Digital Certificates Chaos Could Cost Companies $398 Million

Trust. It is the basis of all digital transactions. We trust that our inventory systems are providing the correct information, that the documents we're reading have not been altered, that the entity on the other side of a financial transaction is our bank.

But outside of the security function, the mechanisms of trust in the digital world, the mechanisms every business and government agency relies on to ensure that communications and transactions conducted across the Internet and within closed networks remain trusted, private and compliant with regulations, are not readily understood. That makes them vulnerable, and criminals are increasingly beginning to prey on that trust.

Imagine, for instance, a criminal exploiting a digital certificate for a printer in the executive suite, giving the bad guys the capability to read every document as it's printed.

"When the printer in the executive office gets hacked, people can just watch the stream," says Jeff Hudson, CEO of Salt Lake City-based Enterprise Key and Certificate Management (EKCM) provider Venafi.

"Those executives might not want to put sensitive documents in email because they feel email is too insecure, but they might as well just email it directly to the people who want to manipulate the stock price," Hudson says. "Nobody's looking. The criminals will figure out how to get into the stream."

Attacks on Trust Will Cost Enterprises Average of $35 Million

According to a new study by Ponemon Institute, underwritten by Venafi, Global 2000 organizations are projected to lose an average of $35 million over the next 24 months due to attacks on trust. Larry Ponemon, chairman and founder of Ponemon Institute Research, says that estimate is based on a total possible cost exposure of $398 million per organization.

"In partnering with Venafi, we set out to answer for the first time one of the most sought after questions in information security and compliance: What are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?" Ponemon says.

"We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate," Ponemon says.

"This new research not only allows us to quantify the cost of these trust exploits, but also gives insight into how enterprise failures in key and certificate management open the door to criminals," Ponemon adds.

"More than half of the companies surveyed, for instance, do not know how many keys and certificates they have, which is both a serious security issue and a Governance, Risk and Compliance (GRC) gap that executives must address with proper controls," Ponemon says.

"It's not surprising then that all companies we spoke with had suffered an attack on trust due to failed key and certificate management, or that these attacks are projected to cost organizations an average of $35 million, with a maximum possible cost exposure of $398 million per organization," Ponemon says. "This level of risk and exposure demands remediation."

Ponemon Institute surveyed 2,342 respondents from within the Global 2000 in Australia, France, Germany, the U.K. and U.S. The respondents represented 16 unique vertical industries, the top five of which were these: financial services, public sector, consumer products, services (including audit and consulting) and education and research.

"The empirical question was: If an organization experiences a meltdown involving their encryption key or certificate management, what would happen?" Ponemon explains. "We attempted to extrapolate a maximum cost per exposure."

Ponemon had respondents evaluate four cost categories for each type of attack:

Incident response

Lost productivity

Revenue loss

Brand and reputation damage

"Using this methodology, what we were able to do was estimate and extrapolate the costs of the different scenarios," Ponemon explains. "Each of the scenarios we used was based on real-life events."

All Respondents Had Suffered at Least One Attack

All of the enterprises surveyed had suffered at least one attack on trust due to failed key and certificate management. Easily preventable exploits of weak cryptography turned out to be both the most likely and the most costly, averaging $125 million per incident, per organization.

Attacks on trusted certificate authorities (CAs), which issue and validate digital certificates, can lead to man-in-the-middle and phishing attacks on enterprises, with costs averaging $73 million per incident, per organization.

Ponemon notes that the high cost makes sense given that attacks on cryptographic keys and certificates are difficult to detect and also target the most critical IT and business processes. He notes that the numbers are in line with the results of other major breaches, like the 2006 breach of TJX Companies, the owner of T.J. Maxx and other stores. In that instance, hackers accessed a system that stored information on customer credit card, debit card, check and merchandise return transactions. The breach affected 45.7 million customers and cost TJX at least $256 million.

"The Internet really relies on a mechanism of trust," Hudson says. "What trusts what and why does it trust it? This is not a well-understood area. Even at the CISO and CIO level, when we ask them 'where are your SSL certificates?' they don't really know. But it's fundamental to the way this whole thing works."

"This is also the first time when CEOs and other C-level executives in large corporates don't really have a clue how things work," Hudson adds. "It used to be they knew they could trust what was in their inventory because they could say, 'we've got armed guards, locked doors and keys, dogs, etc.' But when we move into this era of the Internet, they just don't know. They don't know how this machine knows it can trust that machine. And the bad guys have figured that out. What a bad guy will always do is go after you when you're not looking."

Organizations Don't Know How Many Keys, Certificates They Have

Much of the problem, Ponemon and Hudson agree, comes down to the fact that organizations simply do not know how many cryptographic keys and certificates exist in their infrastructure. The survey found that 61 percent of U.K. organizations don't know exactly how many keys and certificates they have deployed.

The same is true of 59 percent of Global 2000 organizations in France, 54 percent in the U.S., 47 percent in Australia and 34 percent in Germany. And that inability to discover where keys and certificates are deployed, how they are being used and who is using them essentially means that an enterprise has lost its control over trust, Ponemon says.

The problem may also be even worse than the above numbers imply. Ponemon found that respondents, on average, estimated they had 17,807 keys and certificates each. But Hudson notes that organizations invariably have far more than they estimate.

"When we go into a Global 2000, on average, when we're done they have discovered five times more of these instruments than they thought they had," Hudson says.

"The scale of the problem means it's not a human problem anymore," Ponemon adds. "You really need to have the right tools in place to manage it."

Compromised SSH Keys Most Alarming Threat

Perhaps most alarming, and identified as the biggest threat by respondents working in the security trenches, is the possibility of SSH key theft and compromise, which has an average potential exposure cost of $75 million.

While not well-known outside the domain of the system administrator, SSH is used extensively to establish secure connections between computers and provides root access to systems. As organizations adopt cloud computing, SSH keys become an even more tempting target, as SSH is used to maintain control and ownership of cloud systems like Amazon Web Services and Microsoft Azure.

SSH has been infrequently audited in the past, despite the fact that criminals who obtain keys used by a trusted administrator or system could compromise all connected systems and data, even if it's encrypted.
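The kind of inventory check an SSH key audit starts with, as an added example that is not from the article, Ponemon or Venafi: parse an authorized_keys file, recover each key's type, size and OpenSSH-style SHA256 fingerprint from the wire-format blob, and flag RSA keys under 2048 bits, keys carrying no from= or command= restriction, and the same key authorised in more than one place. The thresholds are policy assumptions and the sample file is constructed with synthetic key material.

```python
import base64, hashlib, shlex, struct
def _s(b):            # SSH "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _mpint(n):        # SSH mpint: big-endian, extra 0x00 when the high bit is set
    return _s(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _read(blob, pos): # read one SSH string at pos -> (bytes, next pos)
    n, = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def key_bits(keytype, blob):   # key size recovered from the wire-format public key
    name, pos = _read(blob, 0)
    if name.decode() != keytype:
        raise ValueError("key type inside blob does not match the declared type")
    if keytype == "ssh-rsa":
        _, pos = _read(blob, pos)                                          # exponent e
        return int.from_bytes(_read(blob, pos)[0], "big").bit_length()    # modulus n
    return 256 if keytype == "ssh-ed25519" else 0                          # others: unknown

def audit_authorized_keys(text):   # one finding per key line; thresholds are assumptions
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)
        i = next((j for j, t in enumerate(tok) if t.startswith(("ssh-", "ecdsa-"))), None)
        if i is None or i + 1 >= len(tok):
            continue                                   # blank, comment or malformed line
        options, keytype, blob = tok[:i], tok[i], base64.b64decode(tok[i + 1])
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        bits, problems = key_bits(keytype, blob), []
        if keytype == "ssh-rsa" and bits < 2048:
            problems.append("weak-rsa-%d" % bits)
        if not any("from=" in o or "command=" in o for o in options):
            problems.append("unrestricted")            # no source-address or forced-command limit
        if fp in seen:
            problems.append("duplicate-of-line-%d" % seen[fp])   # same key authorised twice
        seen.setdefault(fp, lineno)
        findings.append({"line": lineno, "type": keytype, "bits": bits, "fp": fp, "problems": problems})
    return findings

# Constructed sample file with synthetic key material (not real keys, not from the article).
def _blob(keytype, *fields):
    return base64.b64encode(_s(keytype.encode()) + b"".join(fields)).decode()
RSA_WEAK = _blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))   # 1024-bit modulus
RSA_OK = _blob("ssh-rsa", _mpint(65537), _mpint((1 << 3071) | 1))     # 3072-bit modulus
ED = _blob("ssh-ed25519", _s(b"\x01" * 32))
SAMPLE = "\n".join([
    "# legacy and current keys on one host",
    "ssh-rsa %s legacy-backup@old-host" % RSA_WEAK,
    'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa %s backup' % RSA_OK,
    "ssh-ed25519 %s admin@laptop" % ED,
    "ssh-ed25519 %s admin-key-copied-to-service-account" % ED,
])
```

Run over every account's authorized_keys on every host and join on the fingerprint to see which keys grant access where; that join is the inventory the article says most organizations lack.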

"The journey to regaining control over trust will require bringing together process, policy, people and technology," Ponemon says. "Best practices, such as those from NIST on preparing and responding to CA compromises and on managing the key management lifecycle, are valuable. Guidance from regulators, such as the U.K. Information Commissioner's Office (ICO) on cloud computing and data privacy, also provides valuable frameworks for maintaining control over trust in the current and emerging age of computing."

Ponemon also suggested Forrester Research's report, "Kill Your Data to Protect It from Cybercriminals," as a primer on defending data and trust.

"Ultimately, as this research demonstrates, organizations' control over trust remains only as strong as their ability to manage cryptographic keys and digital certificates," Ponemon adds.

Stories by Thor Olavsrud