
CIOs put too much trust in TLS certificates - survey

03 Jul 2020

TLS certificates are generally seen as a way of ensuring secure communication between machines as part of an underlying system of trust – but like many other security systems, cybercriminals have taken advantage of this trust for their own nefarious means.

Cybercriminals often use TLS certificates to appear legitimate, so that they may slip past security defences. These tactics can result in compromised machine identities, with financial losses predicted to be as high as US$72 billion, according to security firm Venafi.

It is something to be concerned about, according to a recent poll of chief information officers (CIOs) from Australia, France, Germany, the United Kingdom and the United States.

In the Venafi survey, 97% of polled CIOs believe they will use 10-20% more TLS machine identities over the next year, with 93% saying they have at least 10,000 active TLS certificates in their firms. A further 40% say they have more than 50,000 TLS certificates in use. 

Despite the prolific use of TLS certificates within organisations, only 75% of respondents are concerned about the security risks associated with TLS machine identities.

Similarly, only 56% are worried about outages and business interruptions due to expired certificates, suggesting that CIOs are not giving TLS machine identity issues the attention they deserve.

“This study indicates that many CIOs are likely significantly underestimating the number of TLS machine identities currently in use. As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organisation,” comments Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound. The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short-lived certificates that are used in the cloud, virtual and DevOps environments.”
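The discover-and-monitor loop Bocek describes, shown as a small stdlib-only Python tool. This is an added example written for this page; it is not code from the article or from Venafi. It assumes a 30-day expiry warning window and a 90-day "short-lived" threshold (both chosen for illustration), and the scan results and inventory it runs on are constructed sample data, not real hosts. `fetch_cert_metadata()` does a real handshake when pointed at live endpoints and returns the same dict shape that the constructed samples use.

```python
"""Discover TLS certificates, compare them with the inventory an organisation
thinks it has, and flag expired, expiring and short-lived ones (stdlib only)."""
import socket
import ssl
from datetime import datetime, timezone

# Thresholds are assumptions for this example, not figures from the survey.
EXPIRY_WARN_DAYS = 30
SHORT_LIVED_MAX_DAYS = 90


def fetch_cert_metadata(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live discovery: return the peer certificate as ssl.SSLSocket.getpeercert()
    renders it. Untrusted issuers or hostname mismatches raise ssl.SSLError so
    they surface in the scan instead of being silently skipped."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    cert["_endpoint"] = f"{host}:{port}"
    return cert


def _parse_time(value: str) -> datetime:
    # getpeercert() renders validity times like 'Jun 30 12:00:00 2020 GMT'.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def common_name(name_rdns) -> str:
    """Pull commonName out of the nested tuple structure getpeercert() uses."""
    for rdn in name_rdns:
        for key, val in rdn:
            if key == "commonName":
                return val
    return "<no CN>"


def assess(cert: dict, now: datetime) -> dict:
    """Classify one certificate by remaining validity and total lifetime."""
    not_before = _parse_time(cert["notBefore"])
    not_after = _parse_time(cert["notAfter"])
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        status = "EXPIRED"
    elif days_left <= EXPIRY_WARN_DAYS:
        status = "EXPIRING"
    else:
        status = "OK"
    return {
        "endpoint": cert.get("_endpoint", "?"),
        "subject": common_name(cert["subject"]),
        "issuer": common_name(cert["issuer"]),
        "status": status,
        "days_left": round(days_left, 1),
        # Short-lived certs rotate often, so they need automation, not calendar reminders.
        "short_lived": (not_after - not_before).days <= SHORT_LIVED_MAX_DAYS,
    }


def reconcile(discovered: list, inventory: set, now: datetime) -> dict:
    """Compare what the scan found with what the inventory claims exists."""
    results = [assess(c, now) for c in discovered]
    seen = {r["endpoint"] for r in results}
    return {
        "results": results,
        "unknown": sorted(seen - inventory),   # in use, but nobody is tracking them
        "missing": sorted(inventory - seen),   # tracked, but not answering TLS
        "expired": [r["endpoint"] for r in results if r["status"] == "EXPIRED"],
        "expiring": [r["endpoint"] for r in results if r["status"] == "EXPIRING"],
    }


def _cert(endpoint, cn, issuer, not_before, not_after) -> dict:
    # Builds a constructed record in the shape getpeercert() returns.
    return {"_endpoint": endpoint,
            "subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer),),),
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample data (hostnames and CA name are placeholders, not real systems).
NOW = datetime(2020, 7, 3, tzinfo=timezone.utc)  # the article's date, used as the clock
DISCOVERED = [
    _cert("www.example.internal:443", "www.example.internal", "Example Corp CA",
          "Jan 01 00:00:00 2020 GMT", "Dec 31 23:59:59 2020 GMT"),
    _cert("api.example.internal:443", "api.example.internal", "Example Corp CA",
          "Jun 01 00:00:00 2020 GMT", "Jul 15 00:00:00 2020 GMT"),   # short-lived, expiring soon
    _cert("legacy.example.internal:8443", "legacy", "Example Corp CA",
          "May 01 00:00:00 2019 GMT", "May 01 00:00:00 2020 GMT"),   # expired and untracked
]
INVENTORY = {"www.example.internal:443", "api.example.internal:443", "vpn.example.internal:443"}

if __name__ == "__main__":
    report = reconcile(DISCOVERED, INVENTORY, NOW)
    for r in report["results"]:
        print(f"{r['endpoint']:32} {r['status']:8} {r['days_left']:>7} days  short_lived={r['short_lived']}")
    print("unknown:", report["unknown"], "missing:", report["missing"])
```

Run on the sample data, the reconciliation surfaces exactly the two failure modes the article names: an expired certificate on an endpoint the inventory never recorded, and a short-lived certificate that will lapse within the warning window. Replacing `DISCOVERED` with the output of `fetch_cert_metadata()` over a host list turns it into a live scan.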

Similar problems exist around SSL encryption. Venafi explains that attackers create malware families that use SSL-based command and control systems to avoid detection. On top of that, SSL channels have long been associated with phishing attempts and malware payload delivery.

SSL is often inherently trusted by CISOs and CIOs because they believe it is secure, when in fact it can be far from secure. This creates a major security blind spot in many organisations.
 
