Everything is Connected but Nothing is Trusted


Enterprise connectivity has grown exponentially in recent years, extending beyond the perimeter to cloud applications, mobile devices and dispersed DevOps teams pushing code to production faster than ever. The internet is the new landscape for business operations, as organizations continuously share critical data across connected apps, devices and remote users.

But this multitude of new connections is also an opportunity for cybercriminals, giving them a host of new launching points for attacks and vastly increasing organizations’ security exposure to data theft. Attackers themselves are using the cloud — obtaining stolen digital identities on the dark web and automation tools that let them quickly zero in on thousands of vulnerable targets.

And that’s only the beginning. Interconnected apps and the advent of the IoT are exponentially expanding the attack surface by providing new portals to everything from business-critical data to life-critical medical devices. Even connected cars, planes and trains are vastly increasing the number of potential cyberattack sites.

There is now almost a 30% chance that an organization will suffer a data breach in the next two years, according to Ponemon Institute’s 2019 Cost of a Data Breach Report. Between regulatory fines and lost business, a single breach costs an average of $3.92 million, with reputational damage that can drive customers away for years.

In this environment, organizations can’t afford to stand still. They must act now to strengthen their defenses quickly and effectively. But many are uncertain of the best approach, adopting the latest cybersecurity tools as they reach the market instead of creating a firm foundation to keep their entire infrastructure safe. While some tools work better than others, it’s important to remember the classic security adage: You’re only as strong as your weakest link.

Enterprise PKI as the Foundation


To protect the growing number of connections and comply with evolving privacy laws, modern enterprises have relied on the use of cryptography to establish trust and control access between every person, device and application across their network. By leveraging keys and digital certificates to encrypt and authenticate all of these connections, organizations can protect their most critical data and infrastructure. The most effective way to deploy cryptography is through public key infrastructure (PKI) and digital certificates.

This is the underlying infrastructure that secures the entire internet. Virtually every enterprise today uses PKI, both to encrypt vital information and to create secure access for users, devices and applications throughout the organization.


Enterprise-managed PKI ensures that every device on your network has a verifiable digital identity, and that only the right devices connect to the right applications in the right ways. It gives visitors to your website confidence that the software they download came from you and has not been altered in transit. For these reasons, and many others, PKI is at the heart of enterprise security, enabling people, applications and tools such as firewalls and gateways to authenticate one another and communicate securely. Such security is increasingly vital as connections extend well beyond the enterprise across open, often untrusted networks worldwide.

The vast majority of organizations understand the value of PKI. Encryption methods have strengthened, and PKI is now routinely used for securing files and emails, as well as mobile payment transactions, Wi-Fi and VPN connections, and IoT applications.

So, why is the digital security exposure epidemic getting worse instead of better?

"Cryptography is a critical infrastructure for digital business and, therefore, requires attention and investment."


GARTNER

Technology Insight for X.509 Certificate Management,
David Mahdi, David Collinson, October 2019

The Digital Certificate Management Problem


Managing digital certificates and keys was easy before the age of the cloud, DevOps and the IoT. IT could keep track of everything on a spreadsheet. But managing PKI today has become an extremely complex endeavor. Forty-eight percent of organizations now have more than 10,000 certificates across their environment, research shows. Most don’t even know how many certificates they have, much less where they are and when they expire.

Security professionals simply don’t have the time or resources they need to keep pace. But poorly managed digital certificates lead to serious problems, including security breaches, failed audits, and expensive, productivity-draining network and application outages.

When organizations lose track of digital certificates, bad things happen. When they lose keys, they experience data loss and cannot retrieve or open encrypted messages. And if certificates expire, the aftermath can be even costlier.

Expired digital certificates open businesses up to potential security breaches and can cause outages in critical applications, impacting both business operations and revenue.
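The inventory problem described above comes down to two questions per certificate: where is it, and when does it expire. As an added example (not code from the original page or from any vendor named on it), the Python script below answers the second question with nothing but the standard library: it walks a DER-encoded X.509 certificate far enough to read its Validity field (RFC 5280, section 4.1), handles both UTCTime and GeneralizedTime, and classifies the certificate against a clock with a warning window. The certificate it parses is a constructed, unsigned skeleton built inline (the `sample_der` helper) so the script runs offline; `pem_to_der` is where real PEM files from disk or key stores would enter.

```python
"""Certificate expiry inventory with only the Python standard library.
Walks just enough of a certificate's DER structure to reach the Validity
sequence (RFC 5280, section 4.1), then classifies it relative to a clock.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def utc(year, month, day):
    """Aware UTC datetime at midnight; keeps call sites short."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                     # long form: 0x8N then N big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:                                # short form: one byte, length < 128
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Return [(tag, value_start, value_end), ...] for the elements of a SEQUENCE or SET."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out

def parse_der_time(tag, raw):
    """Decode a Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:                      # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_from_der(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    tag, s, e = read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    _, ts, te = children(der, s, e)[0]   # tbsCertificate ::= SEQUENCE
    fields = children(der, ts, te)
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _, vs, ve = fields[3]                # serialNumber, signature, issuer, validity, ...
    (t1, s1, e1), (t2, s2, e2) = children(der, vs, ve)[:2]
    return parse_der_time(t1, der[s1:e1]), parse_der_time(t2, der[s2:e2])

def expiry_status(der, now, warn_days=30):
    """Classify a certificate at time `now`: ok, expiring, expired or not-yet-valid."""
    not_before, not_after = validity_from_der(der)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"not_after": not_after.isoformat(), "days_left": days_left, "status": status}

# Constructed sample: an unsigned certificate skeleton that only exercises the parser.
def tlv(tag, value):
    """Tiny DER encoder for the sample (values under 256 bytes)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def sample_der(not_before=b"190101000000Z", not_after=b"200101000000Z"):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"sample"))))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")),                            # [0] version v3
        tlv(0x02, b"\x01"),                                       # serialNumber
        alg, name,                                                # signature, issuer
        tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after)),  # validity
        name, tlv(0x30, alg + tlv(0x03, b"\x00\x00")),            # subject, dummy SPKI
    ]))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))          # dummy signature

SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(sample_der()).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(expiry_status(pem_to_der(SAMPLE_PEM), utc(2019, 12, 15)))
```

Run as-is, the script reports the sample certificate as "expiring" with 17 days left on 15 December 2019. Two caveats worth keeping in mind: the warning window should be longer than the time it takes your organization to actually renew and redeploy a certificate, and a real inventory still needs the discovery half (scanning hosts, key stores, load balancers and configuration files for certificates nobody recorded), which this script deliberately leaves out.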

Equifax: How an Expired Certificate Led to a Costly Breach

A congressional investigation of the notorious Equifax breach, in which the names, addresses, Social Security numbers and driver’s license numbers of 148 million people were exposed, revealed that a monitoring device designed to alert the company to data exfiltration had stopped working because of an expired security certificate. When the company finally replaced the certificate, it immediately noticed the suspicious web traffic on its consumer dispute portal, the Automated Consumer Interview System (ACIS). By then the attackers had been inside for 76 days. “Had Equifax implemented a certificate management process…the company would have been able to see the suspicious traffic to and from the ACIS platform much earlier — potentially mitigating the data breach,” the congressional report said. The attack would likely have been contained much sooner, and affected far fewer people, if the company had kept track of its certificates.

Expired certificates also give companies a very public black eye, as global telecom provider Ericsson learned when an expired certificate in software it supplied to mobile operators caused millions of customers in the UK and Japan to lose service. Microsoft-owned LinkedIn was similarly embarrassed when an expired certificate left users with a browser warning that their connection, and consequently their personal data, was not secure.

Outages have significant financial consequences, too, including millions of dollars in lost commerce and productivity. The cost of an unplanned outage resulting from a single certificate expiration can add up to $10 million or more, according to a 2019 report from Ponemon Institute and Keyfactor. Resulting penalties and fines may far exceed the original cost of the outage.

Poor digital certificate management can also cause companies to fail a compliance audit, costing non-compliant organizations more than $14 million on average, the Ponemon-Keyfactor report found. Failed audits are embarrassing, expensive and uncomfortably common. Organizations now have a 42% likelihood of experiencing a failed audit in the next two years, the same report shows.

The percentage of companies passing an interim security test under the Payment Card Industry's Data Security Standard dropped to 37% in 2018, the lowest level in five years, according to Verizon's 2019 Payment Security Report.

Compliance auditors are hyperaware of the digital security exposure epidemic and have become more vigilant in response to public concern. New laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, lay out much stricter controls for personal information — and high fines for those who neglect them. Other jurisdictions are considering similar laws.

Theft and Misuse from Cybercriminals


Keeping up with certificate expirations is not enough. To combat the digital security exposure epidemic, organizations must also guard against the theft and misuse of their certificates and private keys.

Cybercriminals have compromised both public and private certificate authorities to issue fraudulent, or “rogue,” certificates. Attackers who broke into one such authority, Dutch certificate provider DigiNotar, were able to issue more than 200 rogue certificates for domains they did not control, which let them impersonate legitimate sites and intercept their users’ traffic. Fraudulent certificates also lend credibility to the fake websites used in phishing scams.

It happens more than you might think. Your organization has a 38% chance of experiencing a certificate authority breach within the next two years, according to the Ponemon-Keyfactor study.

Once a certificate authority is breached, trust is completely eroded. The provider has no choice but to revoke all existing certificates and start anew, a painstaking task.

Another nasty trick hackers play is misusing genuine certificates to spread malware.


For example, intruders hacked into a server of Taiwan-based device manufacturer ASUS and used an authentic ASUS code signing certificate to sign and distribute malware to 1 million unsuspecting customers.

If bad actors get their hands on private encryption keys, they can decrypt protected information at will. That may have happened at hotel chain Marriott, where the personal data of 500 million guests — including payment card numbers — were exposed over four years. Though the card data was protected by encryption, Marriott said it “couldn’t rule out” the possibility that attackers had gained access to its encryption keys.

38% of organizations will experience a certificate authority breach in the next two years.


PONEMON INSTITUTE

The Impact of Unsecured Digital Identities - February 2019

Increasing Pressure on Developers


When combating the digital security exposure epidemic, few things are as important as securing your digital certificates and encryption keys. But security practices for protecting both are notably lax.

This is often the case for code signing certificates, which developers use to establish trust in software applications or device firmware that they build and deliver to market. In today’s competitive environment, where developers are under immense pressure to design new products and services quickly, code signing is rarely top-of-mind.

Highly skilled cybercriminals are aware of the vulnerability and are quick to take advantage of it. They can exploit code signing certificates to distribute malware, as they recently did in an attack on networking equipment manufacturer D-Link.

In some cases, it's all too easy for an attacker to exfiltrate keys or infiltrate code signing infrastructure. Only a few years ago, developers at D-Link accidentally published four private keys used to sign code in open-source firmware. In other cases, busy developers may forget to sign their code or leave certificates and keys in unsecured locations.
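The D-Link accident above, private signing keys shipped inside a firmware source package, is the kind of mistake a cheap release gate catches. As an added example, not D-Link’s code or anything from the original page, the Python script below scans a directory tree for PEM private-key blocks before an artifact is packaged, distinguishes encrypted from plaintext keys, and fails the build if any plaintext key is present. The firmware tree it scans is constructed inline with placeholder (non-functional) key bodies so the script runs offline; in CI you would point `scan_tree` at the checkout or the unpacked release archive.

```python
"""Release gate: refuse to package a source or firmware tree that contains private keys.
Scans every file for PEM private-key headers and reports whether each is encrypted.
"""
import os
import re
import tempfile

# PEM private-key headers we refuse to ship: PKCS#1 RSA, SEC1 EC, DSA, OpenSSH and PKCS#8.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
# Legacy OpenSSL PEM marks an encrypted body with this header line just below the BEGIN line.
LEGACY_ENCRYPTED_RE = re.compile(rb"Proc-Type: 4,ENCRYPTED")

def scan_bytes(data):
    """Return [(key kind, encrypted?), ...] for every PEM private key found in data."""
    findings = []
    for m in PEM_KEY_RE.finditer(data):
        kind = m.group("kind").decode()
        head = data[m.end():m.end() + 200]            # legacy headers sit right after BEGIN
        encrypted = kind.startswith("ENCRYPTED") or bool(LEGACY_ENCRYPTED_RE.search(head))
        findings.append((kind, encrypted))
    return findings

def scan_tree(root, max_bytes=5 * 1024 * 1024):
    """Walk root and return {relative path: findings} for files that contain private keys."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:   # skip large images; raise if needed
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            found = scan_bytes(data)
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report

def release_gate(report):
    """True only if no plaintext private key was found anywhere in the tree."""
    return not any(not enc for findings in report.values() for _kind, enc in findings)

def build_sample_tree():
    """Constructed sample tree (placeholder bodies, not real keys): one leaked plaintext key,
    one password-protected key, one certificate and one source file."""
    root = tempfile.mkdtemp(prefix="fw-")
    files = {
        "tools/sign/dev.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
                              b"-----END RSA PRIVATE KEY-----\n",
        "tools/sign/ci.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-256-CBC,00\n\n...placeholder...\n"
                             b"-----END RSA PRIVATE KEY-----\n",
        "certs/signer.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n"
                            b"-----END CERTIFICATE-----\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for path, findings in sorted(report.items()):
        for kind, enc in findings:
            print(f"{path}: {kind} ({'encrypted' if enc else 'PLAINTEXT'})")
    raise SystemExit(0 if release_gate(report) else 1)
```

On the sample tree the gate exits non-zero because `tools/sign/dev.key` is a plaintext key. Treating an encrypted key as acceptable is itself a judgment call: a password-protected key in a release archive is still a key the whole internet can brute-force offline, so many teams fail the build on any private key at all. The better fix is structural, keeping signing keys in an HSM or a signing service so there is nothing on a developer’s disk to leak in the first place, and running a check like this as a backstop.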

The average cost of code signing certificate and key misuse is an estimated $15 million, and there’s a 29% likelihood that organizations will experience an incident over the next two years.


PONEMON INSTITUTE

The Impact of Unsecured Digital Identities - February 2019

The Growing IoT Security Threat


Configuring and managing cryptographic technology is a specialized niche that requires expertise few IT departments have. Even those who master the discipline may struggle to keep up with fast-evolving standards.

Nowhere is this truer than in the IoT environment, where the digital realm reaches into our everyday lives — and even into our bodies, with the expanding use of connected medical devices. By 2021, there will be 25 billion internet-connected devices and appliances in use, Gartner predicts.

In addition to consumer products like smartwatches and smart thermostats, the IoT extends to office equipment, including smart printers and security cameras, which are notoriously easy to hack.


Shockingly, many of today’s IoT devices don’t just have weak security controls; they offer no cyber protection whatsoever. “The IoT is exploding, but there are tons of devices that have nothing for security,” said NIST computer scientist Kerry McKay.

Researchers have already demonstrated attacks on cars and heart pacemakers, and the IoT revolution is still in its infancy. NIST is now standardizing a new class of lightweight cryptographic algorithms for devices too constrained to run the conventional ones. Few companies are prepared to handle the growing volume of business-critical and life-critical devices and manage all their accompanying certificates.

They have neither the time nor the expertise to master the learning curve that maintaining all these new devices will require.

The cost to an organization of an unplanned outage resulting from a single expired certificate is more than $10 million


PONEMON INSTITUTE

The Impact of Unsecured Digital Identities - February 2019

Quantum Computing: A Sea Change for Encryption


Once seen as a dubious notion more akin to science fiction than technological reality, quantum computing today is advancing by leaps and bounds. A quantum computer recently developed by Google solved in 200 seconds a computation that Google estimated would take the world’s most powerful supercomputer 10,000 years to finish (an estimate IBM has disputed). Startups as well as tech behemoths are racing to develop their own versions of the technology, and some researchers believe professionals will be using quantum computing in as few as five years.


A sufficiently large, fault-tolerant quantum computer running Shor’s algorithm would break the RSA and elliptic-curve public-key algorithms on which today’s PKI depends, regardless of key size; symmetric ciphers and hash functions are weakened less and can be kept safe with longer keys. Most of today’s PKI deployments and IoT devices have lifespans that extend well beyond the time it may take to build such a machine, and encrypted traffic recorded now can be decrypted once one exists. Unless new countermeasures are deployed in time, the digital security exposure epidemic will reach epic proportions, and no system that relies on today’s public-key algorithms will be safe.

To avoid that catastrophe, cryptography experts are designing crypto-agile PKI models that can swap in new algorithms, including the post-quantum candidates NIST is standardizing, without rebuilding the infrastructure around them. The need for crypto-agility is greater than ever as the pace of technological change shifts from incremental to radical and abrupt.

"Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process.”

- Gartner, 10 Things to Get Right for Successful DevSecOps

Keeping Pace With Security Change


In the exciting environment of cloud computing, mobility, DevOps and the IoT, security is too often seen as an afterthought, even as threats multiply and hackers become more sophisticated. The result is a much broader attack surface, new and unchecked vulnerabilities, and breaches that have become both more frequent and more costly.

Modern PKI can provide the strongest and best protection available for connecting people, devices and applications, but competing priorities and slack security practices have prevented organizations from realizing its full benefits.

With IoT devices on the rise and quantum computing just around the corner, it’s time for organizations to wake up to the reality of the digital security exposure epidemic — and the imminent risks they face by maintaining the status quo.

Only by implementing strong, well-managed and agile cryptographic solutions will organizations have the tools they need to thrive in a future of constant, disruptive change.