Security Experts:

Trust-Based Attacks Against SSH, SSL Cost Firms Big Money: Report

How much does a breach of trust cost? Almost $400 million per organization, according to a new report looking at how organizations manage online trust with digital certificates and cryptographic keys.

"Trust-based" attacks, such as the ones against certificate authorities, stolen encryption keys, and digital certificates, can cost an organization up to $398 million per incident, according to the 2013 Annual Cost of Failed Trust Report by Ponemon Institute. The study of 2,342 Global 2000 enterprises in Australia, France, Germany, the United Kingdom, and the United States is the first extensive study of how failures in digital certificate and cryptographic key management affect organizations, according to the institute.

Encryption KeysOrganizations are not controlling trust and paying enough attention to certificate and key management, putting the entire enterprise at risk. All enterprises in the survey admitted to having suffered at least one trust-based attack as a result of poor key and certificate management. Based on the respondents' expectations, organizations are projected to lose an average of $35 million over the next 24 months, according to the report.

The report set out to answer the question, "What are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?" Larry Ponemon, founder and chairman of Ponemon Institute Research, said in a statement.

The costs include unplanned outages, loss of productivity, brand damage, and other expenses associated with data breaches. The financial impact of these compromises were previously "unknown and unquantified," said Venafi CEO Jeff Hudson. Venafi sponsored the report.

More than half of the companies surveyed in the report did not know how many keys and certificates they had, or where they were stored. The report estimated that enterprises have on average 17,807 keys and certificates per organization.

Organizations rely on keys and certificates to provide the bedrock of trust for all business and government activities online, and criminals are exploiting these trust mechanisms "at an alarming rate," Ponemon said.

Attacks on trusted certificate authorities, such as impersonating trusted identities to launch man-in-the-middle attacks, cost organizations $73 million on average, the report said.

Cyber-criminals understand how poorly organizations manage their trust infrastructure, which is why they target digital certificates and SSH keys, Hudson told SecurityWeek. Nearly 18 percent said they expected attackers to target weak keys, the report found. Having weak cryptographic keys could cost an organization $125 million in a single attack.

“Cyber criminals understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management," said Hudson.

Most people struggle with how trust works online, Hudson said. People trust someone new they meet based on a variety of factors, such as having mutual friends, sharing common interests, or other ephemeral reasons. That doesn't really translate well to the online realm without something specific for machines to trust, Hudson noted.

"Why should my machine trust your machine?" Hudson asked. This is why certificates and keys are so important.

If trust is the "number one vulnerability," the most targeted element must be the SSH key, Hudson said. SSH keys, used to remotely log in to servers and access cloud services such as Amazon EC2 and Microsoft Azure, present the most alarming threat to organizations at this time. Organizations are generally not good at monitoring who is using the private keys, who is generating new keys, and who those keys are being shared with, he said. Without this level of visibility, organizations cannot tell if someone has unauthorized access to the server infrastructure.

"When trust is compromised, business stops," Hudson said.

More than half, or 59 percent of the participants said proper key and certificate management would help them regain control over their trust infrastructure.

Many organizations are moving critical applications to the cloud, but they are also making the mistake of handing over the key management duties to the cloud provider. With the provider controlling the keys, the organization loses all control, Hudson said. Hudson envisioned the future of the data center as one where everything was in the cloud, except for one sole server kept on-premise which contained all the keys and certificates.

"As our world becomes more connected and more dependent on cloud and mobile technologies, maintaining control over trust by managing keys and certificates must be a top priority for all CEOs, CIOs, CISOs and IT security managers," Hudson said.

Subscribe to the SecurityWeek Email Briefing
view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.
view counter