A group of IT security pros were asked to determine the “cost of failed trust” as it pertains to attacks targeting cryptographic keys and digital certificates, and they predicted that the average risk facing enterprises was $53 million over the next two years.
The study (PDF), released Thursday by the Ponemon Institute and underwritten by Venafi, included the responses of 2,300 individuals in Germany, France, Australia, the UK and the U.S. In the report, “risk” was defined as the possible damage of attacks occurring in any given organization looking two years ahead.
Overall, the estimated risk of attacks on keys and certs increased from the last time the survey was conducted in 2013. This year, the average risk was $53 million, up from $35 million in 2013 – a 51 percent increase. Broken down by cost, respondents believed the most costly attacks for organizations would involve misuse of mobile certificates ($126 million), weak cryptographic exploit ($114 million) and code-signing certificate misuse ($102 million).
Secure shell (SSH) key theft ($93 million), man-in-the-middle attacks ($90 million) and server certificate misuse ($73 million) also made the list.
Respondents also estimated that the total impact of an exploited enterprise mobility certificate, used with Wi-Fi, a virtual private network (VPN) or for mobile device management (MDM)/ enterprise mobility management (EMM), could cost an organization up to $126 million.
“Over the last two years, the average number of SSL/TLS and SSH keys and certificates has grown 34% to at least 23,922,” the report said. “This growth is driven from an increasing number of needs: from more focus on privacy following Edward Snowden's NSA revelations... to Google ranking sites with SSL/TLS and digital certificates more highly in its search results algorithm. As the number of keys and certificates grows, IT security teams are unable to keep up with what's trusted and what's not.”
The survey found, for instance, that 54 percent of IT security professionals didn't know where all of their keys and certificates were located. In 2013, fewer respondents (50 percent) faced the problem.
In a Thursday interview with SCMagazine.com, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said that a major concern for organizations was management of enterprise mobile certificates as the use of mobile devices in work environments continues to mushroom.
“It's an unknown territory and I think it reflects why you get this angst over it,” Bocek said. “It was high on the list of threat concerns.” He later noted that, overall (not just in the mobile environment), “all of the organizations globally had experienced at least one attack on keys and certificates.”
The report offered four straightforward recommendations for security teams: to find all keys and certificates to know what's being used, to establish what should be trusted (through policy and automated security), and to “always know what's trusted” via continuous monitoring. Finally, teams were advised to remediate security issues by fixing and replacing vulnerable keys and certs.