Venafi has released the results of its 2015 Black Hat USA survey, gathered from over 300 IT security professionals during the week of August 3rd in Las Vegas, NV. The survey data reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, which act as the foundation of all cybersecurity, but take no action. The survey also reveals that some information security pros don’t understand what security services certificate authorities (CAs) do and do not provide.
There are hundreds of CAs issuing digital trust across the globe, and the average organisation has over 23,000 keys and certificates, according to Ponemon Institute research. When a major CA is breached, or when a CA fraudulently issues unauthorised certificates for an organisation, attackers can impersonate, surveil, and monitor their organisational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers trusted access to the target’s networks and allow them to remain undetected for long periods of time.
By design, cryptographic keys and digital certificates are natively trusted by servers and other security applications to provide for authentication and authorisation for everything that is IP-based today, including servers, clouds, applications, and Internet of Things (IoT) devices. Yet this blind trust is being misused against organisations by cybercriminals so they can monitor and impersonate their targets to steal data.
Venafi’s 2015 Black Hat USA survey revealed:
Nearly two-thirds (63%) of infosec professionals either falsely believe that a Certificate Authority secures their certificates and cryptographic keys, or don’t know whether it does. When asked if a CA protects them from theft, misuse or forgery of digital certificates, only 37% correctly responded no. The remainder said either yes (29%) or they don’t know (34%). CAs only issue and revoke certificates – they don’t monitor how those certificates are used in the wild and ultimately cannot provide any security for them.
Roughly two-thirds (64%) of infosec pros DO understand the risks associated with untrustworthy CAs like CNNIC. When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application or mobile device, 58% of respondents stated they are concerned about man-in-the-middle (MITM) attacks and 14% have concerns about replay attacks. This data indicates a major gap – they understand the risk, but aren’t doing anything about it.
Even though mobile devices trust hundreds of CAs, survey respondents falsely believe their mobile devices trust only three. When asked how many CAs are trusted on mobile devices, respondents gave a median answer of 3. For Apple iOS devices the median answer was 2, when in fact the number is over 240.
A surprising three-quarters (74%) of respondents don’t understand that CNNIC is a clear and present danger and have done nothing about it, even after Google and Mozilla announced CNNIC was no longer trustworthy. When asked what action they had taken following the news that the official Chinese government CA “CNNIC” was no longer trusted by Google and Mozilla due to untrustworthy certificate issuance practices, only 26% had actually removed CNNIC from all desktops, laptops and mobile devices. The remaining respondents either took no action (23%), are waiting for Apple and Microsoft to take action (17%) or just don’t know (34%).
90% of respondents believe a leading certificate authority, the primary supplier of trust on the Internet, will be breached within the next two years. Even though 90% of those surveyed believe a leading CA like Symantec, Entrust or Comodo will be compromised in the next two years, only 13% have existing automation to remediate. Without a CA migration plan and automation in place, every organisation using a public CA that is breached will have to rapidly migrate the certificates issued by the compromised CA to another CA – manually. Given that the average organisation has over 23,000 certificates and it takes about four hours to perform the necessary steps to replace one certificate on a single system, doing so manually for all certificates and associated keys is untenable.
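The two defensive steps the findings above point to are knowing how many roots your systems actually trust and being able to list every certificate that chains to a CA you have decided to distrust. The following is an added example (not Venafi's or the survey's code) that does both over certificate records in the dict shape returned by Python's `ssl.SSLContext.get_ca_certs()`; the three records and the organisation name "Example Distrusted CA" are constructed placeholders.

```python
"""Audit a certificate inventory for a CA that is no longer trusted.

Added example; works on dicts shaped like ssl.SSLContext.get_ca_certs() output.
SAMPLE_CERTS below is constructed test data, not real certificates."""
import ssl
import time

SAMPLE_CERTS = [  # constructed: a distrusted root, an expired root, and a leaf issued by the distrusted CA
    {"subject": ((("organizationName", "Example Distrusted CA"),), (("commonName", "Example Distrusted Root"),)),
     "issuer": ((("organizationName", "Example Distrusted CA"),), (("commonName", "Example Distrusted Root"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": ((("organizationName", "Trusted Corp"),), (("commonName", "Trusted Root"),)),
     "issuer": ((("organizationName", "Trusted Corp"),), (("commonName", "Trusted Root"),)),
     "notAfter": "Jan  1 00:00:00 2012 GMT"},
    {"subject": ((("commonName", "www.example.internal"),),),
     "issuer": ((("organizationName", "Example Distrusted CA"),), (("commonName", "Example Distrusted Root"),)),
     "notAfter": "Jun  1 00:00:00 2030 GMT"},
]

def rdn_to_dict(name):
    """Flatten the nested RDN tuples ((('attr', 'value'),), ...) into {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}

def audit(certs, distrusted_orgs, now=None):
    """Return (sorted issuing organisations, certs issued by a distrusted org, expired certs).

    Certificates are identified by subject commonName; matching is on the issuer's
    organizationName, so both the distrusted root itself and leaves it issued are flagged."""
    now = time.time() if now is None else now
    distrusted = {org.lower() for org in distrusted_orgs}
    orgs, flagged, expired = set(), [], []
    for cert in certs:
        subject = rdn_to_dict(cert["subject"])
        issuer = rdn_to_dict(cert["issuer"])
        label = subject.get("commonName", "?")
        orgs.add(issuer.get("organizationName", "?"))
        if issuer.get("organizationName", "").lower() in distrusted:
            flagged.append(label)
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:  # parses "Mon DD HH:MM:SS YYYY GMT"
            expired.append(label)
    return sorted(orgs), flagged, expired

def local_root_store():
    """Roots the running Python/OpenSSL build trusts; compare the count against the 'three' belief."""
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    orgs, flagged, expired = audit(SAMPLE_CERTS, ["Example Distrusted CA"])
    print(f"{len(orgs)} issuing organisations; issued by distrusted CA: {flagged}; expired: {expired}")
    print(f"local trust store holds {len(local_root_store())} roots")
```

Run against the real store, `audit(local_root_store(), [...])` lists which trusted roots belong to the named CA, the inventory step that has to precede any removal or migration.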
“The results of this survey are disturbing given the number of IT security professionals who recognise the threats posed by CAs and misused certificates, but lack the knowledge, understanding and automation to solve the problem and reduce the risk of attack,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “From the DigiNotar breach to MCS Holdings and Google, organisations continue to blindly trust certificates and lack the ability to efficiently respond and develop future protections. Cybercriminals know the major impact of fraudulent issuance and misuse of keys and certificates and will continue to leverage them for APT-style attacks because they know they are effective.”
“Ultimately, if what our survey data says is true, and IT security professionals do understand the risks of untrusted CAs like CNNIC but do nothing about them, we will continue to see more and more MITM attacks and certificate-related breaches. Unfortunately, we live in a world without trust today because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks. As a whole, global organisations and IT security and operations teams need to wake up and take the steps necessary to secure their keys and certificates and realise that the CAs just can’t help with that. As billions of devices come online and more IoT devices are widely adopted, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control,” Bocek added.