
Study warns security certificates, cryptographic keys are in peril

A growing number of cryptographic keys and security certificates are being abused, according to a new study from cybersecurity firm Venafi and the Ponemon Institute.

According to a new study from the Ponemon Institute, rampant abuse of security certificates and cryptographic keys has pushed online trust to the breaking point.

The study, titled the 2015 Cost of Failed Trust Report, focuses on the growing enterprise use of cryptographic keys and security certificates, as well as the increasing threats and risks associated with those trust measures.

Underwritten by Venafi Inc., a cybersecurity firm based in Salt Lake City, the report surveyed more than 2,300 global security professionals and showed that the majority are greatly concerned about the condition of basic trust measures like SSL and enterprise certificates.

"More than half of the respondents of the survey say the security trust they rely on to run their businesses is in jeopardy," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

According to the research, 58% of security pros believe their organizations need to better secure keys and certificates to stave off man-in-the-middle attacks and other techniques used to steal or compromise them. At the same time, 54% admitted they didn't know where all of their organizations' keys and certificates were located.
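That last figure describes an inventory problem, and the first step toward fixing it is mechanical: find every PEM-encoded certificate and private key on a host, fingerprint it, and note which keys sit unencrypted with permissive file modes and which certificates have been copied to several places. The script below is an added example written for this page; it is not code from the report, from Venafi or from the Ponemon Institute, and it uses only the Python standard library. The directory layout, file names and PEM bodies it builds are constructed placeholders (the base64 payloads are not real keys or certificates), and the function names (`scan`, `summarize`, `classify`, `fingerprint`, `build_sample_tree`) are this example's own.

```python
import base64
import hashlib
import os
import re
import stat
import tempfile

# One PEM block; the label classifies it without decoding. Legacy PEM headers
# (Proc-Type, DEK-Info) appear inside the body, before the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}

def classify(label, body):
    """Return 'certificate', 'plaintext_key', 'encrypted_key' or 'other'."""
    if label == "CERTIFICATE":
        return "certificate"
    if label not in KEY_LABELS:
        return "other"
    # PKCS#8 encrypted keys have their own label; legacy PEM keys mark encryption
    # with a "Proc-Type: 4,ENCRYPTED" header line inside the block.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted_key"
    return "plaintext_key"

def fingerprint(body):
    """SHA-256 of the decoded DER bytes; header lines (containing ':') are skipped."""
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def scan(root):
    """Walk root; return one finding per certificate or private-key block found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            mode = os.stat(path).st_mode
            for m in PEM_BLOCK.finditer(text):
                kind = classify(m["label"], m["body"])
                if kind == "other":
                    continue
                try:
                    digest = fingerprint(m["body"])
                except ValueError:  # binascii.Error: body is not valid base64
                    digest = None
                findings.append({"path": path, "kind": kind, "sha256": digest,
                                 # group/other permission bits on a key file are a finding by themselves
                                 "group_or_world_readable": bool(mode & (stat.S_IRWXG | stat.S_IRWXO))})
    return findings

def summarize(findings):
    """Counts, exposed plaintext keys, and certificates present in more than one place."""
    by_digest = {}
    for f in findings:
        if f["kind"] == "certificate" and f["sha256"]:
            by_digest.setdefault(f["sha256"], []).append(f["path"])
    return {
        "certificates": sum(f["kind"] == "certificate" for f in findings),
        "plaintext_keys": sum(f["kind"] == "plaintext_key" for f in findings),
        "encrypted_keys": sum(f["kind"] == "encrypted_key" for f in findings),
        "exposed_plaintext_keys": [f["path"] for f in findings
                                   if f["kind"] == "plaintext_key" and f["group_or_world_readable"]],
        "duplicate_certificates": {d: paths for d, paths in by_digest.items() if len(paths) > 1},
    }

def pem(label, payload, headers=()):
    """Wrap constructed bytes as a PEM block; payload is a placeholder, not key material."""
    head = "".join(h + "\n" for h in headers)
    return f"-----BEGIN {label}-----\n{head}{base64.encodebytes(payload).decode()}-----END {label}-----\n"

def build_sample_tree():
    """Constructed stand-in for a host filesystem (assumption; every file is a placeholder)."""
    root = tempfile.mkdtemp(prefix="pki-inventory-")
    cert = pem("CERTIFICATE", b"placeholder, not a real X.509 certificate")
    legacy_enc = pem("RSA PRIVATE KEY", b"placeholder, legacy encrypted PEM",
                     headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF", ""))
    layout = {
        "etc/nginx/server.crt": (cert, 0o644),
        "etc/nginx/server.key": (pem("RSA PRIVATE KEY", b"placeholder, not a real RSA key"), 0o644),
        "home/dev/backup/server.crt": (cert, 0o644),   # the same certificate copied elsewhere
        "home/dev/.ssh/deploy.key": (legacy_enc, 0o600),
        "opt/app/service.p8": (pem("ENCRYPTED PRIVATE KEY", b"placeholder PKCS#8 key"), 0o600),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for item, value in summarize(scan(build_sample_tree())).items():
        print(f"{item}: {value}")
```

Run against the constructed tree it reports two certificates (one fingerprint in two locations), one plaintext key that is readable by group and world, and two encrypted keys. Pointed at `/` on a real host it produces the starting inventory the 54% are missing; matching each key to its certificate and reading expiry dates needs an ASN.1 parser or `openssl x509`, which is the natural next step once the locations are known.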


Bocek said the danger -- and the concern for security professionals -- is greater when it comes to mobile certificates because misuse of the credentials can provide access to Wi-Fi networks, corporate VPNs and even data protected by enterprise mobile device management systems. Illustrating the cause for concern, the study showed that 62% of respondents said their organizations could not detect anomalous mobile certificate usage.

"As you get into mobile devices, the risk of misuse of certificates goes up," he said. "Enterprise mobility certificates don't really do a good job validating SSL or TLS."

In addition, respondents indicated that the risk of certificate and key abuse will cost many of the world's largest firms a minimum of $35 million. The Ponemon study also showed that 60% of security pros feel enterprises must improve how they respond to threats or attacks against keys and certificates.

But Bocek also asserted that certificate authorities need to provide more transparency and do a better job vetting certificate purchasers in order to prevent misuse.

"The problem with certificate authorities," Bocek said, "is that no one really knows what's going on behind the scenes."

To that end, Venafi today unveiled a cloud-based reputation service designed to guard enterprises against cryptographic key and digital certificate abuse.

"We needed to develop a system that looks out for this kind of misuse of security certificates," Bocek said.

Called TrustNet, the real-time protection service notifies security teams when it detects anomalies and vulnerabilities associated with keys and certificates. It scores the reputation of the certificates by combining global sensor networks, data collection, analytics and tuned algorithms with the data from Venafi customers.

Venafi said TrustNet is available for customers this month.

Next Steps

Find out how certificate pinning improves certificate authority security

Learn how to defend against man-in-the-middle attacks



2 comments


It gets even worse, considering apps like Superfish on Lenovo laptops, which create their own certificates that are hidden from you and easily hackable.
First I was aware of this and it scares me that it's likely the tip of the iceberg. I don't think systems can ever be safe unless they are isolated, sandboxed and never connected to the Web. And that's not going to happen. I don't have a solution. Hmmmm.
