Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Venafi: Heartbleed has lead to the weaponisation of certificates in new security war

Allan Swann | Nov. 17, 2014
Venafi says that website certification and keys remain a critical weakness even after Heartbleed.

Another key issue is staff leaving the business or moving departments and retaining access to sysadmin passwords and logins (and thus, keys and certificates), which can then be used, either inadvertently or deliberately, to allow unauthorised access.

The simplest solution for certificates is to just replace them, or, at a more basic level, have them automatically expire and need to be renewed, perhaps even yearly. Most companies don't do this, Moskites said.

"We never change them. We don't have an asset inventory, we don't have a common way to order them, however, this is entrusted secure traffic. How do you protect something you don't know about? How do you stop any attacks if you can't detect them? There's no policy.

"Best practise is that you should have your certificates expire anyway. But no one cares, because they've just checked a box that enables a secure certificate in your environment. No policy, no control, no awareness, no audit, no audit guidelines.

"Every business, every hour, this kind of data is going out."

Gartner predicts that 50 per cent of all network attacks will come via SSL by 2017.

"This statistic was released before Heartbleed. I haven't talked to Gartner about this since, but even before Heartbleed I said 'this is not right', because more than 50 per cent are getting attacked today," she said.

The goal of the Venafi platform is about taking back control, she said. It builds inventory lists, replaces vulnerable keys, and it forces policy. It monitors, detects and alerts anomalies, and gives you complete visibility into your SSL traffic. The key advantage to her company's software is that it is certificate agnostic. Venafi does not produce any certificates of its own.

"By not being able to quickly respond, and have the awareness and availability, and the visibility into your keys and certificates, it undermines all your other security infrastructure," Moskites said.

"That goal of having trusted traffic -- it never ceases."


Previous Page  1  2 

Sign up for Computerworld eNewsletters.