Inability to Remediate Vulnerabilities Posed by Untrustworthy CAs

• Nearly two-third (63%) of infosec professionals falsely believe or don’t know that a Certificate Authority (CA) does not actually secure certificates and cryptographic keys
• Roughly two-thirds (64%) of infosec pros understand the risks associated with untrustworthy CAs like CNNIC but aren’t doing anything about it
• Even though mobile devices trust hundreds of CAs, survey responders falsely believe their mobile devices trust only 3

Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, released the results of its 2015 Black Hat USA survey, gathered from over 300 IT security professionals during the week of August 3rd in Las Vegas, NV. The survey data reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, which act as the foundation of all cybersecurity, but take no action. The survey also reveals that some information security pros don’t understand what security services certificate authorities (CAs) do and do not provide.

There are hundreds of CAs issuing digital trust across the globe and the average organisation has over 23,000 keys and certificates, according to Ponemon Institute research. When a major CA is breached, or when a CA fraudulently issues unauthorised certificates for an organisation, attackers can impersonate, surveil, and monitor their organisational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates provide the attackers trusted access to the target’s networks and allow them to remain undetected for long periods of time.

By design, cryptographic keys and digital certificates are natively trusted by servers and other security applications to provide for authentication and authorisation for everything that is IP-based today, including servers, clouds, applications, and Internet of Things (IoT) devices. Yet this blind trust is being misused against organisations by cybercriminals so they can monitor and impersonate their targets to steal data.

Venafi’s 2015 Black Hat USA survey revealed : 

• Nearly two-thirds (63%) of infosec professionals falsely believe or don’t know that a Certificate Authority does not actually secure certificates and cryptographic keys. When asked if a CA protects them from theft, misuse or forgery of digital certificates, only 37% correctly responded no. The remainder said either yes (29%) or they don’t know (34%). CAs only issue and revoke certificates – they don’t monitor their use beyond that in the wild and ultimately cannot provide any security for them.

• Roughly two-thirds (64%) of infosec pros DO understand the risks associated with untrustworthy CAs like CNNIC. When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application or mobile device, 58% of respondents stated they are concerned about man-in-the-middle (MITM) attacks and 14% have concerns about replay attacks. This data indicates a major gap – they understand the risk, but aren’t doing anything about it.

• Even though mobile devices trust hundreds of CAs, survey responders falsely believe their mobile devices trust only three. When asked how many CAs are trusted on mobile devices, survey responders believe it is be a median of 3. On Apple iOS devices the median was 2, when in fact it is over 240.

• A surprising three-quarters (74%) of respondents don’t understand that CNNIC is a clear and present danger and have done nothing about it, even after Google and Mozilla announced CNNIC was no longer trustworthy. When asked what action infosec pros have taken following the news that the official Chinese government CA “CNNIC” was no longer trusted by Google and Mozilla due to untrustworthy certificate issuance practices, only 26% actually removed CNNIC from all desktops, laptops and mobile devices.  The rest of respondents either took no action (23%), are waiting for Apple and Microsoft to take action (17%) or just don’t know (34%).

• 90% of respondents believe a leading certificate authority, the primary supplier of trust on the Internet, will be breached within the next two years. Even though 90% surveyed believe a leading CA like Symantec, Entrust or Comodo will be compromised in next two years, only 13% have existing automation to remediate. Without a CA migration plan and automation in place, all organisations using a public CA that is breached will have to rapidly migrate certificates issued from the compromised CA to another – manually. Given that that average organisation has over 23,000 certificates and it takes about four hours to perform the necessary steps to replace one certificate on a single system, to do so manually for all certificates and associated keys is untenable.

“The results of this survey are disturbing given the number of IT security professionals who recognise the threats posed by CAs and misused certificates, but lack the knowledge, understanding and automaton to solve the problem and reduce the risk of attack,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “From the DigiNotar breach to MCS Holdings and Google, organisations continue to blindly trust certificates and lack the ability to efficiently respond and develop future protections. Cybercriminals know the major impact of fraudulent issuance and misuse of keys and certificates and will continue to leverage them for APT-style attacks because they know they are effective.”

“Ultimately, if what our survey data says is true, and IT security professionals do understand the risks of untrusted CAs like CNNIC but do nothing about them, we will continue to see more and more MITM attacks and certificate-related breaches. Unfortunately, we live in a world without trust today because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks. As a whole, global organisations and IT security and operations teams need to wake up and take the steps necessary to secure their keys and certificates and realise that the CAs just can’t help with that. As billions of devices come online and more IoT devices are widely adopted, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control,” Bocek added.[su_box title=”About Venafi” style=”noise” box_color=”#336588″]Venafi is the Immune System for the Internet™ and protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates. Venafi patrols across the network, on devices, and behind the firewall, constantly assessing which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.

As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to protect keys and certificates and eliminate blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations regain control over keys and certificates by establishing what is self and trusted on mobile devices, applications, virtual machines and network devices and out in the cloud. Venafi protects Any Key. Any Certificate. Anywhere™. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.

Venafi customers are among the world’s most demanding, security-conscious Global 5000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners, and Origin Partners.[/su_box]