Unmanaged Cryptographic Keys and Certificates Pose Significant Risk

By Eric Noonan • March 11, 2016

Venafi, a product vendor for Internet Security, recently revealed results from a global survey of CIOs that believe security defenses are less effective and that they expect to suffer from an attack.  The underlying issue, according to Venafi, is due to the prevalence of unprotected and unmanaged cryptographic keys and digital certificates.  CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses,” effectively trusting keys and certificates without being able to differentiate between trusted and compromised keys.

Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will come from encrypted traffic, bypassing controls put in place to stop attacks.   This prediction means that tools like IDS, behavior-anomaly detection, next-generation firewalls will only function at about 50% capacity, letting through half of the attacks.   Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said: “they lack policy enforcement and remediation for keys and certificates.”

While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.

3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates

1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located.  Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program.  Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.

2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable.  An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on.  The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.

3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented.  Metrics should be collected to get an idea of what is normal behavior and what is not.  Suspicious activity or suspected key compromise should be reported and investigated.

While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks coming over SSL/TLS are a real concern (as evidenced by the Heartbleed bug).  The survey, which was conducted by an independent market research company, provides some important data on the health of cryptographic key management across industries, according to respondent CIO’s.  Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps to combating these evolving attacks designed to evade your perimeter defenses using the same techniques used to protect your sensitive data.

Did You Like This Post?  

Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.

CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO