Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Venafi: Heartbleed has lead to the weaponisation of certificates in new security war

Allan Swann | Nov. 17, 2014
Venafi says that website certification and keys remain a critical weakness even after Heartbleed.

The SSL 'handshakes' that occur between online entities when conducting transactions, the companies that certify and offer keys, and their customers, are the new targets for cybercriminals, says Venafi's CISO Tammy Moskites.

She joined the company at the beginning of this year, after roles as CIO at Time Warner and Home Depot. Venafi specialises in a newer segment of the security market that it calls 'trust protection', namely, the ability to monitors SSL traffic for anomalies and protect systems.

Moskites estimates that most companies have around 17,000 keys or certificates floating in their environment, but as much as 51 per cent of companies surveyed had no firm grasp of exact numbers.

Certificates, especially during online transactions such as internet shopping, are a foundational aspect of online retail, and have increasingly been targeted by hackers. Even encrypted data can be intercepted at this level -- where the two systems make their 'handshake'.

Moskites believes that the famous Stuxnet worm may have been spread by compromising online certificates, and major Dutch certificate authority, Diginotar, declared bankruptcy in 2011, after it was hacked and 500 fake DigiNotar certificates were found -- causing all the major Web browsers to block sites using the company's certificates.

The Heartbleed SSL catastrophe has meant that there has been a fundamental rethink with regards to security, Gartner research recently adding that 'certificates can no longer be blindly trusted".

[Update: Since the time of this story, the revelation of Microsoft's own SChannel SSL vulnerability, which dates back to Windows 95, proves the point further]

Venafi's threat centre produced a whitepaper that researched just how many companies had taken these threats seriously and taken action to protect their web facing entities.

"We found that around 387 of the global 2000 that we looked at on a regular basis had taken remediation -- that means that they replaced all of their web facing certificates. Another 1252 we found were still vulnerable," Moskites said.

The remainder is made up of entities that aren't threatened, and government entities that Venafi chooses not to reveal.

"These threats are across the board globally. There is no one specific country that is better off, or any specific type of business, such as retail. In general, you could point to any type of industry; government, public industry and private industry are all about the same."

She recommends for any managers looking to ensure best of class security for their web facing entities, they visit which has a list of 20 critical security controls you can use as benchmark guidelines to ensure they are best in class -- especially data leakage protection (DLP).

Its not just good business practise, it may be vital for any security audits your company may face.


1  2  Next Page 

Sign up for Computerworld eNewsletters.