New report claims potential cost of a loss of trust is $400 million

Trust is the knowledge that corporate data and code retain both confidentiality and integrity. As cloud computing becomes the norm and companies lose the ability to defend data by ring-fencing it with perimeter-based defenses, companies must increasingly defend the data itself. This is inevitably done by encryption: encrypting the data for confidentiality and using cryptographic certificates to prove its integrity and provide trust. Code-signing certificates, for example, prove the integrity of software: that is, that the software is what it says it is, and is neither a forgery nor a trojan. If the system trusts the software by virtue of an associated certificate, it is allowed free entry regardless of content. If that content contains zero-day malware unrecognised by anti-malware software, it is simply trusted, ushered in and run.

But cryptography is only as strong as its keys, and legacy cryptography can often be broken. Criminals know this, and companies are beginning to realize it. Over the last couple of years criminals have begun to use stolen or forged certificates to trick other security defenses into bestowing trust on malware. Stuxnet, Duqu and Flame are prime examples. Now a new report from the Ponemon Institute and Venafi attempts to quantify corporate understanding of trust, and the cost of its loss. 

The problem, suggests the report, is that companies have completely lost control over the instruments of trust: the cryptographic keys and certificates. Ponemon’s research shows that the average number of such server keys and certificates in each Global 2000 company is 17,807. With such a huge number it is perhaps not surprising – but certainly worrying – that more than half of the companies simply don’t know how many certificates are actually in use; even though 45% accept that “failing to manage keys and certificates means losing control over the trust my organization relies upon to operate.”

SSH, the ubiquitous and forgotten certificate, is a perfect example. It is used to allow one server to communicate with another securely, and while important within a defensible perimeter, it is increasingly essential when company servers are communicating with third party cloud servers over the internet. It is considered to be the #1 threat. But, “the inability to detect and take action in the event of an attack on SSH keys compounds the risk and potential costs,” says the report. The big problem, Venafi’s CEO Jeff Hudson told Infosecurity, is that “companies don’t really understand their trust model, while the bad guys understand it only too well.” 

Since the bad guys, he continued, always look where you’re not looking, they’re attacking this unmanaged cryptography; and this is “proven by an increasing cadence of information on how these trust implements are being compromised and used to gain access and do some pretty bad things to the system. People aren’t managing or even thinking about managing these trust instruments, and the bad guys know this and are exploiting it.”

The problem is actually one of management rather than just technology (although the use of legacy or broken cryptography can compound the issue). Server-to-server communication is a basic IT issue pre-dating the rise of separate security departments. As a result, IT rather than security has tended to generate SSH certificates to accomplish that communication securely. But managing the security has slipped into the crack between the IT and security departments and simply isn’t done. Seeing this, criminals have recently focused, very successfully, on attacking trust itself.

This is happening. What the new Venafi/Ponemon study does is show how much it costs: up to $400 million for a breach of trust in a major Global 2000 company. The solution, however, is theoretically simple: companies need to locate, inventory, and better manage all of their existing and future keys and certificates.
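The "locate and inventory" step for the SSH keys discussed above, as an added example that is not part of the article or the Venafi/Ponemon report: it parses authorized_keys contents collected from several servers, computes OpenSSH-style SHA256 fingerprints, counts the distinct keys, and flags keys that nobody has attributed (no comment) or that are shared across hosts. The host names, key blobs and comments are constructed placeholders, not real key material.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Key type, base64 blob, optional comment; anything before the type is the
# options field (e.g. from="...",no-pty), which may itself contain spaces.
KEY_RE = re.compile(r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)"
                    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$")

def fake_blob(label):
    """Constructed placeholder key material for the sample, not a real public key."""
    return base64.b64encode(f"placeholder-{label}".encode()).decode()

# Constructed sample: authorized_keys contents collected from two servers.
SAMPLE_AUTHORIZED_KEYS = {
    "app01": [f"ssh-ed25519 {fake_blob('alice')} alice@laptop",
              f'from="10.0.0.0/8",no-pty ssh-rsa {fake_blob("deploy")} deploy@ci',
              f"ssh-rsa {fake_blob('orphan')}"],
    "db01": [f"ssh-rsa {fake_blob('deploy')} deploy@ci", f"ssh-rsa {fake_blob('orphan')}"],
}

def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint of a key blob, as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, type, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    m = KEY_RE.search(line) if line and not line.startswith("#") else None
    if not m:
        return None
    return line[:m.start()].strip(), m["type"], m["blob"], m["comment"] or ""

def build_inventory(files):
    """Map each distinct fingerprint to the hosts and comments it is seen with."""
    inv = defaultdict(lambda: {"type": "", "hosts": set(), "comments": set()})
    for host, lines in files.items():
        for _options, ktype, blob, comment in filter(None, map(parse_line, lines)):
            entry = inv[fingerprint(blob)]
            entry["type"] = ktype
            entry["hosts"].add(host)
            if comment:
                entry["comments"].add(comment)
    return dict(inv)

def findings(inv):
    """Count distinct keys; flag keys nobody has attributed and keys shared across hosts."""
    return {"total_keys": len(inv),
            "unattributed": sorted(fp for fp, e in inv.items() if not e["comments"]),
            "shared": sorted(fp for fp, e in inv.items() if len(e["hosts"]) > 1)}
```

The same fingerprints are what `ssh-keygen -lf` prints, so findings can be cross-checked against the servers themselves rather than against the collected files.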
