12-03-2015, 13:52 #1
[EN] Study: Enterprises Losing Faith In Digital Certificates, Cryptographic Keys
On the heels of Heartbleed and other vulnerabilities, many enterprises are not confident in the ability of digital certificates to protect their data, Ponemon report says
Security professionals are losing confidence in the ability of digital certificates and encryption keys to protect their data, according to a study published Wednesday.
The Ponemon Institute released its bi-annual Cost of Failed Trust report, a survey of 2,300 IT security pros across the globe. This year's results indicate that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million (USD), an increase of 51 percent from 2013.
The study, which was developed in conjunction with encryption vendor Venafi, says that the number of keys and certificates deployed on infrastructure -- such as Web servers, network appliances, and cloud services -- grew more than 34 percent over the last two years, to almost 24,000 per enterprise. Some 54 percent of respondents admitted to not knowing where all keys and certificates are located and how they're being used.
Virtually all of the respondents said their organizations have responded to multiple attacks on keys and certificates over the last two years. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, at over $126 million among the 2,300 respondents.
Security researchers are reporting an increasing number of attacks on enterprises, principally man-in-the-middle attacks, that use false or compromised digital certificates to fool devices into giving up data or credentials. Researchers at Intel in December posted a blog stating that stealing certificates to sign malware will be "the next big market" for cyber criminals.
One of the key reasons for the growing problem is the rapid proliferation of keys and certificates across the enterprise, says Kevin Bocek, vice president of security strategy at Venafi. As enterprises take on new, network-based applications and technologies -- such as cloud services and mobile systems -- they increase the number of keys and certificates they use while losing visibility of where they are.
"Most of the key management systems we've seen to this point have provided vaults for storing the keys, but they don't really provide much more than that," Bocek says.
Last edited by 5ms; 12-03-2015 at 13:54.
12-03-2015, 13:58 #2
Stealing Certificates to Sign Malware will be the Next Big Market for Hackers
Hackers are always on the lookout for new ways to monetize their activities. We know cyber attackers have the first-move advantage and are currently outpacing security capabilities and implementations. Even now, they run undetected and unabated through the networks of many large and respected companies and government sites. When they are detected or choose to show their position, what makes news is the breach, data loss, and potential financial liabilities. What is rarely spoken of is how such incidents on trusted organizations can be used to greatly amplify broader cyber-attacks across the systems of other entities and their respective customer base.
As attackers are rummaging and shopping around compromised networks, one of the highly valued targets are the certificates of the host. These are used when communication, updates, and applications are sent to customers and partners to validate content is coming from a legitimate and trustworthy source. Certainly not as sexy as credit card numbers, but in the wrong hands it can be a much more powerful tool to professional attackers. These stolen credentials are being used to ‘sign’ malware which will get past typical defenses and then infect and compromise the computers of the host’s customer base.
Say for example you have a media or game company that requires end-users to install an application to access news, movies, songs, games, entertainment, or anything really. The content pushes, program updates, and even security patches are electronically signed by the host, to ensure they are legitimate. This is good security practice that is often used by app stores, anti-malware software, network filters, etc. If this host company is compromised and their certificates are then used to ‘sign’ a malicious update, one which will compromise the target system and open it to the attackers, the entire community is at a heightened risk of these slipping past the security controls. Chances are very good that recipients will receive and install code designed to hack their systems. Now imagine that such users have this app on their phone, home system, and most worrisome their work computer. All could be quickly compromised, at the speed of updates. Most security defenses will not stop such an attack until it becomes known the certificates have been stolen. Even then, it is not such a simple process to revoke usage across an entire community. It can take years to close the vulnerability on all the potential targets.
Welcome to the 3rd Level of future cybersecurity attacks. Here is my prediction: the broader community of attackers will soon realize the value of these certificates and begin to regularly harvest them as a resource for resale to discrete buyers, much like how vulnerabilities are being sold today. Additionally, we will see more darknet services emerge where a malware writer can pay to have their software ‘signed’ with a stolen certificate for propagation to targeted communities. This will be the next big market for hackers and will become a standard practice for cyber warfare teams worldwide.
Hold on, this is going to be a bumpy ride.
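Added illustration of the update-signing scenario described in the post above (this is not code from the post or from the Intel article it quotes). The Go program builds a throwaway vendor PKI (a constructed self-signed root and one code-signing certificate issued by it), signs an update with the vendor key, and runs the client-side checks a verifier should perform: chain to the pinned root, code-signing EKU, revocation, and signature over the payload. The point it makes concrete is the one the article makes: an update signed with a stolen key passes every check except revocation, so a client that never consults revocation data keeps installing whatever the thief signs. The names (`SignedUpdate`, `Verifier`, `Scenario`) are hypothetical, the revocation set is a local stand-in for a CRL or OCSP response, and signatures are ECDSA P-256 over SHA-256 of the payload; all of that is this example's assumption, not anything the article specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedUpdate is a constructed update package: payload, signer cert (DER), ECDSA signature over SHA-256(payload).
type SignedUpdate struct {
	Payload, SignerDER, Signature []byte
}

// Verifier is the client's trust state: the pinned vendor root plus the serials
// the vendor has revoked (a local stand-in for CRL/OCSP data).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// Verify accepts an update only if the signer chains to the pinned root, is a
// code-signing certificate, is not revoked, and actually signed the payload.
func (v *Verifier) Verify(u SignedUpdate) error {
	cert, err := x509.ParseCertificate(u.SignerDER)
	if err != nil {
		return fmt.Errorf("bad signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	// A stolen certificate passes the chain check; revocation is what catches it once the theft is known.
	if v.Revoked[cert.SerialNumber.String()] {
		return errors.New("signer certificate has been revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected signer key type")
	}
	digest := sha256.Sum256(u.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], u.Signature) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// Scenario is a throwaway vendor PKI: a self-signed root, one code-signing
// certificate issued by it, and a Verifier that pins the root.
type Scenario struct {
	V          *Verifier
	SignerCert *x509.Certificate
	SignerKey  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewScenario builds the PKI; it panics if key or certificate generation fails.
func NewScenario() *Scenario {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Vendor Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	signerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Vendor Update Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, signerTmpl, root, &signerKey.PublicKey, rootKey))))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &Scenario{V: &Verifier{Roots: roots, Revoked: map[string]bool{}}, SignerCert: signer, SignerKey: signerKey}
}

// Sign produces an update signed with the vendor key. The same call models an
// attacker holding a stolen copy of that key: the verifier cannot tell them apart.
func (s *Scenario) Sign(payload []byte) SignedUpdate {
	digest := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, s.SignerKey, digest[:]))
	return SignedUpdate{Payload: payload, SignerDER: s.SignerCert.Raw, Signature: sig}
}

// Revoke records the signer's serial as revoked, as a vendor would via CRL/OCSP after discovering the theft.
func (s *Scenario) Revoke() { s.V.Revoked[s.SignerCert.SerialNumber.String()] = true }
```

Calling `NewScenario()`, then `Sign` and `Verify`, returns nil for a freshly signed update; after `Revoke()` the same update is rejected with "signer certificate has been revoked". The design choice worth noting for defenders is that the revocation lookup sits inside `Verify` and not in some separate periodic job: the article's "it can take years to close the vulnerability" is exactly what happens when clients verify the chain but never fetch and honour revocation data, so revocation status has to be a hard input to the install decision rather than an afterthought.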