While each of the above exploits demonstrates the misuse of a digital certificate, the root of the failure is not the technology itself but the absence of proper controls over it. The cybercriminals behind these exploits understand that every unmanaged and unaccounted-for cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation.
The problem is systemic, and the exposure is significant. Over half of all enterprises don't know how many keys and certificates are in use, for instance. More than 60 percent of the organizations surveyed by Venafi at RSA 2013 would take a day or more to correct a CA trust compromise if they were attacked by digitally signed malware; it would take at least that long to respond to a compromised SSH key. Combine the inability to understand how trust is established with the incapacity to respond quickly when it breaks down, and you have the perfect environment for APTs and sophisticated attackers to launch their exploits. The financial impact of these exploits can hardly be exaggerated.
The average Global 2000 organization must manage in excess of 17,000 encryption keys, and most of the time those keys are managed manually. The first step in self-defense is to know thyself. Your organization is fully exposed to trust exploits and to the consequences of targeted, persistent attacks on intellectual property if it does not have a clear understanding of its key and certificate inventory. Cybercriminals can easily collect unencrypted data within the network, so internal data should be protected in the same manner as external data: by encryption.
The lifecycle of all cryptographic keys should be securely managed with an enterprise key and certificate management solution. It's no surprise that every organization surveyed by the Ponemon Institute for the 2013 Annual Cost of Failed Trust Report has had to respond to at least one attack on keys and certificates over the last two years.
Nearly 60 percent of survey respondents at RSA 2013 stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not necessarily security experts, were responsible for encryption keys and certificates. This situation can result in security breaches, unplanned outages, or audit and compliance failures. By enforcing longer key lengths, strong algorithms, frequent key rotation and short validity periods for certificates, you can reduce the threat surface.
Only through automated management can you respond fast enough to a compromise and limit significant reputational and financial damage. With APTs leveraging weaknesses in trust technology, it's critical to have visibility into and control of enterprise key and certificate inventories. Cybercriminals understand that the easy targets are those organizations that have little visibility into their threat surface and cannot respond quickly. As an industry, we need to gain control over trust and plug the gap related to key- and certificate-based exploits.
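The inventory-and-policy idea from the paragraphs above (know which keys and certificates you have, then enforce key length, algorithm, validity period and ownership) can be automated with a small audit over an inventory. The following is an added example written for this page, not code from the original article or from any vendor; the inventory records, policy thresholds, hostnames and audit date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (constructed for this example; set them to your own standard).
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MAX_VALIDITY_DAYS = 398          # roughly 13 months
EXPIRY_WARNING_DAYS = 30         # rotate anything expiring within a month
AUDIT_DATE = date(2013, 6, 1)    # constructed "today" so results are reproducible

@dataclass
class CertRecord:
    host: str
    owner: Optional[str]         # None means nobody is accountable for this cert
    key_type: str
    key_bits: int
    sig_alg: str
    not_before: date
    not_after: date

def check_record(rec: CertRecord, today: date) -> List[str]:
    """Return the policy findings for one inventory entry (empty list = compliant)."""
    findings = []
    if rec.owner is None:
        findings.append("no accountable owner")
    min_bits = MIN_KEY_BITS.get(rec.key_type)
    if min_bits is None:
        findings.append(f"unrecognised key type {rec.key_type}")
    elif rec.key_bits < min_bits:
        findings.append(f"weak key: {rec.key_type}-{rec.key_bits} below {min_bits}")
    if rec.sig_alg in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {rec.sig_alg}")
    if (rec.not_after - rec.not_before).days > MAX_VALIDITY_DAYS:
        findings.append("validity period exceeds policy")
    if rec.not_after < today:
        findings.append("expired")
    elif (rec.not_after - today).days <= EXPIRY_WARNING_DAYS:
        findings.append("expires within rotation window")
    return findings

def audit(inventory: List[CertRecord], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    return {r.host: f for r in inventory if (f := check_record(r, today))}

# Constructed sample inventory (hostnames and certificates are not real).
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", "web-team", "RSA", 2048, "sha256WithRSAEncryption", date(2013, 1, 1), date(2013, 12, 31)),
    CertRecord("legacy.example.test", None, "RSA", 1024, "sha1WithRSAEncryption", date(2010, 1, 1), date(2015, 1, 1)),
    CertRecord("api.example.test", "platform", "EC", 256, "ecdsa-with-SHA256", date(2013, 3, 1), date(2013, 6, 20)),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(host, "->", "; ".join(findings))
```

In practice the records would be populated by a discovery scan of hosts, key stores and CA issuance logs rather than typed by hand; the point is that every finding above maps to one of the controls the text calls for.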