What are the Venafi cybersecurity predictions for 2016? First, we must take a quick look at where 2015 has brought us—there were increases in both the use of encryption and in attacks on cryptographic keys and digital certificates. In 2016, we expect both of these trends to continue. What does this mean for businesses? To maintain online trust and customer confidence, keys and certificates must be safeguarded so that they can be relied upon as the foundation of online trust for secure communications, authentication, and authorization.
In 2015, encrypted traffic became mainstream. “HTTPS Everywhere” was a predominant theme, as enterprises came to realize that encrypted communications can no longer be optional; they must be the norm. The U.S. government also mandated the use of HTTPS for all publicly accessible web services by the end of 2016 to ensure the authenticity and privacy of federal websites.
As the use of encryption increased, so did the attacks that misuse cryptographic keys and digital certificates, impacting everything from airline Internet services to laptop software to government certificate authorities (CAs) to apps for your car or your fridge to Google and banking sites and more (keep an eye out for our 2015 attack summary blog post coming soon).
The reality is that with more encryption comes more opportunities for the bad guys to use keys and certificates in their attacks. According to 2015 Ponemon Institute research, the average number of keys and certificates increased by 34% since 2013 to over 23,000 per enterprise. And every organization surveyed (100%) has been attacked using compromised keys and certificates for the last 4 years running. The likelihood that in 2016 most enterprises and government agencies will fall victim to an attack on trust—one that impacts cryptographic keys and digital certificates—is very high.
We can predict with strong confidence several new threats and trends for 2016:
- With more use of encryption in 2016, we'll see more misuse of the trust provided by keys and certificates.
Ironically, Edward Snowden called for more encryption two years ago, and now the U.S. government has mandated the use of HTTPS for all publicly-accessible web services by the end of 2016. We expect the private sector to strive towards HTTPS everywhere as well. Yet, as a result, bad guys will use HTTPS to disguise their efforts and either forge or compromise certificates to mount effective attacks.
Business impact: Expanding HTTPS can create significant security gaps and operational nightmares if it is implemented incorrectly. Enterprises and government agencies will need SSL/TLS inspection to detect threats hidden in encrypted traffic, and key and certificate lifecycle management to enforce policies and workflows and prevent outages. Organizations must also be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks. If such certificates go undetected, they will damage online trust and reduce customer confidence.
- IoT ransomware will become one of the cybercriminal’s attack vectors of choice.
Billions of Internet of Things (IoT) devices are coming online—20 billion by 2020 according to Gartner—and they rely upon keys and certificates for authentication and privacy. But if not protected, these keys and certificates can be compromised and IoT devices hijacked, allowing cybercriminals to demand a ransom before returning control. This risk was made real when security researchers demonstrated during Black Hat 2015 that the GM OnStar system could be hacked, and this was followed by news of similar vulnerabilities in other car apps. Similarly, we saw vulnerabilities involving certificates in Samsung’s smart refrigerators.
Using a MITM attack, cybercriminals can easily intercept traffic between the IoT device and mother ship (enterprise network), telling the IoT device to perform a malicious action (for instance, apply brakes on a car, change plane altitude, keep a coolant valve open on a power plant, apply too much morphine to a patient, etc.). Cybercriminals can also send firmware updates to brick a device or pwn the device via a malicious update.
Business impact: Cybercriminals will take full advantage of the connected IoT world and use hijacked IoT devices to take control over entire networks for financial and other nefarious gains, using mobile devices, smart home networks, and larger connected things in the enterprise.
These threats will necessitate stronger key and certificate security and careful use of keys and certificates in business apps to protect the customers who use those apps. As these risks become better known, businesses will start to be held accountable for damage done through their apps.
- Code-signing services for malicious code will become the norm.
Signing malware code with certificates can help the malware appear trustworthy and increase the chances of fooling its victims. IBM Security’s X-Force team has been tracking malware code-signing-certificates-as-a-service on the underground. There are even malware tools that bundle in code-signing certificates.
Intel Security has tracked close to 20 million unique pieces of malicious code signed and enabled by certificates. Digital certificates used by malware are also being tracked by the Common Computing Security Standards (CCSS) Forum. Overall, signed malware has grown by 50% per quarter and we expect this to continue to increase.
Business impact: Enterprises and government agencies can no longer rely solely on security controls that are designed to blindly trust keys and certificates. They must be able to determine whether to trust a certificate and be able to block or fix a certificate when needed. Organizations also need to safeguard the integrity of their own code-signing practices to protect their certificates and their brand, and to ensure that customers continue to have faith in the authenticity of the software they offer.
- The Certificate Authority (CA) model will be broken and the value of certificates will be chipped away, resulting in diminished online trust.
More free certificates will be issued through services like “Let’s Encrypt” while CAs will continue to lose credibility as their certificates are spoofed by cybercriminals and as they issue legitimate certificates for fake websites (see Netcraft’s recent research that found fake banking websites using domain-validated SSL certificates issued by Symantec, Cloudflare, Comodo, and GoDaddy).
Business impact: The value of a certificate will not lie in its issuance cost, but in the value and reputation of the issuing CA and in the certificate’s purpose. To maintain that value, organizations must limit issuance of certificates to credible CAs and ensure the integrity and security of their certificates.
- CAs will be ranked across the user community, also adding to the lack of trust.
User communities as well as major browsers will start ranking CAs. For example, Google and Mozilla no longer acknowledge the China Internet Network Information Center (CNNIC) CA as a trusted root in their browsers, yet Apple and Microsoft still do. However, based on a Venafi survey conducted at Black Hat USA 2015, 24% of respondents said they removed CNNIC from their browsers as a trusted root, showing that user communities are starting to rank CAs themselves. And with research such as Netcraft’s revealing that multiple CAs are issuing domain-validated SSL certificates for phishing sites, there will be ample reason for user communities to flag certain CAs as untrusted.
Business impact: Businesses will need to follow suit and no longer blindly trust CAs or certificates, but instead look to their reputation. With tools like certificate reputation, whitelisting, and blacklisting, businesses can use the guidance from user communities, the major browsers, and new reputation services to better protect their organizations.
- Large security vendors will lose customers, revenue, and overall credibility because they cannot see attackers lurking in encrypted traffic.
More encryption will once again grow the attack surface and leave our adversaries with more opportunities to attack by hiding in encrypted traffic. Most enterprises won’t be able to detect APT-like attacks, and those that can detect these threats will often not remediate fully by replacing and revoking compromised keys and certificates, leaving them exposed to ongoing or future attacks.
Business impact: Enterprises will need to deploy security solutions that can decrypt and inspect traffic, both inbound and outbound, in real time. Without these capabilities they will suffer attacks that hide in encrypted traffic, have their networks and data compromised, and ultimately lose customers and revenue. Large security vendors that do not offer the ability to inspect encrypted traffic will decrease in value to their customers.
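The sections above call for three concrete controls: key and certificate lifecycle management that enforces policy and prevents outages, a reputation-style allowlist and denylist of CAs (with CNNIC as the post's example of a root some parties have dropped), and full remediation of compromised keys by revoking and replacing them rather than merely renewing. The following is an added example written for this page, not Venafi's code or a description of any Venafi product, showing how those controls can be expressed as a policy check over a certificate inventory. Every policy value, subject name and fingerprint in it is a constructed sample, and the approved/distrusted CA names and the `SHA256:PLACEHOLDER-...` fingerprint are placeholders, not real identifiers.

```python
"""
Key-and-certificate inventory policy check (added example, not Venafi code).

Models the controls the post describes: a CA allowlist and denylist,
expiry tracking to prevent outages, minimum key strength and signature
algorithm, and a list of known-compromised keys that must be revoked and
replaced rather than renewed.  All policy values and inventory records are
constructed samples; none is a real certificate or fingerprint.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy settings; an organisation would maintain its own.
APPROVED_CAS = {"ExampleTrust Root CA", "Let's Encrypt Authority X3"}
DISTRUSTED_CAS = {"CNNIC ROOT"}  # the post notes Google and Mozilla dropped CNNIC
COMPROMISED_KEY_FINGERPRINTS = {"SHA256:PLACEHOLDER-COMPROMISED-KEY"}  # placeholder
MIN_RSA_BITS = 2048
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}
EXPIRY_WARNING = timedelta(days=30)
AUDIT_DATE = date(2016, 1, 15)  # fixed so the sample run is reproducible


@dataclass
class CertRecord:
    """One inventory entry, as a network scanner or CA export might produce."""
    subject: str
    issuer: str
    not_after: date
    key_alg: str
    key_bits: int
    sig_alg: str
    key_fingerprint: str


def check_certificate(cert, today):
    """Return the list of policy findings for one certificate (empty if clean)."""
    findings = []
    if cert.issuer in DISTRUSTED_CAS:
        findings.append("issuer-distrusted")
    elif cert.issuer not in APPROVED_CAS:
        findings.append("issuer-not-approved")
    if cert.not_after < today:
        findings.append("expired")
    elif cert.not_after - today <= EXPIRY_WARNING:
        findings.append("expiring-soon")
    if cert.key_alg == "RSA" and cert.key_bits < MIN_RSA_BITS:
        findings.append("weak-key")
    if cert.sig_alg not in ALLOWED_SIG_ALGS:
        findings.append("weak-signature")
    if cert.key_fingerprint in COMPROMISED_KEY_FINGERPRINTS:
        findings.append("key-compromised")
    return findings


def remediation_action(findings):
    """Map findings to the single most urgent action for that certificate."""
    if "key-compromised" in findings or "issuer-distrusted" in findings:
        # Renewing alone would leave the attacker's copy of the key usable.
        return "revoke-and-replace"
    if any(f in findings for f in ("issuer-not-approved", "weak-key", "weak-signature")):
        return "reissue-from-approved-ca"
    if "expired" in findings or "expiring-soon" in findings:
        return "renew"
    return "none"


def audit_inventory(certs, today):
    """Return {subject: findings} for every certificate that fails policy."""
    report = {}
    for cert in certs:
        findings = check_certificate(cert, today)
        if findings:
            report[cert.subject] = findings
    return report


# Constructed sample inventory (not real hosts or certificates).
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", "ExampleTrust Root CA", AUDIT_DATE + timedelta(days=200),
               "RSA", 2048, "sha256WithRSAEncryption", "SHA256:sample-a"),
    CertRecord("api.example.com", "Let's Encrypt Authority X3", AUDIT_DATE + timedelta(days=10),
               "EC", 256, "ecdsa-with-SHA256", "SHA256:sample-b"),
    CertRecord("legacy.example.com", "ExampleTrust Root CA", AUDIT_DATE - timedelta(days=5),
               "RSA", 1024, "sha1WithRSAEncryption", "SHA256:sample-c"),
    CertRecord("vpn.example.com", "CNNIC ROOT", AUDIT_DATE + timedelta(days=400),
               "RSA", 2048, "sha256WithRSAEncryption", "SHA256:PLACEHOLDER-COMPROMISED-KEY"),
    CertRecord("shop.example.com", "Unknown Reseller CA", AUDIT_DATE + timedelta(days=90),
               "RSA", 2048, "sha256WithRSAEncryption", "SHA256:sample-d"),
]

if __name__ == "__main__":
    for subject, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{subject}: {', '.join(findings)} -> {remediation_action(findings)}")
```

The point of separating `check_certificate` from `remediation_action` is the one the post makes about incomplete remediation: an expiring certificate and a certificate whose key is known to be compromised both fail policy, but only the second must be revoked and replaced, and a workflow that treats every finding as "renew" leaves the compromised key valid. In a real deployment the inventory would come from a scanner or CA export and the fingerprint denylist from incident response, rather than being embedded as here.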
With increased use of encryption in 2016, and therefore more keys and certificates, cybercriminals will have more opportunities to carry out their attacks by hiding in encrypted traffic and conducting MITM attacks. They will also use keys and certificates to make their nefarious actions look more legitimate on phishing sites and in malware with code-signing certificates. Yet businesses can defend themselves. User communities and major browser vendors will provide guidance.
What are your main security predictions for 2016? Do you agree we’ll see more attacks on trust as more and more enterprises embrace 100% encryption?