All organizations depend on certificates for encryption, authentication and authorization—in data centers, on desktops, on mobile and IoT devices, and in the cloud. But cybercriminals, hacktivists, and nation states are keen to access the trusted status that certificates provide. These assets are particularly valuable because they allow cybercriminals to hide under the cover of encryption to accomplish a variety of nefarious tasks.
Venafi vice president of security strategy and threat intelligence, Kevin Bocek, will explore how organizations are exposed to these types of attacks at the 29th Annual FIRST Conference in San Juan, Puerto Rico on June 14. The following is a brief glimpse at some of the cyber security trends that he will discuss in a speech entitled “Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates.”
Experts say the next black market is digital certificates. But most businesses don’t fully understand how these digital assets are used by cybercriminals, hacktivists, and nation states to infiltrate and remain undetected. In addition, expired certificates can cause outages, negatively impacting reliability and availability. However, Security Operations and Incident Response teams often do not look to cryptographic keys and digital certificates as one of the core instruments for attacks or outages. Or, if they are suspected, a lack of visibility and control delays recovery.
Specifically, Kevin will share how certificates are misused in attacks and the frequency and impact of certificate-related outages—including guidance on how to use this knowledge to develop an incident response program that enables both preventive and corrective actions.
Here’s an overview of some of the ways that digital certificates are misused:
- Untrustworthy CAs: Security risks are created by untrustworthy certificate authorities (CAs), including those owned and operated by governments.
- Misuse of certificates in government communications: An investigation into Secretary Hillary Clinton’s email server, using a certificate reputation service to go back in time, showed the server did not use digital certificates and encryption for the first 3 months of her term.
- Government / law enforcement ability to demand key and certificate disclosure: Apple vs. FBI set the stage for current debates on how other countries would have dealt with a similar situation, highlighting the differences in disclosure laws.
- Certificate vulnerabilities and attacks that misuse certificates: Organizations may not realize their full exposure to threats that result from SSL/TLS vulnerabilities, such as WannaCry, DROWN and continued Heartbleed issues.
- Certificate-related outages: Recent research investigated the average downtime, number of CAs used, actual and expected certificate growth and other factors that impact certificate-related outages.
Interested in learning more? See Kevin Bocek speak at the 29th Annual FIRST Conference, June 11-16, 2017.