
Study warns security certificates, cryptographic keys are in peril

A growing number of cryptographic keys and security certificates are being abused, according to a new study from cybersecurity firm Venafi and the Ponemon Institute.

According to a new study from the Ponemon Institute, rampant abuse of security certificates and cryptographic keys has pushed online trust to the breaking point.

The study, titled the 2015 Cost of Failed Trust Report, focuses on the growing enterprise use of cryptographic keys and security certificates, as well as the increasing threats and risks associated with those trust measures.

Underwritten by Venafi Inc., a cybersecurity firm based in Salt Lake City, the report surveyed more than 2,300 global security professionals and showed that the majority are greatly concerned about the condition of basic trust measures like SSL and enterprise certificates.

"More than half of the respondents of the survey say the security trust they rely on to run their businesses is in jeopardy," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

According to the research, 58% of security pros believe their organizations need to better secure keys and certificates to stave off man-in-the-middle attacks and other techniques used to steal or compromise them. At the same time, 54% admitted they didn't know where all of their organizations' keys and certificates were located.


Bocek said the danger -- and the concern for security professionals -- is greater when it comes to mobile certificates because misuse of the credentials can provide access to Wi-Fi networks, corporate VPNs and even data protected by enterprise mobile device management systems. Illustrating the cause for concern, the study showed that 62% of respondents said their organizations could not detect anomalous mobile certificate usage.

"As you get into mobile devices, the risk of misuse of certifications goes up," he said. "Enterprise mobility certificates don't really do a good job validating SSL or TLS."

In addition, respondents indicated that the risk of certificate and key abuse will cost many of the world's largest firms a minimum of $35 million. The Ponemon study also showed that 60% of security pros feel enterprises must improve how they respond to threats or attacks against keys and certificates.

But Bocek also asserted that certificate authorities need to provide more transparency and do a better job vetting certificate purchasers in order to prevent misuse.

"The problem with certificate authorities," Bocek said, "is that no one really knows what's going on behind the scenes."

To that end, Venafi today unveiled a cloud-based reputation service designed to guard enterprises against cryptographic key and digital certificate abuse.

"We needed to develop a system that looks out for this kind of misuse of security certificates," Bocek said.

Called TrustNet, the real-time protection service notifies security teams when it detects anomalies and vulnerabilities associated with keys and certificates. It scores the reputation of the certificates by combining global sensor networks, data collection, analytics and tuned algorithms with the data from Venafi customers.

Venafi said TrustNet is available for customers this month.
