Venafi, the leading provider of enterprise key and certificate management (EKCM) solutions, today announced that scans performed on 450 Global 2000 companies reveal an alarming trend. On average, nearly one in five digital certificates deployed by these organizations is signed with MD5, the broken hash algorithm that let the Flame malware forge a certificate trusted by Windows. (Stuxnet and Duqu, the other certificate-abusing malware of the period, relied on stolen code-signing certificates rather than forged ones; that is a key-custody problem that an MD5 inventory does not by itself address.)
Digital certificates are a network security cornerstone and are deployed at enterprises of all sizes and within all industries. Their primary purpose is to facilitate safe, secure and trusted communications between servers, applications, network systems, mobile devices and humans.
Statistical data gathered by Venafi indicates that nearly all Global 2000 organizations have deployed weak, easily forged MD5-signed certificates in their environments. MD5 is a hash algorithm for which practical collisions have been known since 2004, yet Microsoft's Terminal Server Licensing Service was still issuing MD5-signed certificates that chained to a Microsoft root. Flame's authors used a chosen-prefix collision against such a certificate to obtain one that Windows accepted as Microsoft-signed, and used it to push the malware to other machines on a network through a forged Windows Update. Once a machine was infected, Flame gathered sensitive information from it.
Enterprises need to proactively defend their global networks against breaches that result from weak security by locating and replacing all vulnerable, MD5-signed certificates. To do this, organizations can download Venafi MD5 Certificate Assessor™, an easy-to-install and cost-free software solution that scans the network to:
- Identify all digital certificates deployed on the network
- Locate all MD5-signed certificates and highlight where they are
- Identify encryption keys that are out of compliance and assess their strengths and weaknesses
- Assess certificate validity periods that are creating the greatest risk
- Determine each certificate’s issuing certificate authority (CA)
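The five checks above are, in essence, what any certificate assessor does over a DER-encoded X.509 certificate: read the signature-algorithm OID, the public-key size, the validity window and the issuer name, and flag whatever is out of policy. The Python below is an added example written for this page, not Venafi's product or code. It parses DER with the standard library only, and the two certificates it scans are constructed in the file with a placeholder modulus and a dummy signature so that it runs offline; the names (`Corp Internal CA`, `licensing.corp.internal`, `Public CA`) and the 2048-bit / 825-day thresholds are assumptions chosen for illustration. It goes slightly beyond the list on the page by also checking that the inner `tbsCertificate.signature` field agrees with the outer `signatureAlgorithm`, a mismatch that is worth reporting in any inventory.

```python
"""Assess DER X.509 certificates for MD5 signatures, small RSA keys, long validity and issuer (stdlib only)."""
import datetime as dt

OID_MD5_RSA, OID_SHA256_RSA, OID_RSA, OID_CN = (
    "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3")
SIG_NAMES = {OID_MD5_RSA: "md5WithRSAEncryption", OID_SHA256_RSA: "sha256WithRSAEncryption"}

# ---- minimal DER encoder, used only to build the constructed sample input ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):  # (+8)//8 keeps a leading 0x00 byte when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        enc = [v & 0x7F]
        while v >= 0x80:
            v >>= 7
            enc.append(0x80 | (v & 0x7F))
        out += reversed(enc)
    return der(0x06, bytes(out))

# ---- minimal DER decoder ----
def children(body):
    """Split a DER body into (tag, value) pairs, handling short and long length forms."""
    out, i = [], 0
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + ln]))
        i += ln
    return out

def oid_str(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def common_name(name_body):
    for _, rdn in children(name_body):  # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid_str(oid) == OID_CN:
                return val.decode()
    return "<no CN>"

def assess(cert_der, min_key_bits=2048, max_validity_days=825):  # thresholds are policy choices
    (_, tbs), (_, sig_alg), _sig = children(children(cert_der)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # drop the explicit [0] version field
        fields = fields[1:]
    (_, _serial), (_, tbs_alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    outer_oid = oid_str(children(sig_alg)[0][1])
    inner_oid = oid_str(children(tbs_alg)[0][1])
    nb, na = (dt.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(validity))
    _, pub_bits = children(spki)[1]          # subjectPublicKey BIT STRING
    (_, rsa_seq), = children(pub_bits[1:])   # skip the unused-bits byte
    key_bits = int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()
    report = {"subject": common_name(subject), "issuer": common_name(issuer),
              "signature": SIG_NAMES.get(outer_oid, outer_oid), "key_bits": key_bits,
              "validity_days": (na - nb).days, "issues": []}
    if outer_oid == OID_MD5_RSA:
        report["issues"].append("MD5 signature: collision-broken, the Flame forgery path")
    if inner_oid != outer_oid:
        report["issues"].append("tbsCertificate.signature differs from signatureAlgorithm")
    if key_bits < min_key_bits:
        report["issues"].append(f"RSA key is only {key_bits} bits")
    if report["validity_days"] > max_validity_days:
        report["issues"].append(f"validity of {report['validity_days']} days exceeds policy")
    return report

# ---- constructed sample input: placeholder modulus, dummy signature, illustrative names ----
def build_sample(subject_cn, issuer_cn, sig_oid, key_bits, not_before, years):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der_oid(OID_CN) + der(0x0C, cn.encode()))))
    alg = lambda oid: der(0x30, der_oid(oid) + b"\x05\x00")
    utc = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    modulus = (1 << (key_bits - 1)) | 1  # right size, not a real key
    spki = der(0x30, alg(OID_RSA) + der(0x03, b"\x00" + der(0x30, der_int(modulus) + der_int(65537))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(4711) + alg(sig_oid) + name(issuer_cn)
              + der(0x30, utc(not_before) + utc(not_before.replace(year=not_before.year + years)))
              + name(subject_cn) + spki)
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" + bytes(16)))  # dummy signature bits

SAMPLES = {
    "legacy": build_sample("licensing.corp.internal", "Corp Internal CA",
                           OID_MD5_RSA, 1024, dt.datetime(2010, 1, 1), 10),
    "current": build_sample("www.corp.example", "Public CA",
                            OID_SHA256_RSA, 2048, dt.datetime(2012, 6, 1), 1),
}
```

Running `assess(SAMPLES["legacy"])` returns a report naming the issuer `Corp Internal CA`, the `md5WithRSAEncryption` signature, a 1024-bit key and a 3652-day validity with three issues, while the `current` sample comes back clean. In a real inventory the DER bytes would come from a TLS handshake, a keystore or a file scan, and the policy thresholds would come from the organization's own standard rather than the defaults chosen here.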
Global 2000 Network Scan Methodology and Findings
Scans performed on the internal and external networks of 450 Global 2000 companies were conducted with Venafi Assessor™ and Venafi Encryption Director™ 6, which are patented, Gartner Cool Vendor technologies that automatically identify weak digital certificates and encryption keys. Specifically, scans revealed:
- All networks scanned had varying levels of certificates signed with MD5
- Some had as many as 78 percent of their internal certificates signed with MD5
- Overall, 17.4 percent of scanned internal and external certificates were signed with MD5
"The risks are no longer hypothetical," said Jeff Hudson, Venafi CEO. "MD5 certificates were the open door that allowed Flame to penetrate networks and gather information. Microsoft closed their door by issuing a security patch. Your door, however, remains wide open. Intrusion detection systems, firewalls, antivirus and other security measures do not address these open doors on your network. Organizations need to take specific action immediately to remove MD5."
What the experts are saying:
Said Richard Stiennon, recognized industry luminary and author of Surviving Cyber War:
"Flame may have been a state-backed attack, but it demonstrated to cybercriminals that weak digital certificates can be used to easily infect computer systems with malware that can siphon off valuable information. Yesterday, it was Middle East governments under attack; right now, it could easily be private enterprises in the U.S. Anyone who says this is not a big deal is not watching closely enough."
Said Eric Ogren, principal analyst with Ogren Group:
"Cybercriminals are exceptionally creative, financially organized, and highly motivated to steal confidential information. Organizations focused on reducing security risk need to do all they can to close as many open doors and to change as many locks as they can. Free tools such as this one being provided by Venafi to track down weak certificates could provide an advantage in staying a step ahead of the attackers."
Wrote Andy Kellett, Senior Analyst with Ovum:
"Once again supposedly secure MD5 security certificates are being put at risk of impersonation from Flame-based malware. Even though the Flame attack methodology is well understood, the problems continue because most organizations fail to maintain control over the certificates they own. Microsoft has addressed part of the problem, but more is needed as other areas remain vulnerable. Venafi's MD5 assessment software solution can be used to help organizations identify existing certificates, determine which are at most risk, and highlight the actions needed."
Wrote Derek Brink, vice president and research fellow for IT Security and IT GRC, Aberdeen Group:
"What should concern you (security and risk professionals) are the findings published last week by Venafi, the Utah-based solution provider of Certificate Manager, who aggregated scanning data from the networks of 450 Global 2000 companies and found that nearly 1 out of 5 (17%) certificates scanned were signed with MD5. I have written previously – see Too Trusted to Fail: Attacks on SSL Server Certificate Infrastructure (October 2011) – about the sobering topic of attacks on the global foundation of trust provided by SSL Server Certificates, and the fact that so many enterprise certificates are at risk to the MD5 vulnerability should be cause for immediate attention." Source: http://blogs.aberdeen.com/it-security/hash-with-your-certificates-bad-for-you-md5-that-is/