
A Custom Technology Adoption Profile Commissioned By Venafi

Attacks On Trust: The Cybercriminals' New Weapon


July 2013
The Keys That Open The Doors To The Kingdom for Cybercriminals
The trust established by cryptographic keys and certificates is critical to enabling just about every electronic interaction and process that businesses and governments rely on today. Much like a nation's currency, people who use these keys and certificates need to trust their value if they're to be accepted and facilitate transactions. Yet this trust can easily be exploited. Cybercriminals have identified keys and certificates as a weak spot for many organizations today; by abusing them, cybercriminals can become trusted users on your networks, in your clouds, or on mobile devices, evading a multitude of technical controls and gaining undetected access.

In 2013, we're seeing cybercriminals accelerate the exploitation of keys and certificates to steal data or enable other attacks against victims. We've seen several high-profile cases that point to the magnitude and seriousness of this threat. Recently, rogue Microsoft digital certificates allowed Flame malware to make its way past Windows controls.[1] This year, attackers gained access to security firm Bit9's trusted certificate and used it to sign malware.[2] Google also discovered an unauthorized certificate impersonating Google.com for a man-in-the-middle attack.[3] Cybercriminals are also known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property.[4]

Failing To Secure And Protect Keys And Certificates Puts Your Enterprise At Risk
Attackers are targeting keys and certificates to get to your data. Personally identifiable information (PII) of customers and intellectual property (IP) are the two most common data types compromised in a breach (see Figure 1). Globally, the cost of a data breach currently averages $136 per compromised record; in the US, this figure averages $194 per compromised record.[5] Yet today, enterprises are lacking when it comes to addressing security and control over their keys and certificates. Consider that:

Data security investments don't adequately address trust-based attacks. Data security is a hot area of investment today, taking up roughly 16% of the security budget within very large enterprises (see Figure 2). Much of the spending and attention for data security goes toward encryption and data loss prevention (DLP). Currently, only 39% of organizations have invested in centralized key and certificate management (see Figure 3). While it's promising to note that 13% indicate plans to invest, this still leaves a very large gap between the pressing need to better secure and protect keys and certificates and the actual ability of many enterprises to do so. This gap creates a situation that is every attacker's dream: 1) the enterprise has no visibility into the problem, and 2) the enterprise has no controls to respond to an attack. Basically, the enterprise is a sitting duck.

Next-generation security solutions only address a portion of the threat. Solutions for advanced persistent threat (APT) detection/prevention are top of mind and very important for 61% of enterprises as a part of their security strategy today (see Figure 4). Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates, which can give an attacker trusted status that evades detection.

Forrester Consulting
Attacks On Trust: The Cybercriminals' New Weapon
Page 2
Enterprise awareness of attacks on keys and certificates is in its infancy; most don't understand how to detect or respond to an attack. Headlines about attacks on keys and certificates have 60% of firms asking if their organization is susceptible to such an attack, while 44% indicate they have already experienced such an attack (see Figure 5). In addition, 57% of firms indicate that key and certificate management is very important for their security strategy, which is promising to note. Yet the average enterprise is unlikely to have an incident response plan for an attack on keys and certificates. For example, NIST SP 800-61 Rev. 2 is considered the guidebook for incident response, but it doesn't offer guidance on key and certificate attacks.[6] In 2012, the National Institute of Standards and Technology (NIST) Information Technology Laboratory did publish high-level guidance in its ITL Bulletin for July 2012 on how best to prepare for and respond to a certificate authority compromise, but this has not yet been incorporated into NIST's incident response standards.[7] For a typical enterprise, it can take days to resolve and recover from an attack. This doesn't count the elapsed time between when the attack actually occurred and the time of discovery, which could be months.

The risk created by this gap wouldn't be tolerated elsewhere today. No CISO would accept having tens of thousands of unknown network ports open with no way to control them. But that's the alarming reality today with regard to the trust established by keys and certificates that every government and business depends on. There is simply a lack of visibility and control over the hundreds and thousands of keys and certificates responsible for creating the confidence and security in today's modern world that we've all taken for granted.
Figure 1
PII And IP Are The Two Most Commonly Compromised Types Of Data In A Breach

Base: 154 US and European IT security decision-makers from firms with 10,000 or more employees
Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.
Figure 2
Data Security Takes Up One Of The Largest Pieces Of The Security Budget Pie

Base: 200 US and European IT security decision-makers from firms with 10,000 or more employees
Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.
Figure 3
Although Enterprises Are Investing In Data Security, They Put Themselves At Risk By Neglecting Key And Certificate Management

Base: 178 US and European IT security decision-makers from firms with 10,000 or more employees
Source: Forrsights Security Survey, Q2 2012, Forrester Research, Inc.
Figure 4
Advanced Persistent Threat Detection/Prevention Is Top Of Mind, But Key And Certificate Management Is Not Far Behind

Base: 100 US and European IT security decision-makers from firms with 10,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013
Figure 5
Sixty Percent Of Firms Wonder If They Are Susceptible To An Attack On Their Keys And Certificates; 44% Have Been Attacked

Base: 100 US and European IT security decision-makers at firms with more than 10,000 employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013
As Trust-Based Attacks Escalate, Enterprises Must Close The Gap
The floodgates have been opened. Cybercriminals see the promise of trust-based attacks using compromised keys and certificates. As these attacks escalate, enterprises must be ready: close the gap between understanding this risk and implementing the necessary controls to mitigate it. Enterprises can achieve this if they:

Gain visibility into threats. Only about half (52%) of organizations know how many keys and certificates are in use, what they're used for, and who is responsible for them.[8] You can't control what you don't know you have.

Enforce policy to establish norms and detect anomalies. Once an organization has gained visibility, it can begin to enforce policies and establish a norm. This makes detecting anomalies easier, whether they're accidental policy violations by a well-intentioned developer or a malicious attack.

Automate key and certificate functions to gain control and reduce risk. A typical large enterprise has thousands of keys and certificates to secure and protect. Work smarter, not harder, by automating security for processes like key generation, certificate requests, monitoring for changes and anomalies, and other related tasks. This automation not only streamlines and centralizes the process but also helps to establish the control needed to reduce risk, shrink the attack surface, and help the organization respond to attacks faster. It is also part of establishing a norm that can be monitored for possible anomalies and attacks.

Analyze data to gain intelligence. Analysis of data gained from securing keys and certificates will provide a wealth of information and insight that can help to identify opportunities to reduce risk. By looking at the data generated, firms can spot patterns of potentially suspicious activity or anomalies that require further investigation. It may also help identify keys and certificates that are problematic, such as those that are about to expire or are no longer needed.
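The visibility, policy and analysis steps above can be combined into a small inventory audit. The following Python is an added example and is not part of the Forrester/Venafi report or any Venafi product: the record fields, the constructed sample inventory, and the policy thresholds (an approved-issuer list, a 2048-bit RSA minimum, a 30-day expiry warning window, a 90-day "not seen" threshold) are assumptions chosen for illustration. It flags certificates that violate the established norm, those about to expire or apparently unused, and, separately, certificates observed on the network that the inventory does not know about at all.

```python
"""Key and certificate inventory audit (added example, not from the report).

Assumption: each inventory record is a dict produced by whatever discovery
tooling an organization uses; field names and thresholds are illustrative.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: what a discovery scan might record per certificate.
SAMPLE_INVENTORY = [
    {"fingerprint": "aa11", "subject": "www.example.com", "issuer": "Example Corp Issuing CA",
     "key_algo": "RSA", "key_bits": 2048, "not_after": "2013-12-01T00:00:00Z",
     "owner": "web-team", "last_seen": "2013-07-10T00:00:00Z"},
    {"fingerprint": "bb22", "subject": "legacy.example.com", "issuer": "Example Corp Issuing CA",
     "key_algo": "RSA", "key_bits": 1024, "not_after": "2013-07-20T00:00:00Z",
     "owner": None, "last_seen": "2013-03-01T00:00:00Z"},
    {"fingerprint": "cc33", "subject": "build.example.com", "issuer": "Unknown Test CA",
     "key_algo": "RSA", "key_bits": 2048, "not_after": "2015-01-01T00:00:00Z",
     "owner": "ci-team", "last_seen": "2013-07-11T00:00:00Z"},
]

# Illustrative policy ("the norm"); a real deployment would load this from configuration.
DEFAULT_POLICY = {
    "approved_issuers": {"Example Corp Issuing CA"},
    "min_rsa_bits": 2048,
    "expiry_warning_days": 30,
    "stale_after_days": 90,
}


def _as_datetime(value):
    """Accept an ISO-8601 UTC string ('2013-07-12T00:00:00Z') or an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_record(rec, policy, now):
    """Return the list of policy findings for one certificate record (empty if compliant)."""
    findings = []
    if rec["issuer"] not in policy["approved_issuers"]:
        findings.append("UNAPPROVED_ISSUER")      # issued outside the sanctioned PKI
    if rec["key_algo"] == "RSA" and rec["key_bits"] < policy["min_rsa_bits"]:
        findings.append("WEAK_KEY")
    not_after = _as_datetime(rec["not_after"])
    if not_after <= now:
        findings.append("EXPIRED")
    elif not_after - now <= timedelta(days=policy["expiry_warning_days"]):
        findings.append("EXPIRING_SOON")
    if not rec.get("owner"):
        findings.append("NO_OWNER")               # nobody accountable for renewal or revocation
    if now - _as_datetime(rec["last_seen"]) > timedelta(days=policy["stale_after_days"]):
        findings.append("POSSIBLY_UNUSED")        # candidate for retirement
    return findings


def audit_inventory(inventory, policy=None, now=None):
    """Map fingerprint -> findings for every record; `now` defaults to the current UTC time."""
    policy = policy or DEFAULT_POLICY
    now = _as_datetime(now) if now else datetime.now(timezone.utc)
    return {rec["fingerprint"]: audit_record(rec, policy, now) for rec in inventory}


def find_unknown(observed_fingerprints, inventory):
    """Certificates seen on the network but absent from the inventory: a visibility gap."""
    known = {rec["fingerprint"] for rec in inventory}
    return sorted(set(observed_fingerprints) - known)


def count_findings(report):
    """Aggregate findings by type, the kind of summary used to prioritise remediation."""
    return dict(Counter(code for findings in report.values() for code in findings))


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, now="2013-07-12T00:00:00Z")
    for fp, findings in report.items():
        print(fp, findings or ["OK"])
    print("summary:", count_findings(report))
    # "dd44" is a constructed fingerprint standing in for a certificate found by a scan.
    print("unknown:", find_unknown(["aa11", "dd44"], SAMPLE_INVENTORY))
```

Running the audit on the sample inventory flags the legacy certificate on four counts (weak key, expiring within 30 days, no owner, not seen for over 90 days), flags the build certificate for its unapproved issuer, and reports the scanned-but-uninventoried fingerprint as a visibility gap; the fixed `now` keeps the result reproducible, and omitting it audits against the current time.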
As cloud services and user mobility increase, there will be new and expanding use cases for cryptographic keys and digital certificates. With this increased dependency, the attack surface of every government and business also increases. Much of your company's value will be protected by these keys and certificates. Your future, the trust in and control over your cloud services, mobile devices, and data, depends upon how you secure keys and certificates.

Methodology
This Technology Adoption Profile was commissioned by Venafi. To create this profile, Forrester leveraged its Forrsights Security Survey, Q2 2012. Forrester Consulting supplemented this data with custom survey questions asked of 37 US, 33 German, and 30 UK IT security decision-makers at firms with more than 10,000 employees. Survey respondents included decision-makers specifically involved in strategy, implementation, or management of encryption keys and digital certificates. Respondents were asked survey questions regarding current security solutions, threats to and incidents involving IT security, and details related to their organization's deployment of keys, certificates, and crypto technologies. The auxiliary custom survey was conducted in June 2013. For more information on Forrester's data panel and Tech Industry Consulting services, visit www.forrester.com.
Appendix A: Endnotes

[1] Source: Kelly Jackson Higgins, "Flame Burns Microsoft With Digital Certificate Hack," Dark Reading, June 4, 2012 (http://www.darkreading.com/attacks-breaches/flame-burns-microsoft-with-digital-certi/240001452).
[2] Source: John E. Dunn, "Bit9 customers attacked after firm fails to protect its own digital certificate," Techworld, February 9, 2013 (http://news.techworld.com/security/3425282/bit9-customers-attacked-after-firm-fails-to-protect-its-own-digital-certificate/).
[3] Source: Kim Zetter, "Google Discovers Fraudulent Digital Certificate Issued for Its Domain," Wired.com, January 3, 2013 (http://www.wired.com/threatlevel/2013/01/google-fraudulent-certificate/).
[4] Source: John Leyden, "Hackers break into FreeBSD with stolen SSH key," The Register, November 20, 2012 (http://www.theregister.co.uk/2012/11/20/freebsd_breach/).
[5] Source: "Data Breach Trends & Stats," In Defense of Data (http://www.indefenseofdata.com/data-breach-trends-stats/).
[6] Source: "Computer Security Incident Handling Guide," NIST (http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736).
[7] Source: Paul Turner, William Polk, and Elaine Barker, "ITL Bulletin For July 2012," NIST (http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf).
[8] Source: A commissioned study conducted by Forrester Consulting on behalf of Venafi, June 2013.
About Forrester Consulting
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.