sb-as logo
Story image

CIOs put too much trust in TLS certificates - survey

03 Jul 2020

TLS certificates are generally seen as a way of ensuring secure communication between machines as part of an underlying system of trust – but like many other security systems, cybercriminals have taken advantage of this trust for their own nefarious means.

Cybercriminals often use TLS certificates to appear legitimate, so that they may slip past security defences. These tactics can result in compromised machine identities, with financial losses predicted to be as high as US$72 billion, according to security firm Venafi.

It is something to be concerned about, according to a recent poll of chief information officers (CIOs) from Australia, France, Germany, the United Kingdom and the United States.

In the Venafi survey, 97% of polled CIOs believe they will use 10-20% more TLS machine identities over the next year, with 93% saying they have at least 10,000 active TLS certificates in their firms. A further 40% say they have more than 50,000 TLS certificates in use. 

Despite the prolific usage of TLS certificates within organisations, far fewer (75%) of respondents are concerned about security risks associated with TLS machine identities.

In another drop, only 56% are worried about outages and business interruptions due to expired certificates, suggesting that CIOs are not giving TLS machine identity issues the attention they deserve.

This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organisation,” comments Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound. The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short lived certificates that are used in the cloud, virtual and DevOps environments.”

Similar problems exist around SSL encryption. Venafi explains that attackers create malware families that use SSL-based command and control systems to avoid detection. On top of that, SSL channels have long been associated with phishing attempts and malware payload delivery.

Because organisations believe that SSL is often inherently trusted by CISOs and CIOs because they believe it is secure, when in fact it can be far from secure. This creates a major security spot in many organisations.