UK firms at risk from attacks on crypto keys, digital certificates

A joint study from Venafi and the Ponemon Institute reveals that digital keys and certificates are in peril, especially at UK organisations.

UK firms at risk from attacks on crypto keys, digital certificates
UK firms at risk from attacks on crypto keys, digital certificates

The ‘2015 Cost of Failed Trust Report', is based on interviews of over 2,300 IT security professionals, and it reveals that 100 percent of UK organisations have responded to multiple attacks on keys and certificates in the past two years, with 54 percent noting that the trust established by these keys and certificates that is necessary for online banking, shopping, and government is in jeopardy.

Conducted in the UK, Australia, France, Germany, and the United States, the report highlights that over the next two years, the potential financial risk facing UK enterprises from attacks on keys and certificates is expected to reach at least £33 million. The biggest concern security professionals have is of a ‘Cryptoapolocalypse'-like event, where RSA and SHA encryption protocols are compromised and exploited, although misused enterprise certificates are also a problem.

A term first coined by researchers at Black Hat two years ago, experts believe that a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

“Whether they realise it or not, every business and government relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet ‘stone age' – not knowing if a website, device, or mobile application can be trusted,” said Kevin Bocek, VP of security strategy and threat intelligence at Venafi. 

“The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of key and certificates as an important part of APT and cyber-criminal operations.” 

The report goes on to note that 63 percent of firms do not know where all keys and certificates are, or how they are being used, and details that attacks will become more widespread as the number of keys and certificates spread. In fact, Venafi says that the number on web servers, network appliances and cloud services has grown by 40 percent to 24,000 per enterprise over the last two years. 

This has expanded the attack surface layer, with the report citing Russian cyber-criminals, stealing digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from 4.5 million healthcare patients.

Stolen certificates sell for almost a thousand pounds on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe that hacker interest is growing quickly and that stolen certificates will soon become the next big hacker marketplace.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “This research is incredibly timely for IT security professionals everywhere – they need a wake-up call like this to realise they can no longer place blind trust in keys and certificates that are increasingly being misused by cyber-criminals.” 

Sriram Srinivasan, cyber-security expert at PA Consulting Group, said in an email to SC: “Cryptoapocalytic events where fundamental cryptographic algorithms are compromised would have far reaching consequences for businesses and governments world-wide and most businesses are poorly equipped to respond to such an event. Widespread theft of cryptographic keys and the compromise of certificates which underpin the security of modern IT and communication systems such as the recently alleged large scale theft of keys from a global SIM card manufacturer would also fall into the same category if they are in fact true. 

“In our experience, most organisations today have policies and standards in place on the use of cryptography. However, with the growing complexity of modern IT systems, there is often a lack of understanding of the full extent of the proliferation of cryptographic keys and certificates within their environments."

He added: “Organisations also have poor understanding of the consequences arising from a compromise of their keys and certificates and often do not have a view on how they would respond. Too few organisations have robust systems in place for the ongoing inventory and management of keys and certificates. They must also ensure that they have a well-defined strategy supported by senior management to promote the on-going health and security of their cryptographic systems.”