CIOs put too much trust in TLS certificates - survey

03 Jul 2020

TLS certificates are generally seen as a way of ensuring secure communication between machines as part of an underlying system of trust – but like many other security systems, cybercriminals have taken advantage of this trust for their own nefarious means.

Cybercriminals often use TLS certificates to appear legitimate, so that they may slip past security defences. These tactics can result in compromised machine identities, with financial losses predicted to be as high as US$72 billion, according to security firm Venafi.

It is something to be concerned about, according to a recent poll of chief information officers (CIOs) from Australia, France, Germany, the United Kingdom and the United States.

In the Venafi survey, 97% of polled CIOs believe they will use 10-20% more TLS machine identities over the next year, with 93% saying they have at least 10,000 active TLS certificates in their firms. A further 40% say they have more than 50,000 TLS certificates in use.

Despite the prolific use of TLS certificates within organisations, only 75% of respondents are concerned about security risks associated with TLS machine identities.

Likewise, only 56% are worried about outages and business interruptions due to expired certificates, suggesting that CIOs are not giving TLS machine identity issues the attention they deserve.

“This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organisation,” comments Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound. The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short lived certificates that are used in the cloud, virtual and DevOps environments.”
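The expiry monitoring Bocek describes, as an added example that is not part of the original article or Venafi's tooling: it classifies certificates in an inventory as expired, expiring or ok, and includes a verified fetch for live use. The 30-day warning threshold and the host list are assumptions.

```python
import socket
import ssl
import time

# Assumed threshold: anything expiring within 30 days is flagged as a renewal task.
WARN_DAYS = 30


def parse_not_after(value):
    """Convert a 'notAfter' string as returned by SSLSocket.getpeercert()
    (e.g. 'Jul  3 12:00:00 2021 GMT') to seconds since the epoch, UTC."""
    return ssl.cert_time_to_seconds(value)


def days_until_expiry(cert, now=None):
    """Days remaining on a certificate dict; negative means already expired."""
    now = time.time() if now is None else now
    return (parse_not_after(cert["notAfter"]) - now) / 86400.0


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Map a certificate to 'expired', 'expiring' or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with full chain and hostname verification and return the peer
    certificate dict. A cert that is already expired, untrusted or misnamed
    raises ssl.SSLCertVerificationError, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_inventory(certs_by_host, now=None):
    """Summarise {host: cert_dict} into ({host: status}, status counts)."""
    report = {host: classify(cert, now) for host, cert in certs_by_host.items()}
    counts = {"expired": 0, "expiring": 0, "ok": 0}
    for status in report.values():
        counts[status] += 1
    return report, counts


if __name__ == "__main__":
    # Assumed host list; in practice it comes from the organisation's own discovery data.
    for host in ["example.com"]:
        try:
            print(host, classify(fetch_peer_cert(host)))
        except (OSError, ssl.SSLError) as exc:
            print(host, "connection or verification failure:", exc)
```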

Similar problems exist around SSL encryption. Venafi explains that attackers create malware families that use SSL-based command and control systems to avoid detection. On top of that, SSL channels have long been associated with phishing attempts and malware payload delivery.

SSL traffic is often inherently trusted by CISOs and CIOs because they believe it is secure, when in fact it can be far from secure. This creates a major security blind spot in many organisations.