Cyber attacks on trust expose UK organizations to £247 million in losses reveals Ponemon and Venafi research
Mismanagement of millions of cryptographic keys and digital certificates threatens security and operations of UK businesses
London, UK – 24 April, 2013: Venafi, the inventor of and market leader in enterprise key and certificate management (EKCM) and the Ponemon Institute today reveal that every large UK businesses is open to £247million in possible threat exposure due to a lack of control over cryptographic keys and certificates, the foundation of trust in the modern world of secure communications, smartphones, cloud computing and almost every digital and electronic asset.
Organisations face ever-increasing challenges with trust exploits. With advanced persistent threats (APTs), bad actors are taking advantage of every exploit and look for the weakest link in security systems. Common, well-known vulnerabilities like digitally signed malware, poor key and certificate management and weak cryptographic methods remain in many enterprises. Despite over half (51%) of UK organisations admitting that they know these to be major security issues, few are taking action. Failure to manage certificates and keys creates vulnerabilities that cybercriminals leverage to breach enterprise networks, steal data and IP and disrupt critical business operations. Every UK organisation in the survey had faced at least one of these attacks over the last 2 years.
“With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages, says Calum Macleod, Venafi EMEA Evangelist. “Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.”
Today the typical Global 20000 organisation has an average of 17,807 certificates and keys deployed across its infrastructure. Within the UK Fortune 500, there are likely five or six million keys and certificates in use at any one time, which creates a significant target for attack and renders manual management untenable.
The survey also highlights that 61% of UK respondents don’t know how many keys or certificates are currently in use across their infrastructure. This identifies a worrying trend that whilst half of respondents know the security impact of certificate mismanagement, the same amount (half) have no idea how many certificates are currently in action.
Macleod continues “It is extremely concerning to know that so many businesses are aware of the security impacts certificate and key oversight can have on a business, yet are still doing nothing to combat the problem. Unless organisations sit up and take notice of this growing problem the threat and the amount of money lost by organisations each year will only increase.”
New Strategies to Gain Control over Trust
Venafi Director helps enterprises reduce the risk of malicious attacks on trust. With the full lifecycle management of keys and certificates, Director provides full visibility into key and certificate inventories and end-to-end automation of processes, drastically reducing enterprises risk and providing strategies not possible before to shrink the attack surface. One of the new strategies supported in the latest release of Director is the use of fully managed self-signed certificates. A compromise now only impacts a single key and certificate, not many – such as when a CA is compromised. In the past, maintaining thousands of self-signed certificates increased both risk and operational burden on an enterprise.
Certificates must be continuously monitored to ensure that only authorized certificates are being used and errors and oversights do not lead to unplanned outages form expiration or misconfiguration. For example, Mandiant reported in its APT1 Report that multiple self-signed certificates, some purporting to be from the world’s largest IT vendors, were in use. These could have been easily discovered but went undetected in many organizations. Director enables enterprises to automate continuous monitoring and if needed, replace keys and certificates in seconds anywhere across the enterprise and in the cloud. All of this increases the ability of enterprises to prevent attacks and respond faster if needed – continuing Venafi’s success in helping organisations reduce risk from alarming attacks on trust.
Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.
About Ponemon Institute
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.