IT professionals are more reliant on public key encryption than ever before. They’re also more doubtful than ever before that the technology will keep their critical data and assets safe.
That’s the conclusion of a survey of more than 2,000 IT professionals conducted by The Ponemon Institute and the security firm Venafi. The survey of IT security professionals in the U.S., U.K., Germany, France and Australia found that attacks on both encryption keys and certificates are universal, while enterprise governance of certificates continues to lag.
The proliferation problem
Data collected in the survey found that the number of keys and certificates deployed within organizations has grown by 34% to almost 24,000 per enterprise. Unsurprisingly, that rapid growth has left organizations less sure of where they use keys and certificates. Fifty-four percent of organizations surveyed acknowledged that they did not know where all their keys and certificates are located, the report said.
The report sounds a dire warning for the countless government and private sector firms that rely on public key encryption to protect online transactions and data. “The digital trust that underpins most of the world’s economy is nearing its breaking point, and there is no replacement in sight,” it concludes.
The problems facing the global system for digital trust are legion. Digital certificates have become a standard tool for securing communications to and from Internet connected devices, but oversight of those certificates and the infrastructure that supports them is often loose.
Among other causes for certificate proliferation: makers of connected devices like laptops, mobile phones or set top boxes mass manufacture digital certificates that ship with each product without a thought to maintaining them over time, said Kevin Bocek, the Vice President of Security Strategy at Venafi, which sponsored the Ponemon survey.
An attractive target for attacks
Those certificates have become an attractive target for cyber criminal groups and state-backed hacking crews, who exploit the implicit trust granted to the certificates to plant malicious code on other systems. The report cited an October 2014 report on cyber criminal marketplaces by the firm SenseCy that suggested a brisk trade in stolen certificates.
The report cites research suggesting that cyber criminal groups and malware authors see stolen and forged certificates as a reliable way to get malicious software installed on target systems. Groups behind malware like Carbanak and Flame use certificates to sign malicious software and make it seem legitimate. Advanced persistent threat (or APT) groups including Mask and Dark Hotel use stolen certificates to gain a foothold on target networks or to conduct phishing and man-in-the-middle attacks on executives and other high value targets, the report notes.
The report comes amid reports about attacks on the integrity of digital certificates and the system of certificate authorities that support online encryption. Among those: a memory-disclosure vulnerability in OpenSSL dubbed “Heartbleed” let attackers read server memory, exposing the private keys behind vulnerable SSL and TLS certificates and forcing their replacement.
More recently, controversy erupted over the laptop maker Lenovo’s decision to ship hardware preloaded with adware from the firm Superfish. The Superfish software subverted secure web sessions by conducting man-in-the-middle attacks on them: it installed its own root certificate in the system trust store so that it could decrypt the sessions locally and analyze their content.
Research by the Electronic Frontier Foundation subsequently found evidence of 1,600 SSL certificates that may have been used to carry out man-in-the-middle attacks in the same fashion as the Superfish adware. The web domains involved included high-profile properties like Google, Yahoo, Amazon and banking websites, the EFF said.
The cumulative effect of the warnings and attacks is a reduced confidence in the ability of keys and certificates to guarantee online identities and protect sensitive transactions. Half of respondents to the Ponemon study said that the online trust model was broken and agreed “certificates can no longer be blindly trusted.”
Bocek of Venafi said that, like public infrastructure, the system of keys and certificates has been ignored while the Internet has grown up around it. “In the last 20 years we’ve created $100 billion in value on the back of the Internet and digital commerce…This has been trusted technology for a long time, but like anything in information technology, it has to change.”
There are no easy fixes
The report suggests organizations adopt practices that allow them to identify and track the certificates used within their environment. Bocek believes that companies like Google are blazing a path that other firms may follow: ending use of compromised encryption standards and devoting resources to certificate integrity checking and transparency. Among other things, Google has put a three-month expiration date on the certificates it issues, limiting the useful life of any compromised certificate.
The search giant has also launched Google Certificate Transparency, an open framework for monitoring and auditing SSL certificates in near real time. Bocek said tools like Certificate Transparency will make it easier to identify and weed out stolen or malicious certificates, and to identify certificate authorities that can no longer be relied on because they have issued certificates used in rogue operations.
"The whole system needs to be more agile," he said. "We have to decide whether (a certificate) is trusted or not and be ready to replace things."
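The inventory practice the report recommends, together with the Superfish-style shared-key root described earlier, as an added example in Go that is not code from the report, Venafi or Google: it walks a PEM bundle (such as a trust-store export), flags certificates that are expired or that outlive the 90-day ceiling the article attributes to Google, and flags any CA whose public key appears on a list of known-compromised keys, which is how a leaked vendor root such as Superfish's would surface. The bundle, the "Example Vendor Root CA" whose private key we pretend has leaked, the leaf names and the known-bad list are all constructed inline for the demo and are not Superfish's actual certificate or key; only the standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding records one policy violation for one certificate.
type Finding struct{ Subject, Issue string }

// maxValidity is the 90-day lifetime the article attributes to Google's own certificates.
const maxValidity = 90 * 24 * time.Hour

// spkiFingerprint hashes the SubjectPublicKeyInfo: certificates sharing a key share a fingerprint.
func spkiFingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// checkCert applies the inventory policy to one parsed certificate.
func checkCert(cert *x509.Certificate, now time.Time, knownBadSPKI map[string]string) []Finding {
	subj, f := cert.Subject.CommonName, []Finding(nil)
	if now.After(cert.NotAfter) {
		f = append(f, Finding{subj, "expired"})
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxValidity {
		f = append(f, Finding{subj, fmt.Sprintf("validity %d days exceeds %d-day ceiling", int(life.Hours()/24), int(maxValidity.Hours()/24))})
	}
	// A trusted CA whose private key is public lets anyone mint certificates for any site.
	if name, bad := knownBadSPKI[spkiFingerprint(cert)]; bad && cert.IsCA {
		f = append(f, Finding{subj, "CA public key is on the known-compromised list: " + name})
	}
	return f
}

// inventoryPEM walks every CERTIFICATE block in a PEM bundle (e.g. a trust-store
// export); unparseable blocks are reported rather than silently skipped.
func inventoryPEM(bundle []byte, now time.Time, knownBadSPKI map[string]string) []Finding {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			findings = append(findings, Finding{"<unparseable>", "parse error: " + err.Error()})
			continue
		}
		findings = append(findings, checkCert(cert, now, knownBadSPKI)...)
	}
	return findings
}

// issue appends a certificate for cn to *b, signed by signer; a nil parent means a
// self-signed CA. The DER we just produced always parses back, so that error is dropped.
func issue(b *[]byte, serial int64, cn string, nb, na time.Time, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	*b = append(*b, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// sampleBundle builds constructed demo data (not material from the survey): a vendor
// root whose private key we pretend has leaked (the Superfish pattern), a 396-day leaf
// and an expired 90-day leaf, plus the known-compromised SPKI list that names the root.
func sampleBundle(now time.Time) ([]byte, map[string]string) {
	day := 24 * time.Hour
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails on a broken RNG
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var b []byte
	root := issue(&b, 1, "Example Vendor Root CA", now.Add(-day), now.Add(30*day), nil, &rootKey.PublicKey, rootKey)
	issue(&b, 2, "long-lived.example", now.Add(-day), now.Add(395*day), root, &leafKey.PublicKey, rootKey)
	issue(&b, 3, "expired.example", now.Add(-100*day), now.Add(-10*day), root, &leafKey.PublicKey, rootKey)
	return b, map[string]string{spkiFingerprint(root): "Example Vendor Root CA (constructed leaked key)"}
}

func main() {
	now := time.Now()
	b, knownBad := sampleBundle(now)
	for _, f := range inventoryPEM(b, now, knownBad) {
		fmt.Printf("%-24s %s\n", f.Subject, f.Issue)
	}
}
```

On a real estate the bundle would come from the operating-system trust store or from the chains your servers actually serve, and the known-bad map would be populated from published fingerprints of leaked CA keys; the same checkCert function could be fed certificates that a Certificate Transparency monitor finds issued for your domains, which is the "identify and weed out" workflow Bocek describes. Keying the compromised list on the SubjectPublicKeyInfo hash rather than the certificate serial matters because a leaked key can be re-wrapped in any number of fresh certificates.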
This story, "Survey finds faith in Internet trust system fading fast" was originally published by ITworld.