New research has found overwhelming consensus among IT executives that the foundation of cyber security – cryptographic keys and digital certificates – is being left unprotected, leaving enterprises blind, in chaos, and unable to defend their businesses.
In a survey of 500 CIOs, commissioned by Venafi, respondents acknowledged they are wasting millions of dollars on layered security defences that ‘blindly trust’ keys and certificates – unable to differentiate between which keys and certificates should be trusted and which shouldn’t.
Gartner has previously predicted that 50% of network attacks will come over SSL/TLS, meaning popular security systems will only work half of the time. According to the research, CIOs recognise this is ‘jeopardising’ their most strategic plans to build fast IT organisations around DevOps.
Nine of ten survey respondents said they had suffered, or expected to suffer, an attack that is hidden by encrypted traffic, while 87% said their security defences are less effective since they can’t inspect encrypted network traffic for attacks.
>See also: The 2016 cyber security roadmap
Meanwhile, 86% of respondents said stolen encryption keys and digital certificates will be the next big market for hackers, and 79% agreed their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce new vulnerabilities.
Enterprises rely on tens of thousands of keys and certificates as the foundation of trust for their websites, virtual machines, mobile devices, and cloud servers. The technology was adopted to help solve the original Internet security problem of knowing what is safe and private.
From online banking, secure communications and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted and secure connection.
But unprotected keys and certificates are being misused by cybercriminals to hide in encrypted traffic, spoof websites, deploy malware, elevate their privileges, and steal data.
Deployed technologies like endpoint protection, advanced threat protection, next generation firewalls, behavioural analytics, intrusion detection systems (IDS) and data loss prevention (DLP) are fundamentally flawed, said Venafi, because they cannot determine which keys and certificates are good or bad, friend or foe.
As a result, one consequence is that they are unable to inspect the vast majority of encrypted network traffic. This leaves holes in enterprise security defences that cybercriminals are taking advantage of, using unprotected keys and certificates to hide in encrypted traffic and circumvent security controls.
“Increasingly, the systems we’ve put in place to verify and establish online trust are being turned against us,” said Kevin Bocek, VP threat intelligence and security strategy at Venafi. “Worse still, the vendors that tell us they can protect us, can’t. Endpoint protection, firewalls, IDS, DLP and the like are worse than useless because they are lulling people into a false sense of security.
“This research shows CIOs now understand they are wasting millions because security systems like FireEye can’t stop half of the attacks. When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that’s a lot of money being wasting on solutions that can only do their jobs some of the time.
The risks from unmanaged and unprotected keys and certificates increase as their numbers grow. A recent Ponemon report revealed that the average enterprise has more than 23,000 keys and certificates, and 54% of security professionals admitted to not knowing where all of their keys and certificates are located, who owns them, or how they are used. CIOs are concerned that the increase in keys and certificates to support new IT initiatives will confound the problem.
In light of Encryption Everywhere plans, driven in large part by Edward Snowden’s revelations and breach of the NSA, virtually all CIOs (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates.
And as the speed of IT increases – creating and decommissioning services based on elastic needs – keys and certificates will grow in orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organisations, 79% of CIOs said yes.