Ponemon - Cost of Failed Trust: Threats and Attacks


Every enterprise is exposed to losing up to $400 million over two years from attacks against cryptographic keys and digital certificates—yet few enterprises are managing these critical resources, which are the foundation of trust. The “Cost of Failed Trust” on demand webinar reveals new threats and challenges, and quantifies the costs of key and certificate management security failures.

View the on-demand webinar at http://www.venafi.com/cost-of-failed-trust-webinar/?cid=70150000000noHV


Transcript

  • 1. Cost of Failed Trust: Attacks on Failed Key & Certificate Management. 30 April 2013
  • 2. Today's Learning Objectives: How is trust established? Why is trust the perfect target of attack? Are we losing control over trust? What new attack methods are criminals exploiting? How widespread are these attacks? What is the financial impact? What strategies are available to mitigate risk?
  • 3. Today's Presenters: Jeff Hudson, CEO; Larry Ponemon, Chairman & Founder
  • 4. Jeff Hudson: Poisoning Trust
  • 5. How is Trust Established?
  • 6. Reality of Establishing Trust Today
  • 7. How Do We Establish Trust? Encryption & authentication key pairs; digital certificates
  • 8. How Do We Rely On Keys & Certificates?
  • 9. Rise of Advanced Persistent Threats: 100% of attacks involved compromised credentials. Keys and certificates used as poison: dozens of rogue certificates identified; untold number of keys and certificates stolen or misused
  • 10. Keys and Certificates Poisoned: Encryption & authentication key pairs; digital certificates
  • 11. APT Target Recipe: Lack of visibility; inability to respond
  • 12. APT Target Recipe: Lack of visibility; inability to respond. No awareness, no monitoring, no detection, no controls, no response. Digital certificates, encryption & authentication key pairs, SSH keys
  • 13. 2010-2011: Storm Clouds Form. Duqu & Stuxnet proved that misusing keys and certificates is effective in enabling attacks
  • 14. 2011-2012: Dangerous Waves. Attackers target Certificate Authorities: Comodo, DigiNotar, DigiCert, TurkTrust, and probably more not reported…
  • 15. 2013: All-out Attack. Criminals attacking trust at will: Buster banking malware on the loose in Brazil; Texas certificate signs Java malware in Germany; 35+ Korean developer certificates enable aerospace attacks; new attacks being reported every week
  • 16. Microsoft Sounds the Alarm: "PKI is under attack" (Scott Charney, Microsoft, at RSA 2013)
  • 17. Are We Losing Control? How many keys & certificates? How widespread are attacks? What attacks do we expect? What's the financial impact? What's the most alarming attack? What strategies can help?
  • 18. Dr. Larry Ponemon: Cost of Failed Trust
  • 19. Cost of Failed Trust Research: First-ever primary research to measure and quantify the impact of attacks on failed key and certificate management. Download now at venafi.com/ponemon
  • 20. About the Ponemon Institute: Founded in 2002; leaders in privacy and IT security research; perform global primary research; promote thought leadership with the Responsible Information Management Council. Presenting the Cost of Failed Trust research at RSA 2013 in San Francisco
  • 21. A Global Perspective: 67% of respondents are from organizations with over 10,000 employees
  • 22. How Big Is the Challenge? Average number of server keys and certificates in a Global 2000 organization: 17,807
  • 23. Do We Have Control Over Trust? 51% don't know how many keys and certificates are in use by their organization
  • 24. Investigating the Financial Impact: How do you evaluate the cost of a new emerging threat? Possible costs (incident response, lost productivity, lost revenue, brand damage) × expected attack rate (how many attacks in the next 24 months) = RISK
  • 25. Trust Exploits Investigated: CA compromise, SSH attacks, key theft, weak crypto
  • 26. What's the Size of the Problem?
  • 27. Attack Rates. Attacks over the last 24 months / expected attacks in the next 24 months: weak crypto exploit 1.3 / 18%; server key theft 0.4 / 5%; CA compromise 1.1 / 7%; SSH attacks 0.3 / 3%
  • 28. Risk for Every Organization. Attacks over the last 24 months / expected attacks in the next 24 months / quantified risk over the next 24 months: weak crypto exploit 1.3 / 18% / $22M; server key theft 0.4 / 5% / $6.7M; CA compromise 1.1 / 7% / $4.8M; SSH attacks 0.3 / 3% / $2.0M
  • 29. What Attack Is Most Alarming? #1 most alarming key & certificate management threat: SSH, critical for establishing trust and control in the cloud
  • 30. How Could We Do a Better Job? 59% say that getting key and certificate management right first solves the security, operations, and compliance problems of using encryption
  • 31. Jeff Hudson: Saving Trust
  • 32. Would You Allow This Today? No visibility: 17,000+ open ports, but not sure. No control: can't set policies or respond to attacks
  • 33. Poison on Your Network? No visibility: 17,000+ keys and certificates, but not sure. No control: can't set policies or respond to attacks
  • 34. Would You Allow This Today? No visibility: 17,000+ user IDs and passwords, but not sure. No control: can't set policies or respond to attacks
  • 35. Poison on Your Network? No visibility: 17,000+ user IDs and passwords, but not sure. No control: can't set policies or respond to attacks
  • 36. Strategies to Regain Control
  • 37. A Strategy to Save Trust: Automate; report & audit; establish policy; discover assets; analyze for insight; connect people. Gain visibility, reduce risk, establish control
  • 38. Suggested Resources: NIST's "Preparing for and Responding to CA Compromise" (venafi.com/NIST); "Key & Certificate Management Best Practices" (venafi.com/best-practices/)
  • 39. Cost of Failed Trust Research: First-ever primary research to measure and quantify the impact of attacks on failed key and certificate management. Download now at venafi.com/ponemon
  • 40. Q&A
  • 41. Download your copy of the Cost of Failed Trust research at venafi.com/ponemon. Thank You