Untrusted certificates: IT Security Pros not acting on risks
Venafi have released a report based on survey findings and analysis, IT Security Professionals Know the Risk of Untrusted Certificates and Issuers, but Do Nothing. The survey was conducted at 2015 Black Hat USA and gathered responses from over 300 IT security professionals.
As the title suggests, the report reveals that security professionals know the risks associated with untrusted certificates, including compromises of certificate authorities (CAs), but they are currently not taking steps to protect themselves and don’t have remediation mechanisms in place to effectively mitigate a future CA compromise.
Why is it important to understand and respond to threats using untrusted certificates? The report highlights how cybercriminals are increasingly misusing keys and certificates to breach organisations, elevate their privileges, and hide activity. And although they may know the risks, most organisations are unprepared to defend against these attacks.
Watch Now – Free Ponemon Webinar on Enterprise Certificate and Keys Attacks
Security Pros know the risks:
Here are a couple survey responses that indicate that security professionals are aware of the risks associated with untrusted certificates and compromised CAs:
- The major issuers of online trust will be compromised, with 90 percent of the respondents believing a leading CA will be breached within the next two years.
- When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application, or mobile device, 58 percent stated they are concerned about MITM attacks and 14 percent had concerns about replay attacks.
They lack visibility into the extent of their risk exposure:
Although security professionals understand the types of threats that can result from misused certificates, they do not grasp the extent of their risk exposure.
- Most security professionals (63 percent) don’t know or falsely believe that a CA secures certificates and cryptographic keys. CAs only issue and revoke certificates—they don’t monitor their use and do not provide any security for them.
- When asked how many CAs are trusted on mobile devices, survey responders believe it to be a median of three. On Apple iOS devices the median response was two, when in fact the number of trusted CAs is over 240.
Security Pros aren’t taking action:
Maybe because of the lack of insight to the extent of their risk, security professionals aren’t taking action against current threats or establishing incident response plans that will protect them in the future when a leading CA is compromised.
- Only 26 percent removed CNNIC from all desktops, laptops, and mobile devices after Google and Mozilla deemed CNNIC as untrustworthy to protect Chrome and Firefox users from a MITM attack. The remaining 74 percent are still exposed.
- Most (61 percent) would be unprepared to promptly respond to a breach of a leading CA, relying on manual procedures performed by administrators or incident response firms to remediate (including manually addressing Vulnerability Management System data).
- Worse yet, 30 percent either did not know what they would do or would continue using the same CA—leaving them vulnerable
What should organisations do to protect themselves? Read the report to get a 3-point recommendation plan on how to reduce the risk and impact of fraudulent issuance and misuse of certificates. The report concludes by saying we should take a lesson from nature and use the Immune System for the Internet™to identify good vs. bad, friend vs. foe to defend against the misuse of keys and certificates.
What are your thoughts on these survey results? Is your organisation prepared for the next CA compromise? How do you remediate when your certificates and keys are misused by cybercriminals?