Visiting to announce the Australian details of a new global report on Internet cybersecurity, Jeff Hudson, CEO of Venafi, Inc., said, “Every business and government department relies on the digital trust provided by cryptographic keys and digital certificates for secure communications and operations. Without the trust established by keys and certificates we’d be back in the internet ‘stone age’, not knowing if a website, device or mobile application is secured.”
He added that leading researchers from FireEye, Intel, Kaspersky, Mandiant and many others consistently identify the misuse of keys and certificates as a significant factor in cybercrime and advanced persistent threats.
The 2015 Cost of Failed Trust Report – the only research of its type to examine the Internet system of trust – was conducted for Venafi by the Ponemon Institute and as Dr. Larry Ponemon, chairman and founder of the Institute observed, “With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences. We couldn’t run the world’s digital economy without the system of trust they create.
“This research is incredibly timely for IT security professionals everywhere – they need a wakeup call like this to realise they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”
The survey questioned security professionals in Australia, France, Germany, the United Kingdom and the United States. Of the 2,400 organisations covered, 340 were in Australia and, of those, 59 per cent have more than 5,000 employees.
The main Australian sectors surveyed were: consumer products, financial services, government, professional services, retail and technology.
The report highlights that over the next two years, the potential total financial risk facing Australian enterprises from attacks on keys and certificates is expected to reach at least AUD $48.4 million. It also finds that Australian security professionals are most fearful of a ‘Cryptoapocalypse’-like event. Coined by researchers at Black Hat 2013, a Cryptoapocalypse is a scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight and would dwarf Heartbleed in scope, complexity, and time to remediate.
The breakdown of the $48.4 million was:
$20.5M Exploitation of weak cryptographic keys
$8.6M Mobility misuse
$8.4M Code Signing misuse
$6.2M Man-in-the-middle attacks
$3.1M Theft of SSH keys
$1.7M Theft of Server keys
Other headline findings for Australia included:
- Every questioned organisation said it had responded to multiple attacks against keys and certificates
- Of the 340 Australian organisations, 55 per cent conceded they didn’t know how many keys and certificates they actually have
- Of those that did know, the average number of keys and certificates present was 18,788; a 42 per cent increase on only two years earlier
- 60 per cent of Australian IT security professionals conceded they need to better manage keys and certificates to be able to respond to vulnerabilities such as Heartbleed
- 55 per cent agreed that trust established by keys and certificates is in jeopardy; that the way we create trust is broken; and that Gartner is right saying, “Certificates can no longer be blindly trusted”
Globally, The 2015 Cost of Failed Trust Report also revealed:
- As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 per cent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost USD$1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.
- Organizations are more uncertain than ever about how and where they use keys and certificates: Now, 54 per cent of organisations admit to not knowing where all keys and certificates are located and how they’re being used. This leads to the logical conclusion: how can any enterprise know what’s trusted or not?
- Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instant transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted.
- The misuse of enterprise mobile certificates is a lurking concern: Misuse for applications like Wifi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over USD$126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it’s no wonder why security pros are so concerned.
“With keys and certificates so broadly deployed and so integral to the future of the world’s digital economy, “said Jeff Hudson, “it must become a top priority for CEOs, boards of directors, and CISOs to better secure and protect them. With no replacement in sight, failure is not an option. New ways of thinking are required – like using certificate reputation now available with Venafi TrustNet.”
