Most IT security professionals are failing to take action about the risks associated with untrustworthy digital certificates and cryptographic keys, a survey has revealed.
This is despite the fact these risks are acknowledged and understood by most, according to a survey of 300 IT security professionals at the BlackHat USA 2015 security conference in Las Vegas.
The survey by security firm Venafi also reveals some information security pros do not understand what security services certificate authorities (CAs) do and do not provide.
Nearly two-thirds of those polled did not know that CAs do not secure certificates and cryptographic keys. Venafi notes that a CA only issues and revokes certificates; it does not monitor where those certificates and their private keys are deployed or how they are used, and it cannot protect them once issued.
There are hundreds of CAs issuing digital trust worldwide and the average organisation has over 23,000 keys and certificates, according to Ponemon Institute research.
When a major CA is breached or when a CA fraudulently issues unauthorised certificates for an organisation, attackers can impersonate, surveil and monitor their organisational targets, as well as decrypt traffic and impersonate websites, code or administrators.
Unsecured keys and certificates provide the attackers trusted access to the target’s networks and allow them to remain undetected for long periods of time.
By design, cryptographic keys and digital certificates are trusted implicitly by servers, browsers and security applications as the basis of authentication and authorisation for anything that speaks IP, including servers, cloud applications and the devices that make up the internet of things (IoT).
Yet, according to Venafi, this blind trust is being misused against organisations by cyber criminals so they can monitor and impersonate their targets to steal data.
When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application or mobile device, 58% of respondents stated they are concerned about man-in-the-middle (MITM) attacks and 14% have concerns about replay attacks.
Venafi said this finding further underlines the fact that despite understanding the risk, many information security professionals are not doing anything to mitigate that risk.
When asked how many CAs are trusted by default on mobile devices, the median response was three; the real figure is more than 240.
When asked what action they had taken after Google and Mozilla stopped trusting CNNIC, the CA run by the Chinese government, because of its certificate issuance practices, only 26% said they had removed CNNIC from all desktops, laptops and mobile devices.
The remaining respondents had taken no action (23%), were waiting for Apple and Microsoft to act (17%) or did not know (34%).
Even though 90% of those surveyed believe a leading CA such as Symantec, Entrust or Comodo will be compromised in the next two years, only 13% have automation in place to remediate.
Venafi said without a CA migration plan and automation in place, all organisations using a public CA that is breached will have to rapidly migrate certificates issued from the compromised CA to another – manually.
Given that the average organisation has more than 23,000 certificates and that replacing a single certificate on a single system takes around four hours, the security firm said doing this manually for every certificate and its associated key is untenable.
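The survey figures above turn into three checks an operations team can script: how many roots the host actually trusts, whether a distrusted root such as CNNIC is still present, and which certificates would have to be replaced if a given CA were breached. The following is an added example written for this article, not Venafi's tooling or anything the survey respondents used. It uses only the Python standard library: the trust-store functions read whatever CA bundle OpenSSL finds on the host (the Debian bundle path shown is an assumption), and the issuer inventory runs over a constructed list of certificate records in the same dict shape that `ssl.SSLContext.get_ca_certs()` returns, so it works offline.

```python
"""Trust-store enumeration and certificate inventory (added example, stdlib only)."""
import ssl
from collections import Counter

# Assumed location of the system CA bundle on Debian/Ubuntu hosts; adjust per platform.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def name_of(dn):
    """Collapse an ssl-style distinguished name (tuple of RDN tuples) into 'O / CN'."""
    parts = {key: value for rdn in dn for key, value in rdn}
    return " / ".join(p for p in (parts.get("organizationName"), parts.get("commonName")) if p)


def trusted_roots(cafile=None):
    """Return the CA certificates OpenSSL would trust on this host.

    Caveat: certificates loaded from a capath directory (the OpenSSL default on
    many Linux distributions) are loaded lazily and are not reported by
    get_ca_certs() until used, so for a reliable count pass the bundle file.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx.get_ca_certs()


def count_trusted_roots(cafile=None):
    """The figure respondents guessed at: how many roots this host trusts."""
    return len(trusted_roots(cafile))


def find_roots(needle, roots=None, cafile=None):
    """Roots whose subject O or CN contains `needle` (case-insensitive), e.g. 'CNNIC'."""
    roots = trusted_roots(cafile) if roots is None else roots
    needle = needle.lower()
    return [c for c in roots if needle in name_of(c["subject"]).lower()]


def inventory_by_issuer(certs):
    """Count certificates per issuing CA: the first step of a CA migration plan."""
    return Counter(name_of(c["issuer"]) for c in certs)


def issued_by(certs, issuer_needle):
    """Certificates to replace if `issuer_needle` is distrusted, soonest expiry first."""
    needle = issuer_needle.lower()
    hits = [c for c in certs if needle in name_of(c["issuer"]).lower()]
    return sorted(hits, key=lambda c: ssl.cert_time_to_seconds(c["notAfter"]))


def _record(subject_o, subject_cn, issuer_o, issuer_cn, not_after):
    """Build a record in the shape get_ca_certs() returns (constructed data)."""
    return {
        "subject": ((("organizationName", subject_o),), (("commonName", subject_cn),)),
        "issuer": ((("organizationName", issuer_o),), (("commonName", issuer_cn),)),
        "notAfter": not_after,
    }


# Constructed sample inventory; these are not real certificates or real CAs.
SAMPLE_CERTS = [
    _record("Example Ltd", "www.example.test", "Example CA One", "Example CA One Root", "Jun  1 00:00:00 2026 GMT"),
    _record("Example Ltd", "mail.example.test", "Example CA One", "Example CA One Root", "Mar 15 12:00:00 2025 GMT"),
    _record("Example Ltd", "vpn.example.test", "Example CA Two", "Example CA Two Root", "Sep 30 08:00:00 2025 GMT"),
]


if __name__ == "__main__":
    print("trusted roots (bundle):", count_trusted_roots(DEFAULT_BUNDLE))
    for root in find_roots("CNNIC", cafile=DEFAULT_BUNDLE):
        print("still trusted:", name_of(root["subject"]))
    for issuer, n in inventory_by_issuer(SAMPLE_CERTS).most_common():
        print(f"{n:5d}  {issuer}")
    for cert in issued_by(SAMPLE_CERTS, "CA One"):
        print("replace first:", name_of(cert["subject"]), "expires", cert["notAfter"])
```

On a real estate the `SAMPLE_CERTS` list would be replaced by records pulled from the certificate inventory (for example, the output of scanning listeners or a key-management system); the point of `issued_by` is that the replacement order for a breached CA is decided by data you already hold, not by a manual search four hours per system at a time.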
“The results of this survey are disturbing given the number of IT security professionals who recognise the threats posed by CAs and misused certificates, but lack the knowledge, understanding and automation to solve the problem and reduce the risk of attack,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.
“From the DigiNotar breach to MCS Holdings and Google, organisations continue to blindly trust certificates and lack the ability to efficiently respond and develop future protections.
“Cyber criminals know the major impact of fraudulent issuance and misuse of keys and certificates and will continue to leverage them for advanced persistent threat-style attacks because they know they are effective,” he said.
Bocek said if IT security professionals do not address the risks of untrusted CAs, MITM attacks and certificate-related breaches are likely to increase.
“Unfortunately, we live in a world without trust because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks.
“As a whole, global organisations and IT security and operations teams need to wake up and take the steps necessary to secure their keys and certificates and realise the CAs just can’t help with that,” he said.
According to Bocek, as billions of devices come online and more IoT devices are widely adopted, it will become all the more critical to protect the keys and certificates used for authentication, validation and privileged access control.