In a surprise to many, 100% of UK organisations have admitted that they have responded to multiple attacks over the past two years involving the foundation of online security, cryptographic keys and digital certificates, leaving security professionals concerned about a ‘Cryptoapocalypse’ if action isn’t taken soon.
The 2015 Cost of Failed Trust Report, released by The Ponemon Institute and Venafi, is the first research of its kind to examine the Internet’s system of trust. Over half of UK respondents (54%) recognise that the trust established by keys and certificates, the technology originally adopted to solve the first security problems of trust and privacy online, is in peril. Even more concerning is the remaining 46%, who appear to be burying their heads in the sand when it comes to online security.
With 63% of organisations unaware of where their keys and certificates are located, or how they are being used, it is difficult to see how they, their customers, and their business partners can have any trust online. Without the trust established by keys and certificates, the Internet is right back in the ‘stone age’, with users unable to tell whether a website, device, or mobile application is secure, or whether it can be trusted.
The potential risk facing each UK enterprise from attacks on keys and certificates is set to hit a staggering £33 million over the next two years. It is imperative that an accelerated strategy to protect these keys and certificates is put in place, or security professionals in the UK could find themselves responding, unprepared, to a Cryptoapocalypse: a scenario in which the encryption algorithms we blindly trust are compromised and organisations have no means to make bulk changes quickly. This could be catastrophic and would dwarf an event such as the Heartbleed vulnerability in scope, cost, complexity, and the time it would take to remediate. Heartbleed was an implementation bug in OpenSSL rather than a broken algorithm, yet because it could expose private keys from server memory it still forced organisations to revoke and reissue certificates and rotate keys at scale; a failure of the algorithms themselves would require the same response across every key and certificate an organisation owns.
With keys and certificates increasingly being misused by cybercriminals, and certificates fetching upwards of £700 on the black market, organisations should treat this as a red flag. With no alternative to keys and certificates on the market, businesses must prioritise protecting them. What is needed is an immune system for the enterprise: one that finds every key and certificate in use, determines which are trusted and which are not, fixes the vulnerabilities it finds, and changes and replaces keys and certificates automatically. That is what it will take to secure the system of trust on which the UK and global economy depends.
By Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi
Bio: Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy companies including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, nCipher, and Xcert. He is sought after for comment by the world’s leading media, such as the Wall Street Journal, New York Times, Washington Post, Forbes, Fortune, BBC, Süddeutsche Zeitung, USA Today, Associated Press, Guardian, and Telegraph, along with security press including SC Magazine, Dark Reading, and Network World.
Venafi is the market-leading cybersecurity company in Next Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures, and unplanned outages.