The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise.
In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.