TRUST ONLINE IS AT THE BREAKING POINT
The trust established by cryptographic keys and digital certificates is in jeopardy.

58% OF COMPANIES need to better secure and protect their keys and certificates.
60% OF IT SECURITY TEAMS believe their organization needs to better respond to vulnerabilities involving keys and certificates.
100% ATTACKED: all survey respondents reported that they have responded to attacks using keys and certificates within the last 2 years—this is a costly problem that is just getting worse.
WHAT’S THE RESULT?
$597M TOTAL IMPACT: total possible impact per organization for all attacks. Up 50% from 2013 ($398M).
$53M RISK OF ATTACK over the next 2 years per organization. 2015: $53M; 2013: $35M; up 51%. Risk = probability of attack x total impact.
WHO DID WE ASK?
2,394 RESPONDENTS in Global 5,000 organizations
  Australia        336
  France           339
  Germany          574
  UK               499
  United States    646

TOP 5 INDUSTRIES represented
  Financial Services     17%
  Government             11%
  Professional Services   8%
  Consumer Products       7%
  Retail                  7%

59% OF COMPANIES have 5,000 or more employees.
WHAT CAUSES THIS RISK?
23,922 KEYS & CERTIFICATES on average per company, up 34% from 2013.
$1000 PRICE TAG for a stolen certificate in the underground marketplace.
54% OF ORGANIZATIONS ARE UNAWARE: most organizations do not know where all keys and certificates are located. Up from 50% in 2013.
WHAT ARE THE MOST ALARMING THREATS?
CRYPTOAPOCALYPSE: the most alarming threat to security professionals in 2015 is a Cryptoapocalypse: a discovered cryptographic weakness that becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and governments to be spoofed or surveilled (the term was coined by researchers presenting their findings at Black Hat 2013).[1]

GREATEST RISK
  $22M   Weak cryptographic exploit
  $11M   Mobility certificate misuse
  $8.4M  Code-signing certificate misuse
  $6.5M  MITM attacks
  $3.1M  SSH key misuse
  $1.9M  Server certificate misuse

LARGEST IMPACT
  $126M  Mobility certificate misuse
  $114M  Weak cryptographic exploit
  $102M  Code-signing certificate misuse
  $93M   SSH key theft
  $90M   MITM attacks
  $73M   Server certificate misuse

THREAT TO MOBILE LOOMS LARGE: enterprise mobility certificates (used with WiFi, VPN, and MDM/EMM) rank #2 for greatest risk ($11M) and #1 for largest impact ($126M).

1. Stamos, Alex, et al. “Preparing for the Cryptopocalypse.” Black Hat USA 2013, July 2013.
TRUST IS IN JEOPARDY
HALF OF IT SECURITY PROFESSIONALS BELIEVE
• Trust established by keys and certificates is in jeopardy
• The way we create trust is broken
• Gartner is right: “Certificates can no longer be blindly trusted”[2]

2. Gartner. Maverick Research: Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned. Gartner Doc G00238476. October 5, 2012.
4 RECOMMENDATIONS FOR SECURITY TEAMS
1. Know what’s being used: find all keys and certificates.
2. Establish what should be trusted: enforce policy, automate security.
3. Always know what’s trusted, what’s not: continuously monitor, check reputation for all.
4. Remediate what’s not trusted: fix and replace vulnerable keys and certificates.