
CIOs put too much trust in TLS certificates - survey

03 Jul 2020

TLS certificates are generally seen as a way of ensuring secure communication between machines as part of an underlying system of trust – but, as with many other security systems, cybercriminals have taken advantage of this trust for their own nefarious ends.

Cybercriminals often use TLS certificates to appear legitimate, so that they may slip past security defences. These tactics can result in compromised machine identities, with financial losses predicted to be as high as US$72 billion, according to security firm Venafi.

It is something to be concerned about, according to a recent poll of chief information officers (CIOs) from Australia, France, Germany, the United Kingdom and the United States.

In the Venafi survey, 97% of polled CIOs believe they will use 10-20% more TLS machine identities over the next year, with 93% saying they have at least 10,000 active TLS certificates in their firms. A further 40% say they have more than 50,000 TLS certificates in use.

Despite the prolific use of TLS certificates within organisations, far fewer respondents (75%) are concerned about the security risks associated with TLS machine identities.

Fewer still (56%) are worried about outages and business interruptions caused by expired certificates, suggesting that CIOs are not giving TLS machine identity issues the attention they deserve.

“This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organisation,” comments Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound. The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short lived certificates that are used in the cloud, virtual and DevOps environments.”

Similar problems exist around SSL encryption. Venafi explains that attackers create malware families that use SSL-based command and control systems to avoid detection. On top of that, SSL channels have long been associated with phishing attempts and malware payload delivery.

SSL is often inherently trusted by CISOs and CIOs because they believe it is secure, when in fact it can be far from secure. This creates a major security blind spot in many organisations.
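The outage risk described above comes down to knowing which certificates exist and when they expire. The following added example (not code from Venafi or from the article) shows the core of such a check with only the Python standard library: a helper that fetches the leaf certificate a host presents, and a triage routine that sorts an inventory into expired, expiring and healthy certificates. The hostnames and expiry dates in `INVENTORY` are constructed for illustration, and `NOW` is pinned to the article's date so the result is reproducible.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory records (not real hosts). Each mirrors the dict shape
# returned by ssl.SSLSocket.getpeercert(), whose 'notAfter' string uses the
# '%b %d %H:%M:%S %Y GMT' layout that ssl.cert_time_to_seconds() parses.
INVENTORY = [
    {"host": "api.example.internal", "notAfter": "Jul  1 00:00:00 2020 GMT"},  # already expired
    {"host": "ci.example.internal", "notAfter": "Jul 20 00:00:00 2020 GMT"},   # short-lived, 17 days left
    {"host": "www.example.internal", "notAfter": "Jul  3 12:00:00 2021 GMT"},  # healthy
]

# Reference time pinned to the article date (3 Jul 2020) so the run is deterministic.
NOW = datetime(2020, 7, 3, 0, 0, tzinfo=timezone.utc)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Discovery helper: return the leaf certificate host:port presents, tagged with the host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = dict(tls.getpeercert())
    cert["host"] = host
    return cert


def days_remaining(cert, now):
    """Days until the certificate's notAfter (negative once it has expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def triage(inventory, now, warn_days=30):
    """Bucket certificates into 'expired', 'expiring' (within warn_days) and 'ok'."""
    report = {"expired": [], "expiring": [], "ok": []}
    for cert in inventory:
        left = days_remaining(cert, now)
        if left < 0:
            report["expired"].append(cert["host"])
        elif left < warn_days:
            report["expiring"].append(cert["host"])
        else:
            report["ok"].append(cert["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY, NOW).items():
        print(f"{bucket:9s} {hosts}")
```

Replacing `INVENTORY` with `[fetch_peer_cert(h) for h in hosts]` and `NOW` with `datetime.now(timezone.utc)` turns this into a live check; the warn threshold should be tightened for short-lived certificates in cloud and DevOps environments.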