Channel: Venafi Blog

Innovation Showcase


Date: June 25, 2013
Location: Minneapolis, Minnesota
Details: http://surgantventures.com/Innovation_Showcase.html


About Venafi

Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.


Cloud Security Alliance – Seattle Chapter


Date: June 27, 2013
Location: Seattle, Washington
Details: https://chapters.cloudsecurityalliance.org/seattle/



Innovation Showcase


Date: October 24, 2013
Location: Dallas, Texas
Details: http://surgantventures.com/Innovation_Showcase.html



Protecting Brand Value with Security & Business Resiliency


Date: June 25, 2013
Location: Abu Dhabi
Details: https://www-950.ibm.com/events/wwe/grp/grp015.nsf/v17_agenda?openform&seminar=E6ZH7TES&locale=en_GB



Security Day Luxembourg


Date: June 13, 2013
Location: Luxembourg
Details: http://www.lannews.be/SecurityLux2013



PCI London


Date: July 2, 2013
Location: London, UK
Details: http://www.pci-portal.com/event/pcilondonuk13july



The Tower Bridge Event


Date: July 17, 2013
Location: London, UK
Details:



Knowledge Event – ‘Cyber Warfare – Are We Prepared?’


Date: June 20, 2013
Location: Holland
Details: Knowledge Event




Stop Crimeware That Uses Keys and Certificates Against You


Again and again the news breaks: bad actors have succeeded in infiltrating an organization and stealing data. How did they get in, and how did they evade detection for long periods? Increasingly often, they are using crimeware designed to steal keys and certificates.

Keys and certificates should form the foundation of every enterprise’s security. But organizations—blindly trusting in the security of keys and certificates that they do not inventory and track, let alone regulate with assigned custodians and access policies—have left the door open to bad actors, all too ready to steal a key or certificate. Stolen security assets then become weapons in the hackers’ hands. The bad actors can sign malware so that it appears legitimate, crack into cloud systems managed by SSH keys—the possibilities spin out from there. With the recent leak of the source code of the Carberp Trojan, one example of crimeware that steals keys and certificates, similar attacks will only proliferate.

To protect your organization, you need to understand bad actors’ tactics. Let’s examine a common targeted attack for infiltrating an organization. This attack is based on a spear-phishing campaign, in which a victim inadvertently installs a remote access Trojan (RAT). The hacker then ramps up the damage using the RAT to obtain more keys and greater access, burrowing past the original victim further and further into the organization’s data.

Figure: targeted attack cycle

Phase 1: The bad actor first obtains or builds the RAT and any other crimeware to be used during the attack. From this very first phase, hijacked encryption assets play a role. Typically, the bad actor digitally signs the malicious code with a fake or stolen digital key, helping the crimeware evade security solutions.

Phase 2 & 3: The hacker selects and investigates potential victims. Using information that is freely available on the Internet, the hacker designs a spear-phishing campaign with personal details to lure victims into clicking a URL or opening an attachment. Either action delivers the malicious payload, which is installed on the victim’s machine.

Phase 4: During this phase the malicious payload establishes an outbound connection back to the bad actor. In most cases, this connection is encrypted with SSL, helping attackers to evade network-based threat detection and interfering with security vendors attempting to analyze their traffic.

Phase 5: Having infiltrated the network, the bad actors expand the scope of the attack. They strengthen their foothold in the network by stealing user credentials; in particular, they seek elevated credentials like SSH keys, which can offer root access to valuable systems. Also during this phase, bad actors add further outbound connections for redundancy, as well as for providing more immediate access to systems and data flagged as high value.

Phase 6: The final phase consists of slowly extracting the data from the victim. Bad actors know to encrypt their traffic and to keep it slow, avoiding unusual behavior that might trip an event trigger.

Recommendations:

Gain visibility: The first step in mitigating these trust-based attacks—attacks that use your trusted keys and certificates against you—is to understand your key and certificate inventory. Without clear visibility into the cryptographic credential inventory, strong control over the number and types of keys and certificates, and clear policies assigning owners to particular cryptographic credentials, an organization can do little to defend itself against these attacks.

Monitor for anomalies: Network monitoring tools can help you detect the use of suspicious SSL certificates or SSH sessions in your network. By cross-referencing a suspicious SSL certificate with the known certificate inventory—once you have gained that visibility—you can quickly determine whether the SSL traffic is legitimate or possibly part of a targeted attack. Similarly, you can detect suspicious SSH sessions that might indicate a hacker quietly expanding into your critical systems.

Respond quickly: In the event that you detect an anomaly and prove it to be malicious, you must respond quickly, limiting the scope of the damage by removing compromised credentials and replacing them with new, valid keys and certificates. Because improper removal of a certificate may impact applications’ trust chains and cause an outage, you must carefully plan and monitor the rotation of any key material. Automated deployment and verification tools not only speed the response but prevent unexpected downtime due to human errors.
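The "Monitor for anomalies" step above, cross-referencing observed SSL certificates against the known inventory, as an added example that is not code from the original post or from Venafi. It assumes a hypothetical one-line-per-handshake monitor log format; the inventory, fingerprints and log lines are constructed, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed SHA-256 fingerprints (64 hex chars); none belongs to a real certificate.
FP_BANK = "a1" * 32
FP_PRINTER = "b2" * 32
FP_ROGUE_BANK = "c3" * 32
FP_UNKNOWN = "d4" * 32

# Constructed inventory export: fingerprint -> subject CN, as discovery would record it.
KNOWN_CERTS: Dict[str, str] = {
    FP_BANK: "www.example-bank.test",
    FP_PRINTER: "printer-3f.corp.test",
}

# Constructed monitor output in a hypothetical one-line-per-handshake format:
#   <timestamp> tls src=<ip> dst=<ip>:<port> cn=<server cert CN> fp=<sha256>
# The last line is a non-TLS event and must be skipped, not mis-parsed.
SAMPLE_LOG = f"""\
2013-07-17T09:12:01Z tls src=10.1.4.22 dst=203.0.113.10:443 cn=www.example-bank.test fp={FP_BANK}
2013-07-17T09:12:07Z tls src=10.1.4.22 dst=198.51.100.8:443 cn=www.example-bank.test fp={FP_ROGUE_BANK}
2013-07-17T09:13:40Z tls src=10.1.7.90 dst=192.0.2.55:8443 cn=update.cdn-mirror.test fp={FP_UNKNOWN}
2013-07-17T09:14:02Z tls src=10.1.4.30 dst=10.1.250.5:443 cn=printer-3f.corp.test fp={FP_PRINTER}
2013-07-17T09:14:05Z dns src=10.1.4.30 query=printer-3f.corp.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tls src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"cn=(?P<cn>\S+) fp=(?P<fp>[0-9a-f]{64})$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    cn: str
    fp: str
    reason: str


def parse_tls_line(line: str) -> Optional[dict]:
    """Return the fields of one TLS log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cn: str, fp: str, inventory: Dict[str, str]) -> Optional[str]:
    """None when the certificate is in inventory; otherwise why it is suspicious."""
    if fp in inventory:
        return None
    if cn in inventory.values():
        # A name we own, served with a certificate we never issued or recorded:
        # the highest-priority case, since it can be an impersonated host.
        return "known subject with a fingerprint not in inventory (possible impersonation)"
    return "certificate not in inventory"


def find_suspicious_certs(log_text: str, inventory: Dict[str, str]) -> List[Finding]:
    """Cross-reference every observed server certificate against the inventory."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is None:
            continue
        reason = classify(rec["cn"], rec["fp"], inventory)
        if reason is not None:
            findings.append(Finding(reason=reason, **rec))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_certs(SAMPLE_LOG, KNOWN_CERTS):
        print(f"{f.ts} {f.src} -> {f.dst} cn={f.cn} fp={f.fp[:16]}... {f.reason}")
```

The inventory lookup is what turns a generic "unknown certificate" alert into a triaged one: a known hostname served with an unrecorded fingerprint is worth investigating before a wholly unknown external site.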

Venafi Director™ is a platform that provides Enterprise Key and Certificate Management, enabling organizations to gain insight into and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning the widest range of certificate authorities (CAs). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory and to quickly identify security risks associated with trust exploits, as well as operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and into the cloud. As a result, organizations can prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.

NIAS Symposium & Expo


Date: September 17 – 19, 2013
Location: Mons, Belgium
Details: http://www.nias2013.com/



Self-Signed Certificates: What’s the concern?


Because most advanced persistent threats (APTs) succeed when someone makes an innocent error—clicks that link, runs that Java application—you’re probably looking for ways to train employees to see through common ruses. But if your organization is like most others, it has thousands of assets that are working just as hard training employees to let the hackers in.

What are these assets that can work against you? Self-signed certificates.

Many organizations face a common challenge and frequently ask: why should we treat self-signed certificates in the same manner as we do other types?

Do organizations address any other security control the way they do self-signed certificates, with no visibility and no controls?

Certificates are used to secure and authenticate communications, yet organizations are doing nothing to keep it that way. Over 50% of organizations are not even aware of the number of keys and certificates used within their own environments. For any opportunistic cybercriminal, this is the perfect attack vector.

What self-signed certificates do in your environment

CA-signed certificates call on a trusted third-party to testify that, for example, a web server really belongs to your bank and not a hacker phishing for your account. A self-signed certificate, on the other hand, presents itself without any outside stamp of approval, relying on users to click past a warning to accept it.

Organizations deploy these certificates extensively on embedded web servers in printers and in network devices or perhaps even on internal-facing applications. Just like CA-signed certificates, self-signed certificates serve the important purpose of authenticating and securing communications—with the seeming added bonus of costing nothing and being easy to generate or even coming pre-installed.

Limited visibility

A Venafi customer performed a discovery and uncovered 87,000 records. Of these records, 63,664 self-signed certificates were discovered, with the following counts per organization:

  • Hewlett-Packard Company: 47,894
  • International Business Machines Corp: 10,360
  • VMware Inc.: 4,360
  • Dell Inc.: 1,050

Upon running a query, Venafi uncovered nine instances of a certificate introduced on October 3rd, 2003 and due to expire on October 2nd, 2013. The organization was unaware of the certificate’s location or how it was being used.
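The kind of analysis a discovery result like the one above invites, as an added example that is not code from the original post or from Venafi: classify inventory rows as self-signed, count them per organization, find one certificate copied onto many devices, and list what expires soon. The records, hostnames and fingerprints are constructed sample data modelled on the figures above, and the helper names are this example's own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class CertRecord:
    host: str         # where discovery found the certificate
    subject: str      # simplified DN of the form "O=<org>, CN=<name>"
    issuer: str
    fingerprint: str  # SHA-256 hex; constructed, not a real certificate
    not_before: date
    not_after: date


def is_self_signed(cert: CertRecord) -> bool:
    # Issuer equal to subject is the usual first-pass test on inventory rows.
    # A stricter check verifies the signature with the subject's own public
    # key, which needs the DER certificate rather than a discovery record.
    return cert.issuer == cert.subject


def organization(dn: str) -> str:
    """Pull the O= attribute out of the simplified DN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return "(no organization)"


def self_signed_by_org(records: List[CertRecord]) -> Dict[str, int]:
    """Count self-signed certificates per organization, largest first."""
    counts = Counter(organization(c.subject) for c in records if is_self_signed(c))
    return dict(counts.most_common())


def duplicate_deployments(records: List[CertRecord]) -> Dict[str, List[str]]:
    """Fingerprints found on more than one host (one certificate, many copies)."""
    hosts: Dict[str, List[str]] = defaultdict(list)
    for c in records:
        hosts[c.fingerprint].append(c.host)
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}


def expiring_within(records: List[CertRecord], as_of: str, days: int) -> List[CertRecord]:
    """Certificates expiring on or before as_of (ISO date) + days, expired ones included."""
    cutoff = date.fromisoformat(as_of) + timedelta(days=days)
    return sorted((c for c in records if c.not_after <= cutoff),
                  key=lambda c: (c.not_after, c.host))


def _cert(host, org, cn, fp, start, end, issuer=None):
    subject = f"O={org}, CN={cn}"
    return CertRecord(host, subject, issuer or subject, fp, start, end)


# Constructed sample inventory modelled on the discovery results above: one
# HP printer certificate copied onto nine devices, a few other embedded
# self-signed certificates, and one certificate issued by an internal CA.
SAMPLE_INVENTORY: List[CertRecord] = [
    _cert(f"printer-{i:02d}.corp.test", "Hewlett-Packard Company", "HP Jetdirect",
          "aa" * 32, date(2003, 10, 3), date(2013, 10, 2))
    for i in range(1, 10)
] + [
    _cert("ibm-mgmt-1.corp.test", "International Business Machines Corp", "ibm-mgmt-1",
          "bb" * 32, date(2012, 1, 15), date(2022, 1, 15)),
    _cert("ibm-mgmt-2.corp.test", "International Business Machines Corp", "ibm-mgmt-2",
          "bc" * 32, date(2012, 1, 15), date(2022, 1, 15)),
    _cert("esx-07.corp.test", "VMware Inc.", "esx-07",
          "cc" * 32, date(2011, 5, 2), date(2021, 5, 2)),
    _cert("idrac-12.corp.test", "Dell Inc.", "idrac-12",
          "dd" * 32, date(2012, 9, 9), date(2017, 9, 9)),
    _cert("www.corp.test", "Example Corp", "www.corp.test",
          "ee" * 32, date(2013, 3, 1), date(2015, 3, 1),
          issuer="O=Example Corp, CN=Example Issuing CA"),
]


if __name__ == "__main__":
    print("self-signed by organization:", self_signed_by_org(SAMPLE_INVENTORY))
    for fp, hosts in duplicate_deployments(SAMPLE_INVENTORY).items():
        print(f"{fp[:16]}... deployed on {len(hosts)} hosts")
    for c in expiring_within(SAMPLE_INVENTORY, "2013-07-01", 120):
        print(f"{c.host}: expires {c.not_after}, self-signed={is_self_signed(c)}")
```

Run as of 1 July 2013 with a 120-day window, the report surfaces the nine copies of the 2003 printer certificate and nothing else, which is the kind of finding the organization above did not know it had.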

A wolf in sheep’s clothing

Self-signed certificates provide the perfect cover for advanced threats. In fact, the Mandiant APT1 report shows attackers used self-signed certificates, such as certificates purporting to be from “IBM” or for use as “WEBMAIL,” “EMAIL,” “SERVER,” or “ALPHA,” as command and control (C&C) cover.

Consider a typical day for employees, whether normal users or IT administrators. Administrators might need to access an administrative console, so they click past a familiar security warning from the embedded self-signed certificate. Or users need to download and run a Java applet to offload processing from an older embedded web server. Again, they must click through a certificate warning.

The self-signed certificates become the boy who cried wolf, raising so many warnings during normal operations that users notice nothing suspicious when a hacker redirects them to a fake printer or network device. Similarly, users may click through Java security warnings and download and run a malicious Java applet on their machine. Many modern web threats silently hijack the browser, so the certificate warning might give users their only chance to save their machine from compromise. Instead, given nothing but a warning that looks so much like the innocent ones so long ignored, users let the hacker in.

How you can protect yourself

First, you need to realize that your organization likely has many self-signed certificates even if inventories indicate otherwise. A Venafi customer recently discovered that 63,664 of its 87,000 certificates were self-signed, and the company had no idea where those certificates were deployed.

Next, you must determine how you will counteract the bad habits that self-signed certificates are instilling in users. You might set up an internal CA and replace self-signed certificates with certificates signed by it. You might keep the self-signed certificates, but monitor their use more closely, training employees to recognize the certificates that truly belong to their appliances and applications.

In any case, ongoing visibility into and control over your certificate deployment, combined with enforcement of best practices, will provide your primary line of defense—helping employees recognize a wolf when they see one.

Honoring Black Hat’s Sweet 16, Venafi Report Chronicles 16 Years of Attacks, Offers Advice on Defending Against Advanced Threats


Nation-State Cyberespionage Provides Attack Blueprint; Armed Cybercriminals Increasingly Target Trust Exploits as Attack Vector of Choice Against Businesses and Governments

Salt Lake City, UT – Jul. 24, 2013

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, is celebrating Black Hat’s “Sweet 16” with the release of its latest report, “16 Years of Black Hat – 16 Years of Attacks: A Historical Overview of the Evolving Cyberattack Landscape.” The report chronicles the last 16 years of attacks, threats and exploits, and analyzes how they’ve evolved and intensified over time. The report also offers advice to enterprises on how to better defend against a new era of attacks that increasingly leverage unprotected cryptographic keys and digital certificates—the security technologies that form the foundation of IT security and online trust.

Report readers will learn about the history and evolution of attacks and the changing faces of the attackers. They will also realize that criminals have used every weapon in their arsenal—from malware and Trojans to attacks on trust—in order to make a name for themselves, disrupt business and steal data and state secrets. The report shows that as enterprises have responded, advanced attackers have had to develop new and more resistant attack and evasion methods. More recent persistent and targeted attacks demonstrated a range of attack methods and provided powerful blueprints for more common cybercriminals.

“State-backed and organized cybercriminals learned from early hackers that their vast resources could be used for a variety of nefarious, disruptive or lucrative activities. Common criminals looking for the path of least resistance have mimicked advanced attack methods. This, coupled with organizations’ failure to secure and protect keys and certificates, has left the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want,” said Jeff Hudson, Venafi CEO. “Organizations must stop blindly trusting keys and certificates, and take steps to understand how these attacks work and what they can do to defend against them. Otherwise, they are a vulnerable target to anyone with a cause, computer and Internet connection.”

Chronicled in the report are the different eras of attacks and attackers, with factual examples of attacks and exploits from each period, including overviews of the CIH computer virus, Melissa, Code Red, MD5, Aurora, Stuxnet and Flame. Historical eras include:

  • 1997–2003: VIRUSES, WORMS AND A LITTLE DENIAL
  • 2004–2005: THE BIRTH OF FOR-PROFIT MALWARE
  • 2007–2009: THE RISE OF APTS
  • 2010–PRESENT: ASSAULT ON TRUST USING KEY AND CERTIFICATE-BASED ATTACKS

To access “16 Years of Black Hat – 16 Years of Attacks: A Historical Overview of the Evolving Cyberattack Landscape,” visit: www.venafi.com/sweet16

About Venafi

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys—from the datacenter to the cloud and beyond—built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Happy Birthday Black Hat – 16 Years of Attacks


This year Black Hat turns 16. In honor of its longevity, we’ve produced a new report that chronicles the evolution of cyberattacks and methods over the past 16 years. Looking back, cyberattackers have used every weapon in their arsenal, from malware to Trojans. The tactics, targets, motives and identities of cybercriminals have changed substantially during this period, and we take a look at how what began as a way for computer geeks to gain notoriety has become a worldwide industry with far-reaching national defense and economic ramifications. The attacks have become increasingly nefarious, complex and frequent.

The graphic below highlights the evolution of cyberattacks since 1997, the year Black Hat launched. As IT footprints have expanded, so too have the type and variety of attacks, forcing all IT-dependent organizations to contend with diminished trust.

Figure: evolving cyberattack landscape

In addition to chronicling the evolution of cyberattacks, the piece also discusses intelligence trends that can help readers shape effective cyber-defense strategies, as well as a few tricks that have not changed much over the years. The means by which digital smart weapons are guided into their targets and authenticate within target networks has, however, changed dramatically. One of the most dramatic developments is the corruption and weaponization of online trust, established by digital certificates and cryptographic keys.

As business and government have responded, our reliance on cryptographic keys and certificates has increased. Yet the criminals have turned our strength against us, using digital certificates and cryptographic keys—the fundamental components for digital security and trust—to compromise systems, trick people, and gain access to sensitive data. And why not? Keys and certificates are the perfect vehicle for exploitation.

Figure: cybercriminal attack vector of choice

According to McAfee, last year alone malware signed by stolen digital keys grew by a factor of ten as criminals took advantage of the difficulty of detecting and responding to compromised keys and certificates. Most organizations are not able to identify an attack until after the fact, they cannot respond to an attack, and most have failed to deploy effective controls that can stop cybercriminals from attacking either of these technologies.

As global enterprises and government agencies continue to expand their digital presence by connecting literally everything to the Internet, the size of their attack surface will grow, opening up more opportunities for cybercriminals.

Access the full report here and stop by and see us in Las Vegas at the Black Hat show next week. We’ll be at booth #333.

Venafi Wins Prestigious Red Herring 2013 Top 100 North America Award


Selected From Among Thousands of Startups, Venafi Recognized for IT Security Innovation, Execution Ability and Accelerated Growth

Salt Lake City, UT – August 7, 2013

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, announced that Red Herring has selected it as a Top 100 North America winner. Venafi helps organizations reduce their attack surface by providing visibility and control over cryptographic keys and certificates, closing the door on escalating cyber-attacks against these vital resources. Fueled by demand from the world’s leading financial institutions, retailers, manufacturers and high-tech companies, Venafi has achieved explosive growth year over year and demonstrated its ability to deliver improved threat detection and IT security to a wide range of enterprises.

“In 2013, selecting the Top 100 achievers was by no means a small feat,” said Alex Vieux, publisher and CEO of Red Herring. “In fact, we had the toughest time in years because so many entrepreneurs have crossed significant milestones so early. But after much thought, rigorous contemplation and discussion, we narrowed our list down from hundreds of candidates from across North America to the Top 100 Winners. We believe Venafi embodies the vision, drive and innovation that define a successful entrepreneurial venture. Venafi should be proud of its accomplishment, as the competition was very strong.”

Red Herring selects only 100 award winners from the 3,000 technology startups financed each year in the US and Canada, choosing the winners based on their technology innovations, financial performance, intellectual property, leadership, business model, customer footprint and market growth. Since 1996 Red Herring’s editors have led the pack in recognizing up-and-coming companies such as Facebook, Twitter, Google, Yahoo, Skype, salesforce.com, YouTube, Palo Alto Networks and eBay.

Venafi joins this elite group for its unique efforts in helping enterprises maintain trust in the encryption assets on which business operations rely. “Today, every business and government is a target for data theft. Hackers and criminals look for the weakest link in security systems—vectors where IT staff can neither monitor nor respond to attacks—and they find those weak links in the average enterprise’s vast pool of unsecured certificates and keys,” said Gregory Webb, Venafi Vice President of Marketing.

“When bad actors steal trusted keys or compromise certificates, they can sign malware so that it appears legitimate or gain virtually unlimited access to a company’s private data—all without triggering a response from firewalls, anti-malware, intrusion detection systems and SIEM solutions,” Webb continued. “Only solutions that protect those trusted keys and certificates themselves can defend against these emerging attacks, and we are thrilled that Red Herring has highlighted Venafi’s leadership in meeting this business imperative.”


The Cybercriminal’s New Weapon: Insights from Forrester Research Every IT Security Team Needs to Know

In the 21st century there is probably one certainty in life beyond death and taxes: cybercriminals will use what we trust against us. From email to online banking, cybercriminals hijack what we trust. In a new study, Forrester concludes that cybercriminals have added new weapons to their arsenal: cryptographic keys and digital certificates. In doing so, they have turned what is supposed to create security and trust into a powerful attack weapon. Download your copy of the new study, Attacks on Trust: Cybercriminal’s New Weapon, to learn more.

Because compromised keys and certificates let adversaries take on trusted status, new security systems such as next-generation threat protection prove to be of little help in stopping these attacks. These conclusions echo Venafi’s own analysis of the last 16 years of weaponization by the cybercriminal community.

Forrester’s study identifies new insights including:

  • How spending on keys and certificates ranks against other data security initiatives
  • How advanced threat protection investments are being prioritized
  • What impact attacks on trust have on organizations, and whether enterprises are concerned

Forrester finds that:

“There is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today’s modern world that we’ve all taken for granted.”

And the problem is of our doing.

“The risk established by this gap wouldn’t be tolerated elsewhere today. No CISO could consider having tens of thousands of unknown network ports open and have no way to control them.”

How serious is the problem then? Forrester concludes that it’s one of the most serious facing enterprises today:

“This gap enables a situation that is every attacker’s dream: 1) The enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.”

How can IT security teams fight back against an “attacker’s dream” that leaves every enterprise a “sitting duck”? Forrester recommends four goals that enterprises should, and can, achieve. Getting these right matters today, and Forrester believes it will matter even more in the future:

“As cloud services and user mobility increase, there will be new and expanding use cases for cryptographic keys and digital certificates. With this increased dependency, the surface area of attack for every government and business also increases. Your future — the trust in and control over your cloud services, mobile devices, and data — depends upon how you secure keys and certificates.”

Download your copy of this new study, Attacks on Trust: Cybercriminal’s New Weapon to learn more.


Black Hat 2013 Briefings Day 1 Report

The first day of Black Hat was all about the opening keynote: NSA Director General Keith Alexander’s opening stirred emotions but also shared some new insights into NSA operations.

Most interesting for me was the screenshot of the analyst’s user interface to the NSA’s phone metadata. Looking very Windows 3.11-ish, the small screenshot shows how an analyst searches for calls and what data comes back.

[Image: black-hat-2013-FISA-records]

Beyond the keynote there were a number of great briefings. Topping the list was the very serious, and at times comical, look into the FBI’s programs for identifying malicious insiders, given by the agency’s former CISO Patrick Reidy.

[Image: black-hat-2013-byod]

The FBI learned that insiders cannot be found simply by looking for behavior that is anomalous relative to the whole user community. Instead, data must be normalized and analyzed in the context of the individual user. The use of analytics and the recommendations on normalizing data are great lessons for anyone looking to use big data to detect threats.

[Image: black-hat-behavioral-detection]

Day one also showed that TLS sessions can be attacked without ever touching the server’s long-term private key. With session tickets, the server avoids keeping per-session state by encrypting the session’s master secret and parameters under a server-side ticket key and handing the result to the client for later resumption. That saves server resources, but anyone who obtains the ticket key can recover the master secrets inside the tickets and decrypt those sessions without the server’s private key.

[Image: black-hat-2013-conclusions]

The tool demonstrated, and released to attendees, needed access to the server and a memory dump to obtain that key, which is well within reach of a capable attacker. The broader lesson is that enterprises need to understand the constantly changing ways keys and certificates are used, especially as elastic public and private cloud computing shifts into higher gear and developers make security decisions outside the domain of IT security.
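The trade-off above, as an added example for this page (not code from Venafi or from the Black Hat talk). It models a TLS session ticket: the server seals the master secret under a single server-side ticket key, a legitimate resumption opens it, an attacker holding a copy of that key opens it equally well, and rotating the key invalidates old tickets. Assumptions: the real record layer and handshake are omitted, and RFC 5077’s AES/HMAC ticket format is replaced by an HMAC-SHA-256 counter-mode stream cipher with encrypt-then-MAC so the script runs on the standard library alone.

```python
"""Toy model of TLS session tickets and why the ticket key matters.
Added example; not production TLS code. The cipher is HMAC-SHA-256 in
counter mode with encrypt-then-MAC (an assumption standing in for the
AES-CBC/HMAC construction RFC 5077 recommends)."""
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA-256 in counter mode used as a PRF-based stream cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TicketKey:
    """Server-side session-ticket encryption key (STEK). Every ticket the
    server issues is sealed under this one key for as long as it is in use."""
    def __init__(self):
        self.enc = os.urandom(32)
        self.mac = os.urandom(32)


def seal_ticket(stek: TicketKey, master_secret: bytes, cipher_suite: int) -> bytes:
    """Server side: encrypt the session state and hand the blob to the client."""
    state = struct.pack(">H", cipher_suite) + master_secret
    nonce = os.urandom(16)
    ct = _xor(state, _keystream(stek.enc, nonce, len(state)))
    tag = hmac.new(stek.mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_ticket(stek: TicketKey, ticket: bytes):
    """Whoever holds the STEK (the server, or an attacker who dumped it) can
    open the ticket and recover the master secret. Returns None on a bad tag."""
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expect = hmac.new(stek.mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    state = _xor(ct, _keystream(stek.enc, nonce, len(ct)))
    return struct.unpack(">H", state[:2])[0], state[2:]


def demo() -> dict:
    stek = TicketKey()
    master_secret = os.urandom(48)            # agreed in the original handshake
    ticket = seal_ticket(stek, master_secret, 0xC02F)

    # Legitimate resumption: the server opens the ticket with its STEK.
    suite, resumed = open_ticket(stek, ticket)

    # Attacker who pulled the STEK out of server memory: same capability,
    # no server private key needed, and (EC)DHE in the handshake does not help.
    stolen = TicketKey()
    stolen.enc, stolen.mac = stek.enc, stek.mac
    _, attacker_view = open_ticket(stolen, ticket)

    # Rotating the STEK bounds the exposure: tickets sealed under the old key
    # no longer open under the new one.
    rotated = TicketKey()
    return {
        "suite": suite,
        "resumed_ok": resumed == master_secret,
        "attacker_recovers_secret": attacker_view == master_secret,
        "old_ticket_after_rotation": open_ticket(rotated, ticket),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the rotation step is that the STEK’s lifetime, not the TLS private key, sets the window an attacker with a memory dump can decrypt; a ticket key that lives for the whole server process turns every captured session into a replayable record.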

Black Hat 2013 Briefings Day 2 Report

The last day of briefings at Black Hat 2013 was full of new attacks that every enterprise needs to be aware of. The attacks on the trust established by keys, certificates and the underlying cryptography shown at Black Hat are both a recognition of where cybercriminals are focusing and of how much everyday life depends on that trust.

Salacious and headline-grabbing as it was, one of the most important sessions this year was Cryptopocalypse. The presenters from iSEC Partners detailed how academic advances in mathematics have accelerated, and how a new breakthrough could arrive any day that makes it feasible to factor RSA keys at lengths thought adequate today. As an example, the panel showed how the Flame attack sped up MD5 collision finding by orders of magnitude to fabricate a seemingly valid certificate capable of signing Windows Update.

[Image: black-hat-2013]

The presenters used humor to make an important point, saying:

“We should give Ron Rivest a break. One man, in one decade, developed what commerce around the world depends on.”

It has been almost 40 years since many of the asymmetric cryptographic innovations we depend on every day were made, and the guidance to move on is itself almost a decade old. When the NSA published its Suite B cryptographic recommendations it left the RSA algorithms out in favor of elliptic-curve algorithms (ECDH and ECDSA), signalling that the US government should prepare to move away from RSA. Now is likely a good time for enterprises to review those recommendations.

[Image: EEC-certificates]

While no particular cryptographic method was shown to be broken, the presenters did encourage enterprises to be prepared. Organizations should understand where and how they use certificates, which algorithms and key lengths those certificates rely on, and how quickly they could replace them.

The NIST guidance on CA compromise provides a good set of detailed recommendations to prepare organizations for dealing with compromised certificates, whether due to an attack on a CA or because a particular cryptographic method can no longer be trusted.

Lessons Learned from Snowden

The Snowden case has caused an international media frenzy, with many questions that still need to be answered. No matter what questions we have about the U.S. government’s surveillance policies, however, we should not ignore the network vulnerability this case highlights. As I have followed all the news about this case, one statement in particular intrigues me. Last month U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden accessed “files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator.” I find this statement interesting because it has sparked numerous conversations and debate about how Snowden gained access to confidential information.

[Image: Edward Snowden]

What does “fabricating digital keys” mean? There is some debate as to whether Snowden simply used other people’s Secure Shell (SSH) keys that had weak or no passwords, whether he ran a fake certificate authority (CA), or whether he “minted a certificate, or a ticket, or token, or whatever the thing is, by subverting an issuing authority or its processes (possibly via social engineering).”

We may never know exactly how Snowden fabricated digital keys to gain elevated privileges, but if we focus on his exact methods we overlook a more important question: how are encryption keys and digital certificates being used within our own organizations? The Snowden case should be a wake-up call regardless of which kind of digital key he used. It shows that a low-level administrator can gain elevated privileges in areas he should never have been able to reach. When keys or certificates are used for authentication, as with SSH keys or user certificates, whoever holds the private key is authenticated as its owner and bypasses the host’s other authentication mechanisms; a stolen or fabricated key therefore translates directly into elevated privileges.

We have seen bad actors use self-signed certificates to encrypt their traffic and so disguise their communications inside an organization’s network. Security tools tend to trust encrypted traffic blindly: many cannot inspect it because they cannot decrypt it, and those that can still need the relevant keys before they can scan it.

As the Snowden case shows, encrypted traffic and the use of encryption as an authentication mechanism within the confines of an organization’s network is generally trusted, which can create a security risk. Organizations can learn three main lessons from this case:

Lesson 1

More than 50% of organizations do not have a clear understanding of their encryption key and digital certificate inventory: they do not know how keys and certificates are used, which systems they grant access to, or who controls them. Every organization needs to know which keys and certificates are in use on its network, who has access to them, and how and when they are used. The first step is to build that inventory by discovering and centrally managing these cryptographic assets.
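One concrete slice of that inventory is SSH. The following is an added example for this page, not Venafi’s product code: it reads `authorized_keys` files for several accounts, computes each key’s fingerprint the way `ssh-keygen -lf` does, and reports keys that are missing from the inventory, shared across accounts, of a weak type, or installed on a privileged account without a `from=` restriction. The account names, the two key blobs and the inventory are constructed for the demo; the blobs are valid ssh-ed25519 wire format but not usable keys.

```python
"""Audit SSH authorized_keys entries against a key inventory.
Added example; sample files, key blobs and inventory are constructed."""
import base64
import hashlib
import re
import struct
from collections import defaultdict

# optional options field, key type, base64 blob, optional comment
KEY_RE = re.compile(
    r"^(?:(?P<opts>.+?)\s+)?"
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def fingerprint(b64_blob: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 of the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            entries.append({"error": line})
            continue
        entries.append({"type": m["type"], "fp": fingerprint(m["b64"]),
                        "opts": m["opts"] or "", "comment": m["comment"] or ""})
    return entries


def audit(files: dict, inventory: dict, privileged=("root",)) -> list:
    """files: account -> authorized_keys text; inventory: fingerprint -> owner."""
    findings = []
    seen = defaultdict(set)
    for account, text in files.items():
        for e in parse_authorized_keys(text):
            if "error" in e:
                findings.append((account, "unparseable-line", e["error"]))
                continue
            seen[e["fp"]].add(account)
            if e["fp"] not in inventory:
                findings.append((account, "key-not-in-inventory", e["fp"]))
            if e["type"] == "ssh-dss":
                findings.append((account, "weak-key-type", e["fp"]))
            if account in privileged and "from=" not in e["opts"]:
                findings.append((account, "unrestricted-privileged-key", e["fp"]))
    for fp, accounts in seen.items():
        if len(accounts) > 1:          # one key opening several accounts
            findings.append(("*", "key-shared-across-accounts",
                             fp + " " + ",".join(sorted(accounts))))
    return findings


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_blob(seed: bytes) -> str:
    """Structurally valid ssh-ed25519 blob with a made-up 32-byte point."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()


# constructed sample data
KEY_A = constructed_ed25519_blob(b"alice-laptop")
KEY_B = constructed_ed25519_blob(b"nobody-knows")
SAMPLE_FILES = {
    "alice": f'from="10.0.0.0/8" ssh-ed25519 {KEY_A} alice@laptop\n',
    "root": f"# deploy access\nssh-ed25519 {KEY_A} alice@laptop\nssh-ed25519 {KEY_B}\n",
}
INVENTORY = {fingerprint(KEY_A): "alice (workstation)"}


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES, INVENTORY):
        print(*finding)
```

On the sample, alice’s entry is clean, while root carries alice’s workstation key without any source restriction and a second key nobody has recorded; the shared key is the kind of low-level-admin-to-privileged-account path the Snowden discussion is about.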

Lesson 2

Bad actors, insiders included, exploit the fact that keys and certificates are blindly trusted, using that trust to gain elevated privileges and bypass host authentication controls. The Mandiant APT1 report gives one example: it briefly describes attackers installing their own self-signed certificates to encrypt communications between victims’ hosts and the attackers’ command-and-control servers. With a complete picture of your key and certificate inventory you can spot anomalies of this kind. If a self-signed certificate that is not in the inventory appears on the network, it can be investigated immediately, reducing exposure and limiting losses.
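The check just described, together with the MD5-signature weakness the Flame forgery discussed in the Black Hat Day 2 report abused, as an added example for this page (not Venafi’s or the page’s code). It walks a certificate’s DER structure with a minimal TLV reader, flags certificates whose issuer equals their subject (self-issued, which is what a self-signed certificate looks like before its signature is verified) when their fingerprint is not in the inventory, and flags md5WithRSAEncryption signatures. The three sample certificates, the DER writer that builds them, the names and the inventory are constructed for the demo; the samples carry placeholder keys and signatures, so only their structure, names and algorithm OIDs are meaningful.

```python
"""Flag unknown self-issued and MD5-signed certificates against an inventory.
Added example; the sample certificates below are constructed, not real."""
import hashlib

OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption
OID_MD5_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # md5WithRSAEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


# --- minimal DER reader ---
def tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end) of the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def children(content: bytes) -> list:
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, end = tlv(content, pos)
        out.append((tag, val, content[pos:end]))
        pos = end
    return out


def inspect(cert_der: bytes) -> dict:
    _, body, _ = tlv(cert_der)
    _, tbs, _ = tlv(body)                      # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                   # skip explicit [0] version
        fields = fields[1:]
    _serial, sig_alg, issuer, _validity, subject = fields[:5]
    first_attr = children(children(children(subject[1])[0][1])[0][1])
    return {
        "fingerprint": hashlib.sha256(cert_der).hexdigest(),
        "sig_oid": children(sig_alg[1])[0][1],
        # issuer DN byte-identical to subject DN: self-issued
        "self_issued": issuer[2] == subject[2],
        "subject_cn": first_attr[1][1].decode(),
    }


def audit(certs: list, inventory: set) -> list:
    findings = []
    for c in certs:
        info = inspect(c)
        if info["sig_oid"] == OID_MD5_RSA:
            findings.append(("md5-signature", info["subject_cn"], info["fingerprint"]))
        if info["self_issued"] and info["fingerprint"] not in inventory:
            findings.append(("unknown-self-signed", info["subject_cn"], info["fingerprint"]))
    return findings


# --- tiny DER writer, used only to build the constructed samples ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))


def sample_cert(subject_cn: str, issuer_cn: str, sig_oid: bytes) -> bytes:
    alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")
    placeholder = der(0x03, b"\x00" * 33)     # BIT STRING; no real key or signature
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn)
              + der(0x30, der(0x17, b"130801000000Z") + der(0x17, b"140801000000Z"))
              + name(subject_cn)
              + der(0x30, der(0x30, der(0x06, OID_RSA) + b"\x05\x00") + placeholder))
    return der(0x30, tbs + alg + placeholder)


KNOWN_CA = sample_cert("Corp Internal CA", "Corp Internal CA", OID_SHA256_RSA)
LEAF = sample_cert("app.example.test", "Corp Internal CA", OID_SHA256_RSA)
ROGUE = sample_cert("update.example.test", "update.example.test", OID_MD5_RSA)
INVENTORY = {hashlib.sha256(KNOWN_CA).hexdigest()}

if __name__ == "__main__":
    for finding in audit([KNOWN_CA, LEAF, ROGUE], INVENTORY):
        print(*finding)
```

The known internal CA is self-issued but inventoried, so it is silent; the leaf chains to it and is silent; the rogue certificate trips both checks. In production the inputs would come from a network capture or host scan and the inventory from the central store the previous lesson calls for.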

Lesson 3

Security experts strongly recommend encrypting sensitive data and controlling access to the systems that hold it. But encryption is only as strong as the protection of its keys: failing to secure the keys is as risky as transmitting the data in plain text, and anyone with direct access to keys and certificates can use them to gain elevated privileges. Implement separation of duties so that keys and certificates are never accessed directly, and log every action performed with them for audit purposes.

Evolution of Cyber Attacks Infographic

16 years: from viruses, worms, DDoS, advanced persistent threats, to key and certificate-based attacks

It used to be that programmers created and launched annoying but mild virus and spam malware to show the world just how brilliant they were and to gain notoriety. Today, we live in a very different world where cyber threats and attacks are recognized as significant global, political and commercial challenges with serious financial and reputational consequences. Check out The Evolution of Cyber Attacks Infographic to see how cyberwarfare and new attacks on trust have escalated over the last 16 years.

[Image: evolution-of-cyber-attacks]

Mercury News

Consumers worried about NSA intrusions have little recourse

“Or as Jeff Hudson, CEO of encryption key provider Venafi, put it, ‘The foundation of this world that we built is starting to crumble. When people say, “I didn’t think the government could do this to me,” I look at it and say, “Guess what? That’s not the worst thing.” This has become a template for criminals who are going to use it to destroy the most important thing on the Internet, which is trust.’”
