Channel: Venafi Blog

Gov Info Security


Encryption: The Next Generation

“While enterprises should keep an eye on advancements made in quantum computing, current research is ‘just one more evolutionary step’ toward making QKD-based systems a reality, says Kevin Bocek, vice-president of product marketing at Venafi, a key management company.”

“Until then, enterprises need to focus on securing and protecting the keys and certificates used within their infrastructure. The NSA frequently obtained encryption keys simply by breaking into the servers, according to the news report, so it’s likely these keys hadn’t been secured properly and the organizations did not know they had been improperly accessed.”

Read More


USA Today


How the NSA’s decrypting practices erodes basic trust

“The consequences of a digital world without trust are not predictable, and they are very possibly catastrophic….The NSA has collected keys and certificates, and reportedly used them to intercept and eavesdrop on the digital world. The only solution is to protect, secure and control the foundations of trust in the digital world, which means strengthening many systems, including keys and certificates.”

Read More

Security Breakfast Briefing Featuring Forrester

Security Dinner Briefing Featuring Forrester

Gov Info Security


Keeping Communication Secure in New Era

“Organizations must be aware of how they use keys and certificates and have the ability to identify risks, and respond and remediate, says Kevin Bocek, vice-president of marketing at Venafi, a key management company. ‘Otherwise, Forrester’s ‘sitting duck’ warning will be more than a warning,’ he stresses.”

Read More

CSO

PCI DSS 3.0 Sneak Peek


The Need for Greater Flexibility and an Evolving Threatscape Put Spotlight on Keys and Certificates


The PCI Security Standards Council (SSC) recently previewed PCI DSS 3.0, the next update of the payment card standard, which will be released at the North American Community Meeting in Las Vegas at the end of September. Detailed in the SSC’s highlights are a number of changes that will be important to protecting the keys and certificates used to secure payment card transactions. September’s meeting will also debut proposals for the 2014 Special Interest Groups (SIGs), which include a key management SIG to provide more guidance for protecting the keys and certificates on which we depend for trust and privacy.


DSS 3.0 is driven by the increasingly complex threatscape targeting the entire PCI ecosystem, including attacks on keys and certificates. Forrester recently found that “there is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today’s modern world that we’ve all taken for granted.” Cybercriminals have caught on to this opportunity, as Forrester notes: “This gap enables a situation that is every attacker’s dream: 1) The enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.”

The SSC is focusing on three themes for the PCI DSS 3.0 updates:

  • Education and awareness: Increase the understanding of the standard’s purpose and the steps organizations must take to comply with that standard
  • Flexibility: Allow more customization to help organizations implement the right controls coupled with monitoring and testing
  • Shared responsibility for security: Increase awareness of the responsibilities for securing data and the fact that there are now more access points to cardholder data, especially with the adoption of cloud services

All three themes will impact the expectations for an organization to secure and protect keys and certificates.

The following updates in PCI DSS 3.0 are of particular interest:

  • Requirement #2: Maintain an inventory of system components in scope for PCI DSS. Research has shown that enterprises have, on average, 17,000 keys and certificates. Many of these will fall in scope and need to be fully documented and maintained. Although organizations may have an awareness of the keys and certificates used on public-facing web servers, most fail to comprehend the number and use of keys and certificates on application servers, databases, load balancers, payment gateways, phone systems, printers, and much more. Organizations must consider not only X.509 certificates but also SSH keys. To keep an updated inventory, organizations will need systems that can constantly and thoroughly monitor all keys and certificates.
  • Requirement #2: Clarified that changing default passwords is required for application and service accounts as well as user accounts. Keys and certificates are stored in a variety of keystores, which may sometimes have default passphrases. Organizations need systems that can discover all keys and certificates and identify their application owners so that, at a minimum, organizations can change keystore passphrases from the default settings.
  • Requirement #3: Provided flexibility with more options for secure storage of cryptographic keys and clarified principles of split knowledge and dual control. Securing keys is just one area of increased flexibility outlined in the PCI DSS 3.0 update; however, the additional enhancements won’t be fully understood until 3.0 is available.
  • Requirement #5: Evaluate evolving malware threats for systems not commonly affected by malware. Although this update does not state exactly how organizations should detect and evaluate evolving threats, it is vitally important because cybercriminals are always trying to attack where organizations least expect those attacks. Many organizations overlook attacks on keys and certificates, but according to McAfee, in 2013 malware enabled by compromised certificates grew 10x over 2012. In February 2013, Symantec found 800 Trojans, which were designed to steal certificates, and these Trojans have been used to infect millions of computers. Self-signed certificates, used with everything from application servers to printers, pose another problem: organizations may have tens of thousands of self-signed certificates but do not have the ability to discern valid certificates from anomalous ones. Mandiant’s APT1 report found that cybercriminals had used self-signed certificates purporting to be from “IBM” or for use as “WEBSERVER” to enable their attacks and exfiltration of data. The only way to establish a baseline, detect anomalies, and evaluate new risks is to continuously monitor keys and certificates and enforce policies.
  • Requirement #8: Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates. Since the last PCI DSS update, organizations have realized that password and one-time password authentication methods do not adequately protect their systems and data. Combined with the increased use of mobile devices and applications, certificate-based authentication has grown in popularity. In fact, Gartner noted that “certificate-based authentication can provide a high level of security, as well as a great UX.” Increased flexibility to use digital certificates for authentication will also require increased levels of monitoring and anomaly detection.

While the highlights revealed so far indicate that organizations will need to better demonstrate how they are securing and protecting keys and certificates, full details and understanding of these changes will need to wait until the SSC releases PCI DSS 3.0.

As mentioned, the other important event at the Las Vegas meeting will be the first presentation of 2014 Special Interest Group (SIG) proposals. These focused working groups will play an important role in removing ambiguities and improving controls for changing environments. One SIG that will be proposed for online voting in November is “Encryption Key Management Guidance.” If approved, the SIG’s work will likely increase the scrutiny Qualified Security Assessors (QSAs) give to analyzing how organizations are securing their certificates and keys.

Look for more updates and analysis from Venafi following the 2013 North America Community Meeting at the end of September.



Forrester Research: Attacks on Trust


Cybercriminals want access to your network. You need to not only recognize the risk of trust-based attacks but also learn how to thwart them. This study outlines practices that you can implement to keep these criminals out.

Read Now (pdf)

Gone in 60 Months or Less


Vendors enforcing a 60-month validity period will help organizations adhere to best practices

For years, cybercriminals have been taking advantage of the blind trust organizations and users place in cryptographic keys and digital certificates. Only now are vendors starting to respond to the use of keys and certificates as an attack vector.

Last month, for example, Google announced that as of Q1 2014 Google Chrome and the Chromium browser will not accept digital certificates with a validity period of more than 60 months. Certificates with a longer validity period will be considered invalid (Deprecating support for long-lived certificates). Mozilla is considering implementing the same restrictions; however, no decision has been announced yet. But are the responses from vendors enough in the constant battle against compromised keys and certificates as an attack vector?

The Certificate Authority Browser (CA/B) Forum, a volunteer organization that includes leading Certificate Authorities (CAs) and software vendors, has issued some baseline requirements for keys and certificates, which include reducing the certificate’s validity period. By 1 April 2015 CAs should not issue certificates that have a validity period greater than 39 months. The CA/B Forum makes some—very few—exceptions whereby CAs are allowed to issue certificates that have a 60-month validity period.

The National Institute of Standards and Technology (NIST) has disallowed the use of 1024-bit keys after 31 December 2013 because they are insecure. Rapid advances in computational power and cloud computing make it easy for cybercriminals to break 1024-bit keys. When a researcher from Ecole Polytechnique Fédérale de Lausanne (EPFL) in Switzerland cracked a 700-bit RSA key in 2007, he estimated that 1024-bit key lengths would be exploitable 5 to 10 years from then. Not even three years later, in 2010, researchers cracked a 1024-bit RSA key.

Last week Symantec responded to the NIST’s recommendation in a Symantec blog, stating that on 1 October 2013 Symantec will automatically revoke all certificates that have a key length of less than 2048 bits. The only exception is certificates that are set to expire before 31 December 2013. Symantec responded quickly because the company wants to help customers avoid potential disruptions to their websites and internal systems during the holiday period (Deadline to Upgrade to 2048-bit SSL Certificates? Sooner Than You Might Think).

Both the certificate’s validity period and the key’s length are paramount in any security strategy. The deprecation of vulnerable key lengths is the first step in mitigating against keys and certificates as an attack vector, but reducing the validity period of certificates is an important second step. Longer validity periods offer an inviting open door to cybercriminals who can take advantage of advances in computational power and cloud computing to launch more sophisticated attacks. No one knows when 2048-bit keys will be broken, but enforcing a 60-month validity period will help organizations adhere to best practices, rotating certificates on a regular basis and, when doing so, potentially replacing older certificates with ones that have better cipher strengths. Who knows, in 60 months companies may need to move to 4096-bit keys to achieve adequate security.

Symantec’s move to revoke, on 1 October 2013, all 1024-bit certificates with expiration dates after 31 December 2013 is a bold move, and most certainly a step in the right direction. With such a short amount of time before the certificates become invalid, however, it will be very challenging for many organizations to replace the certificates in time. Most organizations (more than 50%) don’t have a clue how many keys and certificates they have in their inventory (Ponemon Institute Cost of Failed Trust Report). Moreover, they manage their certificate inventories manually, making it difficult to respond quickly to new guidelines or actual attacks.

Cyber-attacks continue to advance in complexity and speed and increasingly target the keys and certificates used to establish trust—from the data center to the cloud. With the advances in technology, is a 60-month, or even a 39-month, validity period for certificates short enough to reduce risk? Perhaps certificates should be ephemeral, with a lifespan of only a few seconds? Reducing the lifespan of certificates to only a few seconds may drastically limit the exploitation of certificates as an attack vector.
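The PCI DSS inventory requirements above (Requirements #2 and #5) and the thresholds in this post suggest a simple inventory policy check. The following is an added example, not Venafi’s or any vendor’s code: it builds three constructed sample certificates with Go’s standard library and flags RSA keys under 2048 bits, validity periods over the CA/B Forum’s 39 months, and self-signed certificates. The common names and dates are invented.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds from the post: CA/B Forum caps validity at 39 months (Chrome tolerates
// 60), and NIST and Symantec treat RSA keys under 2048 bits as too weak to keep.
const maxValidityMonths, minRSABits = 39, 2048

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// monthsBetween counts the whole calendar months from 'from' up to 'to'.
func monthsBetween(from, to time.Time) int {
	for n := 0; ; n++ {
		if from.AddDate(0, n+1, 0).After(to) {
			return n
		}
	}
}

// isSelfSigned reports whether the signature verifies under the cert's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// CheckCertificate applies the inventory policy and returns every violation found.
func CheckCertificate(c *x509.Certificate) []string {
	var out []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		out = append(out, fmt.Sprintf("RSA key is %d bits, below %d", pub.N.BitLen(), minRSABits))
	}
	if m := monthsBetween(c.NotBefore, c.NotAfter); m > maxValidityMonths {
		out = append(out, fmt.Sprintf("validity is %d months, above %d", m, maxValidityMonths))
	}
	if isSelfSigned(c) {
		out = append(out, "self-signed; confirm it is authorised rather than anomalous")
	}
	return out
}

// newCert builds a constructed sample certificate (not real data); a nil parent makes a self-signed CA.
func newCert(cn string, bits, months int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(int64(months)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2013, 9, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2013, 9, 1, 0, 0, 0, 0, time.UTC).AddDate(0, months, 0),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SampleInventory checks three constructed certificates and keys the findings by common name.
func SampleInventory() map[string][]string {
	ca, caKey := newCert("Constructed Root CA", 2048, 60, nil, nil)
	weak, _ := newCert("weak.example.test", 1024, 12, ca, caKey)
	good, _ := newCert("good.example.test", 2048, 24, ca, caKey)
	out := map[string][]string{}
	for _, c := range []*x509.Certificate{ca, weak, good} {
		out[c.Subject.CommonName] = CheckCertificate(c)
	}
	return out
}
```

Against a real estate you would feed parsed certificates from keystores, web servers and SSH hosts into CheckCertificate instead of the constructed samples.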

16 Years of Escalating War on Trust


The 16 Years of Escalating War on Trust whitepaper takes a historical overview of how cyber attacks have evolved, and examines how cybercriminal efforts have become increasingly complex and frequent. During this period, sensitive and valuable data has grown exponentially, as has the complex IT infrastructure within enterprises that is meant to protect it. Data and supporting IT systems have become ripe targets for attack, and the cyber security attacks have become increasingly nefarious.

Read Now (pdf)

On-demand: Attacks On Trust – The Cybercriminal’s New Weapon


VIEW NOW

Venafi, in collaboration with Forrester Research, Inc., presents the on-demand webinar—“Attacks On Trust: The Cybercriminal’s New Weapon”.

Due to the significant rise of cybercriminal attacks on cryptographic keys and digital certificates, more and more organizations are finding themselves vulnerable to threats to their data. Hackers have learned how to access critical keys and certificates and how to exploit those trusted resources to infiltrate a network. Many common security measures are unequipped to block these types of assaults and, as a result, hackers are stealing or tampering with information from high-profile corporations and individuals alike.

Presenters John Kindervag, Principal Analyst, Forrester Research and Jeff Hudson, CEO, Venafi will guide you through both the risks and the solutions, explaining:

  • The rise of trust-based cybercriminal attacks
  • Reasons why keys and certificates can be targeted as weak spots in your defense
  • How common security measures are failing to protect businesses
  • Steps you should take to protect your valuable data

VIEW NOW

Securing Mobile Certificates Whitepaper


The shift toward Bring Your Own Device (BYOD) has led to the rapid deployment of hundreds of thousands of mobile certificates, increasing the risk of unauthorized access to critical networks, applications, and data. Although a remote wipe of a device mitigates data loss, it does not remove potentially orphaned or compromised mobile certificates. Download this whitepaper and learn how to gain visibility and control over mobile access in your organization.

Read Now (pdf)

Broken Trust – Exposing the Malicious Use of Digital Certificates and Cryptographic Keys


Digital certificates and cryptographic keys are interwoven into our everyday lives. Think about it: from accessing the Wi-Fi hotspot at your local coffee shop to flying across the country in a new Boeing 737, keys and certificates are entwined into the very fabric of cyber-space. They help to authenticate and secure person-to-machine and machine-to-machine communications, creating the foundation for secure online transactions. Data at rest or in transit is secured by keys and certificates. They establish trust.

But what happens when trust is broken? When malicious actors take advantage of trust established by keys and certificates, turn that trust against you, and use certificates and keys for nefarious gain. That’s exactly what is happening. The last few years have seen a rampant increase in the use of keys and certificates as an attack vector against organizations. It’s important to recognize cyber-criminals’ motives and techniques to understand how to better protect yourself from the onslaught of attacks on keys and certificates.

Generally, there are three types of cyber-criminals: cyber-crime actors, cyber-espionage actors, and other threat actors such as hacktivist groups. Cyber-crime actors are motivated by financial gain, whereas cyber espionage actors are driven by the collection of intellectual property (IP). Hacktivists, on the other hand, are motivated by ideologies such as religious beliefs, or political views.


Venafi collaborated with ISIGHT Partners to highlight some examples of how reliant society is on keys and certificates, and how cyber-criminals exploit keys and certificates to gain illicit access to organizations. ISIGHT Partners provides detailed information about the different types of cyber-criminals, including:

  • Threat actor threat sources
  • Threat actor attack methodologies
  • Threat actor attack surface

What’s very evident from the research is that cyber-criminals will use any tactic they can to gain access into an organization’s network. The Broken Trust white paper includes a few case studies that show exactly how cyber-criminals use keys and certificates to their advantage, exploiting the trust keys and certificates are meant to establish. Some of the case studies include:

  • Using certificates in a spam campaign
  • Pharming
  • Using Secure Shell (SSH) to infiltrate a network and expand a user’s rights within that network
  • Using Secure Sockets Layer (SSL) to disguise communications

The alarming part is that the examples in the paper are by no means an exhaustive list. On a daily basis, news outlets report new ways cyber-criminals are taking advantage of the blind trust most organizations have in keys and certificates.

Download your copy of the Broken Trust whitepaper to learn more.

On Demand: Broken Trust – Exposing the Malicious Use of Keys & Certificates


VIEW NOW

For years, digital trust that is foundational to every business and government has been established by cryptographic keys and digital certificates. Recently, this trust has come under attack from cyber criminals. Through theft and forgery, malicious actors use stolen or compromised keys and certificates to attack and infiltrate organizations by stealing data and valuable IP. Their motives are different, as are their tactics and techniques.

In this webinar you will:

  • Obtain insight into the profiles of malicious actors
  • Understand the current cyber threat landscape
  • Learn about real-world examples of attacks on keys and certificates
  • Understand the exposure to your organization

VIEW NOW


Cyber Defense Magazine


The “V” in Venafi is for “Very” Cool

“Today, due to increased data protection requirements and security best practices, there has been a surge in certificate inventories… Failure to properly maintain these encryption assets can result in crippling system downtime, data breaches, and non-compliance, costing organizations millions of dollars.”

Read More

How Edward Snowden breached security

Venafi Reveals how Edward Snowden Breached the NSA; Challenges Agency to Prove Conclusions Wrong


NSA’s Inability to Detect and Respond to Fabricated Cryptographic Keys and Certificates Allowed Exiled Attacker to Steal Thousands of Classified Documents and Intellectual Property

Salt Lake City, UT – November 12, 2013

Venafi, the leading cyber security company in Next-Generation Trust Protection, today announced the results of in-depth research by its Threat Center team into how Edward Snowden successfully breached the National Security Agency (NSA). After months of review, analysis and peer feedback, this research reveals that the contract worker leveraged valid credentials as a low-level system administrator to fabricate cryptographic keys and digital certificates, which he then used to access and steal classified information and US intellectual property. The NSA’s inability to detect or respond to anomalous key and certificate activity on its network allowed him to infiltrate systems and exfiltrate data without being detected.


“For more than a decade, we’ve been observing similar attacks at some of the most security-minded enterprises and agencies in the world. Based on all available evidence, we’ve concluded that fabricated SSH keys and self-signed certificates along with the agency’s inability to detect their presence and use is what led to the breach,” said Jeff Hudson, CEO, Venafi. “The NSA knows this is how the breach was accomplished, and we’re so confident in our analysis and conclusions that we’re comfortable challenging the NSA—or Edward Snowden—to prove us wrong.”

Cybercriminals and nation-backed operators have successfully used unsecured keys and certificates to breach trust on enterprise and government agency systems on repeated occasions. Most global organizations have no ability to detect anomalies or to respond to attacks on trust that leverage compromised, stolen or fabricated keys and certificates. Because of these deficiencies, enterprises are “sitting ducks,” according to a recent Forrester Consulting report.

In addition to Forrester’s conclusion, it is also well documented that some of the most famous computer breaches have been the result of abused keys and certificates, including the Flame, Duqu and Stuxnet attacks. Attackers and common cyber-criminals understand this well, which is why attackers increasingly use self-signed certificates and maliciously manipulated SSH and asymmetric keys to attack organizations in order to steal data and valuable intellectual property.

“As a leading organization responsible for contributing to U.S. national and global cyber defense, the NSA has a responsibility to disclose the truth behind the breach,” continued Hudson. “Until the agency openly admits what happened along with all of the steps it’s taken to correct the problem, all organizations that rely on keys and certificates to ensure trust will remain vulnerable to this attack vector.”

Following analysis and peer review of the information that has been publicly reported, Venafi has identified the critical elements to piece together the full story of how Snowden attacked common trust mechanisms in order to breach the NSA, and has released its findings via multiple sources that outline in detail how the attack occurred:

To access the content, visit: http://www.venafi.com/NSA

For even more information and to join the Snowden discussion:

About Venafi

Venafi is the market leading cybersecurity company in Next-Generation Trust Protection. As a Gartner-recognized Cool Vendor, Venafi delivered the first trust protection platform to secure cryptographic keys and digital certificates that every business and government depend on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.

As part of any enterprise infrastructure protection strategy, Venafi Director helps organizations regain control over trust in the cloud, on mobile devices, applications, virtual machines and network devices by protecting Any Key. Any Certificate. Anywhere™. Venafi prevents attacks on trust with automated discovery and intelligent policy enforcement, detects and reports on anomalous activity, and remediates errors and attacks by automatically replacing misconfigured and compromised keys and certificates. Venafi Threat Center provides primary research and threat intelligence for trust-based attacks.

Selected as a 2013 FiReStarter and Red Herring Top 100 company, Venafi customers are among the world’s most demanding, security-conscious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, manufacturing, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Infographic: How Snowden Breached the NSA


How Edward Snowden did it and is your enterprise next?

There’s one secret that’s still lurking at the NSA: How did Edward Snowden breach the world’s most sophisticated IT security organization? This secret has as much to do with the NSA as it does with your organization. In this exclusive infographic, Venafi breaks open how Edward Snowden breached the NSA. Venafi is sharing this information and challenges the NSA or Edward Snowden to provide more information so that enterprises around the world can secure their systems and valuable data.


NSA Director General Keith Alexander summed up well Snowden’s attack: “Snowden betrayed the trust and confidence we had in him.” The attack on trust, the trust that’s established by cryptographic keys and digital certificates, is what left the NSA unable to detect or respond. From SSH keys to self-signed certificates, every enterprise is vulnerable. This exclusive infographic provides you with the analysis needed to understand the breach and how it could impact you and your organization.


Download Infographic (JPG)

Learn more about how Edward Snowden compromised the NSA.

On Demand: The Edward Snowden Breach – Attack Steps & Prevention


VIEW NOW

According to recent Forrester Research, “Advanced threat protection provides an important layer of protection but is not a substitute for securing keys and certificates.” The critical need to secure digital trust by protecting cryptographic keys and digital certificates was proven true again with Edward Snowden’s breach of the NSA.

Snowden brilliantly showed the way for other attackers, both internal and external, by using his knowledge of the NSA’s poor control over its SSH keys, private keys and self-signed certificates to turn those security assets against the NSA and steal valuable and top secret information.

Even though the NSA is perhaps the most security-conscious organization on the planet, the breach does not come as a surprise. Of the 2300+ organizations Ponemon Research surveyed, every enterprise has experienced at least 1 attack on keys and certificates during the past 2 years.

In this webinar you will learn:

  1. How Edward Snowden breached NSA systems without being detected
  2. How fabricated and unauthorized keys were used to execute attacks and exfiltrate data
  3. What attack methods are shared by both external attackers and insiders
  4. Why every enterprise is vulnerable to the same attack method
  5. What steps you can take to reduce your exposure to a Snowden-like attack

A Snowden-like breach is waiting to happen in every organization due to the lack of security and protection for keys and certificates. Take action now to stop this breach from happening to you. Watch “The Snowden Breach: Attack Steps & Prevention” webinar now.

VIEW NOW
