A whopping 59 percent of businesses report losing online customers due to certificate errors that cause website outages and generate certificate warning messages.
That's according to a Ponemon Institute report, sponsored by Venafi, that surveyed 2394 IT security professionals in a range of industries in the UK, US, Germany, France and Australia. The 2015 Cost of Failed Trust Report concluded that unprotected keys and certificates are jeopardising the digital trust which underpins the world's economy.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the problems can be traced to outdated methods of work and the pace of application development which doesn't always leave enough time for security.
The Ponemon/Venafi report found that the global average of business system failure was two certificate-related outages in two years, with an average cost of almost £10 million per outage. When it came to the UK, unfortunately, the average number of outages was three.
Respondents reported that their businesses had failed one or more SSL/TLS and SSH audits in the same period. The global average was one but the UK average was two which Bocek attributes in part to there being more auditors in the UK.
The root of the problem is a lack of visibility and a lack of policy enforcement and remediation for keys and certificates: 54 percent of respondents admitted their organisations lacked one or the other.
Bocek said the average number of certificates held by organisations in the UK in this year's survey is 25,000, up 40 percent from 2013.
“In just two years you've had 20 percent growth year over year in the number of keys and certificates that these survey respondents are aware of,” Bocek said. “That tells you the direction of where we are headed, which is good, which is a Snowden effect. That's an adversary effect, that's us becoming more aware and sensitive of attacks, so those are all good things. We want more encryption and authentication behind our websites, devices and applications.”
However, the downside is that the keys and certificates protecting these assets are also causing businesses to lose customers and trade when authentication fails.
While the average share of respondents reporting lost business across the five countries was 59 percent, the figure was slightly higher in the UK, where 61 percent said their organisations had lost business in the past two years because of problems with certificates and keys. The extent of individual business losses was not reported.
In August, the information arm of GCHQ, CESG, was forced to take down its HTTPS website after the organisation's SSL certificate failed because it relied on the obsolete SHA-1 hash algorithm. It took a few days to upgrade the certificate to SHA-256.
Interconnected devices are a particular area of concern. Earlier this year, a home control device called Wink failed after the certificate that authenticated the “mother ship” expired which reduced each device to a non-functional “brick”. As a consequence, some customers had to send the devices back to the manufacturer. The company admitted that the mistake had been entirely avoidable.
There have been encouraging developments in the last six to 12 months in the field of certificates and keys, an area that had seen little change in the preceding 19 to 20 years. The introduction of certificate reputation and certificate transparency and the launch of Let's Encrypt are examples of positive moves, Bocek said.
Some of the challenges and problems were created by the cyber-security profession itself. “We didn't have a lot of visibility, we weren't following practices consistently and I think that it's exciting to see changes finally happen,” Bocek told SC.
However, the changes are possibly not happening fast enough because, as Bocek pointed out, the same mistakes are still being made, “perhaps even more so” than before.
“There are now even more keys and certificates so there are more people involved in the process and oftentimes that's administrators and operations teams who aren't security professionals,” he said. “If you look at the rise in devops, it's about being fast and using virtualisation and containers. By design these are teams that are not focused on security, they're focused on being fast.
“Fast often means that I do things like copy keys and certificates and use the same ones or don't follow policies, and rather than go to Trustwise, I get certificates from GoDaddy, which starts to create more chaos and uncertainty.”
Fixing the problem begins with locating and identifying all the keys and certificates in your organisation and questioning whether they fit with the organisation's security policies, Bocek said. And automating these processes would help by removing human decision-making from the system.
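The inventory-and-policy-check step described above, as an added illustration that is not part of the article or of Venafi's products: a small Go audit that walks the certificates gathered into a PEM bundle and flags the two failure modes this article reports, expiry (outright or approaching) and obsolete signature algorithms such as SHA-1. The policy thresholds, the `example.test` name and the sample certificate in `main` are constructed for the example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"
)
// Finding records one policy violation for a certificate found during inventory.
type Finding struct{ Subject, Problem string }
// AuditCertificate flags a certificate that is expired or expires within warn of now,
// and one signed with an algorithm this (hypothetical) policy treats as obsolete.
func AuditCertificate(c *x509.Certificate, now time.Time, warn time.Duration) []Finding {
	var f []Finding
	name := c.Subject.CommonName
	switch {
	case now.After(c.NotAfter): // RFC 5280 validity is inclusive of notAfter
		f = append(f, Finding{name, "expired " + c.NotAfter.UTC().Format(time.RFC3339)})
	case c.NotAfter.Sub(now) <= warn:
		f = append(f, Finding{name, fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24))})
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f = append(f, Finding{name, "obsolete signature algorithm " + c.SignatureAlgorithm.String()})
	}
	return f
}
// AuditPEMBundle audits every CERTIFICATE block in a PEM file gathered during
// inventory; other block types (private keys, CSRs) are skipped rather than parsed.
func AuditPEMBundle(bundle []byte, now time.Time, warn time.Duration) ([]Finding, error) {
	var all []Finding
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return all, fmt.Errorf("parsing certificate: %w", err)
		}
		all = append(all, AuditCertificate(c, now, warn)...)
	}
	return all, nil
}
func main() { // constructed sample: a SHA-1-signed certificate that expires in 10 days
	now := time.Date(2015, 10, 1, 0, 0, 0, 0, time.UTC)
	c := &x509.Certificate{Subject: pkix.Name{CommonName: "example.test"}, NotAfter: now.Add(240 * time.Hour), SignatureAlgorithm: x509.SHA1WithRSA}
	fmt.Println(AuditCertificate(c, now, 30*24*time.Hour))
}
```

In practice the bundle would be built from the certificates discovered on hosts and in key stores, and the findings fed to whatever ticketing or rotation automation the organisation uses.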
As we get more IoT devices, if we are not able to control certificates, cyber-criminals will be able to take control of networks of connected devices and hold them to ransom, “because instead of trusting us they will replace that with their own, so being able to know what's there, have certificate reputation and being able to change out keys fast are things that we will have to get better at”, he said.