

A Custom Technology Adoption Profile Commissioned By Venafi

Attacks On Trust: The Cybercriminal’s New Weapon

July 2013

The Keys That Open The Doors To The Kingdom for Cybercriminals

The trust established by cryptographic keys and certificates is critical to enabling just about every electronic interaction and process that businesses and governments rely on today. Much like a nation’s currency, people who use these keys and certificates need to trust their value if they’re to be accepted and facilitate transactions. Yet, this trust can easily be exploited. Cybercriminals have identified keys and certificates as a weak spot for many organizations today; cybercriminals can become trusted users on your networks, in your clouds, or on mobile devices, evading a multitude of technical controls and gaining undetected access.

In 2013, we’re seeing cybercriminals accelerate the exploitation of keys and certificates to steal data or enable other attacks against victims. We’ve seen several high-profile cases that point to the magnitude and seriousness of this threat. Recently, rogue Microsoft digital certificates allowed Flame malware to make its way past Windows controls.[1] This year, attackers gained access to security firm Bit9’s trusted certificate and used it to sign malware.[2] Google also discovered an unauthorized certificate impersonating Google.com for a man-in-the-middle attack.[3] Cybercriminals are also known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property.[4]

Failing To Secure And Protect Keys And Certificates Puts Your Enterprise At Risk

Attackers are targeting keys and certificates to get to your data. Personally identifiable information of customers and intellectual property are the two most common data types compromised in a breach (see Figure 1). Globally, the cost of a data breach currently averages $136 per compromised record; in the US, this figure averages $194 per compromised record.[5] Yet today, enterprises are lacking when it comes to addressing security and control over their keys and certificates. Consider that:

• Data security investments don’t adequately address trust-based attacks. Data security is a hot area of investment today, taking up roughly 16% of the security budget within very large enterprises (see Figure 2). Much of the spending and attention for data security goes toward encryption and DLP. Currently, only 39% of organizations have invested in centralized key and certificate management (see Figure 3). However, while it’s promising to note that 13% indicate plans to invest, this still leaves a very large gap between the pressing need to better secure and protect keys and certificates and the actual ability of many enterprises to do so. This gap enables a situation that is every attacker’s dream: 1) The enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.

• Next-generation security solutions only address a portion of the threat. Solutions for advanced persistent threat (APT) detection/prevention are top of mind and very important for 61% of enterprises as a part of their security strategy today (see Figure 4). Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.


Forrester Consulting

Attacks On Trust: The Cybercriminal’s New Weapon

Page 2

• Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack. Headlines about attacks on keys and certificates have 60% of firms asking if their organization is susceptible to such an attack, while 44% indicate they have already experienced such an attack (see Figure 5). In addition, 57% of firms indicate that key and certificate management is very important for their security strategy, which is promising to note. Yet, your average enterprise is unlikely to have an incident response plan for an attack on keys and certificates. For example, NIST 800-61 Rev 2 is considered the guidebook for incident response, but it doesn’t offer guidance on key and certificate attacks.[6] In 2012, the National Institute of Standards and Technology (NIST) Information Technology Laboratory did publish high-level guidance in its ITL Bulletin for July 2012 on how best to prepare and respond to a certificate authority compromise, but this has not yet been incorporated into NIST’s incident response standards.[7] For a typical enterprise, it can take days to resolve and recover from an attack. This doesn’t count the elapsed time between when the attack actually occurred and the time of discovery, which could be months.

The risk established by this gap wouldn’t be tolerated elsewhere today. No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regard to the trust established by keys and certificates that every government and business depends on. There is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today’s modern world that we’ve all taken for granted.

Figure 1

PII And IP Are The Two Most Commonly Compromised Types Of Data In A Breach

Base: 154 US and European IT security decision-makers from firms with 10,000 or more employees

Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.


Figure 2

Data Security Takes Up One Of The Largest Pieces Of The Security Budget Pie

Base: 200 US and European IT security decision-makers from firms with 10,000 or more employees

Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.


Figure 3

Although Enterprises Are Investing In Data Security, They Put Themselves At Risk By Neglecting Key And Certificate Management

Base: 178 US and European IT security decision-makers from firms with 10,000 or more employees

Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.

Figure 4

Advanced Persistent Threat Detection/Prevention Is Top Of Mind, But Key And Certificate Management Is Not Far Behind

Base: 100 US and European IT security decision-makers from firms with 10,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013


Figure 5

Sixty Percent Of Firms Wonder If They Are Susceptible To An Attack On Their Keys And Certificates; 44% Have Been Attacked

Base: 100 US and European IT security decision-makers at firms with more than 10,000 employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013

As Trust-Based Attacks Escalate, Enterprises Must Close The Gap

The floodgates have been opened. Cybercriminals see the promise of trust-based attacks using compromised keys and certificates. As these attacks escalate, enterprises must be ready. Close the gap between understanding this risk and implementing the necessary controls to mitigate the risk. Enterprises can achieve this if they:

• Gain visibility into threats. Only about half (52%) of organizations know how many keys and certificates are in use, what they’re used for, and who is responsible for them.[8] You can’t control what you don’t know you have.

• Enforce policy to establish norms and detect anomalies. Once an organization has gained visibility, it can begin to enforce policies and establish a norm. This makes detecting anomalies easier, whether they’re accidental policy violations by a well-intentioned developer or a malicious attack.

• Automate key and certificate functions to gain control and reduce risk. A typical large enterprise has thousands of keys and certificates to secure and protect. Work smarter, not harder, by automating security for processes like key generation, certificate requests, monitoring for changes and anomalies, and other related tasks. This automation not only streamlines and centralizes this process, but helps to establish the necessary control to reduce risk, shrink the threat surface of attack, and help the organization respond to attacks faster. This is also part of establishing a norm that can be monitored for possible anomalies and attacks.

• Analyze data to gain intelligence. Analysis of data gained from securing keys and certificates will provide a wealth of information and insight that can help to identify opportunities to reduce risk. By looking at the data generated, firms can spot patterns of potentially suspicious activity or anomalies that require further investigation. It may also help identify keys and certificates that may be problematic, such as those that are about to expire or are no longer needed.
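The "enforce policy / detect anomalies" and "analyze data" practices above reduce, at their smallest, to an audit over an inventory. The script below is an added example written for this page; it is not code from the Forrester report or from any Venafi product. It checks a constructed certificate inventory (hostnames, issuers, key sizes and dates are all made up) against an assumed policy, flagging certificates from an unapproved issuer, weak keys, expired or soon-expiring certificates, and certificates not seen in use for a long time. It then audits a constructed SSH authorized_keys file against a baseline of approved key fingerprints, so a trusted key that was added outside the norm stands out. The Policy thresholds, the CSV schema and the approved-issuer name are assumptions, not values from the page.

```python
"""Key and certificate inventory audit (added example, not from the Forrester report).

Two audits over constructed sample data:
  1. a certificate inventory checked against a policy (approved issuers,
     minimum key size, expiry window, unused certificates), and
  2. an SSH authorized_keys file checked against a baseline of approved
     key fingerprints, so an unapproved trusted key stands out.
"""
from __future__ import annotations

import base64
import csv
import hashlib
import io
import shlex
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory: hostnames, issuers and dates are made up.
INVENTORY_CSV = """\
host,subject_cn,issuer,key_bits,not_after,last_seen
web1.example.test,www.example.test,Corp Internal CA,2048,2013-07-20,2013-07-01
web2.example.test,api.example.test,Corp Internal CA,1024,2014-03-01,2013-07-01
dev7.example.test,dev7.example.test,Unknown Issuer,2048,2015-01-01,2013-07-01
old1.example.test,legacy.example.test,Corp Internal CA,2048,2014-06-30,2012-11-02
exp1.example.test,portal.example.test,Corp Internal CA,2048,2013-06-15,2013-06-10
ok1.example.test,mail.example.test,Corp Internal CA,2048,2014-12-31,2013-06-28
"""

# Constructed authorized_keys content; the key blobs are fake but valid base64.
AUTHORIZED_KEYS = """\
# deploy account
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDALICE alice@corp
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCIBOT ci-bot@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXTRA1 xtra@nowhere
"""

TODAY = date(2013, 7, 1)  # audit date fixed so the example is reproducible


@dataclass(frozen=True)
class Policy:
    """Thresholds a real deployment would set per organization (assumed values)."""
    approved_issuers: frozenset[str]
    min_key_bits: int = 2048
    expiry_warning_days: int = 30
    unused_after_days: int = 180


POLICY = Policy(approved_issuers=frozenset({"Corp Internal CA"}))


def audit_certificates(inventory_csv: str, policy: Policy, today: date) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for every policy violation in the inventory."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        not_after = date.fromisoformat(row["not_after"])
        last_seen = date.fromisoformat(row["last_seen"])
        if row["issuer"] not in policy.approved_issuers:
            findings.append((host, "unapproved-issuer"))  # unexpected trust anchor
        if int(row["key_bits"]) < policy.min_key_bits:
            findings.append((host, "weak-key"))
        if not_after < today:
            findings.append((host, "expired"))
        elif not_after - today <= timedelta(days=policy.expiry_warning_days):
            findings.append((host, "expiring"))
        if today - last_seen > timedelta(days=policy.unused_after_days):
            findings.append((host, "unused"))  # candidate for retirement
    return findings


KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[tuple[str, str, str]]:
    """Return (key_type, blob, comment) per entry; tolerates option prefixes and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values as one token
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return entries


def audit_authorized_keys(text: str, approved: set[str]) -> list[tuple[str, str]]:
    """Return (fingerprint, comment) for every key not in the approved baseline."""
    return [(fingerprint(blob), comment)
            for _, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in approved]


# Baseline of approved SSH keys, stored as fingerprints (constructed here).
APPROVED_SSH = {fingerprint("AAAAB3NzaC1yc2EAAAADAQABAAABAQDALICE"),
                fingerprint("AAAAB3NzaC1yc2EAAAADAQABAAABAQDCIBOT")}

if __name__ == "__main__":
    for host, finding in audit_certificates(INVENTORY_CSV, POLICY, TODAY):
        print(f"{host:20} {finding}")
    for fp, comment in audit_authorized_keys(AUTHORIZED_KEYS, APPROVED_SSH):
        print(f"unapproved ssh key {fp} ({comment})")
```

On the sample data the certificate audit reports five findings (one each for web1, web2, dev7, old1 and exp1) and nothing for ok1, and the SSH audit reports only the xtra@nowhere key. Storing the baseline as fingerprints rather than raw blobs mirrors how ssh-keygen -lf identifies keys, so the same baseline can be compared against keys collected from many hosts.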

As cloud services and user mobility increase, there will be new and expanding use cases for cryptographic keys and digital certificates. With this increased dependency, the surface area of attack for every government and business also increases. Much of your company’s value will be protected by these keys and certificates. Your future — the trust in and control over your cloud services, mobile devices, and data — depends on how you secure keys and certificates.


Methodology

This Technology Adoption Profile was commissioned by Venafi. To create this profile, Forrester leveraged its Forrsights Security Survey, Q2 2012. Forrester Consulting supplemented this data with custom survey questions asked of 37 US, 33 German, and 30 UK IT security decision-makers at firms with more than 10,000 employees. Survey respondents included decision-makers specifically involved in strategy, implementation, or management of encryption keys and digital certificates. Respondents were asked survey questions regarding current security solutions, threats to and incidents involving IT security, and details related to their organizations’ deployment of keys, certificates, and crypto technologies. The auxiliary custom survey was conducted in June, 2013. For more information on Forrester’s data panel and Tech Industry Consulting services, visit www.forrester.com.

Appendix A: Endnotes

[1] Source: Kelly Jackson Higgins, “Flame Burns Microsoft With Digital Certificate Hack,” Dark Reading, June 4, 2012 (http://www.darkreading.com/attacks-breaches/flame-burns-microsoft-with-digital-certi/240001452).
[2] Source: John E. Dunn, “Bit9 customers attacked after firm fails to protect its own digital certificate,” Techworld, February 9, 2013 (http://news.techworld.com/security/3425282/bit9-customers-attacked-after-firm-fails-to-protect-its-own-digital-certificate/).
[3] Source: Kim Zetter, “Google Discovers Fraudulent Digital Certificate Issued for Its Domain,” Wired.com, January 3, 2013 (http://www.wired.com/threatlevel/2013/01/google-fraudulent-certificate/).
[4] Source: John Leyden, “Hackers break into FreeBSD with stolen SSH key,” The Register, November 20, 2012 (http://www.theregister.co.uk/2012/11/20/freebsd_breach/).
[5] Source: “Data Breach Trends & Stats,” In Defense of Data (http://www.indefenseofdata.com/data-breach-trends-stats/).
[6] Source: Computer Security Incident Handling Guide (http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736).
[7] Source: Paul Turner, William Polk, and Elaine Barker, “ITL Bulletin For July 2012,” NIST (http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf).
[8] Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013.

About Forrester Consulting

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.

[1-M6GXL2]