Early last year the BBC dubbed 2014 to be the year of encryption. How right they were—not only for the increased use of encryption, but also for the 2014 threats that leveraged cryptographic keys and digital certificates in their attacks. Encryption and keys and certificates were hurdled to the forefront of the media on multiple occasions. To name a few, Heartbleed, Cupid, Open SSL CSS, Shellshock, and POODLE, impacted the entire world. Very quickly cybercriminals mobilized themselves to take advantage of these exploits based on vulnerabilities that many were not remediating. One example was the Community Health Systems (CHS) breach by the Chinese espionage group APT 18 who exploited Heartbleed to breach CHS and steal data on 4.5 million patients.
At Venafi, we reviewed how well organizations have remediated Heartbleed since it was first discovered. The research focused on the largest global organizations in the world (Global 2000), and the results are not very comforting. In last year’s Venafi Labs report, a staggering 76% of Global 2000 organizations with public-facing, Heartbleed-vulnerable systems were still vulnerable. We would have expected to see a significant improvement this year. Unfortunately that’s not the case. There is only a 2% improvement in the number of Global 2000 organizations that have remediated Heartbleed.
| 2014 | 2015 | |
|---|---|---|
| Vulnerable Incomplete Remediation | 76% | 74% |
| Remediation Complete | 24% | 26% |
In last year’s Venafi Q3 Heartbleed Threat Research Analysis we found that 97% of Global 2000 public-facing servers previously susceptible to Heartbleed had still not been fully remediated. The University of Maryland performed similar analysis in November 2014 and found that 87% of the susceptible servers had still not been fully remediated. Now a year after Heartbleed’s public disclosure, 85% of Global 2000 public-facing servers still remain vulnerable. Even though that’s a 16% improvement over 2014, it is still very poor performance, leaving the door open to cybercriminals.
The surprising part from the research findings this year is that the Heartbleed remediation steps that were taken weren’t actually driven by Heartbleed remediation efforts—this was just a secondary benefit. Instead, they were the result of impending certificate expirations. An astounding 65,000 certificates were re-issued with new private keys simply because of impending expirations. Although it is a good practice to keep short key and certificate rotation cycles, organizations should be replacing all keys and certificates to remediate Heartbleed. Industry experts from Bruce Schneier to Gartner’s Erik Heidt made it clear that to fully contain and remediate Heartbleed, SSL keys and certificates needed to be replaced.
Why so many are still susceptible to Heartbleed
It would seem based on the trend of replacing keys only for impending certificate expirations that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation. I believe that there are two additional reasons for such poor Heartbleed remediation. As described by Gartner, “lazy” remediation—when organizations fail to replace the private key or fail to revoke the old certificate—shows that organizations do not understand that once the private key is exposed, everything is exposed. Another probable reason for the lack of Heartbleed remediation is that organizations simply don’t see the impact yet. According to Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last 2 years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks which leverage keys and certificates increasing, their impact is as well. The organizations surveyed by Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.
Remediating Heartbleed
Remediating Heartbleed goes beyond simply patching the OpenSSL vulnerability. Just like user IDs and passwords are assumed compromised after a breach, so too should keys and certificates.
To remediate Heartbleed 4 steps are required:
- Patch the OpenSSL vulnerability
- Generate new keys
- Issue and install new certificates
- Revoke old certificates
It’s only the beginning
Using kill chain analysis we see exactly how keys and certificates are used throughout an attack. Since last year, there has been a significant increase in hijacked VPNs used to maintain access to victim’s environments. Intel Security noted a 12% increase in SSL-based network attacks—up from 0% in 2013. And Gartner estimates, by 2017 that 50% of network-based attacks will use SSL/TLS.
If organizations do not secure their keys and certificates and enable fast rotation when breached, we could be heading towards a cryptoapocalypse. This phrase was coined by researchers in their Black Hat 2013 presentation and is a scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited, allowing bad guys to spoof or surveil all Internet communications.
What is your organization’s response plan to handle potentially compromised keys and certificates when breached? Does your organization treat keys and certificates like user ID passwords and replace them when a breach is suspected? I would love to hear from you.
The full analysis on our 2015 Heartbleed research can be found here.