SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
AU & NZ: An event worse than Y2K, are you protected?
Wed, 7th Sep 2016
FYI, this story is more than a year old

On January 1st, 2017, an event significantly worse than Y2K will take place.

Over time, SHA-1 has become vulnerable and in January next year, browsers such as Google Chrome and Microsoft Explorer will start rejecting SHA-1 certificates.

Cyber security company Venafi is advising Australian and New Zealand businesses to migrate to SHA-2 before the expiry date, and before it's too late.

If you're not already familiar, SHA-1 is one of several cryptographic hash functions, most often used to verify that a file has been unaltered.

Jeff Hudson, CEO of Venafi a market leading cyber security company, says the SHA-1 expiration will be 1,000 times worse than Y2K.

“People were ready and understood Y2K, even though it turned out to be a non-event,” states Hudson.

He explains that SH-1 was introduced back in 1995 but the internet was a very different place back then.

“Looking forward to now, computer power is far more advanced and SHA-1 is now known to be vulnerable to attack,” he explains.

“As technology progresses so must our security instruments,” he says.

Hudson explains that by the 1st of January, websites that haven't migrated will not be authenticated properly.

“The effect will be that websites will not be trusted and the users will be notified of that. It will look very bad to web site visitors and will do brand and reputation damage,” he says.

The cyber security CEO adds that there are three cryptographic mistakes businesses are making today.

Number one is not having viability on where their keys and certificates are located, the next is having zero automation in place to ensure certificates and keys don't expire, and the third is not having the ability to move fast enough when something goes wrong.

“Any organisation needs to ensure their network is safe, and to ensure this is happening you need to have visibility on every certificate,” explains Hudson.

“This is impossible for humans to manage, because of the sheer volume of certificates and the speed at which changes occur. It requires a platform that can provide intelligent visibility and automate the secure lifecycle,” he says.

While it's imperative that businesses migrate to SHA-2, Hudson says that it is a bit of an arduous task (but with obvious benefits).

“We are finding this is taking months for some companies. For many Venafi clients, the migration took place in a matter of days,” he says.

“SHA1 is a real threat, but people don't understand and are not ready for the repercussions of what is going to happen on January 1st 2017.