Channel: Venafi Blog

How to protect your business from state-sponsored attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all costs.

The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right.

After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralised Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and symmetric keys and digital certificates scattered around – and each type will also have several variants.

Understanding the Methodology and Staggering Costs in the Annual Cost of Failed Trust Report

Every Global 2000 enterprise faces a total exposure of almost U.S. $400 million over 24 months due to new and evolving attacks on failed cryptographic key and digital certificate management. And adjusting for probability established by survey participants, we found every enterprise risks losing $35 million.

These findings cap our First Annual Cost of Failed Trust Report: Trusts and Attacks, which quantifies, for the first time, the financial impact of new threats and attacks on our ability to control trust.

Attack on SSHD!

In recent news, SSHD (SSH daemon) backdoors have been all the buzz, though SSHD rootkits are nothing new. What’s interesting about the new SSHD rootkit is its level of sophistication: the ssh, ssh-agent, and sshd binaries were all replaced. As a result, changing the password on a compromised system will do you no good; the attacker already has root access! As is well known, the main goal of the rootkit is to steal passwords, but this is not the end goal. The end goal is to use the stolen credentials to access systems for their data, and to sell the information for profit.

The use of SSH is widespread in organizations; system administrators commonly rely on it to perform tasks like secure remote system management within their datacenters. When it comes to cloud computing there is no difference: SSH is commonly used to manage workloads running in private or public cloud environments. Many organizations use cloud computing as an extension of their datacenter; securing the data and controlling trust – as in, who has access to data and how it is accessed – has never been more critical. To any organization, losing control over SSH is a very serious problem. Research on the cost of losing control of trust published by the Ponemon Institute showed that the most alarming threat to organizations in key and certificate management is the compromise of SSH.

Once a system is compromised via an SSH exploit, it is very difficult to detect and remove, simply because the attacker has root privilege and can do pretty much anything they want to the system. If there is anything we can learn from history, it is that criminals will go where the money is; they will take advantage of every weakness in any system, exploiting it for their own nefarious gain. Cloud computing takes advantage of economies of scale; unfortunately, this also means that any exploit that can be taken advantage of – an SSH exploit, for example – results in a larger fallout.

So far it has not been confirmed whether the recently discovered SSH rootkit can steal the private key from compromised systems, simply because the private key is not stored on the system. What has been confirmed is that the rootkit hooks the functions used to dump the private key into a file. Evidently SSH exploits are growing in number and are being taken advantage of by cyber-criminals. In the keynote at the RSA conference this week, Microsoft stated something that is very evident and real: PKI (Public Key Infrastructure) is under attack. The question is, what are enterprises going to do about it? There are some alarming truths when it comes to the handling of encryption assets like SSH keys that put most organizations at high risk.

Manual key and certificate management – 60 percent of Global 2000 organizations manage their keys and certificates manually, that is, via spreadsheets maintained by application administrators.

Silo management – If you take into account the number of application administrators the average enterprise has, a new problem is added to the equation: not only are keys and certificates managed manually, but there is a silo effect where multiple organizations within the enterprise each manage their own keys and certificates, in spreadsheets! The result: no enterprise-wide visibility into the trust assets – the key and certificate inventory.

Overbearing volume – The average enterprise has over 17,000 keys and certificates; it is no wonder we see mistakes made by system administrators resulting in damaged brand reputation, like the recent McAfee incident where a digital certificate was inadvertently revoked. As a result, trust broke down, and Mac users could no longer verify whether an application could be trusted.

No third-party vetting – SSH has no equivalent of a Certificate Authority that can vet whether a system should trust an SSH key. System administrators must manage this trust relationship themselves. When dealing with multiple internal organizations and tens of thousands of keys and certificates to manage, mistakes will be made and, in many cases, shortcuts are taken.

There is an increase in outages and exploits related to the mismanagement of keys and certificates. For SSH key theft alone, according to the Ponemon Institute, an enterprise can expect over U.S. $75 million in potential cost exposure.

Organizations need to take proactive measures to gain control over trust in the management of cryptographic keys and certificates; manual procedures and processes are no longer sufficient. Make sure your organization has an automated key and certificate lifecycle management solution in place. How is your organization protecting itself from PKI attacks? How does your organization work around some of the challenges outlined?

Consensus at RSA Conference 2013: “PKI is Under Attack”

At last week’s RSA Conference 2013 in San Francisco, a clear consensus emerged: attacks on the trust established by cryptographic keys and certificates are on the rise and are an important element in today’s threat landscape. In the Microsoft keynote, Scott Charney, corporate vice president for Trustworthy Computing, declared “PKI is under attack.” Charney explained how criminals are obtaining unauthorized digital certificates or misusing cryptographic keys to enable further attacks.

In the weeks leading up to RSA, criminals obtained valid digital certificates to spread banking malware. And the week before RSA, keys used by Bit9 to digitally sign whitelisted applications were misused, enabling subsequent attacks on Bit9 customers. These and other trust exploits were covered in detail in an educational webcast delivered by Paul Turner, Venafi’s VP of Products and Strategy.

These attacks coincided with the release of new research by the Ponemon Institute into the impact and cost of trust exploits that take advantage of failed key and certificate management. The 2013 Annual Report: Cost of Failed Trust found that all of the more than 2,300 respondents in mostly large enterprises had experienced at least one trust exploit. In his joint session with Boeing at RSA, Ponemon discussed how weak cryptographic exploits and CA compromises were found to impact every organization in the survey.

Ponemon was most surprised about the concern and alarm respondents have about future attacks on SSH. Critical to establishing trusted connections between administrators, machines, and other machines, SSH is the first and last line of control for IaaS cloud services from Amazon, Microsoft, and others. Ponemon said “the importance of SSH to the future of cloud computing” was the reason why enterprises appear most alarmed by attacks on SSH compared to any other attack on key and certificate management. Criminals have already recognized the enterprise dependence on SSH and in the weeks leading up to the conference were found to be modifying SSH libraries to capture credentials for subsequent misuse.

While highlighting the rampant rise in attacks on the trust every business and government depends on, Charney encouraged the packed keynote audience to “better manage key and certificates” to prevent these attacks. The Cost of Failed Trust research indicates that many organizations first need to start by understanding how and where keys and certificates are used. Over half of respondents believed their organization did not know how many keys and certificates are in use. This means that the average of 17,000 keys and certificates used by servers, appliances, and cloud services reported in the research is likely an underestimate.

Building an inventory is just one of the best practices Venafi customers helped develop and is part of NIST’s July 2012 guidance on Preparing for and Responding to a CA Compromise. Taking these steps can place an enterprise on the journey to regaining the control over trust that presenters at RSA described as being so fragile today. While attacks are on the rise, there is reason for hope. Ponemon noted that almost two thirds of enterprises believe that if you “get key and certificate management right” then the security risks, along with the operational and compliance challenges of using encryption, will be solved.

Microsoft Azure Outage Reveals Need to Automate Certificate Lifecycle Management

Microsoft is a trusted partner for some of the world’s largest enterprises – providing the software, and now cloud services, they use to build and run their businesses. Unfortunately, as so many other enterprises have learned, failed key and certificate management has put a dent in the special trust Microsoft enjoys. During last week’s unplanned Azure outage, Microsoft and its customers learned that it only takes a single oversight, in this case an expiring digital certificate, to bring down a service that tens of thousands of customers rely on for almost half a day.

Microsoft is by no means alone. A single, overlooked SSL certificate that expires unexpectedly or one that is not installed properly can cause failures on mission-critical systems and applications. Cloud providers should thank Microsoft for highlighting how critical key and certificate management has become. As part of its response, Microsoft is “expanding monitoring of certificates expiration” and “will improve the detection of future expiring certificates deployed in production.” Having a current and complete SSL key and certificate inventory is the first step in a continuous process of preventing key and certificate management failures that breach trust.

How many enterprises face the same challenges? According to new Ponemon Institute research on Global 2000 organizations, over half of all enterprises don’t have an accurate inventory of their keys and certificates. On average Global 2000 organizations have over 17,000 keys and digital certificates deployed. It’s easy to see why errors and oversights like the one with Microsoft Azure happen every day around the world.

Establishing systems and processes to automate the renewal and lifecycle management for keys and certificates isn’t just about preventing unplanned outages, lost revenue, and reputation damage.

In his keynote presentation at the RSA Conference 2013, Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft, declared “PKI (Public Key Infrastructure) is under attack” by cybercriminals and that all organizations need to better manage their keys and certificates. Ponemon research revealed attacks on key and certificate management are exposing enterprises to potentially hundreds of millions of dollars in losses. More troubling still, attacks on SSH (Secure Shell) are now viewed as the greatest concern by enterprise IT managers. SSH is the technology used by Microsoft Azure, Amazon Web Services, and other cloud service providers to establish trust and control.

There simply is no reason for organizations to fall victim to what happened to Microsoft and to hundreds of other organizations each and every day. There are numerous resources available to help organizations establish processes and systems to maintain their control over the trust that’s established by cryptographic keys and digital certificates. These resources include:

Amazon’s CloudHSM, a step in the right direction

Earlier this week Amazon Web Services announced their new CloudHSM offering. Essentially the service is a SafeNet Luna SA appliance dedicated to each tenant, and it can take at least two days to provision once ordered. The cryptographic assets are not accessible to AWS: AWS holds the appliance admin credentials, while the customer keeps both the HSM Admin and HSM Partition Owner credentials.

You can choose from multiple availability zones in the US East and EU West regions. The Cloud HSM is meant specifically for use in the AWS Virtual Private Cloud (VPC).

Figure: Amazon CloudHSM (Ref: AWS CloudHSM)

The addition of AWS CloudHSM is a welcome evolution in making the cloud more secure. However, it still leaves many problems. According to a recent publication on the “Cost of Failed Trust” by the Ponemon Institute, the average Global 2000 organization has in excess of 17,000 encryption keys and certificates spread across its network – a network that spans the enterprise datacenter, virtual private clouds such as the AWS offering, and mobile devices.

Organizations need to be wary of silo management of encryption keys and certs. The CloudHSM is only available for AWS Virtual Private Cloud workloads, which creates siloed management of keys and certificates across your AWS deployment, your datacenter deployment and your mobile devices. You need to make sure you implement a centralized key management solution in order to gain full visibility into your entire key and certificate inventory.

The only key difference between using an HSM on-premise and using the AWS CloudHSM is the location of the HSM. You still need to be able to manage your entire key and certificate inventory, and the CloudHSM is not going to provide you with this.

Make sure you deploy a key and certificate management platform that, from a single pane of glass, can manage the encryption keys stored within the HSM—be it AWS CloudHSM or a locally installed one. Venafi Encryption Director manages any key, any certificate, anywhere.

Keeping Trust Under Control Is the Key to IT Security

Security has its foundation in trust, but trust and control over the source of trust go hand in hand. What happens when a lack of control over the technologies on which trust is built means you can no longer trust them?

Take a look, for example, at our reliance on cryptographic keys and digital certificates—technologies that were once thought of as intrinsically trustworthy. Case after case has shown how easily malicious individuals can usurp control of those technologies. Keys can be stolen and certificates forged.

Read the full article on Security Week

The architects of our own destruction

Caesar, infrastructure, outsourcing and offshoring

I never wanted to spend my life in IT. I passed a programming exam at high school because I promised the teacher I would never return. It was the hardest 50% I ever had to work for! My passions were history and literature, and especially Latin, which I was actually quite good at. And little did I realise all these years later that the “dead” civilisation would come back to haunt me!

gTLD security woes – the breakdown of trust

The recent news about the looming generic top-level domain names (gTLDs) that the Internet Corporation for Assigned Names and Numbers (ICANN) is adding has sparked mixed emotions. Dot-anything domain extensions are already being auctioned off and could be seen as early as April 23, 2013. Despite growing contention from organizations such as the CA Security Council, it seems evident that gTLDs like “.local”, “.corp” and “.internal”, to name a few, will probably come to pass.

There are two areas of controversy related to the proposed gTLDs that directly impact each other. The first is the impact on security; the second is the time organizations have to respond to the new gTLDs. Organizations already face significant challenges in reducing their threat surface and responding to targeted attacks related to the breakdown in the management of trust assets like keys and certificates. Sadly, many are failing, and the addition of gTLDs only helps them fail faster at poor key and certificate management.

Security - the Man-in-the-Middle:

One concern over the gTLDs regards domains like “.corp” or “.local”, which many organizations have used for internal domains. It would be very easy for an attacker to spoof one of these internal domains for an internal company website and redirect employee traffic to a malicious website. On a public internet connection, instead of an employee going to intranet.corp, they could very easily be sending sensitive authentication information to unknown parties that have registered wildcard “.corp” TLDs.

Man-in-the-middle attacks are nothing new. It is fairly easy for an attacker to redirect traffic via DNS to a fake website with a fraudulent certificate. The big concern over gTLDs is based on the fact that a large percentage of organizations do use generic top-level domain names internally. By making these gTLDs available for purchase, ICANN causes a duplication issue: there will be collisions on the internet from conflicting certificates issued for the same gTLDs by certificate authorities (CAs) that have issued short-name certificates to organizations using these generic domain names.

For a long time CAs have been issuing short-name certificates to organizations for internal use on non-fully qualified domain names. The massive risk of the new gTLDs is that an attacker can apply to a CA for a certificate on a gTLD before it is approved by ICANN. Once ICANN approves the gTLD, the attacker holds a legitimate certificate with which to perform man-in-the-middle attacks.

Time is not on your side:

ICANN already started accepting applications in 2012, and expects registry agreements as soon as April 23, 2013.

The new gTLDs mean organizations must change their internal naming structure, moving from non-fully qualified domain names like “intranet.corp” to fully qualified domain names like intranet.company.com. This is no small task and can take years to fully execute.

Short-name certificates that have already been issued need to be deprecated. CAs have been requested to stop issuing such certificates by Nov 1, 2015. Organizations need to move quickly to plug the security gap before it becomes an issue. One of the fastest ways would be to block the names from resolving. However, this will result in unexpected behavior on corporate networks, which in turn will result in increased costs and potential downtime.

The gTLD saga once again highlights the fact that a large percentage of organizations do not know how many certificates they have.

The Ponemon Institute has confirmed that fifty-one percent of Global 2000 organizations do not know how many keys and certificates are in use within their organizations. When you take into account that organizations need to understand how many short-name certificates are in use within the network to close the security gap of the new gTLDs, time is very short indeed.
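The post argues that closing the gTLD gap starts with knowing which of your certificates carry internal names. The following is an added example (not code from the original post or from Venafi) of that inventory check: it flags single-label names, private IP literals and names under suffixes like .corp/.local/.internal, and uses the post's Nov 1, 2015 date to separate certificates that will age out on their own from those that must be replaced. The inventory format, the suffix list and the sample entries are assumptions constructed for illustration.

```python
"""Flag certificate inventory entries whose names would collide with new gTLDs.

Added example, not code from the original post or from Venafi. The inventory
format (dicts with "subject", "sans" and "not_after") and the reserved-suffix
list are assumptions chosen for illustration; the 1 November 2015 date is the
one the post gives for CAs to stop issuing short-name certificates.
"""
from datetime import date, datetime
import ipaddress

# Suffixes the post names as commonly used internally (corp, local, internal),
# plus two assumed additions; tune the set to your own naming conventions.
INTERNAL_SUFFIXES = {"corp", "local", "internal", "lan", "intranet"}

# Date the post gives by which CAs were asked to stop issuing short-name certs.
ISSUANCE_CUTOFF = date(2015, 11, 1)


def is_internal_name(name: str) -> bool:
    """True for a single-label host name, a private IP address, or a name
    whose last label is one of the reserved/internal suffixes above."""
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):           # judge a wildcard by its base domain
        name = name[2:]
    if not name:
        return False
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass                            # not an IP literal; fall through
    labels = name.split(".")
    if len(labels) == 1:                # e.g. "intranet": no TLD at all
        return True
    return labels[-1] in INTERNAL_SUFFIXES


def review_inventory(inventory):
    """Return findings as (subject, offending name, outlives_cutoff) tuples.

    Certificates still valid after the cutoff are the ones to replace first;
    the rest will age out on their own if they are not renewed."""
    findings = []
    for cert in inventory:
        not_after = datetime.strptime(cert["not_after"], "%Y-%m-%d").date()
        for name in [cert["subject"], *cert.get("sans", [])]:
            if is_internal_name(name):
                findings.append((cert["subject"], name, not_after > ISSUANCE_CUTOFF))
    return findings


# Constructed sample inventory; these are not real certificates.
SAMPLE_INVENTORY = [
    {"subject": "intranet.corp", "sans": ["*.corp", "intranet"], "not_after": "2016-03-01"},
    {"subject": "www.example.com", "sans": ["example.com"], "not_after": "2016-03-01"},
    {"subject": "mail.example.local", "sans": ["10.0.0.5"], "not_after": "2014-06-30"},
]

if __name__ == "__main__":
    for subject, name, urgent in review_inventory(SAMPLE_INVENTORY):
        print(f"{subject:22} {name:16} {'replace now' if urgent else 'let expire'}")
```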

TRUST, Can You Put a Price On It?

The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise.

In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.

Read the full article on Security Week

Do you trust in the internet, are digital certificates the new malware?

Organized criminals are using encryption keys and digital certificates against you on a daily basis. We’ve all come to trust that we securely communicate with websites as we go about our daily online transactions. The green address bar in our browsers gives us a sense of confidence that the transfer of information is secure. However, many times when our browsers pop up a warning that something is wrong with the website certificate, we ignore it and proceed anyway. Cryptographic keys and certificates are the core of trust in digital communication. But what happens when that trust is used for nefarious action against you?

For years now organized groups have been using encryption keys and digital certificates to steal information. Stuxnet and Flame are two commonly known examples of malware that took advantage of weaknesses in MD5 and were signed by forged certificates. Why do this? To make the malware appear as if it comes from a legitimate source. In doing so the operating system will allow the installation of the malware without any warning.

One does not even need to go to the extent of forging a certificate. It’s much easier to simply steal one to sign the malicious code. So far, for the month of April, the Common Computing Security Standards (CCSS) forum has logged sixteen legitimate digital certificates associated with malware. Doesn’t sound too bad compared to the number of nodes on the internet, right? Wrong: once you take into account that an average of 200,000 new malicious programs are found every day, the problem is quite serious!

If forging or stealing a digital certificate sounds like too much work, why not set up a fake company and deceive a public certificate authority (CA) into issuing you a legitimate certificate? That is exactly what the creators of Brazilian banking malware did. A fake company was set up to successfully dupe the CA DigiCert into issuing the nonexistent company Buster Paper Comercial Ltda with a legitimate certificate.

The advent of new gTLDs makes obtaining a legitimate certificate all too easy for top level domain names. These new certificates can be used for man-in-the-middle attacks. Read more on gTLD security woes.

The Mandiant APT1 report (http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) released earlier this year showed that 100% of attacks identified were based on compromised credentials – from laptops to servers. Attackers are compromising and misusing keys and certificates used for authentication all the time. They are using keys and certificates to encrypt Command & Control traffic. It’s no surprise that every organization surveyed by the Ponemon Institute has had to respond to at least 1 attack on keys and certificates over the last 2 years.

What to do about it?

Despite the multi-layer defense in depth strategies deployed by organizations, we clearly see that targeted attacks are taking advantage of trust, breaking it down, and using it against us. We need new strategies to protect our data—the new currency.

In an effort to address the breakdown in trust, earlier this month the National Institute of Standards and Technology (NIST) released a baseline set of security controls and practices to support the secure issuance of certificates. This is specifically aimed at CAs as a result of analysis of the continuous security breaches showing “insufficient security controls being in place on the computer systems and networks at these CAs, and sometimes exacerbated by weak record keeping” (http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf).

One in five organizations expect to respond to an attack related to encryption keys and digital certificates in the next two years. Attackers are looking for two things: 1) where there is little visibility of a vulnerability and 2) where there is little ability to respond. On average, enterprises have over 17,000 keys. Sixty percent of attendees at RSA 2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates.

Trust can only be established and maintained if you have a clear understanding of where your organization is vulnerable, and are able to respond to an attack—they are inevitable—with the least amount of damage. To do this you need to understand the source of the encryption keys and certificates, how they are being used, and how they are managed.

With a clear understanding and control over your key and certificate inventory you can trust in the internet, and respond to the rise in malware that takes advantage of keys and certificates.

Are Your Private Keys and Digital Certificates a Risk to You?

Last month I wrote about the use of digital certificates and encryption keys used nefariously against organizations. In the time it takes you to read this blog, 1388 new malicious programs will have been submitted to AV-Test for analysis. With a percentage of these malicious programs stealing private keys and digital certificates, it’s imperative that you understand where and how these assets are being used within your organization. In one month of malware analysis, Symantec found over 800 samples that had been designed to steal keys and certificates. The growth rate of malware using digital keys and certificates is staggering: it is five times the growth rate of apps submitted to Apple every day, and in the last year digital certificates used in malware grew by 600%.

The question that needs to be answered is: why would an attacker steal private keys and digital certificates? Simply put, to gain access to your data more easily. Malware signed with a stolen digital certificate will, in many cases, be executed without any error from the operating system. In the month that Symantec specifically tracked malware that steals encryption keys and digital certificates, the US alone accounted for more than half of all infections worldwide.

Attackers haven’t ignored Secure Shell (SSH) keys either. Stolen SSH keys are used to break into systems and expand within the network. As an organization you should prioritize understanding where SSH keys are being used, who has access to them and for what purpose, in order to reduce your attack surface. Take for example the FreeBSD servers that were hacked late last year as a result of a stolen SSH key that was being used by a developer. Had the SSH private key been assigned a password, the attack would probably not have been successful, or would at least have been made more difficult.
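The FreeBSD incident above turns on one property of a stolen key file: whether it was passphrase-protected. Below is an added example (not code from the original post or from Venafi) that audits an inventory of SSH private keys for exactly that, covering both the legacy PEM format (encryption is signalled by a Proc-Type: 4,ENCRYPTED header) and the openssh-key-v1 format (the cipher name is the first field after the magic and reads "none" for an unprotected key). The sample keys are constructed stand-ins with no real key material.

```python
"""Audit SSH private keys for passphrase protection (standard library only).

Added example; not code from the original post or from Venafi. It covers the
two on-disk formats OpenSSH writes: the legacy PEM form, where encryption is
signalled by a "Proc-Type: 4,ENCRYPTED" header, and the openssh-key-v1 form,
where the cipher name is the first string field after the magic and reads
"none" for an unprotected key. The sample keys are constructed stand-ins.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string (uint32 length, then the bytes)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def is_passphrase_protected(key_text: str) -> bool:
    """Return True if the private key material is encrypted under a passphrase."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encrypted keys carry RFC 1421 headers.
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line
               for line in lines[1:])


def unprotected_keys(inventory: dict) -> list:
    """Return the sorted names of keys in {name: pem_text} that lack a passphrase."""
    return sorted(name for name, pem in inventory.items()
                  if not is_passphrase_protected(pem))


def _fake_openssh_key(cipher: bytes) -> str:
    """Build a constructed openssh-key-v1 blob carrying the given cipher name.

    Only the header fields are meaningful; the key sections are zero filler."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")   # cipher, kdf, kdfoptions
            + struct.pack(">I", 1)                        # number of keys
            + s(b"\x00" * 16) + s(b"\x00" * 16))          # public / private filler
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample inventory of four keys (no real key material).
SAMPLE_KEYS = {
    "dev_laptop_ed25519": _fake_openssh_key(b"none"),
    "ops_jumphost_ed25519": _fake_openssh_key(b"aes256-ctr"),
    "build_server_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAK...constructed-filler...\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "backup_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "u7x...constructed-filler...\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLE_KEYS):
        print(f"WARNING: {name} has no passphrase")
```

In practice the inventory would be built by reading the key files collected from user and service accounts; the check itself needs only the PEM text.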

Most organizations have been hacked at one time or another; according to FireEye, 95% are already breached. In fact, one in five Global 2000 organizations expect to be compromised in the next two years due to weak or legacy cryptography. Organizations do not look at, or understand, how many keys and certs—51% according to Ponemon—are in use that have access to their data. In traditional network perimeter security, you would not expose external-facing ports to internal-only traffic with no monitoring. Why then allow keys and certificates to be used within the organization without appropriate control? Organizations need to understand where the security gaps are that expose the network to exploits taking advantage of keys and certificates.

The first thing you learn in any offensive strategy is to look for your opponent’s weak areas. It is no different for cyber-criminals. Organizations no longer deal with securing company data behind the proverbial four walls. With cloud computing, employee-owned devices, and very soon the “internet of things”, the attack surface cyber-criminals can exploit has increased exponentially. To add to the problem, organizations need to maintain control over, and respond to, attacks on a global basis as employees become more mobile.

Strategies to reduce your risk

Trust but verify: The average Global 2000 organization has in excess of 17,000 encryption keys that they need to deal with – most of the time manually. The first step in self-defense is to know thyself. Your organization is ill-equipped to defend itself against trust exploits if there is not a clear understanding of the encryption key and certificate inventory. One of the concepts in the Forrester Zero Trust model is that all resources should be accessed securely regardless of location. Cybercriminals can easily collect unencrypted data within the network; therefore internal data should be protected in the same manner in which external data is—encrypted. The entire encryption key lifecycle should be securely managed with an enterprise key and certificate management solution.

Control: Nearly 60 percent of RSA 2013 survey respondents stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not security experts, were responsible for encryption keys and certificates, which can result in security breaches, unplanned outages, or audit and compliance failures. Only with well-defined policies can you mitigate this risk. By enforcing long key lengths, strong algorithms and frequent rotation of keys, along with short validity periods for certificates, you increase your ability to reduce the threat surface.

Automate: How long would it take you to respond to an attack related to SSH key or digital certificate theft? That is, how long would it take your organization to replace the keys and certificates to protect the data? Sixty percent of attendees at RSA 2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates. Only through automated processes can you respond fast enough to a compromise and rotate out encryption keys and certs that have been compromised.

Venafi Director™ is a platform that provides Enterprise Key and Certificate Management, enabling organizations to gain insight and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning the widest range of certificate authorities (CAs). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory to quickly identify security risks associated with trust exploits, as well as operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and into the cloud. As a result, organizations can successfully prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.

The High Financial Costs of Failed Trust

Trust comes at a price. However, while IT security professionals understand this, they often treat trust as an afterthought. As a result, companies suffer the consequences in unexpected recovery costs and failed business relationships.

The financial sector takes trust very seriously; stakeholders at financial institutions never trivialize the trust their clients place in them because they know the entire value of the company rests on that trust. That same level of concern should extend throughout the business world, and the proper control of trust should form a primary component of security management. This view is validated by cutting-edge research from the Ponemon Institute, an independent center dedicated to research on data privacy, data protection and information security policy.

Read the full article on Security Week

Stop Crimeware That Uses Keys and Certificates Against You

Again and again the news breaks: bad actors have succeeded in infiltrating an organization and stealing data. How did they get in, and how did they evade detection for long periods? Increasingly often, they are using crimeware designed to steal keys and certificates.

Keys and certificates should form the foundation of every enterprise’s security. But organizations—blindly trusting in the security of keys and certificates that they do not inventory and track, let alone regulate with assigned custodians and access policies—have left the door open to bad actors, all too ready to steal a key or certificate. Stolen security assets then become weapons in the hackers’ hands. The bad actors can sign malware so that it appears legitimate, crack into cloud systems managed by SSH keys—the possibilities spin out from there. With the recent leak of the source code of the Carberp Trojan, one example of crimeware that steals keys and certificates, similar attacks will only proliferate.

To protect your organization, you need to understand bad actors’ tactics. Let’s examine a common targeted attack for infiltrating an organization. This attack is based on a spear-phishing campaign, in which a victim inadvertently installs a remote access Trojan (RAT). The hacker then ramps up the damage using the RAT to obtain more keys and greater access, burrowing past the original victim further and further into the organization’s data.

Figure: targeted attack cycle

Phase 1: The bad actor first obtains or builds the RAT and any other crimeware to be used during the attack. From this very first phase, hijacked encryption assets play a role. Typically, the bad actor digitally signs the malicious code with a fake or stolen digital key, helping the crimeware evade security solutions.

Phase 2 & 3: The hacker selects and investigates potential victims. Using information that is freely available on the Internet, the hacker designs a spear-phishing campaign with personal details to lure victims into clicking a URL or opening an attachment. Either action delivers the malicious payload, which is installed on the victim’s machine.

Phase 4: During this phase the malicious payload establishes an outbound connection back to the bad actor. In most cases, this connection is encrypted with SSL, helping attackers to evade network-based threat detection and interfering with security vendors attempting to analyze their traffic.

Phase 5: Having infiltrated the network, the bad actors expand the scope of the attack. They strengthen their foothold in the network by stealing user credentials; in particular, they seek elevated credentials like SSH keys, which can offer root access to valuable systems. Also during this phase, bad actors add further outbound connections for redundancy, as well as for providing more immediate access to systems and data flagged as high value.

Phase 6: The final phase consists of slowly extracting the data from the victim. Bad actors know to encrypt their traffic and to keep it slow, avoiding unusual behavior that might trip an event trigger.

Recommendations:

Gain visibility: The first step in mitigating these trust-based attacks—attacks that use your trusted keys and certificates against you—is to understand your key and certificate inventory. Without clear visibility into the cryptographic credential inventory, strong control over the number and types of keys and certificates, and clear policies assigning owners to particular cryptographic credentials, an organization can do little to defend itself against these attacks.

Monitor for anomalies: Network monitoring tools can help you detect the use of suspicious SSL certificates or SSH sessions in your network. By cross-referencing a suspicious SSL certificate with the known certificate inventory—once you have gained that visibility—you can quickly determine whether the SSL traffic is legitimate or possibly part of a targeted attack. Similarly, you can detect suspicious SSH sessions that might indicate a hacker quietly expanding into your critical systems.

Respond quickly: In the event that you detect an anomaly and prove it to be malicious, you must respond quickly, limiting the scope of the damage by removing compromised credentials and replacing them with new, valid keys and certificates. Because improper removal of a certificate may impact applications’ trust chains and cause an outage, you must carefully plan and monitor the rotation of any key material. Automated deployment and verification tools not only speed the response but prevent unexpected downtime due to human errors.

SSH Keys - Improved Security Controls or Improved Protocol?

As the use of Secure Shell (SSH) keys and related encryption services evolves and expands, security experts question what drives that evolution and are looking for ways to maximize the security effectiveness of the ubiquitous technology.

Recently, the Ponemon Institute found that most enterprises believe the largest security threat to their cryptographic assets is SSH key pairs, which are heavily entrenched in both data centers and cloud computing platforms. Simply put, enterprises fear attackers can easily compromise corporate access and data, thanks to weaknesses in traditional SSH key escrow and management processes.

Read the full article on Security Week


Self-Signed Certificates – What’s the concern?

Because most advanced persistent threats (APTs) succeed when someone makes an innocent error—clicks that link, runs that Java application—you’re probably looking for ways to train employees to see through common ruses. But if your organisation is like most others, it has thousands of assets that are working just as hard to train employees to let the hackers in.

What are these assets that can work against you? Self-signed certificates.

Many organizations face a common challenge and frequently ask the question: why should we treat self-signed certificates in the same manner as we do other types?

Would organizations accept any other security control being handled the way self-signed certificates are, with no visibility and no controls?

Certificates are used to secure and authenticate communications, yet organizations are doing nothing to keep them that way. Over 50% of organizations are not even aware of the number of keys and certificates used within their own environments. For any opportunistic cybercriminal, this is the perfect attack vector.

What self-signed certificates do in your environment

CA-signed certificates call on a trusted third-party to testify that, for example, a web server really belongs to your bank and not a hacker phishing for your account. A self-signed certificate, on the other hand, presents itself without any outside stamp of approval, relying on users to click past a warning to accept it.

Organizations deploy these certificates extensively on embedded web servers in printers and in network devices or perhaps even on internal-facing applications. Just like CA-signed certificates, self-signed certificates serve the important purpose of authenticating and securing communications—with the seeming added bonus of costing nothing and being easy to generate or even coming pre-installed.

Limited visibility

A Venafi customer performed a discovery and uncovered 87,000 records.

Of these records, 63,664 were self-signed certificates, broken down as follows:

  • Hewlett-Packard Company: 47,894
  • International Business Machines Corp: 10,360
  • VMware Inc.: 4,360
  • Dell Inc.: 1,050

Upon running a query, Venafi uncovered nine instances of a certificate introduced on October 3rd 2003 and due to expire on October 2nd 2013. The organization was unaware of the certificate's location or how it was being used.

A wolf in sheep’s clothing

Self-signed certificates provide the perfect cover for advanced threats. In fact, the Mandiant APT1 report shows attackers used self-signed certificates, such as certificates purporting to be from “IBM” or for use as “WEBMAIL,” “EMAIL,” “SERVER,” or “ALPHA,” as cover for command and control (C&C).

Consider a typical day for employees, whether normal users or IT administrators. Administrators might need to access an administrative console, so they click past a familiar security warning from the embedded self-signed certificate. Or users need to download and run a Java applet to offload processing from an older embedded web server. Again, they must click through a certificate warning.

The self-signed certificates become the boy who cried wolf, raising so many warnings during normal operations that users notice nothing suspicious when a hacker redirects them to a fake printer or network device. Similarly, users may click through Java security warnings and download and run a malicious Java applet on their machine. Many modern web threats silently hijack the browser, so the certificate warning might give users their only chance to save their machine from compromise. Instead, given nothing but a warning that looks so much like the innocent ones so long ignored, users let the hacker in.

How you can protect yourself

First, you need to realize that your organization likely has many self-signed certificates even if inventories indicate otherwise. A Venafi customer recently discovered that 63,664 of its 87,000 certificates were self-signed, and the company had no idea where those certificates were deployed.

Next, you must determine how you will counteract the bad habits that self-signed certificates are instilling in users. You might set up an internal CA and replace self-signed certificates with certificates signed by it. You might keep the self-signed certificates, but monitor their use more closely, training employees to recognize the certificates that truly belong to their appliances and applications.

In any case, ongoing visibility into and control over your certificate deployment, combined with enforcement of best practices, will provide your primary line of defense—helping employees recognize a wolf when they see one.
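As an added example that is not part of the original post and not Venafi's product code, the Go program below puts into code the checks this article, the "Monitor for anomalies" recommendation in the crimeware article, and the "Control" item in the first article describe: it fingerprints a certificate, cross-references it with an inventory, decides whether it is self-signed by verifying the signature under the certificate's own key, and applies key-length and validity-period policy. The two certificates, hostnames, inventory owner and thresholds (2048-bit RSA, 398-day validity) are constructed assumptions; the self-signed sample reuses the 2003-to-2013 validity window quoted above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the hex SHA-256 of the DER encoding; the inventory is keyed on it.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// IsSelfSigned: issuer equals subject AND the signature verifies under the cert's own key (names alone can be forged).
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// Assess cross-references an observed certificate with the inventory (fingerprint -> owner)
// and applies assumed policy thresholds: RSA keys >= 2048 bits, validity <= 398 days.
func Assess(c *x509.Certificate, inventory map[string]string) []string {
	var findings []string
	if _, known := inventory[Fingerprint(c)]; !known {
		findings = append(findings, "not in inventory")
	}
	if IsSelfSigned(c) {
		findings = append(findings, "self-signed")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		findings = append(findings, "RSA key shorter than 2048 bits")
	}
	if c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour {
		findings = append(findings, "validity longer than 398 days")
	}
	return findings
}

// issue builds a constructed cert for cn valid `years` from nb (less a day); parent == nil means self-signed. Test data only.
func issue(cn string, nb time.Time, years int, pub, priv any, parent *x509.Certificate) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.AddDate(years, 0, -1)}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail
	return c
}

// BuildSamples constructs test data, not real certificates: a printer-style self-signed RSA-1024 cert valid
// 2003-10-03 to 2013-10-02 (the decade-long cert in the text) and an internal-CA-issued server cert that alone is inventoried.
func BuildSamples() (device, server *x509.Certificate, inventory map[string]string) {
	devKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	device = issue("printer.example.internal", time.Date(2003, 10, 3, 0, 0, 0, 0, time.UTC), 10, &devKey.PublicKey, devKey, nil)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	server = issue("intranet.example.internal", time.Date(2013, 7, 1, 0, 0, 0, 0, time.UTC), 1, &srvKey.PublicKey, caKey,
		&x509.Certificate{Subject: pkix.Name{CommonName: "Example Internal CA"}}) // issuer name only
	inventory = map[string]string{Fingerprint(server): "web-team@example.internal"}
	return
}
```

Run with `go test` in a directory containing this file and a test that calls BuildSamples and Assess; the printer certificate produces four findings, the inventoried server certificate none.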

Happy Birthday Black Hat – 16 Years of Attacks

This year Black Hat turns 16. In honor of its longevity, we’ve produced a new report that chronicles the evolution of cyberattacks and methods over the past 16 years. Looking back, cyberattackers have used every weapon in their arsenal, from malware to Trojans. The tactics, targets, motives and identities of cybercriminals have changed substantially during this period, and we take a look at how what began as a way for computer geeks to gain notoriety has become a worldwide industry with far-reaching national defense and economic ramifications. The attacks have become increasingly nefarious, complex and frequent.

The graphic below highlights the evolution of cyberattacks since 1997, the year Black Hat launched. As IT footprints have expanded, so too have the type and variety of attacks, forcing all IT-dependent organizations to contend with diminished trust.

Figure: the evolving cyberattack landscape

In addition to chronicling the evolution of cyberattacks, the piece also discusses intelligence trends that can help readers shape effective cyber-defense strategies, as well as a few tricks that have not changed much over the years. The means by which digital smart weapons are guided into their targets and authenticate within target networks has, however, changed dramatically. One of the most dramatic developments is the corruption and weaponization of online trust, established by digital certificates and cryptographic keys.

As business and government have responded, our reliance on cryptographic keys and certificates has increased. Yet the criminals have turned our strength against us, using digital certificates and cryptographic keys—the fundamental components for digital security and trust—to compromise systems, trick people, and gain access to sensitive data. And why not? Keys and certificates are the perfect vehicle for exploitation.

Figure: the cybercriminal’s attack vector of choice

According to McAfee, last year alone malware signed by stolen digital keys grew by a factor of ten as criminals took advantage of the difficulty of detecting and responding to compromised keys and certificates. Most organizations cannot identify such an attack until after the fact, cannot respond to it, and have failed to deploy effective controls that can stop cybercriminals from attacking either of these technologies.

As global enterprises and government agencies continue to expand their digital presence by connecting literally everything to the Internet, the size of their attack surface will grow, opening up more opportunities for cybercriminals.

Access the full report here and stop by and see us in Las Vegas at the Black Hat show next week. We’ll be at booth #333.

Black Hat 2013 Briefings Day 1 Report

The first day of Black Hat was all about the opening keynote: NSA Director General Keith Alexander’s opening stirred emotions but also shared some new insights into NSA operations.

Most interesting for me was the screenshot of the analyst’s user interface to the NSA’s phone metadata. Looking very Windows 3.11ish, the small screenshot shows how you can search for calls and the data that’s returned.

Figure: Black Hat 2013 FISA records screenshot

Beyond the keynote, there were a number of great briefings. Topping the list was the very serious, but at times comical, view into the FBI’s programs to identify malicious insiders, presented by the agency’s former CISO Patrick Reidy.

Figure: black-hat-2013-byod

The FBI learned that looking for insiders could not be performed by merely looking for anomalous behavior outside the norm of the entire user community. Instead, data must be normalized and analysis considered in context of the individual. The use of analytics and recommendations on normalizing data are great lessons for everyone looking to use big data to detect threats.

Figure: behavioral detection

Day one also revealed that attacks on SSL and TLS are possible even without access to a server’s master asymmetric key pair. With session tickets, symmetric session keys are stored to create a stateless environment for encryption. While this reduces server demands, it means TLS sessions could be decrypted without a server’s private key.

Figure: Black Hat 2013 conclusions

While the attack tool demonstrated and released to attendees required server access and memory dumping, something attackers are capable of pulling off, enterprises need to understand the constantly changing use of keys and certificates. This is especially true as the shift to elastic public and private cloud computing moves into higher gear and developers now make security decisions outside the domain of IT security.

Black Hat 2013 Briefings Day 2 Report

The last day of briefings at Black Hat 2013 was full of new attacks that every enterprise needs to be aware of. The attacks on the trust established by keys, certificates, and underlying cryptography displayed at Black Hat are both a recognition of the cybercriminals’ focus and of their importance to everyday life.

While salacious and headline grabbing, one of the most important sessions this year was Cryptopocalypse. The presenters from iSEC Partners detailed how advances in mathematics have accelerated, and new breakthroughs could happen any day that would make it possible to factor RSA keys at lengths thought adequate today. As an example, the panel presented how the

The presenters used humor to make an important point, saying:

It’s been 40 years since many of the asymmetric cryptographic innovations we depend on every day were made, and the guidance to move on is almost a decade old itself. When the NSA released its Suite B cryptographic recommendations, it decided not to include the RSA algorithms, indicating that the US government should make preparations to move away from RSA. It’s likely a good time for enterprises to review the recommendations.

The NIST guidance on CA Compromise provides a good set of detailed recommendations to prepare organizations for dealing with compromised certificates – whether due to an attack on a CA or because particular cryptographic methods can no longer be trusted.

The Cybercriminal’s New Weapon: Insights from Forrester Research Every IT Security Team Needs to Know

In the 21st century, there’s probably one certainty in life beyond death and taxes: cybercriminals will use what we’ve trusted against us. From email to online banking, cybercriminals hijack what we trust. In a new study, Forrester concludes that cybercriminals have added new weapons to their arsenal: cryptographic keys and digital certificates. And in doing so, they’ve converted what is supposed to create security and trust into a powerful attack weapon. Download your copy of this new study, Attacks on Trust: Cybercriminal’s New Weapon, to learn more.

Because of the demonstrated capabilities compromised keys and certificates provide adversaries, new security systems, like next-generation threat protection systems, prove of little help in thwarting attacks since criminals take on trusted status. These conclusions echo Venafi’s analysis looking back over the last 16 years of weaponization by the cybercriminal community.

Forrester’s study identifies new insights including:

  • How spending on keys and certificates ranks compared to other data security initiatives
  • How advanced threat protection (APT) investments are being prioritized
  • What the impact of attacks on trust is on organizations, and whether enterprises are concerned

Forrester finds that:

“There is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today’s modern world that we’ve all taken for granted.”

And the problem is of our own doing.

“The risk established by this gap wouldn’t be tolerated elsewhere today. No CISO could consider having tens of thousands of unknown network ports open and have no way to control them.”

How serious is the problem then? Forrester concludes that it’s one of the most serious facing enterprises today:

“This gap enables a situation that is every attacker’s dream: 1) The enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.”

How can IT security teams fight back against an “attacker’s dream” that leaves every enterprise a “sitting duck?” Forrester recommends four goals enterprises should and can achieve. Getting these right is important today, and Forrester believes it will be even more important in the future:

“As cloud services and user mobility increase, there will be new and expanding use cases for cryptographic keys and digital certificates. With this increased dependency, the surface area of attack for every government and business also increases. Your future — the trust in and control over your cloud services, mobile devices, and data — depends upon how you secure keys and certificates.”

Download your copy of this new study, Attacks on Trust: Cybercriminal’s New Weapon to learn more.
