CIOs put too much trust in TLS certificates - survey

03 Jul 2020

TLS certificates are generally seen as a way of ensuring secure communication between machines as part of an underlying system of trust – but like many other security systems, cybercriminals have taken advantage of this trust for their own nefarious means.

Cybercriminals often use TLS certificates to appear legitimate, so that they may slip past security defences. These tactics can result in compromised machine identities, with financial losses predicted to be as high as US$72 billion, according to security firm Venafi.

It is something to be concerned about, according to a recent poll of chief information officers (CIOs) from Australia, France, Germany, the United Kingdom and the United States.

In the Venafi survey, 97% of polled CIOs believe they will use 10-20% more TLS machine identities over the next year, with 93% saying they have at least 10,000 active TLS certificates in their firms. A further 40% say they have more than 50,000 TLS certificates in use. 

Despite the prolific use of TLS certificates within organisations, only 75% of respondents are concerned about the security risks associated with TLS machine identities.

Fewer still, 56%, are worried about outages and business interruptions caused by expired certificates, suggesting that CIOs are not giving TLS machine identity issues the attention they deserve.

“This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organisation,” comments Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound. The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short lived certificates that are used in the cloud, virtual and DevOps environments.”
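One shape the monitoring step above can take, shown here as an added example rather than code from the article or from Venafi: a single pass over a discovered certificate inventory that flags expired certificates, certificates expiring within a warning window, and short-lived certificates that need automated rather than manual tracking. The host names, dates and thresholds are constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

type Report struct{ Expired, ExpiringSoon, ShortLived []string } // findings of one pass

// Classify flags certificates that have already expired, that expire within warn, and, independently,
// those whose whole validity is at most shortLived (cloud/DevOps certificates that rotate too fast to track by hand).
func Classify(certs []*x509.Certificate, now time.Time, warn, shortLived time.Duration) Report {
	var r Report
	for _, c := range certs {
		name := c.Subject.CommonName
		switch {
		case now.After(c.NotAfter):
			r.Expired = append(r.Expired, name)
		case c.NotAfter.Sub(now) <= warn:
			r.ExpiringSoon = append(r.ExpiringSoon, name)
		}
		if c.NotAfter.Sub(c.NotBefore) <= shortLived {
			r.ShortLived = append(r.ShortLived, name)
		}
	}
	return r
}

// entry builds a constructed record with only the fields Classify reads; a real scan would fill them via x509.ParseCertificate.
func entry(cn string, notBefore time.Time, validity time.Duration) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validity)}
}

// SampleInventory stands in for a discovery scan's output (hypothetical host names), dated relative to now.
func SampleInventory(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		entry("legacy.example.internal", now.Add(-400*24*time.Hour), 365*24*time.Hour), // expired 35 days ago
		entry("api.example.internal", now.Add(-350*24*time.Hour), 365*24*time.Hour),    // 15 days left
		entry("www.example.internal", now.Add(-30*24*time.Hour), 365*24*time.Hour),     // healthy
		entry("job-runner.example.internal", now.Add(-24*time.Hour), 7*24*time.Hour),   // short-lived, 6 days left
	}
}

func main() {
	now := time.Date(2020, 7, 3, 0, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", Classify(SampleInventory(now), now, 30*24*time.Hour, 90*24*time.Hour))
}
```

Run on a schedule against the real inventory, the ExpiringSoon list is the outage early warning and the ShortLived list identifies certificates that only an automated lifecycle can keep current.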

Similar problems exist around SSL encryption. Venafi explains that attackers create malware families that use SSL-based command and control systems to avoid detection. On top of that, SSL channels have long been associated with phishing attempts and malware payload delivery.

SSL is often inherently trusted by CISOs and CIOs because they believe it is secure, when in fact it can be far from secure. This creates a major security blind spot in many organisations.