Every Global 2000 organisation faces $398m in potential losses from new and evolving attacks on its ability to control online trust with cryptographic keys and digital certificates, a study has revealed.
The figure is based on the first extensive study of failures in cryptographic key and digital certificate management, carried out by the Ponemon Institute.
Some 18% of enterprises studied expect attacks on their use of weak cryptography, according to the 2013 Annual Cost of Failed Trust Report, commissioned by key and certificate management firm Venafi.
Weak cryptography is a preventable problem that can be easily detected, but it could cost $125m in a single attack and is the single most expensive failure identified by this research.
Attacks that impersonate trusted identities using compromised certificate authorities (CAs) to enable man-in-the-middle and phishing attacks are believed by enterprises to cost $73m on average – about $10m more than the average for the UK.
All global enterprises surveyed by Ponemon revealed they had been affected by their inability to control trust, with attacks exploiting the use of weak cryptography already having some effect.
Security technologies form foundation of trust in digital world
Every business relies on security technologies to ensure that communications and transactions across the internet, as well as within closed networks, remain trusted and private.
The most essential of these technologies are cryptographic keys and digital certificates, which provide the foundation of trust for communications, payments, online shopping, smartphones and cloud services.
Failing to manage certificates and keys creates vulnerabilities that cyber criminals exploit to breach enterprise networks, steal data and disrupt critical business operations, the report said.
Until now, the cost of failed trust from these attacks has not been quantified, but the Ponemon report claims to provide the first hard research data about the financial risks.
“Cyber criminals understand how fragile our ability to control trust has become, and as a result, they continue to target failed key and certificate management,” said Venafi CEO Jeff Hudson.
“One of the biggest problems is the lack of knowledge and understanding of how trust works on the internet by C-level executives, who tend not to listen to those at the coal face, even if they are warning of the risks,” he told Computer Weekly.
“The bad guys are attacking where big corporations are not paying attention, and our hope is that this report provides both the validation and the motivation to help business and IT executives take action,” said Hudson.
Financial cost of cryptographic key and digital certificate failures
Larry Ponemon, chairman and founder of Ponemon Institute Research, said the study set out to discover the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures.
The study found the average cost of cryptographic key theft is $124m, compared with $120m for UK corporates.
“Criminals are turning our dependence on these encryption keys and digital certificates against us at an alarming rate, and the research allows us to quantify the cost of these trust exploits and provides insight into how enterprise failures in key and certificate management open the door to criminals,” he said.
According to the report, more than half of the companies surveyed do not know how many keys and certificates they have.
The UK had the poorest knowledge among the countries surveyed, with 61% of respondents not knowing, followed by France (59%), the US (54%), Australia (47%) and Germany (34%).
“This is a serious security issue and a governance, risk and compliance (GRC) gap that executives must address with proper controls,” said Ponemon.
“It’s not surprising that all companies we spoke with had suffered an attack on trust due to failed key and certificate management,” he said.
Regaining trust in keys and certificates a tough challenge
In addition to the cost of failing to control trust, the research also shows the extent of the challenge facing enterprises in regaining control of their keys and certificates.
The problem is too vast for manual management, the report said, with enterprises estimating that they have 17,807 keys and certificates on average.
“Typically, organisations underestimate the number of keys and certificates they use by a factor of five,” said Venafi’s Jeff Hudson.
Cloud computing keys carry significant threat of attack
Cloud computing also represents a danger: respondents believe that difficult-to-detect attacks on Secure Shell (SSH) keys, which are critical for cloud services from Amazon and Microsoft, present the most alarming threat arising from a failure to control trust.
“Most C-level executives do not even know what an SSH key is, let alone who is generating them or how many there are in an organisation,” said Hudson.
The study found that SSH key theft by Trojans will cost enterprises an average of $75m, compared with the UK average of $72m.
The study identified a need to establish control over trust, and 59% of enterprises said they believed that proper key and certificate management could help them to achieve that.