, the Common Computing Security Standards (CCSS) forum logged sixteen legitimate digital certificates associated with malware. In the grand scheme of things, this doesn't sound too bad, but when you take into account that an average of 200,000 new malicious programs are found every day, the use of legitimate certificates becomes a very real problem that organizations aren't ready to face. Cybercriminals have gone as far as setting up fake companies to deceive a public Certificate Authority (CA) into issuing legitimate certificates that could be used to distribute malware, as was the case with the Brazilian banking malware signed with a valid DigiCert certificate.

Does this mean that trust-based technology is broken? Not quite.
