Security certificates 'an infosec weak spot'
Implicitly trusting every digital certificate a system encounters potentially allows vast amounts of malware into corporate systems, warns enterprise key and certificate management solutions firm Venafi.
Venafi evangelist Calum MacLeod says malware carrying embedded digital certificates easily penetrates enterprise systems, and often remains undetected on the network for years.
"The nasty thing about this malware is that it is digitally signed, with a genuine certificate, but the certificate may have been stolen. Because the systems are set to accept security systems from the over 1 500 organisations who issue security certificates, the malware and its certificates don't raise an alarm," he says.
A recent survey by Venafi in partnership with Ponemon Institute found that the failure to control trust in the face of new and evolving security threats places every global enterprise at risk. The report found that more than half of the companies surveyed did not know how many keys and certificates they had, that every company had experienced an attack on trust due to failed key and certificate management, and that trust attacks are projected to cost organisations an average of $35 million over 24 months, with a maximum cost exposure of $398 million per organisation.
The study noted that cryptographic keys and digital certificates provide the foundation of trust for the world of secure communications, card payments, online shopping, smartphones and cloud computing. However, it said failing to manage certificates and keys created vulnerabilities that cyber criminals exploit to breach enterprise networks, steal data and disrupt critical business operations.
MacLeod says: "This is a big problem - recent studies indicate that over 50% of all malware is going undetected, and the speed at which it is coming to market is phenomenal. There could be two million pieces of digitally signed malware coming to market every quarter."
He says organisations can mitigate the risk by adopting a model in which they trust only themselves, rather than every issuing authority by default. The certificate authorities allowed into the trust store need to be carefully managed too, he says. "They need to look at how many they really need to support - there may be as few as five or six they actually ever use. They need to block the rest and continually monitor this."
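The two points above, a signature that checks out under a genuine certificate issued by an authority the organisation never uses, and the mitigation of trusting only the handful of issuers actually in use, as an added example in Go. This is not Venafi's or the article's code: the two CAs, the signing certificates and the "executable" payload are constructed in-process with the standard library's crypto/x509 package, and no real signed-binary format such as Authenticode is modelled; the payload is signed directly with ECDSA and the chain is checked with x509.Certificate.Verify against a root pool the caller chooses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signer pairs a certificate with the private key that goes with it.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for subject, signed by parent, or self-signed
// when parent is nil. Every certificate here is constructed test data.
func issue(subject string, isCA bool, parent *signer) signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	parentCert, parentKey := tmpl, key // self-signed root
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return signer{cert, key}
}

// signPayload stands in for a binary's signature block: ECDSA over SHA-256(payload).
func signPayload(s signer, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	must(err)
	return sig
}

// verifySigned accepts a payload only if the signature verifies under the
// signing certificate AND that certificate chains to a root in the caller's
// own pool. The pool is the policy knob: every public CA in it is the
// "trust everyone" default; only the CAs actually in use is the restricted model.
func verifySigned(cert *x509.Certificate, sig, payload []byte, roots *x509.CertPool) error {
	digest := sha256.Sum256(payload)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("bad signature for %q", cert.Subject.CommonName)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// scenario reports: is a payload signed with a genuine but stolen certificate
// accepted when every CA is trusted; is it accepted under the restricted pool;
// and does the organisation's own signer still pass under that restriction.
func scenario() (trustAllStolen, restrictedStolen, restrictedOwn bool) {
	ourCA := issue("Constructed Corp Internal CA", true, nil)
	otherCA := issue("Constructed Public CA", true, nil)
	ourSigner := issue("Constructed Corp Build Server", false, &ourCA)
	stolen := issue("Constructed Vendor (key stolen)", false, &otherCA) // genuine cert, wrong hands

	payload := []byte("constructed sample executable bytes")
	stolenSig, ourSig := signPayload(stolen, payload), signPayload(ourSigner, payload)

	trustAll := x509.NewCertPool() // models the many-issuer default store
	trustAll.AddCert(ourCA.cert)
	trustAll.AddCert(otherCA.cert)
	restricted := x509.NewCertPool() // only the CA the organisation actually uses
	restricted.AddCert(ourCA.cert)

	trustAllStolen = verifySigned(stolen.cert, stolenSig, payload, trustAll) == nil
	restrictedStolen = verifySigned(stolen.cert, stolenSig, payload, restricted) == nil
	restrictedOwn = verifySigned(ourSigner.cert, ourSig, payload, restricted) == nil
	return
}

func main() {
	a, b, c := scenario()
	fmt.Printf("trust all CAs: stolen cert accepted=%v\nrestricted roots: stolen accepted=%v, own accepted=%v\n", a, b, c)
}
```

The first check alone (signature valid, certificate genuine) is exactly what lets the stolen-certificate case through; only shrinking the root pool rejects it. The restriction is not a complete answer on its own: a key stolen from one of the five or six issuers left in the pool passes the same check, which is why the continual monitoring MacLeod mentions still matters.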
Venafi will participate in the upcoming ITWeb IT Security Summit in partnership with Performanta. MacLeod says the company's experts will give delegates more insight into the 'trust' threats, as well as hosting an information security game show in the expo throughout the event.