Channel: Venafi Blog

It’s Time to See Mobility in a New Light

While more and more employees are using their own phones, tablets, and other mobile devices for work, these practices often keep enterprises in the dark about mobile device access to enterprise data and systems. Digital certificates can shed light on enterprise access issues but only when certificates are properly managed and secured.

One good thing about cell phones is this: You're not as likely to run into people in the dark as you were before cell phones became ubiquitous. Nearly every face you see at night is bathed in the soft blue light of a cell phone. But illuminating people's faces isn't the only good thing about the phones' ubiquity. Mobile devices have done enterprises a few good turns.

Most enterprises welcome mobile devices because they allow people to work anytime, anywhere, and enterprises benefit from this increased productivity. You could even say that mobile devices have become indispensable to enterprises.

But there's a problem lurking here: Employees use mobile devices to access enterprise systems and often store enterprise data on them. I personally have a cell phone, an iPad, and a laptop, all of which have access to our corporate email system (and other corporate systems). This abundance of connected mobile devices is not unusual.

A stack of many mobile devices

Access to enterprise networks usually involves certificates, of course, but how do the enterprises know for sure who owns the certificates? What happens if employees lose the devices or the devices get stolen? Enterprises need to be able to revoke access privileges as soon as a mobile device goes missing.

Clearly, enterprises must have some way of knowing which certificates, on which devices, belong to which employees. They must also have a means by which they can identify and remove compromised certificates, even on devices that do not belong to them. And they must have the ability to control—that is, issue or revoke—certificates at a moment's notice. For example, if I were to call our helpdesk and report that someone stole my backpack one dark night, our helpdesk would have a mechanism for immediately revoking the certificates on each of my stolen devices, thereby preventing access to corporate systems. In other words, it would have a kill switch for the certificates that are located on these devices.

Unfortunately, most enterprises do not have such capabilities. Lacking them, they are as blind and as vulnerable to hidden cyberattacks as were people strolling down dark alleys in the days before cell phones.

What is your enterprise’s BYOD policy? If employee-owned devices are allowed, how does your business shed light on and control enterprise data and system access on these devices?


There is Security Kryptonite on Your Sticky Note

I've had the pleasure of working with a lot of security professionals in my time with security software, and there is a recurring trend: People have an inherent craving for simplicity and often give in to this craving in ways that are not in their best interests. I feel protective of our customers and want to help them avoid the security mistakes I see others make in their misguided efforts to simplify.

To put it bluntly, people, you shouldn't assume that just because you are dealing with security professionals from vendor companies that your passwords, private keys, and other sensitive information are safe with them. You shouldn't even assume this with your own company's security professionals. If you want to destroy any security solution, add people.

You have no idea how many passwords and plain-text encryption keys I've seen come across screens—or in the case of passwords, seen written on sticky notes and pasted in obvious locations. For example, a colleague and I were working onsite to help a customer resolve an issue. During this visit, a member of the customer's security team was having difficulty remembering a password he needed for access to something.

back of keyboard

"Check the back of your keyboard," my colleague and I joked. But when he turned over his keyboard, there it was: the 1Password password that gave access to all of their “secured” passwords. When I see such things, I fear for our customers.

Admittedly, there's a tradeoff. In the fight between security and simplicity, the first thing to be compromised is often security. Most people understand passwords, and we still don’t take good care of them. Now imagine a certificate and/or a key. Many people really don’t understand those, and so we find them spread around on file servers with no password or silly passwords. Can you say “easy brute force target”?

Please properly vet your vendors and security team members: Do all you can to make sure their reputations are spotless and that they are security minded. 1Password has attempted to help corral the mess that we make with passwords and passphrases by making a central location with some level of control. Venafi is helping add security by doing the same for keys and certificates, including policies to enforce company regulations and automation for a complex process that most of our administrators don’t fully understand.

As we just finished Halloween and National Cybersecurity Awareness Month, there are lots of current horror stories around IT security, like the Internet of Pumpkins, the Little Book of Hacking Tales, and many more—all highlighting how human error can cause security issues.

But what are the solutions? How can we take people—always the weakest link in the security chain—out of the picture, or at least limit their impact? Automated key and certificate management and security can be part of the answer.

Venafi can help—providing key and certificate management and security for SSL/TLS keys and certificates, SSH keys, and mobile and user certificates. With Venafi, the Immune System for the Internet™, you can have your simplicity and your security, obviating the need for password-protected private key files by automatically discovering certificates and keys, placing them securely under its protection and control, and managing them throughout their lifecycles. Managing your cryptographic assets can't be simpler—automating the process and taking out the risk of human error.

Venafi even reaches beyond your organization's network to the Internet, where it provides an authoritative key and certificate reputation service. But even with our solutions, you'll still need to take more care in other areas of your company's security.

We know Superman is virtually unbeatable, just like so many security software solutions claim to be, but he has kryptonite as his weakness. Don’t let your craving for simplicity be your security kryptonite. Make sure you always have security-minded people as part of your team.

What is the worst IT security horror story you’ve heard? Any other suggestions on how to avoid security kryptonite? 

The New NIST Paper on SSH Needs to Be at the Top of Your Reading List

Virtually every enterprise uses Secure Shell (SSH) as the administrative protocol for secure, remote access to nearly all mission-critical systems. If it’s not Windows or a mainframe, then SSH is used to manage it—including Unix, Linux, routers, firewalls, network and security appliances, and more. SSH enables remote access by administrators as well as automated communications between systems.

All SSH access depends on the proper management and security of SSH keys. I cannot say this strongly enough: If your organization does not have an active SSH key management and security project, it is at risk.

SSH is quintessentially about access control. It secures machine-to-machine access in automated systems and user-to-machine access in interactive systems. In both cases, the level of access in which this technology specializes is privileged. For example, automated access enables organizations to spin up and provision virtual machines in cloud services. And interactive access allows IT administrators to remotely configure and manage network devices such as servers, routers, and firewalls.

More: Download the Venafi solution brief, Stop Unauthorized Privileged Access

With SSH being responsible for securely handling communications for your organization’s most critical and valuable digital assets, it’s little wonder that cybercriminals are motivated to steal, break, or otherwise compromise the cryptographic keys upon which SSH relies. The greater the value of your assets, the greater criminals' motivation—and the greater the impact on your organization if they succeed.

What should you do if you don’t have an active SSH key project in your organization? The National Institute of Standards and Technology (NIST) recently issued a new publication, Security of Interactive and Automated Access Management using Secure Shell (SSH), which addresses several critical aspects of SSH, including its underlying technologies, inherent vulnerabilities, and best practices for managing SSH keys throughout their lifecycle. This was an interagency effort and the Venafi CTO of Server Products, Paul Turner, was a coauthor of the paper.

The publication enumerates several vulnerabilities, including, but certainly not limited to, the following:

  • Vulnerable SSH implementations, such as implementations that allow weak encryption keys or that use SSH version 1, which is no longer secure
  • Improperly configured access controls, which can inadvertently allow unauthorized access to the root accounts that underpin your entire system
  • Stolen, leaked, derived, and unterminated keys, which have obvious ramifications and can occur for a wide variety of reasons—including the practice of duplicating keys from device to device so employees can work from home or on the road, thus expanding cybercriminals' opportunities for theft
  • Pivoting, which can occur when cybercriminals successfully compromise a key and then use the tainted key to introduce malware that travels throughout your entire system using SSH as its vehicle

Pivoting Enabled by Chained SSH Trust Relationships

I could name other vulnerabilities, many of which you can find in the publication. But by now, you are probably wondering what you can do to prevent criminals from exploiting vulnerabilities in your own SSH implementation.

This is precisely where having the aforementioned active SSH management project comes in. But implementing this type of project can meet resistance. To quote Paul Turner on this subject, “Despite the significant risk that unsecured SSH keys present, many organizations have not implemented an SSH key management and security program because of lack of SSH knowledge at the executive level and internal resistance. IT administrators are accustomed to managing their own SSH keys and individual departments believe other operational tasks take priority. Unfortunately, because many executives don’t understand the significant risk SSH poses if not properly managed, we’ve seen that many enterprises wait until they’ve experienced an SSH compromise before taking action.” To be effective, an SSH key management project needs to be conducted companywide with support from upper management.

The NIST publication outlines SSH management practices your organization should have implemented. For example, it should be maintaining a complete inventory of your organization's SSH keys, one that includes information such as the systems where they’re deployed, key lengths, encryption algorithms, and issue dates.

Your organization should also be using a policy-based system that manages each key's lifecycle, from access request to access termination. And it should be actively monitoring your lifecycle management system.

As for the type of SSH management approach you should use, NIST recommends automation as the only practical choice, especially considering the sheer scale of SSH deployments in most organizations, where many organizations can literally have hundreds of thousands of key instances. Implementing a manual system that keeps an accurate, up-to-date inventory, manages each key throughout its lifecycle, and provides continuous monitoring would take many man-years of effort every month. And it would introduce human error into the process—which is, ironically, one of the vulnerabilities the publication mentions by name.
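The inventory fields above (system, key type, key length) and two of the listed vulnerabilities (weak keys and authorized keys that grant root access) can be automated directly from the authorized_keys files themselves. The following is an added example, not code from the NIST paper or from Venafi: it parses authorized_keys entries in the RFC 4251 wire format, records type, size and SHA256 fingerprint for each key, and flags policy findings. The hostnames, usernames, key material and the 2048-bit RSA minimum are constructed assumptions for the demonstration.

```python
"""Inventory and policy check for SSH authorized_keys entries (added example)."""
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold for the RSA modulus size
KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 mpint (leading 0x00 if top bit set)."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset `off`; return (value, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def key_strength_bits(blob: bytes):
    """Return (key type named inside the blob, security-relevant size in bits)."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)        # public exponent, not needed here
        n, _ = read_string(blob, off)           # modulus: its length is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = read_string(blob, off)           # prime p sets the DSA group size
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        curve, _ = read_string(blob, off)       # e.g. b"nistp256"
        return ktype, int(curve.decode("ascii")[5:])
    if ktype == "ssh-ed25519":
        return ktype, 256
    raise ValueError(f"unsupported key type {ktype}")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def split_options(line: str):
    """Separate a leading options field (may hold quoted strings with spaces)."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    raise ValueError("options without key material")


def inventory_entry(host: str, user: str, line: str):
    """Parse one authorized_keys line into an inventory record plus findings."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    declared, comment = parts[0], (parts[2] if len(parts) > 2 else "")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, bits = key_strength_bits(blob)
    findings = []
    if ktype != declared:
        findings.append("declared type does not match key blob")
    if ktype == "ssh-dss":
        findings.append("DSA key: 1024-bit only and refused by default since OpenSSH 7.0")
    if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus {bits} bits is below policy minimum {MIN_RSA_BITS}")
    if user == "root":
        findings.append("key grants direct root login")
    opt_names = {o.split("=", 1)[0] for o in options.split(",") if o}
    if not opt_names & {"from", "command"}:
        findings.append("no from=/command= restriction: usable from any source host")
    return {"host": host, "user": user, "type": ktype, "bits": bits,
            "fingerprint": fingerprint(blob), "comment": comment, "findings": findings}


def rsa_blob(bits: int) -> bytes:
    """Constructed ssh-rsa blob with a synthetic modulus of exactly `bits` bits
    (not a real key pair; only the wire format matters to the inventory)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed sample authorized_keys files, keyed by (host, account).
SAMPLE_FILES = {
    ("web01", "root"): "ssh-rsa " + b64(rsa_blob(1024)) + " legacy-backup\n",
    ("web01", "deploy"): 'from="10.0.0.5",command="/usr/bin/rsync --server" ssh-rsa '
                         + b64(rsa_blob(4096)) + " ci-push\n",
    ("db01", "dba"): "# comment line\nssh-ed25519 "
                     + b64(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))) + " alice\n",
    ("db01", "oracle"): "ssh-dss " + b64(ssh_string(b"ssh-dss") + ssh_mpint((1 << 1023) | 1)
                        + ssh_mpint((1 << 159) | 1) + ssh_mpint(2) + ssh_mpint(3)) + "\n",
}


def run_inventory(files: dict) -> list:
    """Build the inventory: one record per key across all collected files."""
    records = []
    for (host, user), text in files.items():
        for line in text.splitlines():
            rec = inventory_entry(host, user, line)
            if rec:
                records.append(rec)
    return records


if __name__ == "__main__":
    for r in run_inventory(SAMPLE_FILES):
        print(f"{r['host']}:{r['user']} {r['type']} {r['bits']} {r['fingerprint']}")
        for f in r["findings"]:
            print("   -", f)
```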

I strongly suggest that you read Security of Interactive and Automated Access Management using Secure Shell (SSH) for yourself, and if you have any questions or comments about the paper or its content, I'd love to hear them.

LIVE SANS Webinar—Securing SSH Itself with the Critical Security Controls

SANS Institute and Venafi are cohosting a live webinar this Wednesday on the Secure Shell (SSH) network protocol, its vulnerabilities, and how organizations can address these vulnerabilities using SANS Critical Security Controls (CSCs).

When I read news stories about SSH-based attacks, I always wonder if organizations are paying attention. Are they taking the news stories as cautionary tales? Or are they taking the stories as isolated incidents that don't affect them? Or are they ignoring the stories altogether?

If your organization is in either of the latter two camps, I have news for you. While SSH is a sound technology, it has its vulnerabilities—all technologies do. And because it is providing privileged access to your organization's highest-value digital assets, you should know what these vulnerabilities are and how to address them. If you don't, how can you be sure you're adequately protecting your SSH implementation from the bad guys who seek out and prey upon SSH vulnerabilities?

In other words, how can you tell if you're properly securing the technology that secures your digital wealth?

Experts agree that SSH must be secured. Read this recent blog on the new NIST paper on SSH titled, Security of Interactive and Automated Access Management using Secure Shell (SSH), which emphasizes that SSH provides access to nearly all mission-critical systems and organizations should have an active SSH key management and security initiative to ensure their SSH keys remain protected.

This Wednesday, I’m cohosting a webinar with SANS SSH expert, Barb Filkins, to give organizations precisely the information they need to implement this type of initiative. In the webinar, Securing SSH Itself with the Critical Security Controls, we’ll share how the bad guys exploit SSH vulnerabilities to give themselves privileged access to organizations' most confidential and critical data, and then follow up with ways organizations can stop the bad guys cold.

SANS Webinar on Securing SSH

A few SSH vulnerabilities lie in the technology itself, but the webinar will show that most lie with a wide variety of implementation and configuration mistakes. For example, harried key administrators can inadvertently deploy authorized keys to root user accounts rather than to regular user accounts. Then when SSH keys are compromised, this opens the door to attacks where bad guys gain privileged access to everything from organizations' firewalls to their most coveted (and perhaps heavily regulated) data—costing organizations millions.

The webinar will also explain how to remediate these SSH vulnerabilities so SSH can be a strong tool for enabling and controlling access. When configured correctly, SSH keys are harder to crack, steal, or guess than are passwords.

In the webinar, you'll see how the SANS CSCs map to the National Institute of Standards and Technology (NIST) best practices for properly implementing SSH, a good complement to the new NIST paper on SSH. For example, CSC subcontrols and NIST's best practices both recommend that organizations automate key-provisioning processes, keep a complete inventory of enabled SSH identity keys, and rotate these keys regularly.

You'll also learn how, with Venafi, you can effectively implement these SANS and NIST recommendations—easily creating a complete key inventory, managing SSH keys throughout their lifecycles, and automating SSH key issuance and revocation. Venafi, as the Immune System for the Internet™, also seeks, destroys, and replaces keys that are compromised, much as the human immune system seeks and destroys cells that threaten the body.

Most enterprises do not have companywide SSH policies and management practices—instead turning to administrators to manage their own keys. This ad hoc approach to SSH key management and security doesn’t keep organizations safe. It’s time to learn how to implement effective SSH key protection that secures your critical systems and data. And, besides, you'll enjoy the webinar much more than reading a story about your organization's SSH-based data breach in the morning news.  

I hope you join me at the SSH webinar this Wednesday!

2015 Retrospective Part 1: 6 Out of 8 Venafi 2015 Cybersecurity Predictions Were Accurate

It’s that time of the year again: security “predictions” season. But before sharing our 2016 predictions (coming soon), we first want to look back at how we did with our 2015 predictions.

What’s our score? A total of 6 out of 8 of our 2015 cybersecurity predictions were accurate, and of the other two, one is unknown and the other we believe will still come to pass. Take a look at the results and see how these new cybersecurity realities impact businesses today.

  1. 2015 Prediction: SSL will be used and abused a lot more. CORRECT

    What Happened in 2015? 
    SSL/TLS use did increase, including the U.S. government requiring HTTPS for all public-facing government web services and many companies striving for encryption everywhere for better data privacy and protection. But this increase also spurred on cybercriminals’ use of SSL/TLS keys and certificates—to hide their nefarious activities and bypass security controls. Intel Security noted a 12% increase in SSL-based network attacks. Netcraft also found that certificate issuers Comodo, Cloudflare, GoDaddy and Symantec had issued domain-validated certificates to phishers targeting banks, PayPal, and other sites.

    What This Means for Businesses Today
    Cybercriminals target unprotected keys and certificates, but with key and certificate security in place, businesses can increase the use of keys and certificates for data privacy and protection without increasing the risk of attack and compromise.
     
  2. 2015 Prediction: Certificate expirations and resulting outages will be recognized as major security issues. NOT YET

    What Happened in 2015?
    While major certificate outages did occur in 2015 with Google Gmail, Microsoft Azure, Instagram, and others, they weren't fully recognized as security concerns. Globally, an average of over 2 business systems per organization stopped working over the last 2 years due to certificate-related outages and the average impact was $15 million per outage. Although this lack of visibility and management is obviously a sign of bigger security issues, businesses are still viewing this as an operations issue.

    What This Means for Businesses Today
    It’s time to stop costly certificate-related outages, but it is also time to acknowledge that outages are a symptom of bigger security issues. If you’re experiencing certificate-related outages, you don’t have visibility or proper management of your certificates. Odds are you’re not seeing out-of-policy, misconfigured, or even malicious certificates in your IT environment. 
     
  3. 2015 Prediction: Our security controls will be useless against half of the network attacks. CORRECT

    What Happened in 2015?
    Previously, Gartner predicted that 50% of all inbound and outbound network attacks would use SSL/TLS by 2017. We’re already there. According to Ponemon Institute, all (100%) of the organizations it researched responded to attacks that misuse keys and certificates in the last two years. And the impact of these attacks is increasing—the risk of attack is currently estimated at $53 million over the next 2 years (up 51% from the 2013 study).

    What This Means for Businesses Today
    Most organizations don’t realize that when keys and certificates aren’t secure, cybercriminals can use them to bypass their other defenses. Bad guys understand that most security systems, like threat protection, NGFW, IDS/IPS, and DLP, either trust SSL/TLS or lack the keys to decrypt traffic. However, by protecting keys and certificates and using them to maximize SSL/TLS traffic inspection, your business will increase the effectiveness and value of your other security investments.
     
  4. 2015 Prediction: Incident response teams will leave the door open for bad guys, resulting in more attacks. UNKNOWN

    What Happened in 2015?
    We predicted that incident response (IR) and forensics analysis teams would forget to revoke and replace keys and certificates after network breaches, allowing breaches to recur. We have no explicit examples of this occurring in 2015—but this doesn’t mean it didn’t happen. Without revoking and replacing stolen keys and certificates, bad guys can continue to gain access to networks and hide their malicious activities. 

    What This Means for Businesses Today
    Lazy remediation, as Gartner describes it (failing to replace compromised private keys or to revoke old certificates), is an indication that organizations do not understand that when private keys are exposed, everything is exposed. Organizations should establish automated certificate issuance, replacement, and revocation practices as part of incident response plans BEFORE a compromise to enable fast, complete remediation when needed.
     
  5. 2015 Prediction: Hearts will continue to bleed. CORRECT

    What Happened in 2015?
    In April 2015, a year after Heartbleed’s public disclosure, Venafi reported that 85% of Global 2000 public-facing servers still remained vulnerable. Even though this figure represents a 16% improvement over the number of vulnerable servers in 2014, it indicates very poor remediation performance.

    What This Means for Businesses Today
    Most IT teams didn’t bother to do proper Heartbleed clean up by changing the vulnerable keys and cybercriminals are still exploiting this lack of Heartbleed remediation. Are you still exposed? Learn the steps needed to fully remediate Heartbleed and ensure your business remains secure.
     
  6. 2015 Prediction: Kinetic attacks will take advantage of misused certificates and keys. CORRECT

    What Happened in 2015?
    The Internet of Things (IoT) is exploding—according to Gartner, there are an estimated 4.9 billion IoT devices connected to the Internet today. In the IoT, keys and certificates are used for authentication, validation, and privileged access control. When these keys and certificates are exploited, they can be used in kinetic attacks—those that can actually cause physical harm to people. In just one example, weaknesses in certificate usage in several car applications enabled hackers to gain remote control of vehicles.

    What This Means for Businesses Today
    As mentioned in my DarkReading article, “It’s one thing when your company gets hacked and quite another when your pacemaker, commercial airline, or traffic light control and coordination system gets pwned because of security vulnerabilities in IoT devices.” Businesses need to design IoT apps that make secure use of certificates to protect their customers.
     
  7. 2015 Prediction: Compliance and security frameworks will continue to add guidance on how to protect keys and certificates. CORRECT

    What Happened in 2015? 
    What This Means for Businesses Today
    In the last 2 years, every enterprise surveyed failed at least one SSL/TLS audit and one SSH audit. With this additional guidance in compliance and security frameworks, auditors will have a structure to better evaluate the proper management and security of SSL/TLS keys and certificates, and SSH keys. If organizations don’t start adopting these guidelines in their ongoing business practices, they will fail more audits and endanger their business.
     
  8. 2015 Prediction: The Underground Digital Certificate Marketplace is now open for bad guys. CORRECT

    What Happened in 2015? 
    Underground key and certificate marketization continues to be the trend and prices in this black market continue to rise—at this writing, prices had risen to $1000 per certificate. In addition, IBM Security’s X-Force research team has found that large numbers of code-signing certificates are also now hot commodities in the black market.

    What This Means for Businesses Today
    Businesses need to assume their keys and certificates are being targeted by cybercriminals either to use to compromise their networks and data, or for resale. Organizations must make key and certificate security a priority. 

So here you have it: 6 out of 8 isn’t bad. Although this confirms we understand the market trends around online trust, it also means that businesses are struggling with key and certificate management and security. Find out how Venafi can help.

Top 6 Venafi 2016 Cybersecurity Predictions: More Encryption Equates to More Attacks on Trust

What are the Venafi cybersecurity predictions for 2016? First we must take a quick look at where 2015 has brought us—there were increases in both the use of encryption and in attacks on cryptographic keys and digital certificates. In 2016, we expect both of these trends to continue. What does this mean for businesses? To maintain online trust and customer confidence, keys and certificates must be safeguarded so they can be relied upon as the foundation of online trust, used for secure communications, authentication, and authorization.

In 2015, encrypted traffic became mainstream. “HTTPS Everywhere” was a predominant theme, as enterprises came to realize that encrypted communications can no longer be optional, they must be the norm. The U.S. government also mandated the use of HTTPS for all publicly-accessible web services by the end of 2016 to ensure the authenticity and privacy of federal websites.

As the use of encryption increased, so did the attacks that misuse cryptographic keys and digital certificates, impacting everything from airline Internet services to laptop software to government certificate authorities (CAs) to apps for your car or your fridge to Google and banking sites and more (keep an eye out for our 2015 attack summary blog post coming soon).

The reality is that with more encryption comes more opportunities for the bad guys to use keys and certificates in their attacks. According to 2015 Ponemon Institute research, the average number of keys and certificates increased by 34% since 2013 to over 23,000 per enterprise. And every organization surveyed (100%) has been attacked using compromised keys and certificates for the last 4 years running. The likelihood that in 2016 most enterprises and government agencies will fall victim to an attack on trust—one that impacts cryptographic keys and digital certificates—is very high.

6 cybersecurity predictions for 2016

We can predict with strong confidence several new threats and trends for 2016:

  1. With more use of encryption in 2016, we'll see more misuse of the trust provided by keys and certificates.
    Ironically, Edward Snowden called for more encryption two years ago, and now the U.S. government has mandated the use of HTTPS for all publicly-accessible web services by the end of 2016. We expect the private sector to strive towards HTTPS everywhere as well. Yet, as a result, bad guys will use HTTPS to disguise their efforts and either forge or compromise certificates to mount effective attacks.

    Business impact: Implementing more HTTPS can create significant security gaps and operations nightmares if implemented incorrectly. Enterprises and government agencies will need SSL/TLS inspection to detect threats hidden in encrypted traffic and key and certificate lifecycle management to enforce policies and workflows and prevent outages. Organizations must also be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks. If not detected, they will damage online trust and reduce customer confidence.
     
  2. IoT ransomware will become one of the cybercriminal’s attack vectors of choice.
    Billions of Internet of Things (IoT) devices are coming online—20 billion by 2020 according to Gartner—and they rely upon keys and certificates for authentication and privacy. But if not protected, these keys and certificates can be compromised and IoT devices hijacked, allowing cybercriminals to demand a ransom before returning control. This risk was made real when security researchers demonstrated during Black Hat 2015 that the GM Onstar system could be hacked, and this was followed by news of similar vulnerabilities in other car apps. Similarly, we saw vulnerabilities involving certificates with Samsung’s smart refrigerators.

    Using a MITM attack, cybercriminals can easily intercept traffic between the IoT device and mother ship (enterprise network), telling the IoT device to perform a malicious action (for instance, apply brakes on a car, change plane altitude, keep a coolant valve open on a power plant, apply too much morphine to a patient, etc.). Cybercriminals can also send firmware updates to brick a device or pwn the device via a malicious update.

    Business impact: Cybercriminals will take full advantage of the connected IoT world and use hijacked IoT devices to take control over entire networks for financial and other nefarious gains, using mobile devices, smart home networks, and larger connected things in the enterprise.

    These threats will necessitate stronger key and certificate security and careful use of keys and certificates in business apps to protect their customer use of these apps. As these risks become better known, businesses will start to be held accountable for damage done through their apps.
     
  3. Code-signing services for malicious code will become the norm.
    Signing malware code with certificates can help the malware appear trustworthy and increase the chances of fooling its victims. The IBM Security X-Force has been tracking malware code-signing-certificates-as-a-service on the underground. There are even malware tools that bundle in code-signing certificates.

    Intel Security has tracked close to 20 million unique pieces of malicious code signed and enabled by certificates. Digital certificates used by malware are also being tracked by the Common Computing Security Standards (CCSS) Forum. Overall, signed malware has grown by 50% per quarter and we expect this to continue to increase.

    Business impact: Enterprises and government agencies can no longer rely solely on security controls that are designed to blindly trust keys and certificates. They must be able to determine whether to trust a certificate and be able to block or fix a certificate when needed. Organizations also need to safeguard the integrity of their own code-signing practices to protect their certificates and their brand and ensure that customers continue to have faith in the veracity of the software they offer.
     
  4. The Certificate Authority (CA) model will be broken and the value of certificates will be chipped away, resulting in diminished online trust.
    More free certificates will be issued through services like “Let’s Encrypt” while CAs will continue to lose credibility as their certificates are spoofed by cybercriminals and as they issue legitimate certificates for fake websites (see Netcraft’s recent research that found fake banking websites using domain-validated SSL certificates issued by Symantec, Cloudflare, Comodo, and GoDaddy).

    Business impact: The value of a certificate will not be in its issuance cost, but will be based on the value and reputation of the issuing CA and on the certificate’s purpose. To maintain that value, organizations must limit issuance of certificates to credible CAs and ensure the integrity and security of their certificates.
     
  5. CAs will be ranked across the user community, also adding to the lack of trust.
    User communities as well as major browsers will start ranking CAs. For example, Google and Mozilla no longer acknowledge the China Internet Network Information Center (CNNIC) CA as a trusted root in their browsers, yet Apple and Microsoft still do. However, based on a Venafi survey conducted at BlackHat USA 2015, 24% of respondents said they removed CNNIC from their browsers as a trusted root, showing that user communities are starting to rank CAs themselves. And with research, such as that by Netcraft revealing that multiple CAs are issuing domain-validated SSL certificates for phishing sites, there will be ample reason for user communities to flag certain CAs as untrusted.

    Business impact: Businesses will need to follow suit and no longer blindly trust CAs or certificates, but instead look to their reputation. With tools like certificate reputation, whitelisting, and blacklisting, businesses can use the guidance from user communities, the major browsers, and new reputation services to better protect their organizations.
     
  6. Large security vendors will lose customers, revenue, and overall credibility because they cannot see attackers lurking in encrypted traffic.
    More encryption will once again grow the attack surface and leave our adversaries with more opportunities to attack by hiding in encrypted traffic. Most enterprises won’t be able to detect APT-like attacks, and those that can detect these threats will often not remediate fully by replacing and revoking compromised keys and certificates, leaving them exposed to ongoing or future attacks.

    Business impact: Enterprises will need to deploy security solutions that can decrypt and inspect traffic, both inbound and outbound, in real time. Without these capabilities they will suffer attacks that hide in encrypted traffic, have their networks and data compromised, and ultimately lose customers and revenue. Large security vendors that do not offer the ability to inspect encrypted traffic will decrease in value to their customers.

With increased use of encryption in 2016, and therefore more keys and certificates, cybercriminals will have more opportunities to carry out their attacks by hiding in encrypted traffic and conducting MITM attacks. They will also use keys and certificates to make their nefarious actions look more legitimate on phishing sites and in malware with code-signing certificates. Yet businesses can defend themselves. User communities and major browser vendors will provide guidance. And Venafi can help. Venafi is the Immune System for the Internet that constantly assesses which keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

What are your main security predictions for 2016? Do you agree we’ll see more attacks on trust as more and more enterprises embrace 100% encryption? 

New Data Confirms Venafi Analysis that Secretary Clinton’s Email Server Did Not Use Encryption


Newly released emails corroborate the forensic analysis conducted by Venafi TrustNet certificate reputation service which concluded that Secretary of State Hillary Clinton did not use encryption on her email server at the beginning of her term.

Earlier this year, Venafi TrustNet, a digital certificate reputation service, identified that the email server operated for Secretary Clinton and mail.clintonemail.com appeared not to use encryption for the first 3 months of operation—leaving her email and server potentially open to hackers. During this vulnerable period without encryption, Secretary Clinton travelled to China, Egypt, Israel, South Korea, and other locations outside of the U.S. This analysis was made possible by using Venafi TrustNet—the first certificate reputation service and a database of certificates going back over 10 years.

Venafi TrustNet identified that the first digital certificate issued for the server was on 29 March 2009, while Secretary Clinton was sworn in to office on 22 January 2009 and the clintonemail.com domain was registered on 13 January 2009. If the server did not use encryption, access using browsers, smartphones, and computers could have been compromised with man-in-the-middle (MITM) attacks, allowing communications to be monitored. These attacks could have allowed emails or login credentials to be captured, leading to further long-term access to Secretary Clinton’s email and calendar by adversaries.

Download the Venafi TrustNet white paper and discover how to identify certificate misuse in real time.

First clintonemail.com digital certificate obtained in 2009 from Network Solutions

But over the past few months, one question continued to linger for the Venafi research team and others in the security community: Did Secretary Clinton actually use the email server during the time a digital certificate was not in use and encryption was not enabled?

With the public release of additional clintonemail.com messages, Venafi now believes it can definitively answer this question: Yes, Secretary Clinton did use the clintonemail.com server to send and receive messages while the server did not have a digital certificate installed and was not using encryption.

Email Server Use Timeline

  • Wednesday, 18 March 2009—the date of the earliest message publicly released that was sent to Secretary Clinton at clintonemail.com.
  • Saturday, 21 March 2009—the earliest date that publicly available email messages show the Secretary using the email address hdr22@clintonemail.com to send messages.
  • Sunday, 29 March 2009—the date the first digital certificate for mail.clintonemail.com was acquired by Justin Cooper.

The first publicly-known email to be sent by Secretary Clinton using clintonemail.com is on Saturday, 21 March 2009.

Venafi cannot confirm if earlier emails exist or will be made publicly available. Therefore, for at least 11 days, Venafi concludes that while in use the server did not use encryption for access by browsers, smartphones, and computers. The email sent to Secretary Clinton on 18 March is from someone outside of the State Department. This may indicate the email address was in use and known publicly before 18 March. Only public release of further emails by the State Department can confirm this. After 29 March and until the server was taken offline in 2015, the server did operate with a valid digital certificate and did use encryption for browser, smartphone, and computer access.
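The arithmetic behind the timeline above (registration date, first known use, first certificate) generalizes to a coverage-gap sweep over every certificate ever seen for a host, which also catches later gaps caused by late renewals. The following is an added example, not Venafi's TrustNet code: only the 13 January, 18 March and 29 March 2009 dates and the Network Solutions issuer come from the article; the validity lengths and the second, late renewal are constructed.

```python
"""Certificate coverage gaps for a hostname, the reasoning behind the
timeline above.

Added example, not Venafi's TrustNet code. Only the domain registration
date (13 Jan 2009), the first known use (18 Mar 2009) and the first
certificate date and issuer (29 Mar 2009, Network Solutions) come from the
article; the validity lengths and the second, late renewal are constructed
to show how a renewal gap is reported.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    issuer: str
    not_before: date
    not_after: date


DOMAIN_REGISTERED = date(2009, 1, 13)   # from the article
FIRST_KNOWN_USE = date(2009, 3, 18)     # earliest released message, per the article

# Constructed records: first date and issuer from the article, the rest assumed.
CLINTONEMAIL_CERTS = [
    CertRecord("Network Solutions", date(2009, 3, 29), date(2010, 3, 29)),
    CertRecord("Network Solutions", date(2010, 4, 10), date(2011, 4, 10)),  # assumed late renewal
]
END_OF_RECORDS = max(c.not_after for c in CLINTONEMAIL_CERTS)


def coverage_gaps(certs, start, end):
    """Half-open [gap_start, gap_end) intervals inside [start, end) during
    which no certificate in `certs` was valid.

    Validity windows are swept in order of not_before, so overlapping
    renewals (the normal case) yield no gap while a late renewal does.
    """
    gaps = []
    cursor = start
    for not_before, not_after in sorted((c.not_before, c.not_after) for c in certs):
        if not_after <= cursor:
            continue                      # window already covered, or before start
        if not_before > cursor:
            gaps.append((cursor, min(not_before, end)))
        cursor = max(cursor, not_after)
        if cursor >= end:
            break
    if cursor < end:
        gaps.append((cursor, end))
    return gaps


def days_without_encryption(certs, first_use, end):
    """Days in [first_use, end) with no valid certificate: the lower bound the
    article reasons about ('at least 11 days')."""
    return sum((g_end - g_start).days for g_start, g_end in coverage_gaps(certs, first_use, end))


def report(certs, registered, first_use, end):
    """Plain-data summary suitable for printing or asserting on."""
    first_cert = min(c.not_before for c in certs)
    return {
        "first_certificate": first_cert.isoformat(),
        "gaps": [(a.isoformat(), b.isoformat(), (b - a).days)
                 for a, b in coverage_gaps(certs, registered, end)],
        "days_in_use_before_first_certificate": days_without_encryption(certs, first_use, first_cert),
    }


if __name__ == "__main__":
    for key, value in report(CLINTONEMAIL_CERTS, DOMAIN_REGISTERED, FIRST_KNOWN_USE, END_OF_RECORDS).items():
        print(f"{key}: {value}")
```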

Venafi also identified that the mail.clintonemail.com server was operating Microsoft’s Outlook Web Access (OWA) in March 2015, meaning that access was possible not just with a smartphone or desktop application like Outlook, but using any web browser. While OWA is installed by default with Microsoft Exchange and the server was hosting the application with Microsoft IIS 7 (released by Microsoft in February 2008), Venafi cannot confirm when web browser access with Outlook Web Access was first enabled.

Outlook Web Access in use and accessible from any browser for mail.clintonemail.com in March 2015 (first date of use cannot be confirmed by Venafi).

The following digital certificate forensic analysis was documented by Venafi in March 2015 to understand when encryption was used on mail.clintonemail.com. Get the full analysis.

Digital Certificate Forensics Timeline for clintonemail.com

What are your thoughts about Secretary Clinton’s use of her email server before encryption was enabled?

2015 Retrospective Part 2: Venafi Was Painfully Accurate When We Predicted More Attacks on Trust


We correctly called 6 of the 8 predictions we made for 2015, which isn't bad. But we were absolutely 100% accurate on our overall prediction that attacks impacting the foundation of online trust—cryptographic keys and digital certificates—would increase. Looking back through 2015, Venafi Labs captured data on a steady stream of cyberattacks involving the misuse of keys and certificates, threatening the underlying foundation of trust for everything that is IP-based.

Deliver faster incident response with Venafi. Download the solution brief.

The attacks in 2015 show a continued increase in the misuse of keys and certificates. They also show how keys and certificates have become interwoven into many aspects of our business and personal lives. From airline Internet services to laptop software to government certificate authorities (CAs) to apps for your car or your fridge to Google and banking sites, keys and certificates secure all our online transactions.

Why is this important? If organizations cannot safeguard the use of keys and certificates for communication, authentication, and authorization, the resulting loss of trust will cost them their customers and potentially their business.

2015 Attack Timeline

Here is a sample of some notable security incidents the Venafi Labs threat research team followed:

  • Gogo Dished Up Man-in-the-Middle (MITM) Attacks
    To kick off the year, a Google Chrome engineer discovered that Gogo Inflight Internet service was issuing fake Google certificates. Gogo claimed it was trying to prevent online video streaming, but this practice ultimately exposed Gogo users to MITM attacks.
  • Lenovo Pre-installed Superfish Malware on Laptop
    Lenovo found that an adware program it was pre-installing on laptops was making itself an unrestricted root certificate authority, which allowed for MITM attacks on standard consumer PCs. 
  • CNNIC Got Banned by Google and Mozilla
    Google found unauthorized digital certificates for several of its domains issued by CNNIC, China’s main government-run CA, making CNNIC certificates untrustworthy and vulnerable to attack. Google, quickly followed by Mozilla, blocked all CNNIC authorized domains. In a 2015 Black Hat survey, Venafi found that IT security professionals understand the risks associated with untrusted certificates, such as those issued by CNNIC, but do nothing.
  • St. Louis Federal Reserve Bank Was Breached
    The US bank discovered that hackers had compromised its domain name register. This allowed the hackers to successfully redirect users of the bank's online research services to fake websites set up by the hackers.
  • New SSL/TLS Vulnerability Logjam Exposed Crypto Weaknesses
    Logjam exposed a problem with the Diffie-Hellman key exchange algorithm, which allows protocols such as HTTPS, SSH, IPsec, and others to negotiate a shared key and create a secure connection. Identified by university researchers, the Logjam flaw allowed MITM attacks by downgrading vulnerable TLS connections.
  • GM’s OnStar and Other Car Apps Were Hacked
    A GM OnStar system hack that locks, unlocks, starts, and stops GM cars was made possible because the GM application did not properly validate security certificates. By planting a cheap, homemade WiFi hotspot device somewhere on the car’s body to capture commands sent from the user’s smartphone to the car, hackers could break into the car’s vulnerable system, take full control, and behave as the driver indefinitely. Similar weaknesses allowed hacks in iOS applications for BMW, Mercedes, and Chrysler.
  • Major CAs Issued Compromised Certificates for Fake Phishing Websites
    Netcraft recently issued new research that found fake banking websites using domain-validated SSL certificates issued by Symantec, Comodo and GoDaddy.
  • Samsung’s Smart Fridge Was Hackable through Gmail
    A security flaw found in Samsung’s IoT smart refrigerators allowed hackers to compromise Gmail credentials using MITM attacks because the fridge was not set up to validate SSL certificates.
  • Symantec Fired Employees for Issuing HTTPS Certificates for Fake Google Sites
    Several Symantec employees were fired for issuing unauthorized certificates that made it possible to fake HTTPS Google sites. The certificates were found by Google’s Certificate Transparency project.

This list of attacks that leveraged stolen, compromised, and/or unprotected cryptographic keys and digital certificates in 2015 highlights a wide range of potential impacts from attacks on trust, but is by no means a comprehensive list. In truth, many of these attacks go on undetected: cybercriminals use keys and certificates to bypass security controls and hide their actions.

Businesses need to understand that key and certificate management is not just an operations issue—it is critical to securing their networks, data, and trust relationships with customers and partners. The problem is compounded given that most Global 5000 organizations blindly trust the keys and certificates deployed on their networks and use security controls designed to trust these encryption components. There is an evil force out there in the cyber realm, lurking in the shadows that no one sees—until it’s too late. Without the ability to tell friend vs. foe, good vs. bad in the digital realm, our global economy is in a perilous situation.

And we think the misuse of keys and certificates will grow. Check out our predictions for 2016 to see how we think attacks on online trust will evolve in the upcoming year.

Want to find out your organization’s risk level from unprotected keys and certificates? Venafi can help. Contact us and we’ll set up an assessment for your business.


Venafi Analysis of Snowden NSA Breach Confirmed – 2 Years Later


It's been more than two years since Venafi publicly announced our analysis that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. The Venafi team suspected the truth of this modus operandi shortly after the news of the NSA breach based on kill chain and other analysis. A leaked NSA memo confirms this analysis.

Download the solution brief, Pass SSH Audits and Secure Privileged Access.

In November 2013, the Venafi team published two primary pieces of analysis that made a compelling case: "Infographic: How Snowden Breached the NSA" and "Deciphering How Snowden Breached the NSA."

However, many were skeptical that keys and certificates (the very foundation of Internet trust and security) could be misused, especially at the NSA. While many were skeptical, others came to the same conclusion as Venafi. Our analysis was ultimately published in USA Today.

Before we published our findings, we asked industry experts to vet them. And when we published them, we called on the NSA and Snowden to correct us if we were wrong. We still haven't received a reply from either party. Three months after Venafi published our analysis, validation came in the form of a leaked memo from the NSA to the U.S. House Judiciary Committee. Using social engineering, Snowden had gained access, misused, and, by implication, continued to misuse a colleague’s digital certificate that provided highly privileged access to NSANet and classified documents, the memo states. We don't know how many others he may have practiced this social engineering on and, because keys and certificates are so infrequently changed and revoked, he likely had access for an extended period. Venafi is aware of APTs that have misused keys and certificates for up to 7 years because keys were not replaced.

how Snowden breached the NSA

In looking back over more than two years and reviewing confirmation of Venafi’s analysis, we’re not looking to gloat, but instead to remind the cybersecurity community that Snowden's successful exploit is but a symptom of a disease that began undermining the Internet's foundation of trust years before. It’s a chronic problem in which keys and certificates are becoming the ultimate cyberweapon for gaining trusted status and stealing data. The consequences will only become worse with the rise of DevOps and IoT. For example, one certainty is that IoT ransomware will become a reality—keys behind networks of things will be compromised and used to take over and control devices until money is paid.

The disease continues to spread, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds, containers, and more—from SSL/TLS to SSH, VPN, WiFi, and mobile. (Yes, even the misuse of VPN certificates is on the rise.)

Venafi, the Immune System for the Internet™, can patrol your system, much like the human immune system, and identify all keys and certificates as either part of the system or dangerous anomalies that need to be fixed. Venafi then automates the secure lifecycle of keys and certificates, keeping our customers healthy, reducing risk, and bringing new levels of agility and speed.

It's worth noting that many experts in the security industry have come to recognize the threat misused keys and certificates pose to the Internet's security foundation. It isn't that we should stop using them. Even Snowden freely admits that properly implemented keys and certificates offer ironclad security. "Encryption works," Snowden has said. "Properly implemented strong crypto systems are one of the few things that you can rely on." He should know. Snowden used NSA’s own, unprotected keys and certificates against them to sneak classified information out of NSANet.

And we now have more guidance and recommendations on how to use keys and certificates than we did before. For example, the National Institute of Standards and Technology (NIST) recently published a paper, Security of Interactive and Automated Access Management using Secure Shell (SSH), on securing SSH keys. And SANS has made it clear that organizations need to know everything about every key and certificate that resides in their networks and protect them, including automating as many processes as possible. And large organizations like Google have made it standard to reduce key and certificate lifetimes—now down to 3 months for public-facing keys and certificates—to reduce the impact of a possible compromise and resulting misuse.

What are your thoughts about the NSA breach, now over two years later? How are we doing securing keys and certificates in our organizations? How can we get better?

Internet of Things: The Dangers of Blindly Trusting Keys and Certificates


Originally published as Rise of the Robots: How our love affair with automation could spell the end in Computer Business Review on January 13, 2016.

There's an old adage which began its life back in the 1990s - and was perfectly illustrated in a New Yorker cartoon - which says: "on the internet no-one knows you're a dog." It neatly summarizes a core cyber security problem that we still face to this day: how do we know who to trust online? For the last twenty years we have taken the same approach to this problem by using cryptographic keys and digital certificates to establish trust.

By and large the system worked: ecommerce boomed and the economy and society as we know it was transformed, all thanks to a little website padlock here and there. Worryingly though, over the past five years, we are seeing cracks in the very foundation of the internet begin to emerge.

As we hurtle towards a future powered by the Internet of Things (IoT), with automated machines playing an ever-greater role in our day-to-day lives, these cracks will split into chasms that threaten our modern world. Could internet-enabled life as we know it soon be coming to a crashing halt? How can we stop the sinkholes from emerging?

The Internet of Things and the dangers of automation
Robot photo by Humanrobo, significant changes to the original image were made. CC BY-SA 3.0

The problem with trust
Cryptographic keys and digital certificates tell us whether an entity is what it says it is. We use them to authenticate web servers, code on devices, apps, and even for enterprise VPN access. It all comes back to that binary decision that machines have to make - is this thing part of "self", trusted and safe; or not trusted, and therefore dangerous - which certificates and keys provide. It's the foundation of cyber security and the whole global economy and it's built on sand.

Over the past five years, hackers have caught on to the potentially lucrative opportunity that keys and certificates offer. We have all seen the scene in a movie where the bad guy dresses up as a painter to gain access to a building, or steals someone's swipe card; this is what is happening in the cyberworld too. Bad guys are trading keys and certificates on the dark web and using them to crack into company systems - just look at Sony, Careto, the Snowden revelations and Flame or Stuxnet. They all involved stolen or misused keys and certificates.

Read the rest of the article on Computer Business Review.

Ted Koppel Predicts “Lights Out” in U.S. While Ukraine Power Grid Goes Down


On December 23, 2015, the power grid in the Ukraine was hit with a cyberattack. The outage left a large region of Ivano-Frankivsk without power as a substation went down. They were able to get back online manually as they continue to search for the culprits.

According to a report posted on Ars Technica, this attack included the use of insecure Secure Shell (SSH) crypto keys, which give the hackers permanent, root access to infected computers.

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by "BlackEnergy," a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

The threat is real; the answer is to start taking precautions immediately.

While the Ukraine was first, it’s a harbinger of the danger lurking in all our power grids – and that’s the warning coming from Ted Koppel in his new book, “Lights Out.” He predicts there will be a power grid breach in the next two years that could last anywhere from two months to two years based on the severity of the attack.

In his video about his book, he says, an attack will “plunge tens of millions of people into darkness for weeks or even months with no electric light or heat or refrigeration, no running water, no waste disposal.” His conclusions are based on a year and a half researching the topic with the best experts in and out of government. He adds, “The Internet can be used as a weapon of mass destruction and our electric power grids are a target – that’s a fact.”

Mr. Koppel spoke with the Venafi team at our annual company meeting last week, sharing his sense of urgency and concern about what might happen if the power grid goes down because of a malicious attack. Needless to say, he met with an enthusiastic audience hungry to do our best to keep the internet safe. 


Ted Koppel Joins Venafi CEO Jeff Hudson

Venafi is committed to preventing Internet-based attacks.

At the office, we talk about keys and certificates all of the time. Our focus comes from our singular mission to protect our customers from the bad guys. We know keys and certificates can be used to encrypt malicious traffic or hide malware, creating pathways for cybercriminals to vital services (like power grids) and critical business information.

At one point, Mr. Koppel asked people in the room to raise their hands if they believed a cyberattack was imminent. About half the room raised their hands. “What about the rest of you,” Mr. Koppel asked.

“Those are the people who are already convinced we can prevent it from happening by getting all of our power companies online with Venafi,” Jeff Hudson, Venafi CEO replied. Based on the energy and dedication in the room, that’s a good bet.

Manage the threat while defeating the attackers.

While the experts debate the consequences of an attack, they agree there is a threat. In an article on CSOonline, “Carl Wright, general manager of TrapX Security, puts it like this, ‘Power plants and our energy grid remain high-risk targets. It is imperative that we find new and innovative ways to detect adversaries early, mitigate the effects and then defeat them.’”

We can help you start defeating the attackers today. By securing your digital keys and certificates, we can restore trust to your networks. We help you safely increase encryption. From preventing outages based on expired or mismanaged keys and certificates to giving you visibility throughout your network, we are your Immune System for the Internet – learning, adapting, and protecting your data and systems.

Note: There’s an earlier book that came out in Germany that speaks to the situation in Europe. Take a look at Blackout by Marc Elsberg.

Venafi POV - AWS Certificate Manager Speeds Encryption Yet Still Requires Security


SSL/TLS certificates are often used with Amazon Web Services (AWS) to encrypt and secure transactions. However, the time it takes to provision, install, and manage SSL/TLS certificates can hinder the use of AWS cloud instances. To help speed this process, last week AWS introduced AWS Certificate Manager (ACM).

ACM reduces SSL/TLS certificate management complexity by issuing certificates directly through Amazon’s certificate authority (CA) and Amazon Trust Services (ATS). Offering this service is a big step for Amazon as it enters the CA business.  It is currently only available in the U.S. East region, but Amazon is moving towards offering the service globally.

ACM is great for businesses that want to quickly encrypt and secure transactions within Elastic Load Balancers (ELB) and/or CloudFront (CF) distributions.

The best news of all is that any certificate issued by ACM is totally free, a trend that will become the norm as the industry moves towards encrypting 100% of all transaction and communication traffic.

Unlike generic CAs, the goal of Amazon ACM isn’t to become a direct competitor of other CAs. They are not in the business of selling certificates, nor do I believe they will be. In this case, they are simply offering the ability to add a significant layer of security to AWS quickly and with minimal complexity. This is great for our cloud-enabled world, and I strongly believe all CAs will soon have to adopt the free certificate model and offer domain validated (DV) certificates for free.

Free encryption doesn’t secure your keys and certificates

When Amazon ACM issues certificates, the corresponding private keys are stored in the cloud. But I have a real issue with storing any private keys in the cloud, let alone on a hard drive. An organization takes a huge risk anytime it stores a private key anywhere other than on a hardware security module (HSM). This risk increases as the key is stored farther and farther from your premises, so having a private key in the cloud introduces all kinds of risks. You are trusting whoever issues and stores your private key to ensure that only your organization has access to it.

Storing keys in the cloud is exactly what malicious actors (i.e. hacktivists and disgruntled employees) hope an organization will do, because that makes the keys much easier to steal.

Once a key is compromised, a malicious actor gains the upper hand and can then sell it on the Darknet or leverage it to encrypt and hide their actions within the organization’s network. The more free certificates are issued, the weaker the security of the Internet becomes. As keys and certificates are compromised more frequently, malicious actors will increasingly leverage the security blind spots that trusted encryption provides, disguising their attacks.

Amazon ACM does not secure encryption nor increase the security posture of an organization

The benefit of reducing the complexity of encrypting Amazon AWS services is great, but it comes at the cost of security. All the keys and certificates issued by ACM are stored within the Amazon AWS cloud, which makes it easier to issue and manage certificates in the cloud, but as mentioned, this also introduces significant risk—a malicious actor only needs access to the AWS environment.

Once malicious actors gain access to an AWS environment, they could proceed to issue their own keys and certificates. Falsified keys and certificates would give the malicious actors an encrypted channel where they could hide their activities. 

The other major risk is that, if the Amazon CA is compromised, there is no quick way to revoke compromised keys and certificates. (Amazon requires a service case be created.) Also, there is no way to automate the failover to a secondary CA as recommended by NIST.

In short, Amazon ACM does not provide any security for the keys and certificates they issue: they simply reduce the complexity of managing them.  

The goal of Amazon ACM isn’t to secure certificates, nor is it to compete with existing CAs. Amazon ACM simply wants to increase agility by making it easier to acquire and deploy encryption to the AWS cloud. Unfortunately, they also fall short when it comes to management.

Here is a list of some current ACM limitations:

Only Amazon Environment

  • Management and visibility limited to only Amazon issued certificates
  • Limited to those using AWS Elastic Load Balancing or Amazon CloudFront*
  • Cannot issue nor manage certificates outside the Amazon cloud

Restrictions on Key and Certificate Types

  • Can only issue Domain Validated (DV) certificates*
  • No support for Organizational Validation (OV) or Extended Validation (EV) certificates*
  • No support for securing nor managing SSH keys
  • No ability to manage mobile, email, or IoT keys and certificates

Lifecycle Restrictions

  • All certificates issued are valid for 13 months
  • Certificate renewal is done automatically with no controls or notifications
  • Revocation requires a service case be opened

Management Limitations that Impact Security

  • No ability to discover and inventory unknown certificates
  • Lacks ability to create and enforce certificate policies
  • Audit logs are tracked in Amazon CloudTrail, not within ACM
  • Keys and Certificates are stored in the cloud

*Amazon is expanding support for other AWS services and for other types of domain validation
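Several of the lifecycle and policy gaps listed above (no policy enforcement, automatic renewal without notifications, no inventory of what is attached where) can be layered on outside ACM by auditing the certificate metadata it does expose. The following is an added example, not AWS or Venafi code: it assumes the field names of `aws acm describe-certificate` output and runs over constructed sample records with placeholder ARNs and an assumed approved-zone policy.

```python
"""Policy checks over ACM certificate metadata.

Added example, not AWS or Venafi code. It assumes the record shape of
`aws acm describe-certificate` output (CertificateArn, DomainName,
SubjectAlternativeNames, NotAfter as an ISO-8601 timestamp, Status,
InUseBy, RenewalEligibility); the three records below are constructed
samples with placeholder ARNs, not real certificates.
"""
import json
from datetime import datetime, timezone

# Constructed sample records (assumed field names, placeholder ARNs).
SAMPLE_CERTS_JSON = """[
  {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-1",
   "DomainName": "example.com", "SubjectAlternativeNames": ["example.com", "www.example.com"],
   "NotAfter": "2017-02-28T00:00:00Z", "Status": "ISSUED",
   "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/example-elb"],
   "RenewalEligibility": "ELIGIBLE"},
  {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-2",
   "DomainName": "app.partner-example.org", "SubjectAlternativeNames": ["app.partner-example.org"],
   "NotAfter": "2016-02-15T00:00:00Z", "Status": "ISSUED",
   "InUseBy": [], "RenewalEligibility": "INELIGIBLE"},
  {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-3",
   "DomainName": "*.corp.example.net", "SubjectAlternativeNames": ["*.corp.example.net"],
   "NotAfter": "2016-01-20T00:00:00Z", "Status": "EXPIRED",
   "InUseBy": [], "RenewalEligibility": "INELIGIBLE"}
]"""

APPROVED_ZONES = {"example.com", "corp.example.net"}   # assumed organizational policy
EXPIRY_WARNING_DAYS = 30
AS_OF = datetime(2016, 2, 1, tzinfo=timezone.utc)       # fixed clock so results are reproducible


def domain_allowed(name, zones):
    """True if `name` (wildcards included) sits at or under an approved zone."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == zone or host.endswith("." + zone) for zone in zones)


def check_certificate(cert, zones, now, warn_days=EXPIRY_WARNING_DAYS):
    """Return a list of policy findings for one certificate record."""
    findings = []
    # dict.fromkeys de-duplicates while keeping the CN-first order.
    for name in dict.fromkeys([cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]):
        if not domain_allowed(name, zones):
            findings.append(f"domain not in approved zones: {name}")
    not_after = datetime.fromisoformat(cert["NotAfter"].replace("Z", "+00:00"))
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    # An issued certificate attached to nothing is inventory ACM will not flag.
    if cert.get("Status") == "ISSUED" and not cert.get("InUseBy"):
        findings.append("issued but not attached to any ELB or CloudFront resource")
    # ACM renews silently when it can; when it cannot, nobody is notified.
    if cert.get("RenewalEligibility") == "INELIGIBLE" and days_left <= warn_days:
        findings.append("ACM will not auto-renew; replace manually before expiry")
    return findings


def audit(certs_json, zones=APPROVED_ZONES, now=AS_OF):
    """Map each certificate ARN to its findings (empty list = compliant)."""
    return {cert["CertificateArn"]: check_certificate(cert, zones, now)
            for cert in json.loads(certs_json)}


if __name__ == "__main__":
    for arn, findings in audit(SAMPLE_CERTS_JSON).items():
        print(arn, "OK" if not findings else "; ".join(findings))
```

In practice the JSON would come from `aws acm list-certificates` followed by `describe-certificate` per ARN, with the audit output feeding whatever alerting already watches CloudTrail.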

But I’m not suggesting that businesses shouldn’t use Amazon ACM. As businesses rely on AWS for fast, elastic IT cloud resources, it’s important that they be able to quickly encrypt and secure their transactions. Yet, they need to understand that using ACM alone doesn’t provide enough security for their keys and certificates, exposing them to the risk of key and certificate misuse for breach and compromise.

As Kevin Bocek, the VP of Security Strategy & Threat Intelligence here at Venafi, is quoted in a SecurityWeek article on AWS Certificate Management, “Mark my words: it's just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data.”

Kevin also notes in the article, “While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000.”

Looking for true enterprise-class key and certificate security? We can help. Venafi provides a CA-agnostic key and certificate solution that can secure your ACM certificates along with the other keys and certificates in your network.

Unplanned Outages Are Painful: The Unsexy Security Story that Everyone Should Care About…


Say it with me—UNPLANNED OUTAGES ARE PAINFUL! 

Of course, we all know this. The question is, do we all know why they happen and how to prevent them? Most likely not. Outages, also referred to as downtime, are the most important security story that no one wants to talk about. So today, we are going to discuss why it doesn’t matter how sexy APTs, threat intelligence, and other trendy security topics might be; if you don’t start paying attention to outages, they could destroy your brand and cost your company millions.

There are seven main causes of unplanned outages that IT security teams should keep top-of-mind:

  1. Expired Keys and Certificates: Keys and certificates keep your website running and allow a secure connection to your system/network. When they expire, this is usually a result of human error and can leave your network extremely vulnerable to outages.
  2. Software Bugs: An error, flaw, failure, or fault in a program or system causes it to produce an incorrect or unexpected result.
  3. Equipment Failure: Outdated or overused hardware that can no longer perform its function is a common cause of unplanned outages.
  4. High Bit Error Rates: This occurs when the number of bit errors per unit time is too high for the system/network to perform correctly.
  5. Power Failure: Many of the highly publicized network outages (See 2013 Super Bowl) are due to a system/network losing electrical power.
  6. Overload Due to Exceeding the Channel Capacity: This is when a system/network is not set up to support as much traffic as it is receiving.
  7. Cascading Failure: This is a failure in a system of interconnected parts in which the failure of one part can trigger the failure of successive parts.

Now, let’s take a deeper look at expired keys and certificates, since it is the reason behind most major service interruptions and an issue that can be easily fixed.

Digital certificates provide a crucial security function by binding public keys to the entities that use them for cryptographic purposes, including digital signatures and encryption. The Certificate Authorities (CAs) that issue these certificates also determine how long they will be valid—weeks, months, or years—before they will need to be replaced or updated. As shown in a survey conducted by TechValidate on behalf of Venafi, most organizations (56%) used manual methods to manage their keys and certificates before turning to Venafi (Source: TechValidate. TVID: 739-CC2-CFC).

According to research by the Ponemon Institute, in the average enterprise, the total number of keys and certificates is over 23,000—so when using manual methods, it’s virtually impossible to know where all of your keys and certificates are located, how to secure and keep track of them, or know exactly when they will expire. In fact, the TechValidate survey discovered that, on average, Venafi customers found over 16,500 previously unknown keys and certificates after deploying Venafi (Source: TechValidate. TVID: 363-53E-598). With this lack of visibility, no wonder organizations are experiencing outages!

Last fall, Venafi partnered with the Ponemon Institute to release survey results from 2,394 respondents in Global 5000 organizations, which noted that businesses are losing millions due to expired certificates and unplanned outages. To be more exact, the average loss per outage is $15 million! In the survey, the majority of the businesses even admitted to losing customers over the last two years because they failed to secure the trust established by keys and certificates.

Certificate-related Outages Cost $15 Million per Outage

Unfortunately, hackers are very aware of the vulnerabilities they can exploit with unsecured keys and certificates, and they take full advantage of them through website spoofing, server impersonation, and Man-in-the-Middle (MITM) attacks.

Knowing that e-commerce, computing, and mobility are all affected by outages, it turns what was once the unsexy story into one that all enterprises need to pay attention to in order to run their businesses smoothly and securely, and avoid becoming the next news headline.

What are you doing to prevent outages at your business while still ensuring strong security practices? I’d love to hear your recommendations and best practices.

Cheers!

Using Certificates to Secure the Rising Tide of Mobile Apps


Those who have been in the IT industry for 20 years or more will have witnessed enough changes to fill the sea twice over. Each change is necessary, but some are more interesting than others. For example, the rise of mobile applications is undoubtedly one of the biggest waves of change to hit the world of business.


Who’s responsible for mobile app security?

With consumer mobile applications such as video games and social media, it is easy to spot security vulnerabilities if you are someone with a background in the field. However, mobile app developers do not naturally possess a deep knowledge of security, which can ultimately leave their applications open to risk that hasn’t even occurred to them.

Personally, I've been involved with Public Key Infrastructure (PKI) since the start of my career, when I helped develop applications for the U.S. government. As such, security has always been my first consideration. And one of the first points I sought to clarify at the dawn of mobile applications was to find out who was responsible for distributing and managing mobile security certificates. (See this Venafi blog post for a detailed look at some of these questions: Forrester Research Uncovers Gaps in Mobile Certificate Security.)

Security issues with mobile apps are on the rise

Awareness of the mobile-app-security issue has gone mainstream in the wake of recent certificate-related incidents that have captured consumers' attention. Legions of coffee drinkers deleted the Starbucks mobile app in response to hacks that parlayed Starbucks's weak security into direct access to customers' bank and credit card accounts. Similarly, the OnStar RemoteLink app's weak certificate checks enabled hackers to track, unlock, and even start GM cars remotely, which made GM drivers think hard about using the vehicle manufacturer’s mobile app. GM fixed the issue, but many of its rivals seemed to have ignored it; recently, a hacker exploited the very same certificate weakness in iOS applications for BMW, Mercedes, and Chrysler.

Problems like these show just how crucial digital keys and certificates are; indeed, they are the foundation of security for all connected devices. Yet with even the most conservative organizations developing business applications for mobile devices, keeping track of them has become difficult. As I write this, businesses continue to expose information that was previously restricted to their own networks.

To further muddy the mobile-security waters, the Bring Your Own Device (BYOD) revolution has meant that employees are accessing business information using devices that are outside of organizational control. All this has made verifying digital certificates much more difficult. Yet until these conditions change, cybercriminals will be able to misuse digital certificates and take advantage of company or employee data residing on mobile devices, simply because it's easy to do.

Certificates to Protect Mobile App Use

Digital certificates must be secured to keep your mobile apps safe

To prevent this misuse by cybercriminals, mobile app developers must be able to secure and protect their cryptographic keys and digital certificates. Venafi has security tools available today that allow developers to discover and control certificates on mobile devices.

Just as the human immune system patrols the body to identify pathogens and anomalies, Venafi, the Immune System for the Internet®, patrols mobile devices on your network to identify certificate anomalies and risks, and to rapidly revoke problem certificates. Venafi also integrates with most mobile device management (MDM) solutions to help enforce business-established policies, which can keep you afloat on a sea of regulations and security requirements.

How does your enterprise use certificates to secure its mobile apps? What do you see as the biggest security challenges to enterprise apps and mobile device usage?

Venafi at RSA Conference 2016: Bringing You the Best in Internet Security


We are ready to see you at RSA Conference 2016 in San Francisco. We’re bringing in the team from around the US, including our CIO/CISO Tammy Moskites, so we’re ready to talk and help you understand how you can both improve your current security efforts and strengthen your existing investment.


Here’s what we’ll be talking about:

  • If you’re building a strong global security foundation - we’ll show you how bad guys can still get in.
  • If you think your cryptographic keys and digital certificates aren’t a risk - we’ll explain why they make you vulnerable.
  • If you think you’ve got your keys and certificates under control - we’ll show you how most companies find they have more keys and certificates than they imagined and where they find them (hint: not where they thought they should be).
  • Finally, if you know you have a problem but it’s just not your priority - we’ll show you how easy it is to get started and how quickly you’ll reap the rewards and your other security investments will deliver more value.

We want to meet with you.

RSA is a noisy, exciting, busy place. We want to make sure we make your to-do list and we have several ways to do just that. Here’s how you can find us.

  • Win a $50 Amazon Gift Card: Venafi Game Show
    Are you smarter than a bad guy? Are you betting your cybersecurity?

    Every 30 minutes at Booth 1615 South Hall
    Request a meeting

  • Attend IT Security Leader Track Session - Reserve your spot
    “How Poorly Managed Keys and Certificates Impact the Trust Model”
    Wednesday March 2nd | 10:20 – 11:10 AM | Room 2005
    Stephen Jordan, SVP/Technology Area Manager, Wells Fargo & Company

  • Attend Venafi Track Session - Add to your schedule
    “Breaking Closed Systems with Code-Signing and Mitigation Techniques”
    Friday, March 4th | 9:00 AM – 9:50 AM | West | Room: 3005
    Gavin Hill, Director of Product Marketing and Threat Intelligence, Venafi

  • Join a Cybersecurity Workshop - Reserve a spot
    “How to Get More from Your Security Investment: Protect Keys and Certificates”

    • Breakfast: 9 am – 10 am

      3/1 | Marriott Marquis, Sierra C

      3/2 | Marriott Marquis, Sierra C

    • Lunch: 12:30  – 1:30 pm

      3/1 | Marriott Marquis, Pacific C

      3/2 | Marriott Marquis, Sierra C


We look forward to discussing your security issues. And if you can’t make RSA, please take a look at our website and check out our platform architecture to understand how we can help. Then contact us to set up an appointment that works for you.

See you in San Francisco! 


Internet Hijacked: If Hacked by Government Access Using Apple Code-signing Certificates


The FBI wants Apple to break our system of trust

A California magistrate has ordered Apple to help the FBI gain access to an iPhone that was used by one of the terrorists in the 2015 San Bernardino shooting. To achieve this, the FBI has asked Apple to create a backdoor. Apple has refused, adamantly. Of course Apple wants to support investigative efforts in this horrible crime. But what the FBI is asking has ramifications that extend far beyond this one case.

Venafi supports Apple’s decision to oppose the FBI’s order. Complying would break the system of trust used for over 20 years to secure the Internet. By requesting the use of Apple certificates, the government is essentially hijacking the internet, hacking users, and undermining decades of security advancements.

Not just access to one device—FBI request hijacks internet security

In a nutshell, the FBI has asked Apple to create a new version of its operating system that bypasses many security controls, and to sign that software with Apple's certificate so that it runs as what the FBI refers to as a “signed iPhone Software file,” which would be trusted on any iPhone. This file would update the phone to the new operating system, which is designed to bypass the security that keeps the data on that phone confidential.

Although this has been requested to gain access to one particular device, this can’t be viewed as a mechanism to decrypt one device used by one terrorist. Once created, there is no way to ensure this software would not be used more broadly—either by the government when it decides it has other needs for this access, or by cybercriminals who will undoubtedly seek to acquire this software.

This is really about threatening the very foundation of cybersecurity on the Internet—keys and certificates. It’s about breaking the system of trust that certificates provide for all software and to the Internet! If the government gets to use Apple software authenticated with Apple code-signing certificates, it would be able to bypass the security that protects people’s personal data—contacts, financial information, health information, and so much more. Apple equates this to, “a master key, capable of opening hundreds of millions of locks.” This would let governments, and eventually cybercriminals, get control and hijack systems and data. 

It’s not just breaking encryption, it’s breaking trust

In that light, the FBI's request may set a precedent that’s not as much about breaking encryption as it is about breaking software. It's why Tim Cook responded: "The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers."

This tactic is similar to those that made the computer worm, Stuxnet, so successful. That attack used malware signed with valid certificates, which allowed the malicious software to run completely trusted.

FBI request hijacks internet security

We need to defend the foundation of cybersecurity

One of the biggest advancements that Cook refers to is the system of trust established by keys and certificates—one that is increasingly being used as an attack vector by cybercriminals. Software runs the world. And in this world, it’s the role of certificates to know what is trusted or not, friend or foe—whether using TLS or code-signing.

The breaking of the trust model of certificates is a growing threat—something cybercriminals have actively been doing since the Stuxnet blueprint. But it’s much more important than just breaking encryption on one terrorist’s smartphone. It would represent an incredible escalation in the use of certificates as weapons. Experts from Intel to industry CIOs are predicting the next big hacker marketplace to be a place where stolen certificates are sold.

I fully support the government using subpoenas and warrants to obtain access to messages, activity, and other types of stored data. But running blanket and broad software on a device or getting access to a key for decryption will risk everyone’s privacy and security. If Apple is forced to create this backdoor, it would continue the current trajectory of online trust violations that are getting worse by the day.

In one hopeful turn of events, the chairman of the Senate Intelligence Committee, Richard Burr, decided against a proposal to criminalize firms that reject court orders to decrypt. However, Senator Burr is still weighing whether to propose more stringent rules around access to encrypted data—but at least this would not include criminal penalties.

Governments are hacking the internet in more ways than one

This court order is just one example of how governments are hacking the internet. Another is the Chinese CNNIC certificate authority, which was implicated in an incident in Egypt to impersonate Google—an attempt that Google and Mozilla swiftly responded to and permanently untrusted CNNIC.

However, Apple and Microsoft, with tens of billions of dollars in revenue from the Chinese market per quarter on the line, failed to take any action for months. Apple quietly decided to trust some of CNNIC’s certificates while Microsoft took no action.

The incident was not covered widely by the media at the FBI’s request. Unfortunately, in the case of CNNIC, unlike now, Apple was neither swift nor public in its response, leaving all the appearances of prioritizing Chinese profits over the security and privacy of all iPhone, iPad, and Mac users worldwide.

It’s a welcome change to see Apple respond so quickly to the FBI’s request and hopefully they will do the same with future threats to the security and privacy of their customers.

How this impacts enterprises

So what does this mean for Global 5000 enterprises? I'd say knowing which keys and certificates you trust, and protecting those keys and certificates, becomes even more important, especially in a time when they are increasingly of interest to both governments and bad guys.

If the government gets code signed with Apple certificates on court order, it is pretty much hijacking the Internet—which is the lifeblood of your digital business. What’s next? Getting TLS keys and certificates on court order to decrypt? Internet hacked.

What do you think about the recent government actions that impact online trust? Do you agree with Apple’s refusal to comply with the court order?

Venafi at RSA 2016: Breaking Closed Systems with Code-Signing


There is an abundance of use cases in which code signing using certificates has become more critical to prove to end users that they can trust the source and the integrity of the installed code. From software distribution and updates, to mobile apps and container security (like Docker), to execution of scripts and even file distribution—they all need to have their code signed to establish trust. But with stolen or forged code-signing certificates, cybercriminals can hijack the trust granted to signed code and threaten unsuspecting businesses and consumers who will expect this code to be safe.


Not all systems are created equal. There are open systems like Mac OS and Windows, for example, that allow end users to trust unknown publishers, and closed systems that do not. One would think that the closed systems are therefore safe, but hackers break them anyway and are able to install malware. When code-signing certificates are misused to give malware code trusted status, security controls blindly trust this dangerous code, endangering consumers and businesses.

How can enterprises effectively use code-signing to establish trust and avoid attacks that misuse code-signing? At RSA, we reviewed attacks against several open (Windows, Android, Mac OS) and closed systems (iOS, automotive operating systems). We also showed the state of the industry and how organizations are going about protecting code-signing certificates from misuse.

Code signing to establish trust in the code's source and integrity

We also gave advice on how to protect your business, with some proposed steps to mitigate code-signing abuse and a proposal to the industry for how to detect and respond to code-signing misuse quickly and easily.

How do you use code signing in your organization? What use cases would you like to learn more about?

CIOs Wasting Millions on Cybersecurity that Doesn’t Work: Keys and Certificates Must Be Protected


Top CIOs acknowledge they are wasting millions (take your pick – GBP, EUR, or USD) on layered security defences because these technologies blindly trust keys and certificates, according to research we just completed with independent research firm, Vanson Bourne. The bad guys use unprotected keys and certificates to bypass these security defences, exploiting keys and certificates to hide in encrypted traffic, spoof websites, deploy malware, and steal data.

The research reveals CIOs understand they are wasting millions because these layered security defences like FireEye can’t stop half of the attacks. Gartner predicts that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls; these technologies can’t defend against any of that.

The recently released annual threat report by Dell describes the growth in SSL/TLS decryption as a “mixed bag.” In Q4 2015, SSL/TLS connections comprised an average of over 64% of web connections, and, throughout 2015, each month increased by 53% over the corresponding month in 2014, on average. Although SSL/TLS is used to secure communications and connections, it’s also used increasingly by cybercriminals as an attack vector. When discussing the Dell report, Business Wire explains, “Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems.”

When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that’s a lot of money being wasted on solutions that can only do their jobs some of the time.


A fatal flaw in the foundation of security.

Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to do. But when keys and certificates are left unmanaged and unprotected, this foundation is threatened. And if this foundation collapses, the Global 5000 and federal governments will be in serious trouble. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.

Layered security—endpoint protection, advanced threat protection, firewalls, behavioural analytics, IDS and IPS security systems, and more—are fundamentally flawed because they blindly trust keys and certificates, unable to determine which are good or bad.

In addition, most security professionals (54%) admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. Without visibility or access into all keys and certificates, security controls are unable to inspect the vast majority of encrypted network traffic, which leaves gaping holes in enterprise security defences.

Cybercriminals are taking advantage of these blind spots and are using unprotected keys and certificates not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden.

Cybersecurity Is Failing

Globally, there appears to be a loss of confidence in cybersecurity.

The public markets are efficiently reflecting a loss of confidence in cybersecurity. It’s no coincidence that 90% of CIOs admit to wasting billions on inadequate cybersecurity at the same time the HACK cybersecurity fund drops by 25% since November 2015. This is well ahead of the overall market downturn with a 10% decline in the S&P500 index.

The number of keys and certificates that enterprises need to secure is exploding. In light of Encryption Everywhere plans, driven in large part by Edward Snowden’s revelations and breach of the NSA, virtually all CIOs surveyed (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates.

And as the speed of IT increases—creating and decommissioning services based on elastic needs—keys and certificates will grow in orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.

As Fast IT grows, the demand for a secure foundation increases.

Gartner predicts that by 2017, three out of four enterprise organizations will be moving to a bi-modal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects. Yet using agile methods and introducing DevOps is an extremely high risk and chaotic endeavour. In these new environments, security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted.

This is why businesses need the Immune System for the Internet™—Venafi. Like a human immune system, we let organizations know instantly which keys and certificates should be trusted and which shouldn’t. With trust in keys and certificates restored, the value of a business’s other security investments increases.

Get the full report at: 2016 CIO Study Results: The Threat to Our Cybersecurity Foundation. 

Infographic: Crumbling Cybersecurity—CIOs Are Wasting Millions


CIOs admit to wasting millions on inadequate security controls. Why? There is a fundamental flaw in their cybersecurity strategy that is letting cybercriminals bypass their defenses in over half of network attacks.

This infographic shows CIO survey results which reveal cybersecurity is crumbling because the foundation of cybersecurity—keys and certificates—is being left unmanaged and unprotected.

Everyone has layered security defenses—next gen firewalls, VPNs, DLP, advanced threat protection, endpoint protection, and more. With all of these investments, CEOs, CIOs, and IT security leaders should expect their security systems to know what’s trusted and safe, and what’s not. But these security controls are blind to attacks that use compromised, stolen, or forged keys and certificates to undermine network defenses.

With Gartner expecting over 50% of network attacks to use SSL/TLS to hide in encrypted traffic by 2017, enterprises have a huge gap in their cybersecurity that won’t protect them against half of attacks.

This infographic is based on a January 2016 survey conducted by Vanson Bourne, an independent technology market research provider. The survey asked 500 enterprise CIO respondents in the U.S., U.K., France, and Germany how the demand for encryption and exponential growth in cryptographic keys and digital certificates are impacting their cybersecurity efforts. 

The results show IT executives understand their cybersecurity approaches are failing and agree they are wasting money on ineffective security controls. But trust in the cybersecurity foundation can be restored by securing keys and certificates. Venafi, the Immune System for the Internet™, helps you know instantly which keys and certificates should be trusted and which shouldn’t. Learn how we can help protect your organization.

RSA 2016: Threats to Cybersecurity Are Making Headlines


RSA 2016 did indeed shape up to be an interesting event. With a hospital in Los Angeles being held hostage by hackers with ransomware and Apple defending its operating system against the federal government’s request for a backdoor, the threats facing cybersecurity are significant and dangerous.

At the same time, we need to provide faster IT—cloud, DevOps, IoT, mobility, and more. As I expected, the RSA sessions, floor, and meetings were buzzing with talk of DROWN and what we need to do to protect the things we care about while delivering more IT services, faster, and with less.


IT security professionals are entrusted with protecting the business and its critical digital assets. So we layer security controls, ensuring we have a defense-in-depth approach. With endpoint protection, advanced threat protection, next generation firewalls, IDS/IPS, VPNs, behavioral analytics, access controls, data protection, and so many others, it’s not surprising that Gartner expects information security spending to exceed $83 billion in 2016.

But with all of this protection, the bad guys are still getting in—and they are using our own security controls to do it. We use cryptographic keys and digital certificates to protect our communications and connections. However, security controls blindly trust keys and certificates, enabling cybercriminals to use stolen or forged ones to bypass security controls. When keys and certificates go unmanaged and unprotected, the foundation of cybersecurity crumbles.

As it turns out, we are the ones with visibility problems.

I think we can all agree that encryption is important. It secures our networks, online transactions, communications, and data. Even Edward Snowden agreed that nothing is as effective as encryption at safeguarding our digital assets when it is properly implemented. Unfortunately, many don’t properly manage and secure their cryptographic keys and digital certificates, leaving a gap in security. As a result, man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates are on the rise.

Intel predicts that the next high-ticket black-market item will be stolen digital certificates, and Gartner predicts that by 2017, 50% of all network attacks will use SSL/TLS. Unless we have deployed decryption devices that have real-time access to all keys and certificates needed for decryption, we have no way of knowing if our SSL/TLS traffic contains malicious or stolen content. And leaving our keys and certificates unprotected gives the bad guys ample opportunity to steal them and use them in attacks.

But it’s not just our SSL/TLS keys and certificates we need to manage and secure—SSH keys are equally as important. For many organizations, SSH keys are left up to system administrators to manage on an ad hoc basis.

How do we expect to remain secure when we can’t see the “lifecycle” of privileged access?

We bestow privileged access to our most critical systems and data without a way to see how our privileged users are leveraging this access. We have no way of telling if they have or have not shared their credentials with others, if SSH keys are stored securely, and if they are revoked when no longer used.

And, of course, there are also mobile and user certificates. As remote and traveling workers increase as well as the number of devices each of us carries, these certificates are exploding. Keys and certificates can help to secure users and devices, but when misused provide another avenue for cybercriminals to gain trusted status to access enterprise systems and data. Many don’t realize that their MDM systems do not provide sufficient control over keys and certificates.

More than half of us (54%)—and by "us" I mean information technology security professionals—have no idea exactly how many keys and certificates our systems use, where they are, who owns them, who has access to them, which CAs issued them, what key lengths or cryptographic hash types they use, when they expire, and so forth.

It's up to us to stop the bad guys. We can begin by eliminating our own blind spots.

We should have the means to decrypt and analyze both sides—inbound and outbound—of SSL/TLS traffic. If not, by 2017 we’ll be missing half of all attacks, which will use SSL/TLS traffic to hide cybercriminals’ actions. We should create and enforce clear policies for replacing certificates and keys at regular intervals, and we should automate the enforcement process, just as we have automated password-change enforcement for our users.

Similar policies should be applied to our SSH keys—without this policy enforcement SSH keys never expire, continuing to provide privileged access to critical systems and data that can be hijacked by the bad guys. And we need mobile and user certificate management that provides complete visibility as well as easy issuance and revocation to keep systems and data secure while enabling our remote workforce.
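One way to get the visibility both of these posts call for (the expired-certificate outages discussed under “Unplanned Outages Are Painful” and the key length, hash type and expiry blind spots listed here): a policy check run over a certificate inventory, as an added example that is not Venafi’s code. The policy values (398-day maximum lifetime, 30-day renewal window, 2048-bit RSA minimum), the hostnames and the self-signed test certificates are constructed for the example; in practice the inventory would come from discovery, not from MintTestCert.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation for one certificate in the inventory.
type Finding struct{ Subject, Reason string }

// Policy is the constructed certificate policy the inventory is checked against.
type Policy struct {
	MaxValidity time.Duration // longest lifetime a certificate may have
	RenewWithin time.Duration // flag certificates expiring sooner than this
	MinRSABits  int           // shortest RSA modulus accepted
}

// CheckCertificate evaluates one parsed certificate against the policy at time now
// and returns every violation: expiry, lifetime, weak signature hash, short key.
func CheckCertificate(c *x509.Certificate, p Policy, now time.Time) []Finding {
	var out []Finding
	cn := c.Subject.CommonName
	switch {
	case now.After(c.NotAfter):
		out = append(out, Finding{cn, "expired"})
	case c.NotAfter.Sub(now) < p.RenewWithin:
		out = append(out, Finding{cn, "expires soon"})
	}
	if c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
		out = append(out, Finding{cn, "validity exceeds policy"})
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		out = append(out, Finding{cn, "weak signature hash"})
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		out = append(out, Finding{cn, "RSA key too short"})
	}
	return out
}

// HasFinding reports whether a reason appears in a set of findings.
func HasFinding(fs []Finding, reason string) bool {
	for _, f := range fs {
		if f.Reason == reason {
			return true
		}
	}
	return false
}

// MintTestCert creates a self-signed certificate with the given parameters; it
// stands in for certificates discovered on the network (constructed test data).
func MintTestCert(cn string, notBefore time.Time, validity time.Duration, rsaBits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now, day := time.Now(), 24*time.Hour
	// Constructed policy: 398-day maximum lifetime (about 13 months), renew 30 days out, RSA 2048+.
	policy := Policy{MaxValidity: 398 * day, RenewWithin: 30 * day, MinRSABits: 2048}
	specs := []struct{ cn string; start time.Time; validity time.Duration; bits int }{
		{"ok.example", now, 90 * day, 2048},                   // compliant
		{"renew.example", now.Add(-80 * day), 90 * day, 2048}, // 10 days left
		{"old.example", now.Add(-400 * day), 365 * day, 2048}, // already expired: an outage waiting to happen
		{"short.example", now, 3 * 365 * day, 1024},           // too long-lived and key too short
	}
	for _, s := range specs {
		c, err := MintTestCert(s.cn, s.start, s.validity, s.bits)
		if err != nil {
			panic(err)
		}
		for _, f := range CheckCertificate(c, policy, now) {
			fmt.Printf("%-14s %s\n", f.Subject, f.Reason)
		}
	}
}
```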

Admittedly, gaining this visibility and enforcing policies might be easier for me than it is for you. As Venafi's CISO, I use our industry-leading platform to discover everything I can know about whether or not the keys and certificates on my network are trustworthy. (With our TrustNet™ certificate reputation service, my visibility actually stretches beyond my network.)

I lean heavily on our solution because we know that if blind spots exist, the bad guys will find them. But for the 54% of you who have blind spots we all know about, see what we showed at RSA.
