
Is Your SSL/TLS Encryption Creating Security Blind Spots?


Businesses are increasing their use of SSL/TLS. This is being driven by the growth of cyberattacks as well as concerns and regulations over data privacy. Also, Google is prioritizing search results for sites using HTTPS, driving marketing teams across all types of businesses to support the expansion of encryption. While this increase in SSL/TLS provides privacy and authentication, it also creates a blind spot for enterprise security.

Gartner predicts 50% of network attacks will use SSL/TLS by 2017. Most organizations lack the ability to decrypt and inspect SSL traffic, which I highlighted in my earlier blog, Is Your SSL Traffic Hiding Attacks? This means your NGFW and threat detection won’t be able to see or protect against 50% of attacks. That’s a huge blind spot for enterprise security—and cybercriminals are taking advantage of this.

How does using SSL/TLS benefit the bad guys? Cybercriminals are using encryption against enterprises to conceal malware delivery, eavesdrop on communications, and exfiltrate data undetected—undermining layered security defenses. With the increase in SSL/TLS encryption, the ability to ensure every key and certificate is available for decryption, and then decrypt and inspect SSL/TLS traffic in real time, has become critical.

What do you need to do to eliminate this security blind spot? During the RSA Conference 2015, we’re spotlighting our partnership with Blue Coat. Together our solutions maximize decryption and uncover threats.

Blue Coat and Venafi

Here’s how the solutions work together in a nutshell:

  • Venafi TrustForce automates key and certificate provisioning and replacement
  • Venafi TrustForce automatically adds keys and certificates to the secure key store within Blue Coat SSL Visibility Appliance
  • Blue Coat SSL Visibility Appliance uses the keys and certificates for policy-enforced SSL traffic inspection
  • Venafi TrustForce ensures keys and certificates have strong authentication, are rotated regularly, and are replaced quickly in the event of a compromise

Having access to all keys and certificates for decryption means one less place for the bad guys to hide, infiltrate your network, and steal data. With Venafi, businesses maximize the amount of inbound encrypted traffic that can be decrypted and inspected by Blue Coat SSL Visibility Appliance and eliminate blind spots that are hiding in encrypted traffic.

Want to learn more about the protection this partnership provides? See our RSAC 2015 event schedule for upcoming times for the demonstration, Venafi / Blue Coat Remove SSL Blind Spots, at this year’s RSA Conference or read the technology partnership solution brief as part of the Venafi conference collateral at Venafi.com/RSAC2015.


Are You Smarter than a Hacker? Show Off Your Knowledge on Trust-based Attacks


This is the 4th year running that Venafi has hosted a game show at the annual RSA Conference. Participants get a chance to show off their knowledge of today’s threatscape and the latest methods of protection.

It’s been such a huge success that the RSA Conference site highlights last year’s game show on this year’s Expo and Sponsors web page.

So what are we doing this year? We’re holding the game show, “Are You Smarter than a Hacker?”


This is 15 minutes of dynamic fun with short videos and a real-time quiz. The bad guys have figured out how to misuse keys and certificates to elevate their privileges and hide their activity. However, most organizations are not equipped to detect or respond to these types of attacks. Do you know how they do it? Test your knowledge for a chance to win a $50 Amazon gift card awarded at every session.


We are also showcasing our new certificate reputation service called Venafi TrustNet. Stop by the booth and see how TrustNet is able to stop TLS/SSL-based attacks in a live demonstration.

When is your next chance to win? Visit us at booth #S1615 or check out the RSAC 2015 Venafi Event Schedule for upcoming game show and TrustNet demonstration times.

Data Protection Begins and Ends with Trusted Keys and Certificates


According to Gartner, encrypted traffic now comprises 15%-25% of total web traffic today. But for many businesses, it’s over 50%. The adoption of Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), to protect web traffic has contributed to our exploding reliance on the Internet for personal use and commercial business.

Our dependence on SSL/TLS continues to rise. Growing concerns and regulations over data privacy as well as the surge in cyberattacks are increasing use of SSL/TLS to encrypt data transmission and authenticate web servers, application servers, load balancers, and other applications.

In addition, Google has called for “HTTPS Everywhere.” As part of this effort, Google is prioritizing search results for sites that provide this secure, encrypted connection. With HTTPS providing better search ranking, even marketing departments across all types of industries are promoting an increase in SSL/TLS use.

But this upsurge in SSL/TLS usage could also be leading to business downfall. Why? Because this growth has also increased the misuse of SSL/TLS keys and certificates, resulting in cyberattacks and network outages. The hard truth is that pervasive SSL/TLS use is only effective if the SSL/TLS keys and certificates themselves are securely managed and protected.

The 2015 Cost of Failed Trust Report, published by the Ponemon Institute, analyzed the impact of attacks on digital trust. It reveals that today’s average enterprise holds almost 24,000 keys and certificates, but the real issue is 54% are unaware of how many keys and certificates they have in use, where they are used, and who owns them. As the use of SSL/TLS increases, this lack of visibility also causes an increase in certificate-related outages—disrupting the systems these certificates were meant to protect. These outages lower productivity and cause lost revenue, profits, and customers.

Here’s another startling fact from the Ponemon report: for four years running, 100 percent of the companies surveyed said they had responded to multiple attacks using keys and certificates. Gartner estimates that by 2017, 50% of cyberattacks will use SSL/TLS to sneak past enterprise security defenses. Unfortunately, many businesses have made it easy for the bad guys to use a company’s own defensive weapons, SSL/TLS keys and certificates, against it. The bad guys understand that organizations are struggling to enforce and automate policies and can’t keep track of what is trusted. If left unprotected, keys and certificates can be usurped by cybercriminals to evade detection and keep their activities cloaked.

Even with this evidence of increased outages and breaches, you can safely expand and rely on SSL/TLS to achieve data security and privacy—with the right key and certificate management and protection. Make it a priority to learn how to automate SSL/TLS key and certificate security and validation to ensure that your data and network resources stay safe. Here are a few steps you can take in the right direction:

  • Understand the data protection issues of increasing SSL/TLS usage
  • Learn the necessary tasks to address SSL/TLS key and certificate challenges
  • Develop key and certificate management and security strategies that ensure trust in your SSL/TLS systems

You can learn more about safely using SSL/TLS on our data protection solution page, or drop me a comment if you’d like to learn more about SSL/TLS key and certificate management and security solutions.

$600 Million Dollar Question: Is Your Company’s IAM MIA?


Today, an increasing number of Identity and Access Management (IAM) strategies include the cryptographic keys and digital certificates for SSL/TLS, SSH, mobile WiFi, and VPN access that authenticate and authorize servers, devices, software, cloud, and privileged administrators and users.

This move to expand the enterprise security perimeter is laudatory because it closes the gap between the authentication and authorization established by keys and certificates and the protection provided for other credentials, such as usernames and passwords. But, without proper management and oversight, cryptographic keys and digital certificates could break that security perimeter wide open. For many companies, their IAM for keys and certificates may be missing in action (MIA).

Unlike passwords and user IDs, which are controlled with layers of automated monitoring policies, certificates and keys have been blindly trusted with inadequate, siloed processes. In many companies, there is no centralized visibility, policy enforcement, or incident tracking and remediation.


According to the 2015 Cost of Failed Trust Report, published this year by the Ponemon Institute and Venafi, an average enterprise has almost 24,000 keys and certificates in circulation. But 54 percent of corporate security professionals surveyed in the report admitted that they have no idea where all of their keys and certificates are located. As a result, thousands of certificates go missing in action every year, a recipe for disaster. Those certificates establish trusted access to critical servers, applications, mobile devices and cloud instances at the highest level of privilege, creating a situation ripe for exploitation.

Ask yourself these questions:

Would your organization tolerate a security situation where 24,000 passwords and user IDs were floating around the company without any awareness, policies, or control? Probably not. But your organization may be doing just that when it comes to keys and certificates. Just like passwords and user IDs, keys and certificates need policies and automated controls covering rotation, validity periods, ownership, timely provisioning, and revocation. Instead, outdated approaches limit visibility and policy enforcement and increase the risk of misuse, exposing enterprises to compliance failures and costly data breaches.

So if you were an enterprise hacker, where would you focus your attack efforts? Cybercriminals have already answered this question for you. In the Ponemon research, security professionals estimated the total possible impact per organization for all attacks using keys and certificates to be almost $600 million and this is up 50% from 2013.

It’s time to apply the same diligence we devote to usernames and passwords to keys and certificates, by deploying enterprise-wide policies and automated controls. Try these best practices:

  • Protect
    • Create visibility by inventorying the certificates you have in use today and verifying their ownership
    • Establish enterprise-wide use policies
  • Detect
    • Monitor and detect for anomalies
    • Enforce policies and establish management control
  • Respond
    • Automate key and certificate issuance, renewal, and installation
    • Replace keys and certificates based on a regularly scheduled inventory and review process
    • Remediate by replacing keys and certificates in the event of a CA compromise or new vulnerability such as Heartbleed

These steps should give you a good starting point, but there’s plenty more you can do. You can read the Venafi solution brief, Close the Gaps in Identity and Access Management, or drop me a line if you’d like to learn how.

Take the Guesswork and Complexity Out of Your PKI Update


If your public key infrastructure (PKI) is like that of most companies today, it’s probably outdated. That can be a serious problem. Outdated PKI systems result in errors, missed updates, costly business interruptions, and even breaches. This is due to a lack of central visibility, consistent processes, and the refresh validation needed to streamline updates. Moreover, new security and compliance requirements and an evolving threatscape can make it costly and difficult to revamp PKIs.

Why is it so difficult and costly to refresh an outdated PKI? There are almost 24,000 keys and certificates in today’s average enterprise and 54% of security professionals admit to being unaware of where all of their keys and certificates are located, who owns them, or how they are used. In addition, establishing new root or intermediate CAs and distributing certificates to hundreds or thousands of applications and trust stores is incredibly time consuming, expensive, and error prone. Add to the mix differing, distributed applications and administrators unfamiliar with certificates, and the challenges quickly multiply.


But putting off a PKI refresh can open your business to outages and attacks. According to the Ponemon Institute, 100% of the Global 5000 surveyed have responded to attacks using keys and certificates and have had 2 or more certificate-related outages within the last 24 months. What does this mean in dollars and cents? Security professionals estimate that the total possible impact of an attack using keys and certificates is almost $600 Million and the total possible impact of a certificate-related outage is $15 Million. That’s a serious impact—even for the largest enterprises.

To stay protected from these costly and damaging incidents, you may want to consider adopting new PKI refresh standards and strategies:

  • Reduce certificate lifetimes to 3 months or less, as recommended by Google and others to reduce certificate risk exposure (but even Google recently let a certificate expire, showing that even the most security conscious organizations can struggle with key and certificate management and security)
  • Replace SHA-1 with SHA-2, due to potential attacks on SHA-1 certificates. (See NIST’s Policy on Hash Functions.)
  • Update digital certificate maintenance rules according to compliance regulations, such as the PCI DSS, and other security frameworks, such as SANS 20.
  • Develop new remediation strategies to apply following a CA compromise or new vulnerability (Venafi research shows that 3 out of 4 organizations still have not completely remediated the Heartbleed vulnerability).
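The best practices in the IAM post above (inventory with verified ownership, monitoring, scheduled replacement, remediation after a CA compromise) and the PKI refresh strategies just listed (lifetimes of 90 days or less, retiring SHA-1) can be expressed as a policy audit over a certificate inventory. The following is an added example, not Venafi code; the inventory records, hostnames, CA names and the 30-day expiry warning threshold are constructed assumptions.

```python
"""Certificate inventory policy audit: an added example, not Venafi code.

Applies the policies the posts list to constructed inventory records:
every certificate has a verified owner, lifetimes are 90 days or less,
SHA-1 signatures are retired, expirations are caught before they cause
an outage, and certificates chained to a compromised CA are replaced.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_LIFETIME_DAYS = 90       # "3 months or less", as the post recommends
EXPIRY_WARNING_DAYS = 30     # assumed operational threshold, not from the post
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


@dataclass(frozen=True)
class CertRecord:
    host: str
    issuer: str
    sig_alg: str
    not_before: date
    not_after: date
    owner: Optional[str] = None   # None: nobody has claimed this certificate


Finding = Tuple[str, str, str]   # (host, policy code, human-readable detail)


def audit(inventory: List[CertRecord], today: date) -> List[Finding]:
    """Evaluate every record against each policy; one finding per violation."""
    findings: List[Finding] = []
    for c in inventory:
        lifetime = (c.not_after - c.not_before).days
        if lifetime > MAX_LIFETIME_DAYS:
            findings.append((c.host, "lifetime",
                             f"{lifetime}-day lifetime exceeds {MAX_LIFETIME_DAYS}"))
        if c.sig_alg in WEAK_SIG_ALGS:
            findings.append((c.host, "weak-sig", f"signed with {c.sig_alg}"))
        if not c.owner:
            findings.append((c.host, "no-owner", "no owner recorded"))
        days_left = (c.not_after - today).days
        if days_left < 0:
            findings.append((c.host, "expired", f"expired {-days_left} days ago"))
        elif days_left <= EXPIRY_WARNING_DAYS:
            findings.append((c.host, "expiring", f"expires in {days_left} days"))
    return findings


def replace_after_ca_compromise(inventory: List[CertRecord],
                                compromised_issuer: str, today: date) -> List[str]:
    """Hosts whose still-valid certificate chains to the compromised CA.

    Expired certificates are omitted: they already appear as an outage
    finding and are a trust-store cleanup item, not a reissuance candidate.
    """
    return sorted(c.host for c in inventory
                  if c.issuer == compromised_issuer and c.not_after >= today)


# Constructed sample inventory (hostnames, CAs and dates are made up).
AUDIT_DATE = date(2015, 6, 15)
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", "Example Root CA", "sha256WithRSAEncryption",
               date(2015, 5, 1), date(2015, 7, 30), owner="web-team"),
    CertRecord("legacy.example.com", "Example Root CA", "sha1WithRSAEncryption",
               date(2013, 1, 1), date(2016, 1, 1)),            # unowned
    CertRecord("vpn.example.com", "Partner CA", "sha256WithRSAEncryption",
               date(2014, 9, 1), date(2015, 6, 30), owner="netops"),
    CertRecord("old.example.com", "Partner CA", "sha256WithRSAEncryption",
               date(2014, 1, 10), date(2015, 6, 1), owner="netops"),
]


def main():
    for host, code, detail in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{host:20} {code:9} {detail}")
    hosts = replace_after_ca_compromise(SAMPLE_INVENTORY, "Partner CA", AUDIT_DATE)
    print("replace after Partner CA compromise:", ", ".join(hosts))


if __name__ == "__main__":
    main()
```

Running it against the constructed inventory reports seven violations across three hosts and names only the VPN certificate for reissuance when the partner CA is treated as compromised.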

Manage and Validate Your PKI Refresh with Confidence

How do you implement all of these standards and strategies? With today’s fast changing threatscape and increasing use of digital certificates, successful PKI refreshes require complete visibility, enforced policies and workflows, automation, and validation.

Visibility: Most don’t have complete visibility into their PKI. But for successful PKI management, you need to identify all keys, certificates, CAs, and trust stores across your enterprise networks, the cloud, and multiple CAs.

Enforcing policies and workflows: To ensure consistency while updating your PKI, you need to enforce configurable workflow capabilities for replacement, issuance, and renewal. Also, a policy-enforced, self-service portal can be used to simplify certificate requests and renewals.

Automation of PKI: Automation is critical for PKI in today’s enterprises and should cover the entire CA and certificate refresh process, including the distribution and whitelisting of new CAs in trust stores.

Validating your progress: You should be able to track your progress and completion of your PKI refresh, validating that certificates are installed and applications are running.

With all of these requirements, does a PKI refresh sound like an impossible task? Believe it or not, you can now take the guesswork and complexity out of your next PKI refresh and reduce your risk. With the right solution for your PKI refresh, you can achieve complete visibility, enforce policies and workflows, automate processes, and validate progress. But don’t put this project off—it could literally cost you millions.

What do you consider to be the most critical PKI updates needed? Please share your experiences and thoughts.

Automate Key and Certificate Management for Optimized Application Delivery


Businesses rely heavily upon SSL/TLS certificates to encrypt data and authenticate systems and applications – both inside and outside the corporate network. The use of keys and certificates will continue to grow as businesses need to ensure appropriate access across servers and applications. In fact, the Ponemon Institute’s 2015 Cost of Failed Trust Report reveals that over the last two years, the number of keys and certificates deployed on network appliances, web servers, and cloud servers grew over 34% to an average of almost 24,000 per enterprise. This leaves enterprise IT environments challenged to secure and keep up with rising key and certificate deployments in the data center.


To ensure successful management of keys and certificates, organizations must gain visibility into every SSL/TLS key and certificate present, including those on network infrastructure solutions such as Application Delivery Controllers (ADCs). When strategically deployed throughout the data center, ADCs enable applications to be highly available, accelerated, and secure. However, most ADCs need to be manually configured to discover thousands of certificates in the network. System administrators need to generate keys and request certificates, as well as oversee installation and configuration. And with so many other network devices like NGFWs, IDS/IPS systems, and servers requiring access to keys and certificates, this process is burdensome, error prone, and can cause certificates to expire, which leads to network outages. Manual processes and the lack of a centralized key and certificate management system can limit operational efficiency and also leave gaps in security.

What do you need to do to optimize your ADCs and reduce your SSL/TLS security risk?

A10 Networks and Venafi have partnered to create a joint solution with the A10 Thunder ADC line and Venafi Trust Protection Platform that helps organizations automate the management and security of the entire certificate lifecycle process. Here’s how the Venafi and A10 Networks joint solution can help:

  • Avoid Outages with Complete Visibility
    When digital certificates expire, it disrupts the very systems they were installed to protect. These expirations often occur from a lack of visibility and 54% of enterprises admit to being unaware of how many certificates they have in use, where they are used, and who is responsible for them. The certificate expirations create outages which lower productivity and cause a loss in revenue, profits, and customers.

    To avoid certificate expirations and outages, Venafi TrustAuthority detects and monitors all keys and certificates across enterprise networks, the cloud, and multiple CAs. Having complete visibility can also provide a baseline to flag anomalies, policy violations, and misuse.

  • Enforce Policies and Workflows
    Venafi TrustAuthority provides automated workflows for issuance, renewal, installation, and validation to enable rapid, secure deployment of SSL/TLS keys and certificates. These policies and workflows also enable distribution of keys and certificates to your A10 Thunder deployments across the data center.

  • Automate Management and Security
    Venafi TrustForce enables automation with full end-to-end certificate provisioning and lifecycle control for complex ADC and load-balanced encryption environments such as your A10 Thunder ADC deployments. This lifecycle automation for A10 devices includes provisioning processes such as key generation, certificate signing request (CSR) generation, CSR submission, certificate authority (CA) approval, issued certificate retrieval, certificate installation, private key backup, and certificate renewal.

Want to learn how to leverage Venafi and A10 Thunder ADC to simplify certificate management? Check out our joint technology partner solution brief. Or you can watch the A10 Networks and Venafi joint webinar to find out how to optimize your ADCs and reduce SSL/TLS security risk.

Heal Your Broken Online Trust with an Immune System


In 2014, Keren Elazari, an expert Cyber Security Researcher, started speaking to us via her TED talk about how hackers are like the internet’s immune system. She has led the way in this concept and explained how they help and hurt, yet ultimately lead to a healthier, stronger network.

Assisting our immune system like inoculations, hackers give us a taste of a potentially larger problem and help us overcome the illness before it becomes unmanageable.

Venafi recently released a product called Venafi TrustNet. It was released to help monitor and measure the health of the internet, supporting encrypted traffic and authentication. Certificate misuse is at an all-time high. As we use more X.509 certificates to encrypt communications and authenticate entities, bad guys will only become more interested.

We’ve blindly trusted certificates, because we’ve lacked an immune system for the cyber realm to know what’s trusted or not. Now Venafi provides a way through TrustNet to establish a baseline of normal certificate use online and alert affected organizations if that baseline is broken, indicating potential certificate misuse. TrustNet allows immediate remediation through blacklisting. Then, as part of the Venafi Trust Protection Platform, organizations can use TrustAuthority to replace and revoke untrusted certificates and TrustForce to automatically complete the certificate and key lifecycle.

If you own a certificate that is being misused, revoke it. If someone is misusing a certificate, blacklist it. Just like Keren Elazari has mentioned, hackers are like our immune system by demonstrating illness. Venafi is the Immune System for the Internet™ that allows us to rapidly detect what shouldn’t be trusted and respond quickly. Hackers have repeatedly demonstrated that we have to do something right now to fix trust online, which is near the breaking point.

What are your thoughts about the Immune System for the Internet?

Are Your Partners Creating a Hole in Your Security?


No matter how secure your environment, cybercriminals will bypass your security defenses, making how quickly you can detect the breach and respond to mitigate the damage a critical component of your enterprise’s cyberdefense. But there’s a challenge—it’s not only your security you need to be concerned about, but your business partners’ as well.

One method that is growing dramatically in popularity with cybercriminals is compromising a target’s business partners. Your business partners may not have security practices that are as good as your organization’s defenses. Cybercriminals use a compromised business partner as a backdoor into your organization via an already trusted channel like a VPN. The Target breach last year is a good example of this approach.

To compromise businesses, cybercriminals are increasingly using keys and certificates to elevate their privileges and hide activity. By the end of 2014, attacks using SSL comprised 12% of network-based attacks according to Intel Security, and Gartner estimates that 50% of network attacks will use SSL by 2017. Using SSL enables cybercriminals to cloak their activities. This helps support Mandiant’s findings that most organizations do not internally discover they’ve been compromised—nearly 70% of victims are notified by an external entity that they have been breached.

But how are cybercriminals compromising business partners and how can organizations quickly detect and remediate these breaches? To better understand cybercriminal attack methods, Venafi teamed up with Raxis, an independent penetration testing firm, to reconstruct a current real-world attack that targeted and compromised a Global 100 bank with techniques that can be used effectively to breach many organizations today.


The breach reconstruction provides full details on how a large hacking group used a stolen private key that was purchased on the underground as part of a multi-chained attack to ultimately steal millions of customer records. The white paper provides details about the thriving underground marketplace where you can buy almost anything needed to compromise networks. It also provides an explanation on how the attack was architected and executed as well as guidance on how the breach could have been quickly detected and mitigated.

Read the full report here: Venafi.com/BankAPTAnalysis

For the last four years, Ponemon Institute has found that 100% of Global 5000 enterprises surveyed across 5 regions were impacted by attacks using keys and certificates. How does your organization detect and respond to attacks that use keys and certificates to elevate privileges and hide activity? How does your organization detect if a certificate is being used to misrepresent your brand on the internet?


Security Pros (Blindly) Trust Keys and Certificates


A Venafi Survey of Nearly 850 IT Security Professionals Finds Gaps in Detection and Response to Key and Certificate Vulnerabilities

Attacks on keys and certificates are unlike other common cyber attacks seen today. With a compromised or stolen key, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates provide the attackers with unrestricted access to the target’s networks and allow them to go undetected for long periods of time with trusted status and access.

And we’ve seen many recent instances of these types of attacks. From the GoGo man-in-the-middle (MITM) attacks to Lenovo’s Superfish vulnerability to FREAK and now the more recent LogJam flaw, cybercriminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious deeds.

The bad guys are able to take advantage of these new vulnerabilities, because most security systems blindly trust keys and certificates. In the absence of an immune system for the internet, enterprises are unable to determine what is “self” and trusted in their networks and what is not and therefore dangerous. Not knowing what is trusted and “self” or how to detect or remediate from attacks on keys and certificates keeps organizations open to breach and compromise.


In light of recent attacks on trust, Venafi conducted a survey of nearly 850 IT security professionals during the RSA 2015 Conference to see what they were doing to stave off breaches and establish better trust online. The data reveals that most IT security professionals acknowledge they don’t know how to detect or remediate quickly from compromised cryptographic keys and digital certificates—the foundation of trust in our modern online world.

Here are other important findings from the Venafi RSA study:

  • Respondents are ill informed on how to remediate a Sony-like breach involving theft of keys and certificates. Following a breach, more than three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches, and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.

  • IT security professionals don’t know how to protect keys and certificates and their organizations don’t have a clear understanding or strategy for doing so. When asked what their organizational strategy is to protect the online trust provided by keys and certificates, only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea, 14 percent said they are using a manual process to try to manage them, and 22 percent placed the responsibility elsewhere. Without a strategy and implemented security controls to protect keys and certificates, attackers can gain and maintain extensive access to the target’s networks and remain undetected for long periods of time with trusted status.

  • Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results showed that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they are using a combination of next generation firewalls, anti-virus, IDS/IPS, and sandboxes to detect these types of attacks. Both groups leave themselves open to additional attacks. According to Gartner, 50 percent of all inbound and outbound network attacks will use SSL/TLS by 2017. Bad actors understand that most security systems either trust SSL/TLS or lack access to the keys to decrypt traffic and find hidden threats. These security shortcomings create blind spots and undermine critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.

  • More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) to attacks on SSH keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys on all hosts if breached. Cybercriminals are exploiting the lack of visibility and control over SSH keys, which are used to authenticate administrators, servers, and clouds. Because SSH keys never expire, cybercriminals and insiders alike gain almost permanent ownership of systems and networks by stealing SSH keys.

The results of this study underscore what we at Venafi have been saying all along: IT security pros can no longer place blind trust in keys and certificates. We must realize that the keys and certificates we rely upon to establish trusted connections for everything IP-enabled today are in major jeopardy as attackers continue to misuse them to gain trusted status.

Just like the human immune system, Venafi learns and adapts as it works. Venafi identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects enterprise networks and brands.

Ultimately, if what our survey data says is true, and IT security professionals can’t secure and protect keys and certificates and respond more quickly to attacks that use them, online trust will continue to diminish with grave consequences, especially to the economy which relies heavily on online trust for commerce.

Examining the Impact of the OMB and Congress’ Moves to Add More Encryption and Address the CAs


On the heels of the U.S. government’s Office of Personnel Management (OPM) breach last week and other recent examples of cyber attacks involving the malicious use of keys and certificates, it’s not that surprising to see two major developments this week to increase encryption use and improve website security in general.

This week, the U.S. Office of Management and Budget (OMB) announced it would require federal agencies to use HTTPS. A day later, the House Energy & Commerce Committee sent letters to Apple, Microsoft, Google and Mozilla, asking them what they can do to limit or constrain certificate authorities (CAs) issuing certificates outside of their home domains. While they may seem unrelated, these two initiatives go hand in hand.

While the intention behind more encryption, ensuring the authenticity and privacy of federal websites, is good (and, ironically, exactly what Edward Snowden publicly called for two years ago), the OMB’s move to increase the use of HTTPS leaves significant gaps if it is not implemented alongside an immune system that protects the cryptographic keys and digital certificates. More encrypted traffic means the bad guys will have to use HTTPS themselves and either forge or compromise certificates to mount effective attacks.

First, this means that all federal agencies must be inspecting inbound traffic for threats as they move toward 100 percent encryption. At this point, no traffic can go uninspected, because cybercriminals will hide there for months, even years, completely undetected (can anyone say Careto?).

Second, agencies must be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks.

In its directive, OMB has yet to specify or mandate any type of key or certificate management system to ensure their proper care and protection. And there was no reference to the government’s own NIST guidance, issued two years ago, on preparing for a CA compromise. That’s why it was interesting to see Congress’ letter to the browser vendors about limiting or constraining certain CAs.

At Venafi, we've been saying for months that governments should be very concerned about who is trusted in our browsers and whether we can trust that any website is secure. That's why we applauded Mozilla and Google for blocking CNNIC, the Chinese CA, back in April.

At this point, any CA in the world, through fraud or compromise, could issue malicious certificates for .gov domains (as well as .com and others). We need to be able to ensure that CAs cannot mis-issue certificates or issue malicious ones that might end up being used as a weapon against the U.S. or its allies. While Google Certificate Transparency (CT) helps, it only covers the high-level extended validation (EV) certificates, and it doesn’t help with compromise and misuse after issuance. This is why Certificate Reputation is becoming increasingly popular.

What the U.S. OMB and Congress have done is important, and these are certainly positive steps in the right direction. The reality, though, is that we are now going to have more encrypted traffic, which makes the U.S. an even bigger target for cybercriminals who can hide in it and take on trusted status. Unless we use an Immune System for the Internet—one that can identify certificates, safely deliver them for use with SSL/TLS inspection, and detect and stop the misuse of certificates for governments and enterprises—we will remain extremely vulnerable to these types of attacks, which are increasing at an alarming rate (remember CHS, Sony, Heartbleed, POODLE and Shellshock?). What are your thoughts on the U.S. government’s attempts to better secure government websites and web services?

Businesses Need to Act Fast to Regain Online Trust

The Internet is the lifeblood of today’s business. Billions of dollars in market capitalization have been built on the back of innovation and productivity gains from the Internet and connected computing. However, the idea that security professionals believe online trust is near its breaking point will probably come as a bewildering thought to many companies going about their daily business, quietly confident that the Internet’s system of trust is working.

The truth is that businesses need to take their blinders off and face online security issues head on, instead of burying their heads in the sand. Shockingly, 100% of surveyed organizations have admitted being on the receiving end of multiple attacks on unsecured cryptographic keys and digital certificates in the past two years alone. Keys and certificates are the foundation of security and were put in place twenty years ago to solve the first Internet security problems: what can I trust online, and can I communicate privately? But we’ve lacked an immune system to keep them safe, know what’s trusted, and find and replace them when they’re not. If businesses do not take action, they’ll be unprepared for what security experts call a ‘Cryptoapocalypse’—when a discovered cryptographic weakness becomes the ultimate cybercriminal weapon, sending business into chaos.

We’ve already seen the warning signs. Last year, for example, Russian cybercriminals stole an SSL/TLS certificate from a top-five global bank. This enabled the cyber gang to impersonate the bank and steal 80 million customer records. In another case, SSL/TLS keys and certificates enabled hackers to steal data from 4.5 million healthcare patients. Leading industry researchers have identified the misuse of keys and certificates as a key part of an Advanced Persistent Threat (APT) and at the epicenter of cybercriminal operations.

The dire reality of the situation was uncovered in the 2015 Cost of Failed Trust Report, released by the Ponemon Institute. It is the first report of its kind to examine the Internet’s system of trust and what happens when this system breaks down. The report found that half of respondents acknowledged that the trust established by keys and certificates, the technology used to underpin trust and privacy online, is in jeopardy. What is more worrying is the other half, who are eschewing the issue of trust altogether.

Half of IT security professionals believe online trust is in jeopardy.

Can you find your keys and certificates?

With 54% of businesses unaware of the location of their keys and certificates, or how they are being used, it is easy to see how they, their customer base, and partners, fail to establish any trust online. Take away the trust created by keys and certificates, used for everything from online shopping and mobility, to banking and government, and we can see the Internet being hurtled right back into the ‘stone age’, where users have no way of knowing if a website or mobile application is actually secure. How much faith would that give you in doing business online?

The potential liability shouldn’t be underestimated. Over the next two years, the prospective financial risk facing a business from attacks on keys and certificates is expected to hit at least $53 million.

Take action now.

With the growing number of attacks on keys and certificates, businesses must see this as a wake-up call and realize that they can’t place blind trust in keys and certificates that are open to exploitation by cybercriminals. We’ll need an immune system to know what’s ours, trusted, or not. And as we move more and more to the cloud and DevOps environment, we need an immune system to scale up fast and tear down even faster, to keep everything safe and trusted.

The total number of keys and certificates used by the average business is over 23,000—up 34% from two years ago, thanks to an increase in deployment on web servers, network devices, and cloud services.

Over 23,000 keys and certificates in the average organization.

With no alternatives to keys and certificates available, the first priority is to make sure they are adequately protected. Businesses must make sure they know exactly where their keys and certificates are, fix any vulnerabilities, and make sure they are changed and replaced automatically.

Organizations need to put strict policies in place to know who they can, and cannot, trust. Before a certificate is issued a business should make sure it knows exactly how it will be used, who will own it internally, and if it fits into the existing security policy. And with more cloud and DevOps environments, we can only accomplish this with an immune system that’s machine-based to scale up and down in seconds.

Businesses must not forget to include enterprise mobile certificates in their cyber security policy. The misuse of these for applications such as WiFi, VPN and MDM/EMM is a growing concern, especially with an increase in mobile employees and the adoption of BYOD (Bring Your Own Device). Security professionals indicated that attacks using mobile certificates have the largest impact of all attacks using keys and certificates, with a total possible impact of $126 million.

Businesses should sweep the Internet regularly to see if there are any ‘spoofed’ or stolen certificates out there claiming to belong to them. Stolen certificates are now being sold for $1000 and more. This is such a big problem that Intel believes it will be the next big hacker marketplace. Each business’s immune system for its cyber realm should detect these issues and rapidly respond to anomalies as well as know how to fix and replace vulnerable keys and certificates quickly.

It is critical that organizations put broad cyber security controls in place. It’s not possible just to focus in on one type of security control. And, it’s critically important that the foundational elements for security, like keys and certificates, be secured first. Cybercriminals won’t question the size or sector of a business when they attack.

4 Ways to Arm Your Incident Response Team for Rapid Key and Certificate Remediation

Your network has been attacked and your security is compromised. Your incident response (IR) team goes to work trying to discover the cause of the breach and restore your organization’s equilibrium—the faster the better. Just how fast and how thorough that process is has a lot to do with the tools your IR team uses, particularly when it comes to cryptographic key and digital certificate security.

Most security controls blindly trust keys and certificates, allowing cybercriminals to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. The 2015 Cost of Failed Trust Report, published by the Ponemon Institute, confirmed just how widespread the problem is. Every Global 5000 company in the survey had responded to an attack involving keys and certificates within the last 24 months.

Breaches using keys and certificates put sensitive data in the wrong hands and damage corporate reputations. They also consume staff hours and result in lost operational and development time. IT security professionals who responded to the Ponemon Institute estimate the total impact of attacks using keys and certificates at almost $600 million. They also estimate a total risk for each organization of $53 million over the next two years.

Incident Response teams also have to respond to outages. With the increased use of keys and certificates, there are also more outages—all organizations surveyed had 2 or more certificate-related outages over the last 2 years with a total possible impact of $15 million per outage.

The Ponemon Institute report revealed other surprising facts. The average enterprise has over 23,000 keys and certificates, but 54% of security professionals admit that they don’t know where their keys and certificates are located, who owns them, or how they are used. With this lack of visibility it’s not surprising that 100% of organizations responded to attacks using keys and certificates as well as certificate-related outages. And when they respond to incidents, most companies try to get by with issuing new certificates but not issuing new keys, which leaves an organization open to continued breaches, outages, and exploitation.

Keys and certificates in incident response plans.

Without key and certificate security built into your IR plan, your IR team won’t be able to act quickly to determine the extent of the attack and bring your organization back to a trusted, secure state. Here are 4 ways to strengthen IR with key and certificate security controls.

  1. Ensure complete visibility
    • Identify all keys and certificates across networks, cloud instances, CAs, and trust stores
    • Map user access to servers and applications
    • Establish a baseline to identify misuse
  2. Enforce policies and workflows
    • Implement policy criteria for strong cryptography and key and certificate rotation
    • Enforce configurable workflow capabilities for replacement, issuance, and renewal
    • Track response progress with real-time dashboards and reports
    • Terminate access when needed, revoking all certificates associated with a user
  3. Automate management and security
    • Automate and validate the entire issuance and renewal process
    • Replace certificates in seconds, and remediate across thousands of certificates within hours following a certificate authority compromise or a new vulnerability such as Heartbleed
  4. Establish certificate reputation insight
    • Use global certificate reputation to identify certificate misuse such as stolen certificates used for spoofed websites
    • Remediate immediately through certificate whitelisting and blacklisting

Just like the human immune system, Security Operations and Incident Response teams need to be able to identify what is “self” and trusted and what is not and therefore dangerous. When key and certificate security is added to your incident response plan, you can identify which keys and certificates are trusted, protect those that should be trusted, and fix or block those that are not. With this security in place, you can quickly return the network to a trusted state while minimizing damages, downtime, outages, recovery time, and costs—all while protecting your network, your business, and your brand.

Has your IR team recently responded to attacks using keys and certificates? What approaches has your team found helpful to return to a secure, trusted state after these attacks?

Why Strategic Investors Support Venafi as the Immune System for the Internet With $39M New Funding

Today we are announcing that Venafi has received $39M in new funding from strategic investors: Intel Capital, Silver Lake Waterman, QuestMark Partners, Foundation Capital, Pelion Venture Partners, and Mercato Partners. These are a mix of new and existing investors who believe in and are passionate about the Venafi vision and support our mission to restore trust online by protecting the Global 5000 as the Immune System for the Internet.

Over the past 10 years, enterprises have become more complex and connected, and their security challenges have grown with them. The bad guys are ahead in this race. But Venafi helps enterprises defend against the bad guys and has continued to grow, from a 14-person startup to an international organization working from development centers and offices around the world.

Today, Venafi protects

  • 4 of the top 5 U.S. banks
  • 8 of the top 10 U.S. health insurance companies
  • 4 of the top 7 U.S. retailers

All of whom rely on Venafi as mission-critical security to protect their keys and certificates from misuse. We are their immune system for their cyber realm.

We pioneered the first and only technology to secure keys and certificates—the foundation of all cybersecurity—and protect them from the bad guys, and we have continued to evolve as the market leader. We’ve also assembled the world’s largest team of subject matter experts who know how attackers are going after keys and certificates within the Global 5000. Their expertise lets us understand how the bad guys use keys and certificates to gain trusted status and steal valuable data without detection, and how to protect against those threats.

We’ve built a technology stack that secures keys and certificates, whether in the cloud, on mobile devices, inside the firewall and/or in the Internet of Things. During the last 12 months, the most significant vulnerabilities and breaches, including Heartbleed, POODLE, Shellshock, and the attacks on Sony Pictures and others, demonstrate how unsecured keys and certificates provide the trusted status cybercriminals need to go undetected for long periods. Once authenticated with a stolen or forged key or certificate, the bad guys can further hide their activities by encrypting the malware they use against their targets and data they want to steal and exfiltrate from them.

The new funding allows us to accelerate development of the Venafi Trust Protection Platform™ to better support our fast growing customer base worldwide. The investment also demonstrates our investors’ understanding of the size of the problem and their commitment to helping solve it for the Global 5000. You can get perspective from Intel Capital’s Ken Elefant, who blogged about the funding announcement in a new posting “Why Intel Capital Believes in Securing the Foundation of Trust.”

We’ve also built an incredible leadership team with the vision and expertise to make a lasting impact on how the world approaches cybersecurity. And, like our leadership team, our current investors see that the world is changing. They know that the way that we used to think about Internet security and layering defenses isn’t enough anymore, and they want to be alongside Venafi as we develop new ways to secure and protect global enterprises.

The Immune System for the Internet: Protect Keys and Certificates

Venafi is the Immune System for the Internet. Just as humans have evolved a highly effective immune system that is constantly working to establish what is “self” and trusted, and what is “not self” and dangerous, this too must be applied to security. The human body tags all cells that belong. The human immune system continuously finds those that are not tagged and disables them. The Internet uses keys and certificates to tag what belongs. But before Venafi, there was no immune system to find those that don’t belong and disable them. This fundamental missing piece—the equivalent of an immune system—has allowed the bad guys to do amazing damage. Modern security solutions must be adaptive and responsive. They must operate like a living organism, always scanning for new threats and attacks, detecting that which doesn’t belong, and responding to keep the Internet and our intellectual property (IP) safe.

Unfortunately, as Gartner says, “We live in a world without trust,” and we haven’t had an effective way to defend against a new generation of cyber attacks—until now. With Venafi as the Immune System for the Internet—continually identifying which keys and certificates are trusted and which aren’t—we can secure and protect Global 5000 organizations from the most prevalent attacks today: attacks on the very trust provided by keys and certificates. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, business, and brand—and by doing so, we’re able to protect the e-commerce, intellectual property, and sensitive data that underlie all the largest enterprise organizations in operation today.

It’s an enormous task, but one that we meet enthusiastically. We’ll utilize this new investment to expand the Immune System, grow into new global markets, and to help Global 5000 enterprises continue to fight attacks on trust that are increasing exponentially each day.

Enterprises can no longer expect static defense mechanisms to protect them from the dynamic attacks that are launched against us every day. We must evolve. We must get smarter and stronger. We must implement an Immune System for the Internet—and we must do it now.

New PCI DSS v3.1 SSL/TLS Requirements—But Many Aren’t Compliant with PCI DSS v3.0

The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released in April 2015. Yet, many organizations are still not compliant with the PCI DSS version 3.0, which went into effect on January 1, 2015. Both versions introduced new requirements for cryptographic keys and digital certificates. While businesses may have a variety of reasons for not meeting the compliance requirements pertaining to keys and certificates, it certainly isn’t because the dangers have subsided. In fact, they’re on the rise.

In a recent Ponemon Institute report, 100% of the organizations surveyed said they responded to attacks using keys and certificates within the last 2 years. In response to the growing threat, the Payment Card Industry Security Standards Council (PCI SSC) has introduced stringent rules governing the security and management of keys and certificates.

PCI DSS v. 3.1

Just months after PCI DSS v3.0 went into effect, the new PCI DSS v3.1 was released, requiring that SSL and early versions of TLS be replaced to prevent man-in-the-middle attacks like POODLE. Organizations are no longer allowed to use SSL or early TLS with new systems, but have until June 30, 2016 to transition existing ones. This new mandate impacts the PCI DSS requirements that address encryption used to protect cardholder data and requires an enterprise-wide transition to TLS version 1.1 and higher on in-scope systems. The process for migration to TLS 1.1 and higher can be summarized in two steps:

Step 1: Search and Triage

  • Find online applications. This can be done by scanning network ranges on known ports.
  • Find applications that operate intermittently. This can require searching systems for cryptographic keys and digital certificates and mapping them back to applications.

Once the applications, and how each one processes cardholder data, are known, risk can be assessed and migration of specific applications can be prioritized.

Step 2: Migration

Migrating to TLS 1.1 and higher will require at least updating the configuration of affected applications. It may also require updating the application to a version that operates only with TLS 1.1 and 1.2.

As migration proceeds, teams should update scans to validate migration. These scans demonstrate progress and compliance, showing SSL, early TLS, and TLS 1.1 and higher usage.
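The two steps above, as an added Python example (not Venafi’s code or PCI SSC tooling): probe one in-scope host for each protocol version, then grade the result against the v3.1 rule. The target name is a placeholder and the probe needs network access; the grading function runs offline.

```python
"""Probe which SSL/TLS protocol versions a server accepts and classify the
result against the PCI DSS v3.1 rule (no SSL, no "early TLS"; TLS 1.1+ only).

Added example, not Venafi's code. The host name is a placeholder; the probe
itself needs network access, the classification does not.
"""
import socket
import ssl

# Protocol versions to try, oldest first. Whether the local OpenSSL build can
# even offer SSLv3 or TLS 1.0 varies; those probes then report "untestable".
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

# PCI DSS v3.1 treats SSL and "early TLS" (TLS 1.0) as unacceptable.
PROHIBITED = {"SSLv3", "TLSv1.0"}

# OpenSSL reasons that mean *our* side could not offer the version at all.
CLIENT_SIDE_REASONS = {"NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE"}


def _probe_one(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if the local library could not test it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol probe only: certificate checking is deliberately off so that a
    # bad certificate does not mask the answer. Never reuse this context for
    # real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Clear the legacy OP_NO_* blocks, then pin both bounds to one version.
        ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # Old versions need cipher suites that default security levels forbid.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # e.g. LibreSSL: keep the library defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        if getattr(exc, "reason", None) in CLIENT_SIDE_REASONS:
            return None   # our OpenSSL cannot speak this version: untestable
        return False      # handshake rejected: server does not offer it
    except OSError:
        return None       # connect failure, timeout or reset: could not test


def probe_tls_versions(host, port=443):
    """Map version name -> True/False/None for every version in PROBE_VERSIONS."""
    return {name: _probe_one(host, port, ver) for name, ver in PROBE_VERSIONS}


def classify(results):
    """Turn probe results into a PCI DSS v3.1 status.

    Returns (status, versions) where status is 'non-compliant' (a prohibited
    version is accepted), 'inconclusive' (a prohibited version could not be
    tested, so migration cannot be signed off yet) or 'compliant'.
    """
    offending = sorted(v for v in PROHIBITED if results.get(v) is True)
    if offending:
        return "non-compliant", offending
    untested = sorted(v for v in PROHIBITED if results.get(v) is None)
    if untested:
        return "inconclusive", untested
    return "compliant", []


if __name__ == "__main__":
    import sys
    # Placeholder target; pass a real in-scope host name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "cardholder-app.example"
    res = probe_tls_versions(target)
    print(target, res, classify(res))
```

Run it against each host found in Step 1 before and after migration; the per-version map is the evidence that the scan in Step 2 asks for.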

PCI DSS v. 3.0

However, most organizations still need to address the new key and certificate requirements in PCI DSS v3.0 as well. Here are the top regulations with a description of the impact to your organization’s security resources:

  • New requirement 2.4: Maintain an inventory of all in-scope system components.
    This includes all in-scope keys and certificates. But research by the Ponemon Institute shows that 54% of organizations don’t know where all of their keys and certificates are located, who owns them, or how they are used. On average, an enterprise has over 23,000 certificates floating around their network. Hunting down lost keys and certificates can be a long, painful, manual process.

  • Revised requirement 5 and new requirement 5.1.2: Protect all systems against malware and review periodically to see if protection has become necessary.
    PCI SSC wants to stress that even systems not commonly impacted by malware should be periodically assessed to determine if protection has become necessary. Organizations may view keys and certificates as uncommonly impacted by malware, but in truth, keys and certificates have become the attack method of choice. There has been a 700% growth in certificate-enabled malware from 2012 to 2015 according to Intel Security. Without first knowing where your certificates are located, it becomes impossible to protect them from misuse. A centralized platform, inventory, policy enforcement, continuous monitoring, and automated management are needed to keep keys and certificates secure.

  • New requirement 8.6: Certificates for authentication must be assigned to an individual account, not shared.
    Certificates enable strong authentication and PCI SSC wants to ensure their use and access are restricted. This regulation requires that organizations have strict usage policies in place to prevent the ambiguity of overlapping ownership and use.

  • Business as Usual (BAU) Processes: Security controls for compliance should also be part of the BAU security strategy.
    This is the PCI SSC’s way of ensuring that organizations maintain compliance on an ongoing basis. For keys and certificates, this requires that organizations adopt a centralized management and security platform with automated, ongoing monitoring and policy enforcement. Unfortunately, many organizations use legacy, error-prone, manual approaches or home grown scripts that make it difficult, if not impossible, to meet the new PCI DSS requirements governing visibility and security over keys and certificates—at best eating up weeks of time and taking significant resources.

Learn how Venafi is designed to make meeting the new PCI DSS requirements for keys and certificates easy at Venafi.com/PCI.

Last year, Securing Cryptographic Keys and Digital Certificates was a PCI SSC 2015 Special Interest Group (SIG) Finalist. This topic was not selected for 2015, but has been resubmitted for consideration as a 2016 PCI SSC SIG. Want key and certificate security as a PCI SIG? Let the PCI SSC know you’re interested! And drop me a comment if you’d like to participate.

The Real Big Story Behind July’s OpenSSL Vulnerability: Why Blind Trust in Certificates Needs to End

Certificate reputation services can end the risk that app developers face when validating certificates (a job they are not doing well)

The OpenSSL team has released a fix for a critical vulnerability that could allow an attacker to trick an application into trusting a forged certificate—lovingly called by some “OprahSSL” for its propensity to gift something valuable. Why is this so important? Why does it matter? The big story is not just this vulnerability: it’s the ongoing difficulty for apps to validate certificates and know what should be trusted.

FireEye found that 73% of the top 1,000 apps don’t even validate certificates. This lack of attention to checking what should be trusted and what shouldn’t got Fandango and Credit Karma a special 20-year relationship with the U.S. Federal Trade Commission (FTC). This occurred simply because their mobile apps didn’t validate certificates—meaning their mobile apps might be sharing credit card data and sensitive personal information with bad guys without a concern for the consequences. This is a problem not just for enterprise CISOs and IT security teams, but also for commercial app developers, fraud prevention, and chief privacy officers (CPOs).

Native iOS apps by default can’t even identify a website with a revoked certificate as being non-trusted

The OpenSSL vulnerability is a clear reason why certificate reputation, now available to enterprises with Venafi TrustNet, is so important. TrustNet uses advanced algorithms as well as big data and cloud-based intelligence to validate digital certificates rather than static code that, for even advanced security professionals or developers, is confusing, at best. The complexity and vulnerabilities like this one perpetuate the “blind trust” we place in certificates today.  We’ve been validating certificates in pretty much the same way for over 20 years—what do most professionals trust in cybersecurity that’s been done the same way for just 2 years, not to mention 20? Certificate reputation services like TrustNet dramatically reduce risk.

OpenSSL’s Certificate Validation Vulnerability

For details on versions affected and patches available, get the details from OpenSSL at https://www.openssl.org/news/secadv_20150709.txt.

Unlike Heartbleed, with this vulnerability, keys and certificates are not directly exposed and do not need to be rotated. The vulnerability impacts client applications validating certificates, such as a browser, VPN, or mobile application, that use the OpenSSL libraries for SSL/TLS sessions. It also impacts server applications, like a webserver or VPN, that authenticate digital certificates presented by client applications.

This vulnerability shows again why we need to know what certificates are in use and what certificates are trusted and where. And we need this everywhere—on our servers, desktops, and around the world on the Internet.

Exploiting the Vulnerability

To exploit the vulnerability, an attacker needs to obtain a private key for a certificate issued from a trusted certificate authority (CA). This could be a public third-party CA trusted across browsers and the Internet, or a private CA used and trusted inside your organization. The vulnerability allows the certificate associated with the obtained key to be used as if it were a CA, even though it’s not. This means any type of certificate from a webserver to a VPN certificate could now become a trusted CA issuer.

An attacker could then forge certificates for any domain, website, or user they’d like, including you and your businesses or government. This could prove useful in executing man-in-the-middle attacks, spoofing, spear phishing, and other attacks. And it’s easy to do: OpenSSL is the perfect tool to generate keys and sign a certificate.

It’s also easy to obtain a key from a trusted CA. Depending on the end target, I might just buy a certificate from a trusted third party. If I need the certificate to chain up under a specific CA and don’t want to/can’t buy one reputably, I can easily go to the underground market, where stolen certificates go for $1000 or more. Or, because thousands of Trojans support the collection and extraction of keys and certificates, the job is pretty easy.

Native iOS apps perform little to no checking as to whether a certificate is truly valid or not, unlike certificate reputation services like Venafi TrustNet

Certificate Reputation Ends the Age of Blind Trust

Today, using Venafi TrustNet certificate reputation APIs, you can validate if a certificate should be trusted or not. This is independent of the static code or rules that might later be vulnerable, like today with OpenSSL or other libraries. Offloading these decisions to an intelligent reputation system mitigates risks of these vulnerabilities in certificate validation that are complex and difficult for even the smartest developers. The TrustNet API can be called from any application, whether a mobile app or container-based service application in the cloud. It’s one API call that takes care of all decisions about certificate chain validation, trust, validity, fraud, and vulnerabilities. Amazing! That’s the power of Venafi as the Immune System for the Internet.

Additionally, with Venafi you can discover what certificates are in use and what CAs are trusted across your organization and then whitelist or blacklist CAs. You can then enforce a policy to not trust particular CAs that your business or government finds untrustworthy, like the Chinese CA CNNIC.
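The two controls just described, full validation instead of blind trust and an organization-level CA allow/deny policy, as an added Python example using only the standard library (not Venafi TrustNet code; the issuer names and the sample getpeercert() dictionary are constructed placeholders):

```python
"""Added example (not Venafi's code): a TLS client that verifies the chain
and hostname, plus an issuer policy check applied to the presented
certificate. Issuer names and the sample certificate are constructed."""
import socket
import ssl


def build_strict_context(extra_ca_bundle=None):
    """Context that verifies the chain AND the hostname and never speaks SSL
    or early TLS. The 'blind trust' anti-pattern the post describes is the
    opposite: check_hostname = False and verify_mode = ssl.CERT_NONE."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if extra_ca_bundle:                          # a private CA your org operates
        ctx.load_verify_locations(cafile=extra_ca_bundle)
    return ctx


def _rdn_values(name, attr):
    """All values of `attr` (e.g. 'organizationName') in a getpeercert()-style
    distinguished name: a tuple of RDNs, each a tuple of (type, value) pairs."""
    return [value for rdn in name for (kind, value) in rdn if kind == attr]


def issuer_policy_decision(peercert, denied_issuers=(), allowed_issuers=None):
    """Apply an organization-level CA policy to the certificate a peer presented.

    `peercert` is the dict returned by SSLSocket.getpeercert().
    - an issuer organization on `denied_issuers`            -> 'deny'
    - `allowed_issuers` given and the issuer not on it      -> 'deny'
    - otherwise                                             -> 'allow'
    Returns (decision, reason). Chain validation has already happened in the
    handshake; this is the extra policy layer on top of it.
    """
    orgs = _rdn_values(peercert.get("issuer", ()), "organizationName")
    if not orgs:
        return "deny", "issuer has no organizationName"
    for org in orgs:
        if org in denied_issuers:
            return "deny", "issuer %r is on the deny list" % org
    if allowed_issuers is not None and not any(o in allowed_issuers for o in orgs):
        return "deny", "issuer %r is not on the allow list" % orgs[0]
    return "allow", "issuer %r permitted by policy" % orgs[0]


def connect_with_policy(host, port=443, denied_issuers=(), allowed_issuers=None):
    """Handshake with full verification, then apply the issuer policy.
    Returns (decision, reason). Needs network access."""
    ctx = build_strict_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()   # populated only after successful verification
    return issuer_policy_decision(cert, denied_issuers, allowed_issuers)


# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.gov"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Untrusted Example CA"),),
               (("commonName", "Untrusted Example CA Root"),)),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    print(issuer_policy_decision(SAMPLE_CERT, denied_issuers={"Untrusted Example CA"}))
```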

All of these reasons are why Venafi as the Immune System for the Internet is critical to protecting the world’s economy today and in the future. Outside of Venafi there is no system that understands what should be trusted, what is trusted, and can fix it—whether inside the enterprise or outside across the Internet.

Like to learn more and continue the conversation? Drop me a note.

Poor Privileged Access Management Poses Big Security Problems

With endless headlines touting the latest costly security breach, you would think that enterprises would be scrupulous about guarding the “keys to their kingdom.” Think again. The keys to the enterprise kingdom I’m talking about are secure shell, or SSH, keys. SSH is a cryptographic security protocol used to connect administrators and machines, allowing users or applications to gain secure remote access to another system. The kingdom, of course, is your valuable corporate IT assets. Users bearing SSH keys have the highest level of rights and privileges. But what if those users aren’t who they say they are? And, what if those users are bent on harm?

All enterprises rely on SSH keys to authenticate and provide privileged access for administrators, applications, and virtual instances in data centers and the cloud. But even though SSH keys provide root access to critical systems, they are governed by weaker policies than those tolerated for much lower levels of access, such as passwords. A recent survey by the Ponemon Institute canvassed over 2100 security professionals working in the U.S., U.K., Germany, and Australia—countries typically considered to be at the forefront of security practices. The results were disturbing.

System Administrators SSH Keys

Most organizations have an over-reliance on system administrators, not IT security, to self-police SSH keys. As a result, organizations are unable to identify how many SSH keys they have, who uses them, and what they access. In many companies, busy department administrators are charged with deploying and protecting SSH keys on the systems owned by their department. This creates a partitioned security structure with no ability to centralize visibility, policy enforcement, or incident tracking and remediation.

In the Ponemon Institute survey, 53% of organizations admitted they lack centralized control over their SSH key usage and access policies, and 60% are unable to detect the introduction of new SSH keys into their network. This lack of visibility hinders policy enforcement and detection of SSH key security issues.

Unlike passwords or X.509 certificates, plain SSH keys carry no expiry date, so a key that is never rotated is a perpetual credential. Yet the Ponemon survey shows that a surprising 82% rotate their SSH keys no more often than every 12 months, far longer than the 60-90 day policy applied to passwords, which typically grant less privileged access. This weak policy enforcement is having dire consequences. Over half of the organizations surveyed responded to a security incident related to SSH key misuse within the last 2 years. And those were the people willing to admit it. The sad reality is that the real percentage is likely much higher.

The manual approaches and customized scripts that enterprises are using to manage their SSH keys are not protecting their businesses. In the survey, of those that use homegrown scripted solutions to manage SSH keys, 54% were still compromised by rogue SSH keys on their networks—a clear indication that these solutions cannot detect anomalies in SSH key usage.

But there’s a silver lining to this storm cloud. A Forrester Research paper, Gaps in SSH Security Create an Open Door for Attackers, provides five steps you can take right now to regain control of your SSH-based privileged access management:

  1. Centralize control and visibility for all SSH hosts in the data center and cloud to effectively enforce policies for all enterprise SSH keys.
  2. Establish a baseline of normal key usage—including where keys are located, how they are used, who has access to them, and what trust relationships have been established within your network.
  3. Regularly rotate SSH keys using lifecycle periods similar to other credentials (e.g. 60-90 day password lifecycles) to increase their security.
  4. Continuously monitor SSH key usage across the network to identify and neutralize any rogue usage.
  5. Remediate vulnerabilities by ensuring that server and SSH key configurations adhere to common best practices, such as using 2048-bit key lengths or higher as recommended by NIST.
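As an added example, not code from the original post or from Venafi or Forrester, here is a small Python audit that walks the five steps above against a single host's authorized_keys file: it inventories the keys, fingerprints them the way OpenSSH does (SHA256 over the decoded key blob, base64 without padding), takes a baseline of approved fingerprints, and then reports keys that were not in the baseline (rogue) and RSA keys below the 2048-bit floor (weak). The authorized_keys content is constructed inline and the RSA moduli are synthetic numbers of the right length, not real keys; the function and constant names are my own.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

MIN_RSA_BITS = 2048  # the NIST-recommended floor that step 5 refers to


@dataclass(frozen=True)
class SshKey:
    key_type: str
    bits: int
    fingerprint: str   # OpenSSH style: "SHA256:<base64 without padding>"
    comment: str


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_bits(blob: bytes):
    """Return (key type, security-relevant bit length) of a decoded public key blob."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)     # mpint e (public exponent)
        n, _ = _read_string(blob, off)        # mpint n (modulus)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)    # e.g. b"nistp256"
        return ktype, int(curve.decode()[-3:])
    return ktype, 0                           # unknown type (e.g. sk-*): review manually


def parse_authorized_keys(text: str):
    """Step 1, inventory: parse authorized_keys lines into SshKey records.
    An options prefix such as from="10.0.0.0/8",no-pty is skipped by locating the
    key-type token; options containing quoted spaces are not handled here."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
        blob = base64.b64decode(fields[idx + 1])
        ktype, bits = key_bits(blob)
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        keys.append(SshKey(ktype, bits, fp, " ".join(fields[idx + 2:])))
    return keys


def build_baseline(keys):
    """Step 2: the set of fingerprints that were known and approved at baseline time."""
    return {k.fingerprint for k in keys}


def audit(keys, baseline):
    """Steps 4 and 5: keys absent from the baseline (rogue) and RSA keys below the floor (weak)."""
    findings = {"rogue": [], "weak": []}
    for k in keys:
        if k.fingerprint not in baseline:
            findings["rogue"].append(k.fingerprint)
        if k.key_type == "ssh-rsa" and k.bits < MIN_RSA_BITS:
            findings["weak"].append(k.fingerprint)
    return findings


# --- constructed sample data (synthetic blobs, not real keys) -----------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # Big-endian with one spare byte so the sign bit is always clear, as OpenSSH encodes it.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_rsa_blob(bits: int) -> bytes:
    """ssh-rsa wire blob whose modulus is 2^(bits-1)+1: right length, not a usable key."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)


def make_ed25519_blob() -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys from one host",
    "ssh-rsa " + base64.b64encode(make_rsa_blob(2048)).decode() + " deploy@build01",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(make_rsa_blob(1024)).decode() + " legacy-backup",
    "ssh-ed25519 " + base64.b64encode(make_ed25519_blob()).decode() + " contractor-laptop",
])


def run_sample():
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    baseline = build_baseline(keys[:2])   # the contractor key appeared after the baseline was taken
    return keys, audit(keys, baseline)


if __name__ == "__main__":
    for kind, fps in run_sample()[1].items():
        print(kind, fps)
```

Rotation (step 3) is not visible in authorized_keys itself, because the file stores no creation date; in practice the baseline should record when each fingerprint was first seen so that keys older than the rotation period are flagged alongside rogue and weak ones. Across a fleet, run the parser over every user's authorized_keys on every host and merge the results keyed by fingerprint, so that one key trusted on many hosts shows up as a single identity with many trust relationships, which is exactly the map step 2 asks for.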

These 5 steps represent a good starting point, but there’s a lot more you can do. You can learn more on the Venafi solution webpages at Venafi.com/PrivilegedAccess and Venafi.com/SSHAudit. Drop me a comment and let me know what other SSH security practices you’d recommend to other security professionals.

Black Hat Briefings on Cryptographic Keys and Digital Certificates

Black Hat USA 2015 is right around the corner and it’s time to start planning which briefings to attend.

Here at Venafi, we’re interested in sessions on protecting cryptographic keys and digital certificates. Keys and certificates are the foundation of online trust, but cybercriminals, hacktivists, and nation states are misusing them to gain unauthorized access and hide their actions.

Venafi and Blue Coat security experts will be conducting briefings that cover 3 different cybersecurity topics and, if you register in advance for a session, you'll receive a $30 Amazon gift card when you attend. We have also identified other sessions that bear on key and certificate security. Check out the briefings we've added to our dance card for this year's Black Hat.

Venafi is a BlackHat USA 2015 Sponsor

Venafi Cybersecurity Briefings

  1. Your Threat Detection Strategy is Only 50% Effective
    While SSL/TLS provides privacy and authentication, it also creates a blind spot for enterprise security. Most organizations lack the ability to decrypt and inspect SSL traffic and bad guys are taking full advantage. This session, co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate security blind spots. Register here.

  2. Advanced Attacks, Encryption, & Certificate Reputation
    As private encryption keys are now sold on the underground marketplace for circa $1000 each, it has become easy for hackers to breach even the most security conscious organizations. This session demonstrates how certificate reputation services are designed to identify and stop certificate misuse globally. Register here.

  3. Are Certificate-related Outages Impacting Your Business?
    We rely on digital certificates and cryptographic keys for data protection and authentication. But as security instruments, certificates can, and do, expire, bringing down systems and blocking access to servers, websites, and potentially dozens of critical downstream services. Attend and learn how to eliminate outages caused by expired certificates and reduce your security risks. Register here.

All registered attendees for Venafi briefings will also have a chance to win a $100 Amazon gift card per session. To check out what else Venafi is doing at Black Hat, visit Venafi.com/BH2015.

At Black Hat, we also want to hear what other thought leaders have to say about ensuring keys and certificates remain secure and continue to enable online trust. We’re looking forward to the following sessions:

  • Back Doors and Front Doors Breaking the Unbreakable System
    Governments are demanding backdoor access to encrypted data to support criminal and national security investigations, but this is opposed by privacy advocates. This briefing discusses if government agencies could be given backdoor access to encrypted data without weakening encryption systems.

  • Breaking HTTPS with BGP Hijacking
    Many believe BGP hijacking is not a significant threat, because the resulting man-in-the-middle attack cannot decrypt or break into an encrypted connection. But this briefing will show how the trust that SSL/TLS PKI places in internet routing can be exploited and how to prevent it.

  • Faux Disk Encryption: Realities of Secure Storage on Mobile Devices
    With the number of mobile users now surpassing the number of desktop users, this briefing discusses mobile device security and how it must go beyond full-disk encryption to protect against most attacks types. The session will present other secure storage techniques for both iOS and Android.

  • Certifi-gate: Front-Door Access to Pwning Millions of Androids
    Learn how a vulnerability within the Android customization chain can be exploited to access unsecure apps and gain access to any device. This will include information on how hash collisions, IPC abuse, and certificate forging can grant malware complete control of a device.

  • TrustKit: Code Injection on iOS 8 for the Greater Good
    See how TrustKit, a new open-source library for iOS, provides universal SSL public key pinning that the developers call "drag & drop SSL pinning." The library leverages new iOS 8 rules regarding dynamic linking and will be available for deployment by attendees.

  • Bringing a Cannon to a Knife Fight
    Bulletproof yourself against China’s Great Cannon which intercepts traffic as a man-in-the-middle proxy and turns global visitors to Chinese sites into the world’s largest botnet that carries out attacks on sites deemed a threat to the Chinese Communist Party. Learn how the Great Cannon works, about the timing of its release, why it was used to attack the Github repos, and how it will change as HTTPS and DNSSEC become more widely used.

Are there other sessions at Black Hat that address cryptographic keys and digital certificates that you plan to attend? Thoughts about any of these upcoming briefings? Drop me a comment.

Meet Us at Black Hat 2015: Blue Coat and Venafi Security Experts Discuss How to Combat SSL/TLS Encry

It’s going to be an exciting week at Black Hat USA 2015 and we are certainly looking forward to it!  Venafi is teaming up with Blue Coat to conduct a technical briefing at Black Hat on how to eliminate SSL/TLS encryption blind spots.  Gartner believes that by 2017, more than 50% of the network attacks, both inbound and outbound, will use encrypted SSL/TLS communications.  And why is that? Well, attackers today are focusing on hiding in SSL/TLS traffic because they know that most network security solutions are “blind” to SSL/TLS traffic.  The majority of organizations blindly trust encrypted communications and don’t, or can’t, decrypt traffic. This means they can’t assess and block threats that leverage SSL/TLS.

Blue Coat and Venafi at Black Hat

How bad is the problem? According to Gartner, less than 20% of organizations with a firewall, IPS, or UTM appliance decrypt SSL traffic. That means 80% of these organizations might be allowing cybercriminals to leverage SSL/TLS tunnels to sneak malware into their network, hide command-and-control traffic, and pilfer sensitive data.

The reason for this security blind spot is two-fold: (1) security systems can't inspect encrypted traffic, or their performance can't keep up when they try; and (2) security systems lack the cryptographic keys and digital certificates from across the network that are needed to decrypt SSL/TLS traffic. One caveat worth knowing before you hand keys to an inspection device: a copy of the server's private key only lets a passive appliance decrypt sessions that use RSA key exchange. With (EC)DHE cipher suites, which provide forward secrecy, the session keys never derive from the server key, so the inspection device must terminate the TLS session itself (inline, as a proxy) to see plaintext. Either way, the inability to inspect SSL/TLS encrypted traffic undermines traditional layered defenses and increases the risk of a data breach and data loss.

What do you need to enable SSL/TLS decryption and threat inspection?  The Black Hat 2015 briefing, Your Threat Detection Strategy is Only 50% Effective,  co-presented with Blue Coat, provides guidance on how SSL/TLS impacts security controls and how you can eliminate SSL/TLS security blind spots. Go to Venafi.com/BH2015 to register for the briefing.  Together, Venafi and Blue Coat solutions maximize SSL/TLS decryption and uncover threats. 

And if you pre-register, you’ll get a $30 Amazon gift card when you attend as well as a chance to win a $100 Amazon gift card per session.

Drop me a line if you want to learn more. I hope to see you there!

Contemplating Health Analogies in Cyber Security & Why We Need The Immune System for the Internet™

Over the past 30 years, we’ve seen many health analogies used across the entire cyber security industry. If you think about it, it does make a lot of sense: just as viruses make humans sick, they too can also make computers sick and as a result, networks are disrupted or even shut down. To combat the problem of viruses, companies like Symantec and McAfee developed anti-virus solutions and a whole new industry was born.

Today, computer viruses have evolved into sophisticated malware and advanced persistent threats (APTs) that antivirus and other signature-based technologies simply cannot detect. While new markets and perimeter-based security technologies have been developed to help detect APT-like threats (IDS/IPS, NGFWs, DLP and more), hackers have upped their game and now use the foundation of the Internet and of cybersecurity, cryptographic keys and digital certificates, to evade detection, spoof websites, and carry out their attacks to steal sensitive data. Keys and certificates run on everything, including IoT devices, mobile phones, clouds, even airplanes and cars, and we blindly trust them. Unfortunately, certificate misuse by hackers is at an all-time high and it's only getting worse. As we use more certificates to encrypt communications and authenticate entities, bad guys will only become more interested in abusing them.

At Venafi, we have been saying for months that Global 5000 organizations and federal governments need The Immune System for the Internet™ because online trust is severely broken.

Humans have evolved a highly effective immune system. It’s always turned on, working to authenticate what is “self” and trusted and what is not self and dangerous. Unfortunately the same cannot be said of the cyber realm—there’s no effective immune system to defend against a new generation of cyber attacks—until now.

Websites, servers, mobile devices, and software are marked as “self” and “trusted” using cryptographic keys and digital certificates. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, mobile devices, and system administrators, and decrypt communications thought to be private. There’s no system today that constantly assesses keys and certificates to determine if they should be trusted, and that adapts to changing threats.

Just like your immune system, The Immune System for the Internet provided by Venafi learns and adapts as it works. It identifies what keys and certificates are trusted and those that need to be replaced. It keeps keys and certificates secured to your policy and replaces them automatically. It scales keys and certificates up and down to meet demand. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response, just like an immune system, that protects your network, your business, and your brand.

So while comparing and making health analogies about cyber security is not necessarily new, Venafi as The Immune System for the Internet is—because it allows us to rapidly detect what shouldn’t be trusted and respond quickly, which is exactly what our immune system does, and what we need to do to stay ahead of the cyber criminals. Venafi is The Immune System for the Internet that protects the foundation of all cybersecurity—keys and certificates—so they can’t be misused by bad guys. Let me know if you’d like to discuss details on how we can help.

IT Security:  ♫ It’s all About the Basics, ‘Bout the Basics, No Trouble ♫

Okay—stop laughing, everyone (and I mean everyone) knows I am no singer, but IT Security professionals really need to ensure they have the basics in place and I liked the attention this title brought to light as the foundation for this blog.

As I think back over the high-profile (and some of the not so high-profile…) hacks and breaches that have occurred over the last 18 months, I asked myself:

  • How many have been the result of the smartest, most ingenious hackers in the world?
  • How many have happened because someone just did something by accident?
  • How many have happened just because they didn’t have visibility into their network and security dashboards?

As I sat down and did some research and consulted with my peers around the world, I came to this conclusion: we are truly neglecting the security basics and need to get back to them fast. So what are the basics exactly?

Step #1 Take Careful Inventory of Your Assets and Software: You can’t protect what you don’t know you have and many organizations often skip this basic but fundamental step. I’ve seen several instances of this recently while working with companies to improve their key and certificate security. Many companies simply do not have a complete inventory—they have no idea how many keys and certs they have or how they are being used or misused. In a recent survey that Venafi commissioned with the Ponemon Institute, the results revealed that the average enterprise has almost 24,000 keys and certificates and 54 percent of security professionals admit to being unaware of where all of their keys and certificates are located. This is just one example, but it underscores the reality that organizations need a good inventory of ALL IT assets, identities, hardware, keys and certs, and software.

Almost 24,000 Keys and Certificates per Enterprise

Step #2 Establish A Trusted Baseline: Organizations need to establish and update a known good state, or baseline. Baselines can be used to identify when security issues arise and provide a means to return the organization back to a known good state after a breach.

A few years back, I read an article with an analogy that struck me. It reworked the old saying about trying to find something that seems impossible, "It's like finding a needle in a haystack," into something more relevant, and it has held meaning for me ever since: "You don't need to know what the needle(s) look like; you just have to know what the hay looks like. You take all the hay out and only the needle(s) are left."

So how does this relate to baselining? If you take the known good out (your current baseline), then you’re left with the needle(s).  Those needles can be good or bad, but now you know about them and can take proper action, and are able to begin remediation or restore to a known good state.

Step #3 Deploy a Strong Security Foundation: Once you have a complete inventory and you know what you need to protect, the next step is to deploy a good security foundation to build upon. Today, many companies are spending money on expensive “Next-Gen” or “Threat Intel” solutions and are not putting enough emphasis on the basics. You need to know what you have in order to protect it. There are many guidelines out there such as the SANS 20 Critical Security Controls. SANS starts with an “Inventory of Authorized and Unauthorized Devices, and Inventory of Authorized and Unauthorized Software”—obviously to my earlier point, visibility into your inventory is crucial. There are many other standards, guidelines, etc. out there, and it is up to you to determine what you want to work with for the regulations that you must comply with in your industry.

Step #4 Beef Up Your Detection: We tend to become overly invested in and overly reliant on our preventative capabilities to mitigate cybersecurity threats. This is often at the cost of good detection capabilities. In addition to inventories and baselines, IT security teams need to establish strong processes and procedures in incident response plans, triage/analysis tactics, and log monitoring. When there is a breach, organizations need to be able to quickly identify anomalous behavior and remediate, and to return the systems/networks to a good, trusted state while minimizing damages, recovery time, and costs. This need for detection applies across all technical, administrative, and procedural domains regardless of whether the compromise impacts hardware, software, user IDs, privileged access, keys and certificates, or any other IT security asset.

When was the last time you tested your incident response plans? People come and go; processes are always changing, and those changes need to be taken into consideration each and every time you exercise your plans; and don’t forget to follow-up with a postmortem analysis to see what worked and what didn’t.

These are a few easy steps that security professionals should always consider when it comes to establishing the security basics. Without these foundations to build upon, how can we ever hope to keep up with the bad guys who are always two steps ahead?

Remember—It’s all about the basics, ‘bout the basics—and hopefully no trouble!

Cheers!

P.S. Don’t forget to follow me on my new Twitter handle: @QueenofCandor
