Most IT security professionals admit they do not know how to quickly detect, or recover from, compromised cryptographic keys and digital certificates.
Since encryption and certificates form the foundation of trust in the modern digital world, that is an alarming admission.
Venafi, in a survey conducted at the 2015 RSA Conference, found that most security departments and systems blindly trust keys and certificates. That leaves enterprises unable to tell which keys and certificates on their networks are "self" and trusted and which are not, and therefore dangerous: cyber-criminals can use rogue or stolen keys and certificates to hide in encrypted traffic, spoof websites, deploy malware and steal data.
The survey results show that 38% of respondents cannot, or do not know how to, detect compromised keys and certificates, and 56% of the remaining respondents said they rely on a combination of next-generation firewalls, anti-virus, IDS/IPS and sandboxes to detect these attacks. Both groups leave themselves open to further attacks, since, as the report goes on to note, those controls either trust SSL/TLS blindly or cannot decrypt it.
“According to Gartner, 50% of all inbound and outbound network attacks will use SSL/TLS by 2017,” the report pointed out. “Bad actors understand that most security systems either blindly trust SSL/TLS or lack access to the keys to decrypt traffic and find hidden threats. These shortcomings create blind spots and undermine critical security controls like sandbox threat protection, NGFW, IDS/IPS, and DLP.”
Over three-quarters (78%) of those surveyed would, because of that blind trust, complete only a partial remediation of a data breach: standard steps such as re-imaging servers, reviewing logs, removing malware, installing patches and changing user passwords. Only 8% said they would fully remediate a Sony-style attack by also replacing potentially compromised keys and certificates, the step that actually cuts off an attacker's continued trusted access.
Attacks on keys and certificates differ from the other common attacks seen today. With a compromised or stolen key, an attacker can decrypt traffic, surveil the target organization, and impersonate its websites, code or administrators. Unsecured keys and certificates give attackers broad access to the target's networks and let them remain undetected for long periods with trusted status.
“The results of this survey are very concerning when you look at the uptick of attacks on trust and all of the major SSL/TLS and SSH key and certificate-related vulnerabilities revealed in the past six months alone,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “From Heartbleed, ShellShock and POODLE, the GoGo man-in-the-middle attacks and Lenovo’s Superfish vulnerability to FREAK and now the more recent LogJam flaw, cyber-criminals know unprotected keys and certificates are vulnerable and will use them to carry out their malicious website spoofing and man-in-the-middle attacks.”
When asked about their organizational strategy for protecting the trust that keys and certificates provide, only 43% of respondents reported using a key management system. Another 16% had no idea, 14% said they manage keys through a manual process, and 22% placed the responsibility elsewhere. Without a strategy and implemented controls to protect keys and certificates, attackers can gain and keep extensive, trusted access to the target's networks while remaining undetected.
Further, more than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64%) say they could not respond within 24 hours, and most said it would take three days or more, up to a week, to detect, diagnose and replace keys on every host after a breach. Cyber-criminals exploit this lack of visibility and control over SSH keys, which authenticate administrators, servers and cloud workloads. Unlike certificates, plain SSH keys have no built-in expiry, so a stolen key keeps working until someone finds and removes it; cyber-criminals and insiders alike gain almost permanent ownership of systems and networks by stealing them.
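The "detect, diagnose and replace keys on all hosts" step above is where most of those days go, because nobody knows which authorized_keys files a stolen key lives in. The following is an added example, not code from Venafi or from the survey report: it parses OpenSSH authorized_keys content (including entries with leading options such as `from=` or `no-pty`), computes the same `SHA256:` fingerprint that `ssh-keygen -l` prints, matches each entry against a revocation list of known-compromised fingerprints, and rewrites the file without them, reporting anything it could not parse rather than silently keeping it. The key blobs, host names and comments are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix + data)."""
    return struct.pack(">I", len(data)) + data


def make_constructed_ed25519_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob from deterministic
    filler bytes. CONSTRUCTED for this example: the 32 bytes are not a real key."""
    filler = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(filler)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints:
    'SHA256:' followed by unpadded base64 of sha256(decoded key blob)."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank/comment lines.
    Raises ValueError when no key-type token followed by a blob is present."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    # Options (from=, command=, no-pty, ...) may precede the key type token.
    idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError(f"no key type/blob found in line: {line!r}")
    options = " ".join(parts[:idx])
    keytype, blob = parts[idx], parts[idx + 1]
    comment = " ".join(parts[idx + 2:])
    return options, keytype, blob, comment


def audit_authorized_keys(text: str, revoked_fingerprints):
    """Split authorized_keys content into lines to keep, entries to revoke, and
    lines that could not be parsed. Comment and blank lines are kept verbatim."""
    kept, revoked, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_authorized_keys_line(line)
        except ValueError as exc:
            errors.append({"line": lineno, "reason": str(exc)})
            continue  # report it; do not carry an unverifiable line forward
        if parsed is None:
            kept.append(line)
            continue
        options, keytype, blob, comment = parsed
        try:
            fp = fingerprint(blob)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            errors.append({"line": lineno, "reason": f"bad base64 blob: {exc}"})
            continue
        if fp in revoked_fingerprints:
            revoked.append({"line": lineno, "fingerprint": fp,
                            "keytype": keytype, "options": options, "comment": comment})
        else:
            kept.append(line)
    return {"kept": kept, "revoked": revoked, "errors": errors}


def rewrite_authorized_keys(text: str, revoked_fingerprints) -> str:
    """Return authorized_keys content with every revoked entry removed."""
    return "\n".join(audit_authorized_keys(text, revoked_fingerprints)["kept"]) + "\n"


# Constructed sample file: one key reported stolen (seed 1), two clean keys,
# and one junk line to exercise the error path.
COMPROMISED_BLOB = make_constructed_ed25519_key(1)
SAMPLE_AUTHORIZED_KEYS = (
    "# deploy host authorized_keys (constructed sample)\n"
    f"ssh-ed25519 {COMPROMISED_BLOB} ops@jump\n"
    f"ssh-ed25519 {make_constructed_ed25519_key(2)} alice@laptop\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {make_constructed_ed25519_key(3)} backup@nas\n'
    "this line is not a key\n"
)
# Revocation list, as produced by `ssh-keygen -lf stolen_key.pub` on the real thing.
REVOKED = {fingerprint(COMPROMISED_BLOB)}


def run_demo():
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REVOKED)


if __name__ == "__main__":
    report = run_demo()
    for entry in report["revoked"]:
        print(f"REVOKE line {entry['line']}: {entry['fingerprint']} ({entry['comment']})")
    for err in report["errors"]:
        print(f"ERROR  line {err['line']}: {err['reason']}")
    print(rewrite_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REVOKED), end="")
```

On a real fleet the revocation set comes from `ssh-keygen -lf` run against the stolen public key, and the script would be pointed at every `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) on every host, which is exactly the inventory most respondents said they lack. Two caveats a practitioner should keep in mind: removing a line from authorized_keys does not terminate sessions already established with that key, and sshd's `RevokedKeys` option gives a second, file-independent layer so a key missed on one host is still refused.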
“IT security professionals need to realize that keys and certificates establish trusted connections for virtually everything IP-enabled today,” Bocek added. “Just like the human immune system, when SSL/TLS and SSH keys are protected and used correctly, they identify webservers, software, mobile devices, applications and even security administrators as ‘self’ and trusted and those that are misused should be identified as ‘other’ and replaced or blocked.”