
CIOs admit they are blind to cyber threats despite security spend

Many of the security defences that companies invest in are blind to encrypted traffic and untrustworthy digital certificates, a study reveals

CIOs admit to being blind to new cyber threats and to wasting millions on cyber security that does not work against half of those attacks, a survey has revealed.

Most CIOs agree enterprises cannot defend themselves because cryptographic keys and digital certificates are left unprotected, according to the survey of 500 CIOs around the world, commissioned by security firm Venafi.

According to the survey report, many of the layered security defences that companies have invested in blindly trust keys and certificates, and are unable to differentiate between the keys and certificates that should be trusted and those that should not.

With Gartner predicting that 50% of network attacks will come over channels encrypted using SSL/TLS, the report said this means many popular firewalls, intrusion detection systems (IDS), data loss prevention (DLP) systems, endpoint protection, advanced threat protection and other security technologies will be effective only half of the time.

The survey shows that CIOs recognise that this chaos is jeopardising their most strategic plans to make their organisations more agile by adopting a flexible, automated “fast IT” model for IT infrastructure and by blending the tasks performed by application development and systems operations teams (DevOps).

According to the survey, 87% of CIOs believe their security defences are less effective since they cannot inspect encrypted network traffic for attacks, and 90% of CIOs have or expect to suffer from an attack in which encrypted traffic is used to hide the attack.

The findings are in line with the latest annual threat report by Dell Security, which found that a continued surge in encryption is giving cyber criminals more opportunities to conceal malware from firewalls, with nearly 65% of internet traffic already encrypted.

The Venafi survey revealed that 86% of CIOs think stolen encryption keys and digital certificates will be the next big market for hackers; while 79% of CIOs agree their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce vulnerabilities.


In 2015, the cost of a certificate on the black market was $1,000, while IBM Security’s X-Force research team found that large numbers of code-signing certificates are now a hot commodity on the black market, the report said.

Enterprises rely on tens of thousands of keys and certificates as the root of trust for their websites, virtual machines, mobile devices and cloud servers. The technology was adopted to help solve the original internet security problem: knowing what is safe and private.

Criminals exploit unprotected keys

From online banking, secure communications and mobile applications to the internet of things (IoT), everything IP-based depends upon a key and certificate to create a trusted and secure connection.

But, according to the report, unprotected keys and certificates are being misused by cyber criminals to hide in encrypted traffic, spoof websites, deploy malware, elevate their privileges and steal data.

“Keys and certificates are the foundation of cyber security, authenticating system connections and telling us if software and devices are doing what they are meant to,” said Kevin Bocek, vice-president of threat intelligence and security strategy at Venafi.


“If this foundation collapses, we’re in serious trouble because, with a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds and mobile devices, and decrypt communications thought to be private.”

According to Bocek, the systems many organisations have put in place to verify and establish online trust are increasingly being turned against them. These systems, he said, are worse than useless, because they are lulling organisations into a false sense of security.

“This research shows CIOs now understand they are wasting millions, because security systems like FireEye can’t stop half of the attacks,” said Bocek.

“When you consider that the market for enterprise security is worth an estimated $83bn worldwide, that’s a lot of money being wasted on solutions that can only do their jobs some of the time.”

Public lose confidence in security

According to Bocek, the public markets are reflecting a loss of confidence in cyber security, with the Hack Fund, a major cyber security investment fund, down 25% in the past three months, a much steeper fall than the overall market downturn of 10% in the S&P 500 index.

The risks from unmanaged and unprotected keys and certificates increase as their numbers grow, with a recent Ponemon report revealing that the average enterprise has more than 23,000 keys and certificates, and 54% of security professionals admit to not knowing where all their keys and certificates are located, who owns them, or how they are used.

The Venafi survey shows CIOs are concerned that the increase in keys and certificates needed to support IT initiatives will compound the problem.

With the growing use of encryption – driven largely by Edward Snowden’s revelations of the mass internet surveillance by US intelligence agencies – 95% of CIOs polled indicated they are worried about how they will securely manage and protect all encryption keys and certificates.

As IT services are created and decommissioned ever faster to match demand, the number of keys and certificates in use is expected to grow exponentially.

When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organisations, 79% of CIOs said yes.

Agility brings risk

“Gartner predicts that by 2017 three out of four enterprise organisations will be moving to a bimodal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects,” said Bocek.

“Yet using agile methods and introducing DevOps is an extremely high risk and chaotic endeavour. In these new environments security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted,” he said.

Venafi claims that the findings of the survey confirm the need for an “immune system for the internet” that enables organisations to know which keys and certificates should be trusted and which should not.

“With trust in keys and certificates restored, the value of a business’s other security investments increases,” said Bocek.
