Trust-Based Attacks Against SSH, SSL Cost Firms Big Money: Report

How much does a breach of trust cost? Almost $400 million per organization, according to a new report looking at how organizations manage online trust with digital certificates and cryptographic keys.

“Trust-based” attacks, such as the ones against certificate authorities, stolen encryption keys, and digital certificates, can cost an organization up to $398 million per incident, according to the 2013 Annual Cost of Failed Trust Report by Ponemon Institute. The study of 2,342 Global 2000 enterprises in Australia, France, Germany, the United Kingdom, and the United States is the first extensive study of how failures in digital certificate and cryptographic key management affect organizations, according to the institute.

Organizations are not controlling trust or paying enough attention to certificate and key management, putting the entire enterprise at risk. All enterprises in the survey admitted to having suffered at least one trust-based attack as a result of poor key and certificate management. Based on the respondents’ expectations, organizations are projected to lose an average of $35 million over the next 24 months, according to the report.

The report set out to answer the question, “What are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?” Larry Ponemon, founder and chairman of Ponemon Institute Research, said in a statement.

The costs include unplanned outages, loss of productivity, brand damage, and other expenses associated with data breaches. The financial impact of these compromises was previously “unknown and unquantified,” said Venafi CEO Jeff Hudson. Venafi sponsored the report.

More than half of the companies surveyed in the report did not know how many keys and certificates they had, or where they were stored. The report estimated that enterprises have on average 17,807 keys and certificates per organization.

Organizations rely on keys and certificates to provide the bedrock of trust for all business and government activities online, and criminals are exploiting these trust mechanisms “at an alarming rate,” Ponemon said.

Attacks on trusted certificate authorities, such as impersonating trusted identities to launch man-in-the-middle attacks, cost organizations $73 million on average, the report said.

Cyber-criminals understand how poorly organizations manage their trust infrastructure, which is why they target digital certificates and SSH keys, Hudson told SecurityWeek. Nearly 18 percent said they expected attackers to target weak keys, the report found. Having weak cryptographic keys could cost an organization $125 million in a single attack.

“Cyber criminals understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management,” said Hudson.

Most people struggle with how trust works online, Hudson said. People trust someone new they meet based on a variety of factors, such as having mutual friends, sharing common interests, or other ephemeral reasons. That doesn’t really translate well to the online realm without something specific for machines to trust, Hudson noted.

“Why should my machine trust your machine?” Hudson asked. This is why certificates and keys are so important.

If trust is the “number one vulnerability,” the most targeted element must be the SSH key, Hudson said. SSH keys, used to remotely log in to servers and access cloud services such as Amazon EC2 and Microsoft Azure, present the most alarming threat to organizations at this time. Organizations are generally not good at monitoring who is using the private keys, who is generating new keys, and who those keys are being shared with, he said. Without this level of visibility, organizations cannot tell if someone has unauthorized access to the server infrastructure.
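The visibility gap Hudson describes (not knowing which keys are authorised where, or whether any are weak) is something a defender can measure directly from the authorized_keys files on a host. The following is an added example, not code from the article, Venafi or the Ponemon report: it parses authorized_keys lines, computes OpenSSH-style SHA256 fingerprints, reads the RSA modulus size out of the key blob, and flags moduli below a threshold and any one key authorised for more than one account. The sample keys are synthetic blobs constructed in the code, and `make_rsa_line`, `key_info` and `audit` are names chosen for this example.

```python
import base64
import hashlib
import struct
def _string(b): return struct.pack(">I", len(b)) + b
def _mpint(v): return _string(v.to_bytes((v.bit_length() + 8) // 8, "big"))  # adds a 0 byte when the MSB is set
def _read_string(buf, off):
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def make_rsa_line(n_bits, options=""):
    # Constructed ssh-rsa authorized_keys line whose modulus has exactly n_bits bits (synthetic filler, not a real key)
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (n_bits - 1)) | 1)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{options} {line}" if options else line

def key_info(line):
    # Parse one authorized_keys line; options (from=, command=) may precede the key type (options with spaces not handled)
    parts = line.split()
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, ktype, b64 = "", parts[0], parts[1]
    else:
        options, ktype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64)
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")  # OpenSSH fingerprint form
    bits = None
    if ktype == "ssh-rsa":  # blob layout: string "ssh-rsa", mpint e, mpint n
        _, off = _read_string(blob, 0)
        _, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    return {"type": ktype, "fingerprint": fp, "bits": bits, "options": options}

def audit(keys_by_account, min_rsa_bits=2048):
    # Returns (account, fingerprint, issue) tuples: weak RSA moduli and one key authorised for several accounts
    owners, findings = {}, []
    for account, text in keys_by_account.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            info = key_info(line)
            owners.setdefault(info["fingerprint"], set()).add(account)
            if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
                findings.append((account, info["fingerprint"], f"weak RSA modulus: {info['bits']} bits"))
    for fp, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(("*", fp, "key shared by accounts: " + ", ".join(sorted(accounts))))
    return findings
# Constructed sample: authorized_keys contents for three accounts on one host ("root" reuses deploy's key).
SAMPLE = {"deploy": make_rsa_line(1024), "alice": make_rsa_line(3072, 'from="10.0.0.0/8"'),
          "root": make_rsa_line(1024)}
```

Run over the real files (`~/.ssh/authorized_keys` for each account, collected from every host) the same `audit` call gives the per-key inventory the report says most organizations lack.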

“When trust is compromised, business stops,” Hudson said.

More than half (59 percent) of the participants said proper key and certificate management would help them regain control over their trust infrastructure.

Many organizations are moving critical applications to the cloud, but they are also making the mistake of handing over key management duties to the cloud provider. With the provider controlling the keys, the organization loses all control, Hudson said. Hudson envisioned the future of the data center as one where everything is in the cloud except for a single on-premises server that holds all the keys and certificates.

“As our world becomes more connected and more dependent on cloud and mobile technologies, maintaining control over trust by managing keys and certificates must be a top priority for all CEOs, CIOs, CISOs and IT security managers,” Hudson said.
