Channel: Venafi Blog

Encrypt Like Everyone is Watching—Decrypt Like No One Is

I just attended Black Hat 2015, and what a great conference it was. I learned that “hackers,” including white hats, grey hats, and black hats, are really interesting people. At Black Hat, I saw briefings on how to hack a Jeep, a smart card, Android, iOS, Windows, HTTPS, and fingerprint sensors. Pretty much anything can be hacked. Some do it for the greater good, letting the manufacturers know so the security can be hardened and the hacks cannot be repeated.

The presentation on the Black Hat network was especially interesting. This year was the first year that the network operations center (NOC) was open to the attendees of Black Hat to tour. The NOC is a labor of love for a lot of IT security professionals—many even take PTO to make it happen. This is the network that is used for the training classes at Black Hat. The top websites visited, top applications used, botnets detected, and malware detected were presented.

The people that run the NOC do keep a close eye on any “egregious” hacks, but how is that defined, really? Think of what these folks, doing their labor of love, learn about the attack vectors that are coming. Wow! If the hack is being taught at a training class, then they are expecting it. However, they did state that all types of hacks were done to each other, one attendee of the conference to another.

At the conference, 80% of the traffic was encrypted this year using TLS, which is way up from past years. This is a really interesting anecdote if you think about how a hacker can go undetected inside encrypted traffic.

SSL/TLS Protects Black Hat 2015 Traffic

These Black Hat sessions highlight how important it is to encrypt sensitive information properly so it isn’t available to hackers. Maybe even more important is the ability to conduct SSL/TLS inspection by decrypting the ingress and egress traffic of your enterprise. SSL/TLS inspection lets you detect malware phoning home to a command-and-control server, or an attacker who has landed and is expanding across your systems, inside traffic that would otherwise be opaque to your security controls.

How are you protecting SSL/TLS in your organization? Are you using SHA-2 signatures, at least 2048-bit RSA keys, short validity periods, and TLS 1.2 to protect your sessions? Do you have visibility into where all of your SSL/TLS keys and certificates are located, so you can prevent outages? Would you be able to find a fake certificate issued in your brand name, in your enterprise or on the internet? Are you conducting SSL/TLS inspection at your organization? Overall, do you feel you are protected from hacking when you use SSL/TLS?


How Are We Still Talking About Broken Trust?

We live in the age of technology. It is a fast-paced, break-neck ride to deliver great solutions—everything from the largest, complex integrated solution to the single, simple iPhone app. With online solutions a part of so much of our everyday lives, why are we still talking about digital certificates, the backbone of internet communication, being broken?

I will tell you why. It’s hard. Once Netscape introduced the SSL protocol, used with X.509 certificates, in 1994, it was obvious we needed to fix online communication and FAST. We seized the quickest solution, and the use of X.509 certificates with SSL for online communications soared. With this protection, online commerce exploded with the confidence that identity and privacy could be ensured.

Well, the internet is all “grow’d up” and our SSL/TLS solution needs to be refitted. Moxie Marlinspike at Defcon 19 in 2011 told an over-packed audience of hackers at the Rio in Las Vegas that the way we establish trust needs to change; we need to take the power back from trust stores that have been force-fed into our systems and make our own intelligible decision on who or what we want to trust. Convergence Beta was then created.

I just got back from Defcon 23 and, yet again, there were several talks on exploiting digital certificate weaknesses. Besides the few sneaky hacks I saw, it was interesting to see a solution proposed to the open source community to try and help our broken trust. A couple of guys, for the love of protected communications, came up with a product called TLS Canary (warning: the content is provocative). In real time, it will check the trustworthiness of the certificate you are trying to access and tell you whether it is good or bad.

Defcon 23 Discusses Broken Online Trust

There are now several approaches to certificate trustworthiness, but we need to ensure that we’re turning to a comprehensive source. Google is running the Google CT (Certificate Transparency) project, TLS Canary has been developed, and we have the SSL Observatory. In addition, some people are trying to solve issues with certificate pinning. Good, great! Finally we have several groups out there pushing for and delivering solutions. Everyone is starting to see the issue that Venafi has been solving for years. Venafi, the Immune System for the Internet™, provides the single most comprehensive source of certificate trustworthiness.

Venafi has a platform that not only helps you establish what to trust through its TrustNet product, but will also bring order to the chaos that is your PKI (Public Key Infrastructure) and keys through the Trust Protection Platform. Technology overall has been slow to address its trust issues, and understandably, because it’s hard. But let’s heal our known broken trust issues already so we can get new, interesting topics at Defcon!

Superfish: One Step Closer to Sinking our Boat

Original article published at Infosecurity Magazine on August 25, 2015: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/


Earlier this year Lenovo got caught installing Superfish adware on its laptops. Superfish breaks open SSL/TLS encryption using forged digital certificates and unwittingly allows bad guys to exploit the digital trust they provide. Unfortunately, man-in-the-middle (MITM) attacks with forged certificates are nothing new.

The SSL/TLS trust model is designed to protect communications end-to-end. But Lenovo shipped the Superfish root CA certificate as trusted, so every MITM certificate Superfish minted was trusted by the browser, exposing users to insecure sites and to interception of private communications. Worse, the same root private key was present on every affected laptop, so once it was extracted anyone could issue certificates those machines would trust. Whilst Lenovo admitted its mistake and claims to no longer ship adware, it is clear that the system of trust established by keys and certificates is under attack.

Keys and certificates were designed to be like the biological tags in living cells – identifying what’s safe and trusted. However, we left out one thing it seems: an immune system to keep up with what really is trusted. There’s a lot we can learn from our human immune system and apply to the cyber realm.

Read the full article at: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/

Research: Clueless Enterprises Miss Certificate Breaches

This article was originally posted by IDG Connect on August 5, 2015 at: http://www.idgconnect.com/abstract/10251/research-clueless-enterprises-miss-certificate-breaches


Attacks on digital keys and certificates are very different from typical cyberattacks and are becoming increasingly common, leaving victims open to devastating security breaches.

With a compromised or stolen key, cyber criminals can impersonate, surveil, and monitor their targets, as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers unrestricted access to their victim’s network, where they may go undetected for some time with trusted access, siphoning off confidential data to use for criminal ends.

In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to learn what they do to prevent breaches and establish greater trust online. Disturbingly, the data revealed that most IT professionals acknowledge they don’t know how to detect or remediate compromised cryptographic keys and digital certificates.

The survey results highlighted that 38% of respondents can’t, or don’t know how to, detect compromised keys and certificates, and 56% of the other respondents said they are using a combination of next-generation firewalls (NGFW), anti-virus, intrusion detection systems (IDS), intrusion prevention systems (IPS), and sandboxes to find these types of attacks.

One area in which cybercriminals are taking advantage is Secure Sockets Layer (SSL) encrypted traffic, which is rapidly gaining momentum in enterprises. According to market research company Gartner, 50% of network attacks will use SSL/Transport Layer Security (TLS) by 2017. Attackers are aware that most security systems either trust SSL/TLS or don’t have access to the keys needed to decrypt traffic and search out hidden risks. These security weaknesses create blind spots that subvert critical security controls.

Broken Link in Security

Worryingly, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks on keys, and most said it would take three or more days, or up to a week, to detect, diagnose, and replace keys that have been breached.

Following a breach, more than three-quarters (78%) of those surveyed said they would still only complete partial remediation which would leave them vulnerable to further attacks. When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system. Another 16% had no idea. A manual process was being used by 14%, whilst 22% placed the responsibility elsewhere in the enterprise.

The survey findings are concerning given the increase in attacks on internet trust and the major SSL/TLS and SSH key and certificate-related vulnerabilities we’ve seen over the past six months alone. From Heartbleed, Shellshock, POODLE, the Gogo man-in-the-middle attacks, Lenovo’s Superfish vulnerability, FREAK and now the Logjam flaw, cybercriminals are all too aware of the vulnerabilities in unprotected keys and certificates and are using these weaknesses to carry out malicious acts.

Read the full article at: http://www.idgconnect.com/abstract/10251/research-clueless-enterprises-miss-certificate-breaches

For the 2nd Year Running, PCI SSC Announces Securing Keys and Certificates a PCI SIG Finalist

There has been a dramatic increase in attacks that leverage keys and certificates, and the recent breadth and criticality of vulnerabilities, from Heartbleed to POODLE, underscore the importance of strong security and remediation capabilities. With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced today in its PCI Monitor weekly newsletter that Securing Cryptographic Keys and Digital Certificates is among the five finalists selected for a 2016 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS).

This is the second year running that the PCI SSC has designated key and certificate security as a SIG finalist. Although the PCI Participating Organizations did not elect key and certificate security as a 2015 SIG last year, the PCI SSC has selected it as a finalist again—this time for the 2016 PCI SIGs—showing the council’s support for this important security and the need for a SIG in this area. Its acceptance for the second time emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.

This year the vulnerabilities in SSL and early TLS moved the PCI Council to eliminate their use under PCI DSS 3.1. However, to date, there has not been specific guidance on how to best implement and secure keys and certificates with detailed information on industry best practices and how these security elements interrelate for optimal protection.

Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.

PCI SSC Special Interest Group Selection

Are you one of the doubters who don’t think you’ll become a victim? It looks like many G5000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, for the last four years running, every major enterprise surveyed has been attacked using compromised keys and certificates. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. Threat groups that target keys and certificates, such as APT1, APT18, and the Mask campaign; vulnerabilities such as POODLE, FREAK, and Shellshock; the Sony breach; and the Chinese certificate authority CNNIC’s involvement in the issuance of unauthorized certificates are just a few examples that underscore the importance of strong key and certificate security and remediation capabilities.

The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.

We have two primary objectives for this SIG:

  • Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
  • Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates

So what’s next? Video presentations of the selected PCI SIG finalists will be presented at the 2015 PCI Community Meetings in North America (September) and Europe (November), and on the PCI SSC website. After the community meetings, an election will be held and the PCI Participating Organizations will vote. The leading 1-2 SIG topics will become PCI SIG projects for 2016.

We have several participants already committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000. We hope that PCI Participating Organizations will follow the council’s show of support for key and certificate security for two years running and vote for this important SIG.

If you are the voting member of a PCI Participating Organization, vote for Cryptographic Key and Digital Certificate Security as a 2016 SIG and consider becoming one of the SIG participants.

The Wild West of Encryption: A Holdup for Keys and Certificates

During my time at PGP, which was run by some of the most passionate security trailblazers of their time, part of the fight was trying to teach the world that they should encrypt their data. Time and time again, I have heard people say that they have nothing to hide so they are not worried about privacy. I love Edward Snowden’s quote “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” His quote really brings it home for me.

Phil Zimmermann faced a federal criminal investigation for making PGP available outside the U.S., and when it was dropped without charges he had effectively won the right to strong encryption for all of us. For me, this is up there with the right to vote. At PGP, we taught the need to encrypt and protect your data at rest and in transit. Here at Venafi, we teach that you need to protect your encryption assets—keys and certificates. Those are the new targets, because encryption is pretty good (PGP: Pretty Good Privacy), which makes our encryption keys the target cybercriminals go after to break or leverage encryption in their attacks.

Sadly, they are apparently an easy target, because in most environments, digital certificates and keys are like the Wild West. Even with a software solution from a leading company like Venafi, if you don’t put the proper level of attention to managing and securing your certificates and keys, you will be vulnerable to exploitation from, at the very least, your lack of visibility.

The Wild West of Encryption

Let’s face it; unless you have a solution in place and have dedicated the right resources, the following is true:

  1. You don’t know what CAs are in your environment (we have discovered rogue CAs issuing certificates in customer environments)
  2. You don’t know where all of your wild card certificates live (we have found file shares with certificates and private keys)
  3. You don’t have any control whatsoever over self-signed certificates that anyone can issue and use
  4. You don’t know what data is being sent out of your organization to some outside entity (e.g., Edward Snowden)
  5. You don’t have any guarantee that your production will not shutdown tomorrow due to a certificate-related outage
  6. You don’t have any control over or visibility into your SSH inventory, which provides privileged access to your systems
  7. You don’t have the ability to respond quickly to a problem with CAs, keys, or certificate-related outages

There are many more specific scenarios and examples I can share. The Wild West was a dangerous place. It eventually got better as communication and response times improved and society got together to solve the problem. In the Wild West days, physical banks and trains were the targets. Intercepting a train carrying a valuable payload was pretty easy because, by the time you knew you were robbed, it was too late. Today, it is digital keys and certificates. Welcome to the Wild West of encryption.

Still Using SHA-1? It’s Time to Switch!

Why all of the fuss?

NIST deprecated SHA-1 in 2011 (SP 800-131A), disallowing its use for generating digital signatures after 2013, because its security strength is susceptible to collision attacks. Due to ever-increasing computational power, the risk of SHA-1 being broken via a collision attack in the next few years is very real. For that reason, most certificate authorities (CAs) now issue certificates only with SHA-2 family algorithms (SHA-256 or stronger).

Google, Microsoft, and Mozilla have already started taking steps last year to aid end users in understanding the risks and have updated their policies. These policies state that sites with end-entity certificates expiring on or after 1 January 2017 that make use of SHA-1 will no longer be accepted as secure. These policies also require CAs to stop issuing new SHA-1 certificates after 1 January 2016.

What progress are we making with SHA-1 to SHA-2 migration?

It’s now well known that certificates signed with SHA-1 are not secure, but what progress are companies really making in transitioning to SHA-2? Using Venafi TrustNet certificate reputation services, I generated a report of all SHA-1 certificates that have been issued since 31 December 2013—this date is after NIST had deprecated SHA-1 usage—and filtered out any certificates that are set to expire before the 1 January 2017 deadline. The results speak for themselves as to the state of the industry!

There are over 1.5 million certificates that have been issued since 31 December 2013 with SHA-1 that are set to expire well beyond the 1 January 2017 deadline, when major browsers will stop trusting these certificates.

SHA-1 Certificate Expiration Age Beyond January 1, 2017

Although too small a percentage to show on the chart above, 330 certificates were found to be expiring in more than 100 years! I guess some security practitioners are looking out for future generations so that they don’t run into any certificate-expiration outages; they obviously don’t believe SHA-1 will be fully exploitable by 2114. But this comes at the cost of security.

What steps should you take to start your SHA-1 migration?

Certificate inventory assessment is the first step, establishing the scope and extent of your SHA-1 to SHA-2 migration. With a clear understanding of your certificate inventory and trust stores, you can determine which systems and applications may be impacted.

Revision of policies is needed to indicate that only SHA-2 certificates are generated moving forward and newly generated keys and certificates are in compliance with corporate and industry security standards.

Application and system testing is one of the very first things that needs to be performed before attempting to deploy any new certificates into the environment. You may have a legacy application that does not support SHA-2 and there is no migration plan from the vendor. If this is the case, you need to make a judgment call: migrate the application to a newer application that does support SHA-2 or live with the risk knowing full well that it’s a ticking time bomb.

Automated deployment of new certificates is recommended, especially when you consider that the average large enterprise has over 23,000 keys and certificates to manage. By automating the process you can validate the entire CA and certificate refresh process, including SHA-2 implementation.

Another recommendation is to deploy a new PKI hierarchy for SHA-2 and slowly migrate all systems and applications from the old one. In doing so, any system or application that does not support SHA-2 can be left using the old PKI hierarchy while all those that do support SHA-2 can use the new, more secure PKI environment.
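The steps above amount to an inventory scan: find every certificate whose signature algorithm is SHA-1 based and whose notAfter date lands on or after 1 January 2017. The Python below is an added example, not Venafi or TrustNet code. It walks the DER structure of an X.509 certificate with the standard library only, returns the signature algorithm OID and expiry, and lists the certificates that must be reissued. The sample inventory is constructed inline with a small DER encoder (hypothetical names, empty issuer and subject, dummy key and signature); the inspect_certificate function itself works unchanged on real DER certificates read from disk. It also answers the “are you using SHA-2?” question from the Black Hat post earlier on this page for an inventory you already hold.

```python
"""Inventory check for the SHA-1 to SHA-2 migration (added example, not Venafi code).

A standard-library DER walker pulls the signature algorithm OID and notAfter date out
of each X.509 certificate and flags SHA-1 signatures that outlive the 1 January 2017
cutoff. The sample inventory is built inline with a tiny DER encoder (constructed data).
"""
from datetime import datetime, timezone

# Dotted OIDs of SHA-1 based signature algorithms (RFC 3279).
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)

def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed element's contents into a list of (tag, contents)."""
    pos, out = 0, []
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        out.append((tag, value))
    return out

def decode_oid(contents):
    """DER OID contents to dotted-decimal (base-128 arcs, high bit = continuation)."""
    arcs, n = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, contents):
    """UTCTime (0x17, two-digit year: 50-99 means 19xx) or GeneralizedTime (0x18)."""
    text = contents.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_certificate(der):
    """Return (signature_algorithm_oid, not_after) for a DER-encoded certificate."""
    _, cert, _ = der_read(der)
    tbs, sig_alg, _signature = der_children(cert)
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _not_before, not_after = der_children(fields[3][1])   # serial, sigalg, issuer, validity
    return sig_oid, decode_time(*not_after)

def migration_report(inventory):
    """Names of inventory entries (name -> DER bytes) signed with SHA-1 and valid past the cutoff."""
    flagged = []
    for name, der in inventory.items():
        oid, not_after = inspect_certificate(der)
        if oid in SHA1_SIGNATURE_OIDS and not_after >= CUTOFF:
            flagged.append(name)
    return sorted(flagged)

# DER encoding below is used only to build the constructed sample certificates.
OID_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")     # 1.2.840.113549.1.1.5
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11

def der_tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def der_time(dt):                       # UTCTime before 2050, GeneralizedTime after (RFC 5280)
    if dt.year < 2050:
        return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def fake_certificate(sig_oid_der, not_after):
    alg = der_tlv(0x30, sig_oid_der + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version v3
        der_tlv(0x02, b"\x01"),                   # serialNumber
        alg,                                      # signature (inner copy)
        der_tlv(0x30, b""),                       # issuer: empty Name placeholder
        der_tlv(0x30, der_time(datetime(2015, 1, 1)) + der_time(not_after)),  # validity
        der_tlv(0x30, b""),                       # subject placeholder
        der_tlv(0x30, b""),                       # subjectPublicKeyInfo placeholder
    ]))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, bytes(5)))   # dummy signature BIT STRING

INVENTORY = {   # constructed sample inventory: name -> DER bytes
    "legacy.example (SHA-1, expires 2019)": fake_certificate(OID_SHA1_RSA, datetime(2019, 6, 30)),
    "ancient.example (SHA-1, expires 2114)": fake_certificate(OID_SHA1_RSA, datetime(2114, 1, 1)),
    "retiring.example (SHA-1, expires 2016)": fake_certificate(OID_SHA1_RSA, datetime(2016, 6, 30)),
    "modern.example (SHA-256, expires 2019)": fake_certificate(OID_SHA256_RSA, datetime(2019, 6, 30)),
}
```

Feed migration_report a dict of name to DER bytes (for PEM files, strip the header and footer and base64-decode first). SHA-1 certificates that expire before the cutoff are left alone, matching the filter used for the TrustNet report above, and the GeneralizedTime branch in decode_time is the one a 100-year certificate like those mentioned exercises.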

Where are you in your SHA-1 to SHA-2 migration? Please share any roadblocks or successes you’re experiencing.

Untrusted Certificates—Survey Shows IT Security Pros Know the Risks but Do Nothing

Today, Venafi released a report based on survey findings and analysis, IT Security Professionals Know the Risk of Untrusted Certificates and Issuers, but Do Nothing. The survey was conducted at 2015 Black Hat USA and gathered responses from over 300 IT security professionals. As the title suggests, the report reveals that security professionals know the risks associated with untrusted certificates, including compromises of certificate authorities (CAs), but they are currently not taking steps to protect themselves and don’t have remediation mechanisms in place to effectively mitigate a future CA compromise.

Why is it important to understand and respond to threats using untrusted certificates? The report highlights how cybercriminals are increasingly misusing keys and certificates to breach organizations, elevate their privileges, and hide activity. And although they may know the risks, most organizations are unprepared to defend against these attacks.

Security Pros Know the Risks

Here are a couple survey responses that indicate that security professionals are aware of the risks associated with untrusted certificates and compromised CAs:

  • The major issuers of online trust will be compromised, with 90% of the respondents believing a leading CA will be breached within the next two years.

  • When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application, or mobile device, 58% stated they are concerned about MITM attacks and 14% had concerns about replay attacks.

Statistics on Certificate Authority Security Risks

They Lack Visibility into the Extent of their Risk Exposure

Although security professionals understand the types of threats that can result from misused certificates, they do not grasp the extent of their risk exposure.

  • Most security professionals (63%) don’t know, or falsely believe, that a CA secures certificates and cryptographic keys. CAs only issue and revoke certificates—they never hold the subscriber’s private key, don’t monitor how the certificate is used, and provide no security for it once issued.

  • When asked how many CAs are trusted on mobile devices, survey responders believe it to be a median of three. On Apple iOS devices the median response was two, when in fact the number of trusted CAs is over 240.

Security Pros Aren’t Taking Action

Maybe because of the lack of insight into the extent of their risk, security professionals aren’t taking action against current threats or establishing incident response plans that will protect them in the future when a leading CA is compromised.

  • Only 26% removed CNNIC from all desktops, laptops, and mobile devices after Google and Mozilla deemed CNNIC as untrustworthy to protect Chrome and Firefox users from a MITM attack. The remaining 74% are still exposed.

  • Most (61%) would be unprepared to promptly respond to a breach of a leading CA, relying on manual procedures performed by administrators or incident response firms to remediate (including manually addressing Vulnerability Management System data).

  • Worse yet, 30% either did not know what they would do or would continue using the same CA—leaving them vulnerable.

Statistic on Responding to CA Compromise

What should organizations do to protect themselves? Read the report to get a 3-point recommendation plan on how to reduce the risk and impact of fraudulent issuance and misuse of certificates. The report concludes by saying we should take a lesson from nature and use the Immune System for the Internet™ to identify good vs. bad, friend vs. foe to defend against the misuse of keys and certificates.

What are your thoughts on these survey results? Is your organization prepared for the next CA compromise? How do you remediate when your certificates and keys are misused by cybercriminals?


Biometrics Stolen During OPM Breach—Your Fingerprints May No Longer Be Your Own

During what is believed to be the biggest breach in U.S. history, it was reported that along with all of the other sensitive data, over 5.6 million fingerprints were also exposed to the hackers.

While you may think that spies wearing life-like masks and gloves with false fingerprints on them to commit espionage could only happen in a Mission Impossible plot, you may be shocked to know that with the biometric data that was stolen in the recent Office of Personnel Management (OPM) breach, this may now be possible.

Of course we hope these tricks will continue to be acted out only by Tom Cruise, but everyone should still be aware of the very serious fact that hackers obtained over 5.6 million fingerprints (the OPM originally estimated 1.1 million, but the figure has since grown) from the 21.5 million people whose personal data was stolen. Having these biometrics stolen is terrifying for two major reasons:

  1. There could be a brand new type of stolen goods being trafficked on the black market: biometrics.
  2. Those whose biometrics were stolen will have to deal with losing their identity for the rest of their lives.

It is still unclear what the hackers plan to do with the biometric data they have stolen, but impersonators are already on the black market selling fake OPM-breached fingerprints. That there is already demand shows that biometric data may become the newest “hot ticket data” hackers are after. This opens a Pandora’s Box for those impacted by the breach, since their fingerprints, along with other biometric data, are exposed and there for the taking. And unlike a credit card number, a password, or an identity number, fingerprints cannot be changed every few months, or ever. Keeping biometric data secure is a serious security concern that hasn’t been addressed much, at least not to date.

Stolen Biometrics

Today, fingerprints are used for background checks, border crossings, workplace identification, and, more recently, unlocking smartphones. If your biometric data is stolen, identifying yourself by what was once the most trusted method will no longer be an option. Even worse, the sensitive biometric data of U.S. diplomats and government agents exposed by the OPM hack could lead the hackers to even more damaging information: it has the potential to unlock devices that hold incredibly sensitive, current data such as undercover investigations, international negotiations, and conversations that were kept secret for a reason.

In the early 1900s, my grandmother’s brother (an immigrant from Italy) was fingerprinted when he entered the U.S. He spent many years working in a brick yard—he literally burned off all of his fingerprints and always joked, “Now the government doesn’t know who I am!” Who would have thought that a century later, a cyber attack would leave millions of people in the dark wondering what hackers plan to do with their fingerprints and personal information.

Now is a really good time for the U.S. government and global companies around the world to consider better security measures around their biometric data. We simply can’t sit here and wait for another OPM-like breach to happen that leaves even more data for the taking.

Cheers!
Tammy

Venafi Supports Google Certificate Transparency with CA-Agnostic Log and Monitor

Venafi is proud to announce the availability of the Venafi CT log and CT monitor.

Key Takeaways

  • Google Certificate Transparency provides safer internet browsing by allowing anyone to scrutinize the certificate issuance process.
  • Venafi supports Google Certificate Transparency (CT) with the Venafi CT log and CT monitor.
  • Venafi TrustNet uses Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet.

The Google Chrome browser requires public logging of Extended Validation (EV) SSL/TLS certificates as part of Google Certificate Transparency (CT). Any EV certificate issued after January 1, 2015 that is not logged with CT will cease to show the EV indicator “green bar” in the Chrome browser.

Google CT aims to stop unauthorized certificate issuance by providing the ability for anyone to scrutinize the issuance process. This is provided by three core components: the certificate log, a monitor, and an auditor.

A Growing Need

Cybercriminals and nation states have realized the value of misusing certificates, and certificate issuance practices are being abused more and more frequently. Earlier this year, unauthorized certificates for Google domains, usable for man-in-the-middle attacks, were issued by an intermediate CA (MCS Holdings) that chained up to the China Internet Network Information Center (CNNIC), providing just one example of how certificate issuance can be used for nefarious purposes.

Google CT aims to provide safer internet browsing by detecting mis-issued certificates, malicious certificates, or rogue CAs within hours of issuance rather than months later. This is achieved by CT’s requirements on how and where every issued certificate must be logged, and by the public, append-only nature of the logs.

Venafi Support for Google CT

Venafi is proud to announce support for Google CT with the Venafi CT log and CT monitor. As the Immune System for the Internet™, Venafi provides a CT log independent of any specific Certificate Authority (CA), welcoming any CA to publish to the Venafi CT log.

CT Log: A log is a public, append-only record of certificates, structured as a Merkle hash tree so that the inclusion of any certificate, and the consistency between two versions of the log, can be cryptographically verified by anyone. Any CA wishing to be compliant with Google CT must publish the certificates it issues to several independent logs (Chrome’s policy sets the required number of logs by certificate lifetime); each log returns a signed certificate timestamp (SCT), its promise to include the certificate, which the server presents to the browser.

Diagram of Venafi CT Log and Monitor

CT Monitor: Venafi also participates in the Google CT initiative by operating a monitor. Monitors watch logs for suspicious certificates and verify that the logs behave honestly: that every logged certificate stays visible and that the log's signed tree heads remain consistent over time.
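As an added example (not Venafi code, and not taken from the page), here is the hashing that makes a CT log "cryptographically assured" and the check a monitor performs against it: the RFC 6962 Merkle Tree Hash, audit-path generation, and inclusion-proof verification as specified in RFC 9162. The log entries are constructed byte strings standing in for real MerkleTreeLeaf structures; a real monitor would fetch the signed tree head and the proof from the log's HTTP API instead of computing them locally.

```python
"""RFC 6962 Merkle Tree Hash, audit path generation and inclusion-proof
verification, as a CT monitor or auditor performs it. Added example; the
entries below are constructed placeholders, not real log leaves."""
import hashlib


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962: leaf hashes are domain-separated with a 0x00 prefix
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # interior nodes use a 0x01 prefix so a leaf can never masquerade as a node
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n: int) -> int:
    # k: the largest power of two strictly less than n (n >= 2)
    return n // 2 if n & (n - 1) == 0 else 1 << (n.bit_length() - 1)


def tree_hash(entries) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def audit_path(index: int, entries) -> list:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes, leaf to root."""
    n = len(entries)
    if n <= 1:
        return []
    k = split_point(n)
    if index < k:
        return audit_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(hash_: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    """Inclusion-proof check following RFC 9162 section 2.1.3.2."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, hash_
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            # right-shift both until fn's low bit is set or fn reaches 0
            while not (fn & 1 or fn == 0):
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed stand-ins for log entries; a real log hashes the MerkleTreeLeaf
# structure wrapping the certificate or pre-certificate.
SAMPLE_LOG = [b"cert:example.com:%d" % i for i in range(7)]


def monitor_check(entries, index: int) -> bool:
    """What a monitor does for one entry: take the tree head and an audit
    path, then confirm the entry it fetched really is in that tree."""
    root = tree_hash(entries)
    path = audit_path(index, entries)
    return verify_inclusion(leaf_hash(entries[index]), index, len(entries), path, root)


if __name__ == "__main__":
    for i in range(len(SAMPLE_LOG)):
        print(i, monitor_check(SAMPLE_LOG, i))
    # A log that silently swaps an entry cannot prove the original is still in it.
    tampered = SAMPLE_LOG[:3] + [b"cert:attacker.example:3"] + SAMPLE_LOG[4:]
    print("tampered", verify_inclusion(leaf_hash(SAMPLE_LOG[3]), 3, 7,
                                       audit_path(3, tampered), tree_hash(tampered)))
```

A log that alters or drops an entry after issuing an SCT for it cannot produce a valid audit path for the original entry against its new tree head, which is exactly what a monitor relies on when it re-checks entries it has already seen; auditors apply the same hashing to consistency proofs between successive tree heads.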

The Value of Google CT

Gartner got it right back in 2012 when they concluded that "no certificate can be blindly trusted." One good example of the value of Google CT: Google found an Extended Validation (EV) pre-certificate for a Google domain issued without Google's authorization by Thawte CA. But note what CT did and did not do here. It flagged the pre-certificate at the moment Thawte logged it; CT detects misissuance at issuance time only and says nothing about how a certificate is used afterward.

Beyond Google CT

Because Venafi is CA-agnostic, providing a CT monitor allows Venafi to gain early visibility into certificate issuance practices across CAs. And Venafi TrustNet™ goes beyond certificate issuance information, using Google CT log information in conjunction with SSL/TLS information gathered from the Venafi sensor network to identify misuse of certificates on the internet throughout the certificate lifecycle.

In addition to the pre-certificate found by Google that was issued last week by Thawte, I decided to run a report using Venafi TrustNet and found 20 other certificates issued for the google.com domain that are currently live, were issued by suspicious CAs, and do not appear in the Google CT logs.

To protect your organization’s brand from being misrepresented, Venafi TrustNet certificate reputation helps organizations detect and remediate certificate misuse at issuance and throughout the life of a certificate by evaluating the entire internet.  

How does your organization ensure no digital certificate is being used on the internet to misrepresent your brand?

Key and Certificate Security Delivered at the Speed of Business


Stop keys and certificates from slowing innovation. The speed of cloud computing, the demands of internal IT services SLAs, and the explosion of IoT devices must be supported with automated key and certificate management and security.

Key Takeaways

  • Speed of IT continues to dramatically increase with cloud computing, IoT, and IT service demands
  • Manual key and certificate management, used by most organizations, is slowing IT speed
  • To meet speed demands, corners are cut in key and certificate security or it is sacrificed completely

To improve the customer experience, new IT is delivering speed to the business in ways that could not have been considered a few years ago. Not long ago, QA test environments were rebuilt every week; today they are rebuilt continuously. Previously, provisioning a web server took weeks, sometimes months: procure the hardware, then install the operating system and the required software.

Watch this demo to see how to support Chef with automatic key and certificate provisioning.

I remember how it was before the cloud started being adopted; one customer I worked with mentioned that it was faster for them to retrofit a Boeing 737 than it was to stand up a new webserver. How things have changed with DevOps where a new server instance can be available within seconds today. And containerization has only further increased the speed at which application stacks can be made available. One Venafi customer tears down and instantiates its entire environment every week. Think of the mammoth task—no, near impossible task—this would have been just 5 years ago!

Speed + Security in the Cloud

Without speed to market and dynamic, on-demand service delivery, your competition is going to take your customers. But speed should not come at the expense of security. Think about it: keys and certificates are among the technologies foundational to the internet and to the way we do business. They provide authentication and authorization for millions of systems. Yet keys and certificates, which sit at the heart of IT security, often slow down dynamic IT. Most organizations issue and track keys and certificates manually, and when those same manual methods meet cloud servers that appear and disappear in seconds, they slow processes down significantly.

In results from a survey conducted by TechValidate for Venafi, we found that over half (56%) of our customers used manual certificate tracking methods before using

Customer References verified by TechValidate.

What good is it to be able to instantiate cloud workloads quickly if security slows down the process or, worse yet, is skipped completely in the interest of speed?

Organizations and cloud vendors sometimes cut corners in key and certificate security to avoid slowing down cloud provisioning. Dell SecureWorks did a study a couple of years back and found that 1 in 5 AWS instances had rogue SSH keys baked into them. Why does this matter? A leftover key in a machine image is like buying a new car, making multiple copies of the key, and handing them out to strangers at your local supermarket: anyone holding a copy has access to the car, and every instance launched from that image carries the same copy.

Most cloud vendors now offer ephemeral session keys that cannot be reused, which dramatically shortens the lifespan of key material. To keep the speed benefits of cloud computing while staying secure, keys need to be generated and provisioned automatically according to defined security policies. However you provision workloads in the cloud, do not reuse keys across images or instances, and make sure you have visibility into where each key is used, by whom, and for how long.
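To show what that visibility looks like in practice, here is an added example (not Venafi or Dell SecureWorks code) that fingerprints every key in the authorized_keys files collected from a fleet of instances, reports keys that are not on an approved list, and lists the hosts each key can open. The hosts, the approved list and the ed25519 key blobs are all constructed for the demonstration; the helper that builds them produces syntactically valid public-key lines but not real key pairs.

```python
"""Audit authorized_keys material across cloud instances: fingerprint every key,
flag keys that are not on the approved list, and show which hosts each key opens.
Added example; hosts, keys and the approved list are constructed for the demo."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    # SSH wire format (RFC 4251): uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data


def fake_ed25519_key(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line around a made-up 32-byte
    key; the bytes are not a real key pair (constructed sample data)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(b"seed:%d" % seed).digest())
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line:
    base64 of SHA-256 over the decoded key blob, padding stripped."""
    fields = line.split()
    # options such as from="10.0.0.0/8",no-pty may precede the key type
    start = next(i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES))
    blob = base64.b64decode(fields[start + 1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def audit(hosts: dict, approved: set) -> dict:
    """hosts maps instance name -> authorized_keys text. Returns the fingerprints
    that are not approved (rogue keys) and those present on more than one host."""
    where = defaultdict(set)
    for host, text in hosts.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            where[fingerprint(line)].add(host)
    return {
        "unapproved": {fp: sorted(h) for fp, h in where.items() if fp not in approved},
        "reused": {fp: sorted(h) for fp, h in where.items() if len(h) > 1},
    }


# Constructed sample: one key per engineer, plus a key left behind by the
# image build that therefore landed in every instance launched from that AMI.
ALICE = fake_ed25519_key(1, "alice@laptop")
BOB = fake_ed25519_key(2, "bob@laptop")
BAKED_IN = fake_ed25519_key(3, "packer-build@ci")

SAMPLE_HOSTS = {
    "web-1": ALICE + "\n" + BAKED_IN + "\n",
    "web-2": "# managed by config-mgmt\n" + BOB + "\n" + BAKED_IN + "\n",
    "db-1": 'from="10.0.0.0/8" ' + ALICE + "\n",
}
APPROVED = {fingerprint(ALICE), fingerprint(BOB)}


def sample_report() -> dict:
    return audit(SAMPLE_HOSTS, APPROVED)


if __name__ == "__main__":
    for category, hits in sample_report().items():
        for fp, hosts in hits.items():
            print(category, fp, ",".join(hosts))
```

The "unapproved" list is the one to act on: the build key should be removed from the image and rotated everywhere it landed. The "reused" list is the blast-radius view the paragraph above asks for, showing every host a single key can open.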

Speed + Security for Internal SLA of IT Services

Speed is an important factor in internal IT services Service Level Agreements (SLAs). Other departments turn to IT to deliver services, and key and certificate issuance in support of these services can significantly impact the SLAs to which the IT department can commit.

In the recent TechValidate survey, we found that over half (57%) of the respondents were able to improve their internal IT services SLA after deploying Venafi—over one-third (34%) were able to change this from days to just hours. Automated key and certificate provisioning can have a significant impact on the services SLA that IT can deliver.

Customer References verified by TechValidate.

Speed + Security for IoT

We already have a few billion Internet of Things (IoT) devices connected through the internet. With the additional IoT devices coming to market, supporting a multitude of use cases, that number is expected to grow dramatically. According to Gartner, by 2020 there will be 25 billion connected "things", all of which need some way of authenticating on the network and communicating securely.

Automakers are expecting cars to be a high-value target for hackers and have already begun to put security controls in place. One such control rotates the SSL/TLS certificates at least 12 times per hour. Think what a PKI management nightmare that becomes if you cannot automate the process and tell whether a certificate is good or bad, friend or foe. As IoT devices multiply, real-time key and certificate management will be needed to keep up with security and access demands.

Security at Speed

Although I focused on cloud, internal IT services, and IoT, there are many other examples where keys and certificates need to be provisioned or replaced very quickly to satisfy the business need. But security does not have to be sacrificed to achieve speed of deployment in any environment. The full key management lifecycle process can be automated so that security policies can be applied and the environment kept safe.

If you are interested to see how Venafi automatically provisions keys and certificates with Chef please review the following demonstration video.

How does your organization ensure your key and certificate management and security keep up with the speed demands of IT?

Take the Guesswork and Complexity Out of Your PKI Update


If your public key infrastructure (PKI) is like that of most companies today, it’s probably outdated. That can be a serious problem. Outdated PKI systems result in errors, missed updates, costly business interruptions, and even breaches. This is due to a lack of central visibility, consistent processes, and the refresh validation needed to streamline updates. Moreover, new security and compliance requirements and an evolving threatscape can make it costly and difficult to revamp PKIs.

Key Takeaways

  • Outdated PKI results in errors, missed updates, costly business interruptions, and even breaches
  • To stay protected, reduce certificate lifetimes, migrate to SHA-2, rely on standards, and develop remediation strategies
  • Successful PKI refreshes require visibility, enforced policies and workflows, automation, and validation

Why is it so difficult and costly to refresh an outdated PKI? There are almost 24,000 keys and certificates in today’s average enterprise and 54% of security professionals admit to being unaware of where all of their keys and certificates are located, who owns them, or how they are used. In addition, establishing new root or intermediate CAs and distributing certificates to hundreds or thousands of applications and trust stores is incredibly time consuming, expensive, and error prone. Add to the mix differing, distributed applications and administrators unfamiliar with certificates, and the challenges quickly multiply.

Check out the PKI Refresh solution brief.

PKI Update

But putting off a PKI refresh can open your business to outages and attacks. According to the Ponemon Institute, 100% of the Global 5000 surveyed have responded to attacks using keys and certificates and have had 2 or more certificate-related outages within the last 24 months. What does this mean in dollars and cents? Security professionals estimate that the total possible impact of an attack using keys and certificates is almost $600 Million and the total possible impact of a certificate-related outage is $15 Million. That’s a serious impact—even for the largest enterprises.

To stay protected from these costly and damaging incidents, you may want to consider adopting new PKI refresh standards and strategies:

  • Reduce certificate lifetimes to 3 months or less, as recommended by Google and others to reduce certificate risk exposure (but even Google recently let a certificate expire, showing that even the most security conscious organizations can struggle with key and certificate management and security)
  • Replace SHA-1 with SHA-2, due to potential attacks on SHA-1 certificates. (See NIST’s Policy on Hash Functions.)
  • Update digital certificate maintenance rules according to compliance regulations, such as the PCI DSS, and other security frameworks, such as SANS 20.
  • Develop new remediation strategies to apply following a CA compromise or new vulnerability (Venafi research shows that 3 out of 4 organizations still have not completely remediated the Heartbleed vulnerability).

Manage and Validate Your PKI Refresh with Confidence

How do you implement all of these standards and strategies? With today’s fast changing threatscape and increasing use of digital certificates, successful PKI refreshes require complete visibility, enforced policies and workflows, automation, and validation.

Visibility: Most don’t have complete visibility into their PKI. But for successful PKI management, you need to identify all keys, certificates, CAs, and trust stores across your enterprise networks, the cloud, and multiple CAs.

Enforcing policies and workflows: To ensure consistency while updating your PKI, you need to enforce configurable workflows for replacement, issuance, and renewal. A policy-enforced, self-service portal can also simplify certificate requests and renewals.

Automation of PKI: Automation is critical for PKI in today’s enterprises and should cover the entire CA and certificate refresh process, including the distribution and whitelisting of new CAs in trust stores.

Validating your progress: You should be able to track your progress and completion of your PKI refresh, validating that certificates are installed and applications are running.

With all of these requirements, does a PKI refresh sound like an impossible task? Believe it or not, you can now take the guesswork and complexity out of your next PKI refresh and reduce your risk. With the right solution for your PKI refresh, you can achieve complete visibility, enforce policies and workflows, automate processes, and validate progress. But don’t put this project off—it could literally cost you millions.

What do you consider to be the most critical PKI updates needed? Please share your experiences and thoughts.

Don’t Trust Blindly—Get 20/20 Vision on Your Certificates


Before your view becomes 20/20 from hindsight and you are too little too late, adopt an approach that gives 100% insight. Virtually all enterprises are unaware of how many certificates they have in their organization. Visibility is critical to properly manage certificates, avoid certificate-related outages, and secure your business and brand.

Key Takeaways

  • Everyone is utilizing more certificates than they know and in ways they don't know.
  • Lack of visibility leads to outages, downtime, exploited vulnerabilities, and financial loss.
  • Venafi TrustNet and Google CT care about your brand and you should too.

Visibility for Certificate Management

Without visibility into the traffic flowing across your network, you will not really know how many certificates are in use within your organization. In 2015 research by the Ponemon Institute, 54% of IT security professionals admitted to not knowing where all of their keys and certificates are located. But I think this is a gross underestimate. I have never met an organization using certificates that accurately knew its certificate count before using Venafi. Usually we wind up finding at least 3x what they thought they had.

Download the solution brief, Eliminate Blind Spots in Your SSL Traffic.

Yet finding all of your certificates is just the beginning. To properly manage them, you’ll need visibility into all of these aspects:

  • Who owns each of your certificates?
  • What does each certificate do?
  • Who is controlling your self-signed certificates?
  • Where do all of your wildcard certificates live?
  • Are all certificates being issued by the CAs you have approved?

Visibility to Avoid Certificate-related Outages

Another critical component of certificate visibility is the ability to identify approaching certificate expirations. Every certificate expires at some point, and before it does you need to renew it and replace it everywhere it is installed (with a validity of one year at most if you are following best practices). It is important to do this before expiry, when expired certificates cause outages of critical business systems. We have already seen several examples of certificate-related outages in large global businesses in 2015, including at Google Gmail, Microsoft Azure, and Instagram. These outages can cost you millions: in research by the Ponemon Institute, IT security professionals put the average cost of a certificate-related outage at $15 million.
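The checks in the PKI refresh list above (lifetimes beyond policy, SHA-1 signatures) and the expiration tracking described here all start from the same step: read the certificate and compare its fields against policy. As an added example, not Venafi code, the following walks a DER-encoded certificate with a minimal ASN.1 parser and applies those checks. The sample certificates are constructed in the code with empty names and placeholder signatures (nothing is actually signed), and the thresholds (90-day maximum lifetime, 30-day warning window, the reference date) are assumptions for the demonstration.

```python
"""Read X.509 certificates (DER) with a minimal ASN.1 walker and apply refresh
policy: weak signature algorithms, lifetime over policy, and upcoming expiry.
Added example; the sample certificates are constructed and unsigned."""
from datetime import datetime, timezone

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


# --- DER encoding (only what the sample certificates need) -------------------
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")       # long-form length
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])                        # base-128, high bit = more
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return tlv(0x06, bytes(out))


def der_utctime(d: datetime) -> bytes:
    return tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())


# --- DER decoding ------------------------------------------------------------
def parse_tlv(buf: bytes, pos: int = 0):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_time(tag: int, body: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(der: bytes) -> dict:
    _, cert, _ = parse_tlv(der)
    tbs, sig_alg, _ = list(children(cert))        # tbsCertificate, signatureAlgorithm, signatureValue
    fields = list(children(tbs[1]))
    i = 1 if fields[0][0] == 0xA0 else 0           # skip the EXPLICIT [0] version when present
    not_before, not_after = (decode_time(t, v) for t, v in children(fields[i + 3][1]))
    return {
        "serial": int.from_bytes(fields[i][1], "big", signed=True),
        "tbs_sig_alg": decode_oid(next(children(fields[i + 1][1]))[1]),
        "sig_alg": decode_oid(next(children(sig_alg[1]))[1]),
        "not_before": not_before,
        "not_after": not_after,
    }


def check_certificate(der: bytes, now: str, max_lifetime_days: int = 90, warn_days: int = 30) -> dict:
    """Apply the refresh policy; `now` is YYYY-MM-DD so callers need no datetime import."""
    info = parse_certificate(der)
    today = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    if info["sig_alg"] in WEAK_SIGNATURE_OIDS:
        findings.append("weak-signature-algorithm")
    if info["sig_alg"] != info["tbs_sig_alg"]:
        findings.append("signature-algorithm-mismatch")      # RFC 5280 requires the two to agree
    if (info["not_after"] - info["not_before"]).days > max_lifetime_days:
        findings.append("lifetime-exceeds-policy")
    if info["not_after"] < today:
        findings.append("expired")
    elif (info["not_after"] - today).days <= warn_days:
        findings.append("expiring-soon")
    info["findings"] = findings
    return info


def make_sample_cert(sig_oid: str, not_before: str, not_after: str, serial: int = 1) -> bytes:
    """Constructed certificate: empty names, placeholder key and signature bits."""
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))
    name = tlv(0x30, b"")
    nb, na = (datetime.strptime(d, "%Y-%m-%d") for d in (not_before, not_after))
    validity = tlv(0x30, der_utctime(nb) + der_utctime(na))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 17))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))


SAMPLES = {
    "legacy-sha1": make_sample_cert("1.2.840.113549.1.1.5", "2013-01-01", "2015-10-15"),
    "short-lived": make_sample_cert("1.2.840.113549.1.1.11", "2015-09-01", "2015-11-30"),
    "expired": make_sample_cert("1.2.840.10045.4.3.2", "2014-09-01", "2015-09-01"),
}


def sample_report(now: str = "2015-10-01") -> dict:
    return {name: check_certificate(der, now)["findings"] for name, der in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(name, findings or "ok")
```

Run against the DER you pull from trust stores and listening endpoints, the three findings map directly onto the refresh actions above: replace anything with a weak signature, re-issue anything whose lifetime exceeds policy, and schedule renewal for anything inside the warning window before it causes an outage.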

Businesses Lose $15 Million per Outage

Visibility to Protect Your Business and Brand

Visibility into your keys and certificates isn’t just crucial for management—as the foundation to online trust, it’s also critical to securing your business and protecting the privacy of your customers and partners. Here are some questions you should be able to answer:

  • Who is making sure that certificates with proper strength are being created?
  • Has anyone stood up a rogue CA on your network?
  • Are all certificates being issued by the CAs you have approved?
  • Are stolen or rogue keys and certificates being used to hijack your brand?

Enterprises need to also realize that using encryption creates security blind spots. Cybercriminals are now using SSL/TLS to hide getting malware into organizations and to hide taking sensitive data out. Gartner estimates that by 2017, 50% of network attacks will use SSL/TLS. Organizations need real-time access to keys and certificates to decrypt SSL/TLS traffic and pass the content to security devices, such as Blue Coat, for further processing, analysis, and policy administration.

When the online trust established by keys and certificates is broken, businesses lose customers. Thank goodness solutions such as Google Certificate Transparency (CT) and Venafi TrustNet™ are out there to help add some visibility to our ever expanding use of digital certificates and keys.

Recently, Thawte CA employees issued unauthorized certificates for Google domains. Fortunately, under CT a CA submits a pre-certificate (the certificate body carrying a poison extension) to the logs before the final certificate is issued. In this case, the Google CT team was able to raise the red flag about these unauthorized certificates and alert the proper channels, allowing immediate corrections to be made. Venafi TrustNet combines information from Google CT with information from the Venafi sensor network to provide information on certificate issuance as well as on how every certificate used on the internet behaves throughout its lifecycle.

Businesses rightly take encryption seriously. This means they care about the CAs they use, how long certificates are valid, and what hashes, algorithms, and protocols are used. We have seen companies with very strong policies on their certificates who have removed employees when a certificate that was unauthorized showed up via our discovery. How do you know whether your policies are being followed if you can’t see? It’s time to shed some light on your certificates. You can’t fix what you can’t see, and you can’t protect a door if you don’t know it exists.

Businesses Are Losing Customers from the Misuse of Keys and Certificates


2015 survey results reveal that unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches.

Key Takeaways

  • Most businesses admit to losing customers because they failed to secure keys and certificates
  • Misuse of keys and certificates continues to increase (e.g. Superfish, GoGo, FREAK, and LogJam)
  • Several unplanned outages have hit major enterprises in 2015 (e.g., Gmail, Azure, Instagram)

Today, the Ponemon Institute and Venafi released new data on how businesses are being directly impacted by unsecured cryptographic keys and digital certificates. This data has been released in a new report, 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers, and reveals how unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches.

Download the report: 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers

In March 2015, the Ponemon Institute and Venafi published research on the risks global business face from attacks using cryptographic keys and digital certificates in the 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. The 2015 research survey used as the basis for this report was completed by 2,394 IT security professionals around the globe: 646 U.S., 499 U.K., 574 German, 339 French, and 336 Australian respondents. Consensus among the global participants was that the system of trust was at the breaking point. Now, unpublished data from the survey is included in this new report that shows businesses around the globe are suffering the damaging impacts of unsecured keys and certificates.

  • When trust online breaks, businesses lose customers: Nearly two-thirds (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
  • Critical business systems are failing: An average of over 2 certificate-related unplanned outages have been reported per organization over the last 2 years, with an average cost of $15 million per outage.
  • Businesses are failing audits: On average, organizations failed at least one SSL/TLS audit and at least one SSH audit within the last 2 years.

Nearly 2/3 of Businesses Admit to Losing Customers

These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected, and use them to circumvent security controls—to hide in encrypted traffic, deploy malware, and steal data.

Here is a quick summary of examples of the misuse of keys and certificates in 2015.

GoGo MITM: In early 2015, it was discovered that inflight internet service provider, GoGo, was issuing fake Google certificates. GoGo indicated that this was simply used to block online video streaming to conserve bandwidth, but breaking this security protocol has undoubtedly tainted the GoGo brand.

Superfish: Lenovo damaged customer confidence when it was caught in early 2015 installing adware on its laptops that conducted man-in-the-middle (MITM) attacks using forged digital certificates to break open SSL/TLS encryption.

FREAK: Factoring Attack on RSA-EXPORT Keys is a vulnerability in SSL/TLS implementations that lets a man-in-the-middle force vulnerable clients and servers to negotiate export-grade (512-bit) RSA keys. An attacker can factor such a key in hours and then decrypt or tamper with the session. Victims of this vulnerability might have the effectiveness of their security put into question.

LogJam: The LogJam vulnerability exploits a flaw in how TLS negotiates Diffie-Hellman (DHE) key exchange and, like FREAK, can be used to downgrade the connection to export-grade (512-bit) DH parameters. Attackers can use it in a MITM attack to read or modify data passed over the TLS connection, which would violate customer privacy.
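The common fix for both FREAK and LogJam is to stop offering export-grade and other legacy suites at all. As an added example (not Venafi code), the following audits a list of cipher-suite names for the weak ones and builds a Python client context that refuses to negotiate them; the "legacy offer" list is constructed to resemble a permissive 2015-era server. LogJam also depends on the size of the server's Diffie-Hellman parameters, which a suite name cannot reveal; that check has to be made on the server configuration itself (2048-bit or larger groups).

```python
"""Cipher-suite hygiene against FREAK/LogJam-style downgrades: audit suite
names for export-grade and otherwise weak suites, and build a client context
that will not negotiate them. Added example; LEGACY_OFFER is constructed."""
import re
import ssl

# Name tokens that mark a suite as export-grade, anonymous, or otherwise broken.
WEAK_TOKENS = {"EXP", "EXP1024", "ADH", "AECDH", "NULL", "RC4", "RC2",
               "DES", "3DES", "MD5", "IDEA", "SEED"}

# Forward-secret AEAD suites only; the negative rules make the intent explicit.
HARDENED_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK")


def weak_suites(names):
    """Return the suites whose OpenSSL/IANA name contains a weak token."""
    return [n for n in names if WEAK_TOKENS & set(re.split(r"[-_]", n.upper()))]


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # export suites only exist below 1.2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_cipher_names():
    """What the hardened context would actually offer on this OpenSSL build."""
    return [c["name"] for c in hardened_client_context().get_ciphers()]


# Constructed: what an "accept everything for compatibility" server might offer.
LEGACY_OFFER = [
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "EXP1024-DHE-DSS-RC4-SHA",
    "DHE-RSA-AES128-SHA",
    "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    print("weak in legacy offer:", weak_suites(LEGACY_OFFER))
    print("weak in hardened context:", weak_suites(hardened_cipher_names()))
```

Run the audit against the cipher list a server actually offers (from its configuration or a scanner's output) rather than against a client's preferences; the downgrade in both attacks succeeds only because the server is still willing to complete an export-grade handshake.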

Outages: Certificate-related outages that cause critical services to go down can also cause customer loss. Here are some newsworthy certificate-related outages in 2015, showing that even well-established businesses can suffer crippling business interruptions due to poorly managed certificates:

  • Google Gmail experienced an outage due to an expired intermediate CA certificate, which prevented millions of users from accessing their email accounts.
  • The Microsoft Azure storage cloud platform experienced a worldwide outage due to an expired SSL certificate.
  • Instagram users, when using the web interface, received either an error message saying the company’s certificate was invalid or, if using Chrome, were denied access to the Instagram site all together due to an expired SSL certificate.

The new Ponemon report also shows that these impacts from unprotected and poorly managed keys and certificates will continue with a security risk per organization of $53 million over the next 2 years and a combined availability and compliance risk of $7.2 million—showing that security risk greatly outweighs availability and compliance risk. Read the report to get an action plan to reduce these risks.

How are you reducing the risk of key and certificate misuse in your organization?

Infographic: New Ponemon Research Reveals Businesses Are Losing Customers Due to Broken Online Trust


A new report, 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers, was released today by the Ponemon Institute and Venafi, and reveals the damaging impacts on global business from unprotected and poorly managed cryptographic keys and digital certificates. In March 2015, a related report (2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point) revealed the risks global business face from attacks using keys and certificates (see the infographic on this first report). Now this new report looks at how the failure to secure and manage keys and certificates is adversely impacting today’s businesses, and quantifies the direct financial impacts.

Global enterprises depend on the trust, privacy, and integrity established by keys and certificates. But when keys and certificates are unsecured, companies lose customers, suffer costly outages, fail audits, and experience breaches. The infographic below captures the extent of these impacts in today’s enterprises over the past 2 years as well as the amount of security, availability, and compliance risk over the next 2 years. The infographic then concludes with the challenges that enterprises face with securing keys and certificates and an action plan to reduce risk.

Infographic: When Trust Online Breaks, Businesses Lose Customers


Why the Security Workforce Needs Qualified Women….AND Men


Over my 30 years in information technology and security, it has always been obvious that there is a huge need for diversity in this field. It is a common topic that comes up often, especially in security circles. Just a few weeks ago, there was a special Black Hat panel session dedicated solely to addressing this topic: "Beyond the Gender Gap: Empowering Women in Security." Also, the certification body (ISC)2 reports that just 10 percent of information security professionals worldwide are women.

While this is an upsetting statistic to many, and I do agree that we need more women in the workforce, I firmly believe that we need to consider an even more pressing issue that I hear time and time again when I’m meeting with CISOs all over the globe: we simply do not have enough skilled security professionals to meet the need right now. (ISC)2’s latest global workforce study, sponsored by Frost & Sullivan, finds that the shortage of security professionals will reach 1.5 million within five years. That’s a startling number, and why I believe that employing qualified, skilled IT security professionals—both women and men—should be the priority.

So, how do we build the next generation of cyber warriors, both men and women?

First, we need to encourage kids to study Science, Technology, Engineering, and Mathematics (STEM) at a young age so that they will be interested in pursuing more technical degrees and certifications later on. Most high schools are offering basic computer classes, and colleges all over the globe have courses in computer science and cyber security. And even if you don’t go to college, there are great certifications and workshops you can take to obtain and learn the skills yourself. Trust me, I’ve hired a lot of security professionals over the years and the main thing I always look for is actual, real-world, hands-on experience.

We also can help lead the way by setting a good example and showing kids and teens that they can have successful and rewarding careers in IT security. In my own career, I started at the IT helpdesk and was able to work my way up the ladder into holding several leadership positions at major corporations and now Venafi. Also, security pays well! IT security professionals, on average, make $90,000 or more a year! And there’s a lot of job security in security—companies are always hiring and looking to fill jobs quickly.

As you can imagine, I have managed many security teams during the course of my career so I’m very passionate about sharing my own insights into how to grow and build successful careers and teams in IT security. In fact, I’m actually presenting on October 12 at 3pm CT at the ISSA International conference on “Diversified IT: Why the Security Workforce Needs Qualified Women...and Men.” If you’re there, definitely stop by my session!

2015 ISSA International Conference Session

While these are just a few of my thoughts, there are probably many more things that we can be doing to build up the security workforce to meet the demand. I just hope that over time, we do start to see the tables turn with a more diversified and skilled workforce. This is definitely a fight we can’t win alone!

Cheers!

Securing Online Gaming with the Immune System for the Internet


The Cyber Spotlight: Securing Online Gaming 2015 event is happening on October 6th in London, UK. It is a one day event focusing on threats and solutions pertaining specifically to online gaming. Venafi is a strategic partner participating in the event.

If you are attending, check out the session by Craig McLean, an Operations Transformation Consultant who will be speaking on behalf of Venafi in the session, Certificates Are Easy. Why Managing PKI in an Agile Way Isn’t as Hard as You Might Think at 11:50 AM.

Also, take a look at the article below, printed in the event publication, on how to protect keys and certificates to prevent their misuse in cyber attacks. For more information on how to protect yourself from attacks that misuse keys and certificates, download this Gartner report.



The Security Gap that Lets Cybercriminals Breach Enterprises 

Lessons we can learn from the human immune system.

Most organisations don’t realise the role that cryptographic keys and digital certificates play in today’s cyber attacks. Keys and certificates are the foundation of security. They establish the trust on which businesses depend – securing data, keeping communications safe and private, and establishing trust between communicating parties. However, when these keys and certificates get breached, enterprises and individuals are left vulnerable to attack and compromise.

How our reliance on keys and certificates is used against us

We have increased our reliance on keys and certificates that protect communications and authorise and authenticate webservers, software, mobile devices, apps, admins and even airplanes. Virtually everything that is IP-enabled today relies on keys and certificates, from online banking and shopping to government sites. And this reliance will only increase as we expand our use of interconnected networks and physical devices and systems, also known as the Internet of Things. The Internet of Things depends on Secure Sockets Layer (SSL)/Transport Layer Security (TLS) keys and certificates to authenticate devices and systems.

Graphic detailing the components of serving online games, image via Cyberspot

Other security controls, such as access control, next generation firewalls (NGFW), intrusion detection systems (IDS), intrusion prevention systems (IPS), data loss prevention (DLP), and more, are designed to blindly trust keys and certificates. But what happens when cybercriminals forge or steal unprotected keys and certificates?

Attacks weaponise these compromised or stolen keys and certificates, allowing cybercriminals to bypass security controls: to impersonate websites, code or administrators; to surveil and monitor their targets' websites, infrastructure, clouds, mobile devices and system administrators; and to decrypt communications thought to be private. Today's cybercriminals use keys and certificates to gain trusted status for unrestricted access to their victim's network and remain undetected for extended periods of time, hiding in encrypted traffic, deploying malware and siphoning off confidential data to use for criminal ends.

What is the risk of suffering an attack using keys and certificates?

The 2015 ‘Cost of Failed Trust’ survey by the Ponemon Institute found that the average enterprise has over 23,000 keys and certificates, yet 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them or how they are used.1 Enterprises need to understand the role keys and certificates play in today’s attacks and how to protect them to close this gap in their security.

Attacks on keys and certificates are not new. Stuxnet, discovered in 2010, is the first known kinetic attack that leveraged misused keys and certificates; its drivers were signed with stolen code-signing certificates. However, attacks on keys and certificates are becoming increasingly common, leaving victims open to devastating security breaches. From Heartbleed, ShellShock, POODLE, the Gogo and OnStar man-in-the-middle attacks, Lenovo's Superfish vulnerability, the MASK attack and FREAK, cybercriminals are exploiting the weaknesses in unprotected keys and certificates to carry out malicious acts.

What is the risk? In the Ponemon survey, 100% of the respondents had suffered attacks using keys and certificates within the past 24 months. [1] In addition, according to market research company Gartner, 50% of all inbound and network attacks will use SSL/TLS by 2017. [2] If you haven’t already been attacked using keys and certificates, you soon will be.

What are enterprises doing to protect themselves?

With keys and certificates a prime target, organisations need to prioritise protecting them. Most organisations use manual or home-grown systems to manage keys and certificates, and these do not provide sufficient visibility and security to ensure that keys and certificates remain secure.

In light of attacks such as the one on Sony Pictures Entertainment last year, Venafi conducted a survey amongst IT security professionals to establish what they are doing to prevent breaches and establish greater trust online. [3] Disturbingly, the data revealed that most IT professionals acknowledge they don’t know how to detect or remediate compromised cryptographic keys and digital certificates.

The survey results highlighted that 42% of respondents can’t, or don’t know how to, detect compromised keys and certificates, and the other 56% of respondents said they are using a combination of NGFW, anti-virus, IDS, IPS and sandboxes to find these types of attacks. However, attacks using forged or stolen keys and certificates bypass these security controls, which are designed to blindly trust keys and certificates. SSL/TLS decryption systems that can detect attacks hidden in encrypted traffic often do not have sufficient access to keys to provide meaningful protection.

Painfully, almost two-thirds (64%) of security professionals admitted that they are not able to respond quickly (within 24 hours) to attacks using keys and certificates, and most said it would take three or more days, or up to a week, to detect, diagnose and replace keys and certificates that have been breached.

Following a breach, more than three-quarters (78%) of those surveyed said they would only complete partial remediation, not replacing compromised keys and certificates, which would leave them open to further attacks. The vast majority of organisations are still vulnerable to Heartbleed, for example, more than a year since it was discovered. [4] When asked what their organisational strategy is to protect the online trust provided by keys and certificates, only 43% of respondents said that they use a key management system.

The immune system for the internet

If most security controls are designed to blindly trust keys and certificates, how can we detect misuse of keys and certificates by cybercriminals? What if we had an immune system for the internet that, like the human immune system, would let us detect what is self and trusted, and what is not and therefore dangerous on our networks?

Just like the human body’s HLA tags, keys and certificates serve as an identification system for the internet. However, unlike humans, there has been no immune system for the internet to search out which keys and certificates to trust and which to destroy. Not being able to identify what is trusted or how to recognise and remediate untrusted keys and certificates following an attack, leaves organisations wide open to breach and compromise.

Enterprises not only need to manage keys and certificates, and know where they are and who is responsible for them, but they also need to protect them and the trust they establish. This requires an immune system for the cyber realm that can provide constant surveillance, take immediate action when anomalies are detected, and fully automate remediation to replace old or bad keys and certificates with new ones. Also, as we move increasingly to the cloud and DevOps environments, organisations need a system in place that can scale up and tear down quickly, dynamically keeping everything safe and trusted.

One solution that can serve as an immune system for the internet and fill this security gap is certificate reputation that enables immediate blacklisting of untrusted certificates and flags them for future remediation. With global certificate reputation, companies can get an internal and internet-wide view in real-time of what’s good or bad, friend or foe, when it comes to certificates, allowing IT professionals to respond in a timely manner to the misuse of keys and certificates and protect their business and brand.

Enterprises need to be able to secure keys and certificates, because, if they don’t, online trust will be broken with dire ramifications especially to the economy that relies so heavily on the trust established by keys and certificates for commerce and mission-critical business activities. And with the Internet of Things, billions of connected devices are coming online that drive, fly, keep us safe, and keep us alive. The world will be much more dangerous and vulnerable unless we find a way to maintain the trust established by keys and certificates.

  1. Ponemon Institute. 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. 2015.
  2. D’Hoinne, Jeremy and Hills, Adam. Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 9, 2013. Gartner RAS Core Research Note: G00258176.
  3. Venafi survey of nearly 850 IT security professionals during the RSA Conference USA 2015.
  4. Venafi Labs Analysis. Hearts Continue to Bleed: Heartbleed One Year Later. 2015.

Here’s How to Secure the Internet’s Shaky Foundation

The foundation of the internet, DNS and PKI-SSL, is now threatened by attacks using SSL/TLS keys and certificates. We need an Immune System for the Internet to identify and neutralize key and certificate misuse.

Key Takeaways

  • The foundation of the Internet is based on two pillars: DNS and PKI-SSL
  • Cybercriminals misuse PKI-SSL to create trusted identities and to hide in encrypted channels
  • We need a third pillar: the Immune System for the Internet™ to identify and neutralize misused certificates

Download free Gartner Research: Strategies for Responding to New SSL Cybersecurity Threats


Photo by Paulo Raquec. Unedited. Flickr.

When we humans created the cyber realm known as the Internet, we based its foundation on two fundamental technology pillars: DNS (Domain Name System) and PKI-SSL (Public Key Infrastructure-Secure Sockets Layer). DNS was the Internet's first technology pillar: It functioned like an address book and postal-delivery service, providing routing tables that got electrons (that is, electronic information) from Point A through 10 or 12 hops to Point B.

For a little while, DNS's miraculous ability to move information from computer to computer was enough.

Then people realized they couldn't necessarily trust the information they received via the Internet because there was no way to truly identify the sender. Peter Steiner's 1993 New Yorker cartoon delightfully illustrated this problem. In it, a computer-savvy canine tells his cartoon pal: "On the Internet, nobody knows you're a dog."

The Internet is a Good Place to Hide

In 1995, Netscape's chief scientist, Taher Elgamal, spearheaded the effort to address the Internet's identity problem through the second technology pillar (SSL), and soon X.509 certificates were providing trustworthy communications to individuals and organizations everywhere. So foundational is this technology today that the New Yorker recently published a sequel to Steiner's famous cartoon—a 2015 cartoon by Kaamran Hafeez, wherein both dogs are computer savvy and the first says to the other: "Remember when, on the Internet, nobody knew who you were?"

For a little while, PKI-SSL's ability to establish trusted identities and to encrypt data was enough.

But in the last five years, many cybercriminals have successfully attacked businesses and governments that rely on the second technology pillar to provide trusted identities. And they've done it by using the pillar itself, in the form of forged or stolen certificates and keys. You see: certificates and keys are powerful. They authenticate people, in this case the cybercriminals who stole or forged them, and they open the vaults to rich stores of information. They also encrypt data. So authenticated cybercriminals can use them to bring malware in, encrypted so no one can see it, and to send valuable data out, again encrypted. And the problem is only compounded given that many Global 5000 organizations blindly trust the keys and certificates deployed on their networks.

The Solution has to Intelligently Adapt to Change

To fix this problem, we need a third technology pillar: We need a cyber equivalent of the human immune system. Just as the human immune system travels throughout the body using HLA (human leukocyte antigen) markers to identify what is self and what is other, the Internet needs a technology that travels throughout cyber systems and identifies certificates that are forged or stolen—and then automatically neutralizes them, just as the human immune system automatically surrounds and destroys entities that are not self.

In other words, what the Internet needs if it is to have a whole and healthy foundation is the Immune System for the Internet™. Without it, the Internet's foundation will surely crumble. This is our mission: to provide global organizations with an intelligent, adaptive security solution that works like an immune system to secure the foundational trust that keys and certificates provide.

Check out this video on the Immune System for the Internet.

Infographic: New SANS 20 Requirements for SSL/TLS Security and Management

The SANS Institute, realizing the critical nature of security risks to SSL/TLS, has added several requirements related to SSL/TLS management to Critical Security Control 17: Data Protection. From recent vulnerabilities like Heartbleed, Shellshock, POODLE, and FREAK to the Sony and CHS breaches and other APT attacks, like APT 1 and APT 18, enterprises can no longer blindly trust SSL/TLS certificates.

This growing lack of blind trust in SSL/TLS certificates stems largely from corporate security teams’ failure to secure and manage their vast certificate and key populations properly. By following the new SANS 20 requirements for SSL/TLS certificate management, enterprises can regain trust in SSL/TLS and rely on it once again for secure communications, authentication, and authorization for applications, appliances, devices, and cloud services.

For more details on how to best comply with these new SANS SSL/TLS certificate management requirements, get the SANS whitepaper, New Critical Security Controls Guidelines for SSL/TLS Management.

The Internet of Things: It’s All About Trust

The original article was published at Dark Reading on October 16, 2015.


As billions of devices come online, it will be critical to protect the keys and certificates we use for authentication, validation, and privileged access control.

As technology becomes more interconnected with the Internet of Things, we should expect to see more insidious hacks like those demonstrated at Black Hat USA this past summer that will -- at some point in the near future -- strike close to home. It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.

What is the core of the problem?

There are two technologies that are foundational to enabling our world economy today: DNS, and keys and certificates. According to Gartner, there are an estimated 4.9 billion IoT devices connected to the Internet, a number that is estimated to grow to 25 billion devices by 2020. As was so clearly displayed in the GM RemoteLink app hack at Black Hat, at the core of IoT are keys and certificates; SSL/TLS validation, or the lack of validation, was exploited as part of the hack.

As billions of devices come online, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control.
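As an added example (not Venafi's code and not from the Dark Reading article), the following Go check shows what the client-side certificate validation referred to above looks like when it is actually done, and adds the immediate-blacklisting step that the certificate reputation discussion in the earlier post describes: the server's certificate must chain to an explicit root pool for the expected name, and a certificate the organisation has already flagged as compromised is refused even though it is otherwise valid. The root, the device name device.example.test, and the blocklist are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// verifyPeer is the opposite of blind trust (tls.Config{InsecureSkipVerify: true}): the
// server's leaf certificate must chain to an explicit root pool for the expected name, and a
// certificate the organisation has already flagged as compromised is refused even though it
// is otherwise valid. blocked is keyed by the hex SHA-256 fingerprint of the DER certificate.
func verifyPeer(leafDER []byte, roots *x509.CertPool, blocked map[string]bool, serverName string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName}); err != nil {
		return err // untrusted issuer, expired, or name mismatch
	}
	if sum := sha256.Sum256(leafDER); blocked[hex.EncodeToString(sum[:])] {
		return errors.New("certificate is on the compromised-certificate blocklist")
	}
	return nil
}

// newCert builds a constructed test certificate (ECDSA P-256, one hour validity): a self-signed
// CA when parent is nil, otherwise a server certificate for cn issued by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return der, cert, key
}
```

A certificate that is valid but stolen passes the chain check, which is why the fingerprint blocklist (or a real reputation feed) is a separate step rather than something chain validation provides on its own.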

Read the rest of the article on Dark Reading.

See how the Venafi Trust Protection Platform can help secure and manage certificates to help protect the Internet of Things.
