Soaring Use of Digital Keys/Certs Exposes Firms to Risk

Nearly 90% of UK IT professionals have seen digital key and certificate use grow by more than a quarter over the past year, but few are managing them effectively, offering opportunities for attackers, according to Venafi.

The cybersecurity firm polled more than 500 companies with more than 1000 employees in the UK, Germany, France and US to better understand how cryptographic keys and certs are being used.

Across all countries, half claimed they saw usage grow by more than 25% in 2016, with a similar number (49%) claiming it will rise by the same percentage during 2017.

This is understandable as increasing numbers of organizations switch to encrypted HTTPS to secure connections for web applications, cloud services and IoT.

However, if not managed correctly, this could actually give cyber-criminals the upper hand, warned Venafi vice-president of security, strategy and threat intelligence, Kevin Bocek.

For example, most Global 5000 organizations Venafi works with find an average of 16,500 keys and certificates that were previously unknown.

“With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private,” Bocek told Infosecurity.

“Without an effective way to manage keys and certs, businesses are unknowingly increasing the risk of hackers slipping through undetected in the chaos and taking their systems hostage.”

Businesses must better understand the importance of keys and certificates as the foundation of cybersecurity, he added.

“My advice is: firstly, know where all keys and certificates are installed; secondly, have detailed information on each instrument, including owner, in-use algorithm and key lengths; and finally, have recovery plans in place to replace any key, certificate, or service that has been compromised and get it done within hours, not days or weeks,” Bocek concluded.

“Ultimately, knowing what is in use on the network and being prepared with a rapid response is the best plan.”
