All 499 UK security professionals polled in a global survey say their organisations have responded to multiple attacks on keys and certificates in the past two years.
The 2015 Cost of Failed Trust Report, commissioned by security firm Venafi, claims to be the only research of its kind to examine the internet system of trust.
The potential risk facing UK firms from attacks on keys and certificates is expected to reach at least £33m in the next two years, according to the report, based on interviews with more than 2,300 IT security professionals around the world.
The research findings highlight that security professionals most fear a crypto apocalypse-like event.
A scenario where the standard algorithms of trust, such as the secure hash algorithm (SHA), are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications and a growing number of internet of things (IoT) could not be trusted.
“Whether they realise it or not, every business and government relies on cryptographic keys and digital certificates to operate,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.
“Without the trust established by keys and certificates, we’d be back to the internet ‘stone age’ – not knowing if a website, device, or mobile application can be trusted,” he said.
Online trust in security at breaking point
Bocek said the overwhelming theme in this year’s report is that online trust is at breaking point.
Read more about keys and certificates
- Google has warned of unauthorised digital certificates issued for several of its domains that could be used to intercept data traffic to its services.
- Malware using seemingly real digital certificates is becoming more prevalent.
- Unauthorised certificates from trusted vendors have become a big internet security concern.
But that is no surprise, he said, with leading researchers from FireEye, Intel, Kaspersky, Mandiant and many others consistently identifying the misuse of key and certificates as an important part of advanced persistent threats (APTs) and cyber criminal operations.
Bocek said that trust in online security is difficult to achieve, with the report showing that 63% of UK organisations do not know where all keys and certificates are located or how they are being used.
The research uncovered that attacks are becoming more widespread as the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services has grown by 40% to almost 24,000 per enterprise in the past two years.
Russian cyber criminals, for instance, recently stole digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from 4.5 million healthcare patients.
Bocek said these are worrying figures when 60% of all surveyed respondents agreed that they need to do a better job at responding to vulnerabilities involving keys and certificates.
Time to raise awareness and understanding of security risks
With the rising tide of attacks on keys and certificates, it is important that enterprises really understand the grave financial consequences, said Larry Ponemon, chairman and founder of the Ponemon Institute.
“We couldn’t run the world’s digital economy without the system of trust they create,” he said.
Ponemon said the research is timely for IT security professionals everywhere. “They need a wake-up call like this to realise they can no longer place blind trust in keys and certificates that are increasingly being misused by cyber criminals.”
Jeff Hudson, chief executive at Venafi, said the report should be seen as a red flag for security teams to recognise that the very core of their security processes is a breaking point, and the trust placed in these keys and certificates is waning.
Ponemon said that with no alternatives on the market, organisations need to prioritise the management and security of these crucial protective measures and understand the risks associated with an attack.
Stolen trust certificates command a high price
The report also revealed that the use of more keys and certificates makes organisations a better target for attack. Stolen certificates sell for almost £1,000 on underground marketplaces, having doubled in price in just one year.
Researchers from Intel believe hacker interest is growing quickly and that stolen certificates will soon become the next big hacker marketplace.
The report shows that the misuse of enterprise mobility certificates used for applications such as Wi-Fi, VPN and mobile device management (MDM) or enterprise mobility management (EMM) is a growing concern for security professionals.
Misuse of enterprise mobility certificates was a close second to a crypto apocalypse-like event as the most alarming threat.
Incidents involving enterprise mobility certificates were assessed to have the largest total impact – over £79m – and the second largest risk.