Venafi, the leading provider of enterprise key and certificate management (EKCM) solutions, today announced that scans performed on 450 Global 2000 companies reveal an alarming trend. On average, nearly one in five digital security certificates deployed by these organizations rely on a technology that makes them open targets for Flame-, Stuxnet- and Duqu-style malware breaches.
Digital certificates are a network security cornerstone and are deployed at enterprises of all sizes and within all industries. Their primary purpose is to facilitate safe, secure and trusted communications between servers, applications, network systems, mobile devices and humans.
Statistical data gathered by Venafi indicates that nearly all Global 2000 organizations have deployed weak, easily-hacked MD5-signed certificates in their environments. MD5 is the broken certificate-signing algorithm used by Microsoft, which allowed hackers to bypass Microsoft security and infect thousands of computers with Flame malware. Once infected, Flame was able to gather sensitive information from the targeted devices.
Enterprises need to proactively defend their global networks against breaches that result from weak security by locating and replacing all vulnerable, MD5-signed certificates. To do this, organizations can download Venafi MD5 Certificate Assessor™, an easy-to-install and cost-free software solution that scans the network to:
Scans performed on the internal and external networks of 450 Global 2000 companies were conducted with Venafi Assessor™ and Venafi Encryption Director™ 6, which are patented, Gartner Cool Vendor technologies that automatically identify weak digital certificate and encryption keys. Specifically, scans revealed:
"The risks are no longer hypothetical," said Jeff Hudson, Venafi CEO. "MD5 certificates were the open door that allowed Flame to penetrate networks and gather information. Microsoft closed their door by issuing a security patch. Your door, however, remains wide open. Intrusion detection systems, firewalls, antivirus and other security measures do not address these open doors on your network. Organizations need to take specific action immediately to remove MD5."
Said Richard Stiennon, recognized industry luminary and author of Surviving Cyber War:
"Flame may have been a state-backed attack, but it demonstrated to cybercriminals that weak digital certificates can be used to easily infect computer systems with malware that can siphon off valuable information. Yesterday, it was Middle East governments under attack; right now, it could easily be private enterprises in the U.S. Anyone who says this is not a big deal is not watching closely enough."
Said Eric Ogren, principal analyst with Ogren Group:
"Cybercriminals and are exceptionally creative, financially organized, and highly motivated to steal confidential information. Organizations focused on reducing security risk need to do all they can to close as many open doors and to change as many locks as they can. Free tools such as this one being provided by Venafi to track down weak certificates could provide an advantage in staying a step ahead of the attackers."
Wrote Andy Kellett, Senior Analyst with Ovum:
“Once again supposedly secure security MD5 certificates are being put at risk of impersonation from Flame-based malware. Even though the Flame attack methodology is well understood the problems continue because most organizations fail to maintain control over the certificates they own. Microsoft has addressed part of the problem, but more is needed as other areas remain vulnerable. Venafi’s MD5 assessment software solution can be used to help organizations identify existing certificates, determine which are at most risk, and highlight the actions needed.”
Wrote Derek Brink, vice president and research fellow for IT Security and IT GRC, Aberdeen Group:
"What should concern you (security and risk professionals) are the findings published last week by Venafi, the Utah-based solution provider of Certificate Manager, who aggregated scanning data from the networks of 450 Global 2000 companies and found that nearly 1 out of 5 (17%) certificates scanned were signed with MD5. I have written previously – see Too Trusted to Fail: Attacks on SSL Server Certificate Infrastructure (October 2011) – about the sobering topic of attacks on the global foundation of trust provided by SSL Server Certificates, and the fact that so many enterprise certificates are at risk to the MD5 vulnerability should be cause for immediate attention." Source: http://blogs.aberdeen.com/it-security/hash-with-your-certificates-bad-for-you-md5-that-is/