Trust Online is at the Breaking Point

TRUST ONLINE IS AT THE BREAKING POINT

The trust established by cryptographic keys and digital certificates is in jeopardy


WHAT’S THE RESULT?

58% OF COMPANIES: Need to better secure and protect their keys and certificates

60% OF IT SECURITY TEAMS: Believe their organization needs to better respond to vulnerabilities involving keys and certificates

100% ATTACKED: All survey respondents reported that they have responded to attacks using keys and certificates within the last 2 years. This is a costly problem that is just getting worse.

$597M TOTAL IMPACT: Total possible impact per organization for all attacks

2015 - $597M

2013 - $398M

UP 50%

$53M RISK OF ATTACK: Over the next 2 years per organization

2015 - $53M

2013 - $35M

UP 51%

Risk = Probability of attack x total impact

WHO DID WE ASK?

2,394 RESPONDENTS: In Global 5,000 Organizations

Australia: 336
France: 339
Germany: 574
UK: 499
United States: 646

TOP 5 INDUSTRIES: Represented

Financial Services: 17%
Government: 11%
Professional Services: 8%
Consumer Products: 7%
Retail: 7%

59% OF COMPANIES: Have 5,000 or more employees

WHAT CAUSES THIS RISK?

23,922 KEYS & CERTIFICATES: On average per company, up 34% from 2013

$1000 PRICE TAG: For a stolen certificate in the underground marketplace

54% OF ORGANIZATIONS ARE UNAWARE: Most organizations do not know where all keys and certificates are located (up from 50% in 2013)

WHAT ARE THE MOST ALARMING THREATS?

CRYPTOAPOCALYPSE: The most alarming threat to security professionals in 2015 is a Cryptoapocalypse: a discovered cryptographic weakness that becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and governments to be spoofed or surveilled (the term was coined by researchers presenting their findings at Black Hat 2013). [1]

1. Stamos, Alex, et al. Preparing for the Cryptopocalypse. Black Hat USA 2013, July 2013.

GREATEST RISK
Weak cryptographic exploit: $22M
Mobility certificate misuse: $11M
Code-signing certificate misuse: $8.4M
MITM attacks: $6.5M
SSH key misuse: $3.1M
Server certificate misuse: $1.9M

LARGEST IMPACT
Mobility certificate misuse: $126M
Weak cryptographic exploit: $114M
Code-signing certificate misuse: $102M
SSH key theft: $93M
MITM attacks: $90M
Server certificate misuse: $73M

THREAT TO MOBILE LOOMS LARGE: Enterprise mobility certificates, used with WiFi, VPN, and MDM/EMM

$11M - #2 Greatest Risk

$126M - #1 Largest Impact

TRUST IS IN JEOPARDY

HALF OF IT SECURITY PROFESSIONALS BELIEVE:
• Trust established by keys and certificates is in jeopardy
• The way we create trust is broken
• Gartner is right, “Certificates can no longer be blindly trusted” [2]

2. Gartner. Maverick Research: Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned. Gartner Doc: G00238476. October 5, 2012.

4 RECOMMENDATIONS FOR SECURITY TEAMS

1. Know what’s being used: find all keys and certificates

2. Establish what should be trusted: enforce policy, automate security

3. Always know what’s trusted, what’s not: continuously monitor, check reputation for all

4. Remediate what’s not trusted: fix and replace vulnerable keys and certificates

Protecting the trust established by keys and certificates must be a security priority

Read the full report, 2015 Cost of Failed Trust Report: Venafi.com/FailedTrust

KEYS & CERTIFICATES MUST BE BETTER SECURED & PROTECTED