Some 90% of CIOs have either been attacked or are expecting to be because cyber-criminals have managed to use encrypted traffic to hide their activity, according to a new study by Venafi.
The security vendor commissioned Vanson Bourne to poll 500 CIOs from large enterprises in France, Germany, US and the UK to compile its new report: 2016 CIO Study Results – The Threat to Our Cybersecurity Foundation.
The study paints the picture of a security industry undermined and weakened by the misuse of keys and certificates.
An alarmingly high proportion of respondents (85%) said they expect incidents of misuse to get worse because current systems blindly trust keys and certificates and the vast majority of organizations have little visibility into their current environment.
A further 87% of CIOs claimed that security controls are failing because they can’t inspect malicious activity or data exfiltration inside encrypted traffic.
This could amount to millions wasted on traditional security tools, Venafi argued.
The problem is only going to get worse, with Gartner predicting 50% of network attacks will come over encrypted traffic by 2017. It’s no surprise that a vast majority of respondents (87%) said they thought the black market in keys and certs is set to rocket.
Compounding the problem are initiatives to increase the number of keys and certificates within organizations.
So-called ‘Fast IT’ efforts designed to deliver quick results will increase the amount of software within organizations and therefore the amount of keys and certs, the report claimed. Nearly eight in 10 (79%) CIOs expect the speed of DevOps to make it more difficult to know what is trusted or not.
'Encryption Everywhere' initiatives driven by fears of NSA snooping in the wake of the Edward Snowden revelations have also got CIOs worried – 95% claimed they are concerned about how to securely manage and protect all encryption keys and certificates in light of such plans.
That’s not to mention the advent of free encryption services like Let’s Encrypt and AWS Key Management Service.
Venafi chief security strategist, Kevin Bocek, argued that the increasing use of these would create a “security lite” version of certificates hosted in the cloud “which gives hackers an easier time.”
“As developers begin to use these free services, it’s even harder for organizations to know which certs can actually be trusted. Worse still, this is an issue affecting at least eight out of 10 CIOs,” he told Infosecurity by email.
“This can lead to an outright crisis of trust; developers will live fast and security teams will be scrambling to keep up. As time goes on and we see more business turn to the convenience and cost-effectiveness of free certs, the whole foundations of our digital world could begin to crack; the economic impact of which could be huge.”