September 1, 2017 By Larry Loeb 2 min read

Digital security certificates have become a vital part of online communications. Combining cryptography with a standardized format, they have grown from simple assertions of identity to full authentication methods. But as important as they have become, security certificates remain fallible.

More Certificates, More Problems

According to a Venafi study, 79 percent of respondents suffered at least one certificate-related outage in 2016. Additionally, 38 percent suffered more than six, and 4 percent experienced 100 or more such outages last year. Unfortunately, response time is no better: 64 percent of respondents said that they were unable respond to a certificate-related security event in six hours or less.

All of this is exacerbated by the rise in the number of certificates that organizations use in their normal operations. This may be due to the increased number of devices that use corporate networks to connect to the internet. The more devices an organization has attached to its networks, the more certificates it will use.

Off Key With Certificate Management

When Venafi looked at the practices of some organizations, it was surprised to find that the average enterprise had over 16,500 unknown keys. That does not include the certificates or keys that were known to the organization — just the ones it did not realize it was responsible for.

The Venafi study also revealed that the vast majority of companies do not have control over their key and certificate inventory. Furthermore, these organizations do not use automation for the certificate renewal process. According to the study, this may be because two-thirds of companies have no existing centralized record of when their certificates will expire.

Even if a company does establish a central record of certificates, the study found that two-thirds of them use the visibility and security tools of the issuing certificate authority (CA). These tools are limited to certificates that have been issued by that CA, and there is no independent reliability check available to verify their efficacy.

The Scope of Security Certificate Struggles

Despite these concerns, Venafi vice president of security strategy Kevin Bocek remains hopeful. “The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” he said in a press release.

The scope of the problem is at once simple and complex. Protecting a certificate from operational outage is simply a matter of ensuring that the certificate is valid and that it will be renewed before it expires. But it is difficult to know what certificates are in use inside an organization. These certificates can extend from the data center to the cloud and all the way to the Internet of Things (IoT) on the edge of networks. The scale of such a task calls for an automated process to discover, issue and remediate all the keys and certificates used by a business.

Certificates can fail for very simple reasons. It is up to security teams to come up with methods to make sure those preventable reasons are avoided.

 

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today