Over the years, we have seen many instances of unprotected and poorly managed keys and certificates resulting in consequences such as a loss of customers, costly outages, failed audits and security breaches.
Several years ago, the cost of poor certificate management was categorized in a study in which the Ponemon Institute and Venafi released data on how businesses are being directly impacted by the unsecured cryptographic keys and digital certificates that result in compromised machine identities. Their joint 2015 Cost of Failed Trust Report: When Trust Online Breaks, Businesses Lose Customers reveals how unprotected and poorly managed keys and certificates can result in a loss of customers, costly outages, failed audits and security breaches.
Months before those findings came out, the Ponemon Institute and Venafi published research on how global business faces risks from attacks using cryptographic keys and digital certificates in their 2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point. That survey, which served as the basis for the second report, incorporated the responses of 2,394 IT security professionals from around the globe: 646 U.S., 499 U.K., 574 German, 339 French and 336 Australian respondents. These participants together agreed that the system of trust was at a breaking point.
Unpublished data from the survey is now included in this new report. This information shows the adverse effect that unsecured keys and certificates have on businesses around the globe.
- When trust online breaks, businesses lose customers: Nearly two-thirds (59%) admitted to losing customers because they failed to secure the online trust established by keys and certificates.
- Critical business systems are failing: Organizations reported an average of over two certificate-related unplanned outages between 2013 and 2015, with an average cost of $15 million per outage.
- Businesses are failing audits: Generally, organizations failed at least one SSL/TLS audit and at least one SSH audit between 2013 and 2015.
These certificate-related outages and failed audits are symptoms of larger security issues—if you can’t manage your keys and certificates, you can’t secure and protect them, leaving your business exposed. Criminals steal and compromise keys and certificates that are not properly protected. They then use them to circumvent security controls—to hide in encrypted traffic, steal data or even deploy malware.
That’s exactly what happened in the summer of 2018. Researchers at ESET identified a malware campaign passing along several suspicious files. Further analysis revealed that digital attackers had signed the files with a stolen D-Link Corporation code-signing certificate to evade detection and distribute Plead malware. ESET notified D-Link Corporation about the campaign; in response, the networking equipment manufacturing company revoked the certificate on July 3.
Certificate-related outages that cause critical services to go down can also spell trouble for a business. Here are some certificate-related outages that recently made news:
- HelloSign’s browsers and API integrations went offline on June 6, 2017 for nearly a half hour as a result of an expired SSL certificate, thereby preventing customers from accessing their information.
- A few months later, one of LinkedIn’s SSL certificates expired, which kept millions of users from accessing the platform. The outage also prevented those who were already logged in from navigating the website with a secure connection.
- A certificate linked to Oculus Rift devices expired in early March 2018, causing users to see a “Can't Reach Oculus Runtime Service” error when they attempted to boot up.
Looking back, the Ponemon report forecasted that these and other impacts from unprotected and poorly managed keys and certificates would continue with a security risk per organization of $53 million over the next two years and a combined availability and compliance risk of $7.2 million. This estimate demonstrates that security risk greatly outweighs availability and compliance risk.
Read the report to get an action plan to reduce these risks.
How are you reducing the risk of key and certificate misuse in your organization?
(This blog has been updated. It was originally posted by Kevin Bocek on September 29, 2015.)