Ponemon - Cost of Failed Trust: Threats and Attacks

Every enterprise is exposed to losing up to $400 million over two years from attacks against cryptographic keys and digital certificates—yet few enterprises are managing these critical resources, which are the foundation of trust. The “Cost of Failed Trust” on demand webinar reveals new threats and challenges, and quantifies the costs of key and certificate management security failures.

View the on-demand webinar at http://www.venafi.com/cost-of-failed-trust-webinar/?cid=70150000000noHV

Published in: News & Politics

Ponemon - Cost of Failed Trust: Threats and Attacks

  1. Cost of Failed Trust: Attacks on Failed Key & Certificate Management. 30 April 2013
  2. Today's Learning Objectives
     - How is trust established? Why is trust the perfect target of attack?
     - Are we losing control over trust?
     - What new attack methods are criminals exploiting?
     - How widespread are these attacks? What is the financial impact?
     - What strategies are available to mitigate risk?
  3. Today's Presenters: Jeff Hudson, CEO; Larry Ponemon, Chairman & Founder
  4. Jeff Hudson: Poisoning Trust
  5. How is Trust Established?
  6. Reality of Establishing Trust Today
  7. How Do We Establish Trust? Encryption & authentication key pairs; digital certificates
  8. How Do We Rely On Keys & Certificates?
  9. Rise of Advanced Persistent Threats
     - 100% of attacks involved compromised credentials
     - Keys and certificates used as poison
       - Dozens of rogue certificates identified
       - Untold number of keys and certificates stolen or misused
  10. Keys and Certificates Poisoned: encryption & authentication key pairs; digital certificates
  11. APT Target Recipe: lack of visibility; inability to respond
  12. APT Target Recipe
     - Lack of visibility: no awareness, no monitoring, no detection
     - Inability to respond: no controls, no response
     - Assets at risk: digital certificates, encryption & authentication key pairs, SSH keys
  13. 2010-2011: Storm Clouds Form. Duqu & Stuxnet proved misusing keys and certificates effective in enabling attacks
  14. 2011-2012: Dangerous Waves. Attackers target Certificate Authorities:
     ✘ Comodo
     ✘ DigiNotar
     ✘ DigiCert
     ✘ TurkTrust
     - And probably more not reported…
  15. 2013: All-out Attack. Criminals attacking trust at will:
     ✘ Buster banking malware on the loose in Brazil
     ✘ Texas certificate signs Java malware in Germany
     ✘ 35+ Korean developer certificates enable aerospace attacks
     ✘ New attacks being reported every week
  16. Microsoft Sounds the Alarm: "PKI is under attack" (Scott Charney, Microsoft, at RSA 2013)
  17. Are We Losing Control? How many keys & certificates? How widespread are attacks? What attacks do we expect? What's the financial impact? What's the most alarming attack? What strategies can help?
  18. Dr. Larry Ponemon: Cost of Failed Trust
  19. Cost of Failed Trust Research: first-ever primary research to measure and quantify the impact of attacks on failed key and certificate management. Download now @ venafi.com/ponemon
  20. About the Ponemon Institute
     - Founded in 2002
     - Leaders in privacy and IT security research
     - Perform global primary research
     - Promote thought leadership with the Responsible Information Management Council
     Presenting Cost of Failed Trust research at RSA 2013 in San Francisco
  21. A Global Perspective: 67% from organizations with over 10,000 employees
  22. How Big Is the Challenge? Average number of server keys and certificates in a Global 2000 organization: 17,807
  23. Do We Have Control Over Trust? 51% don't know how many keys and certificates are in use by their organization
  24. Investigating the Financial Impact. How do you evaluate the cost of a new, emerging threat?
     Possible costs (incident response, lost productivity, lost revenue, brand damage)
     X expected attack rate (how many attacks in the next 24 months)
     = RISK
  25. Trust Exploits Investigated: CA compromise; SSH attacks; key theft; weak crypto
  26. What's the Size of The Problem?
  27. Attack Rates
                                          Weak crypto exploit   Server key theft   CA compromise   SSH attacks
     Attacks over last 24 months          1.3                   0.4                1.1             0.3
     Expected attacks in next 24 months   18%                   5%                 7%              3%
  28. Risk for Every Organization
                                          Weak crypto exploit   Server key theft   CA compromise   SSH attacks
     Attacks over last 24 months          1.3                   0.4                1.1             0.3
     Expected attacks in next 24 months   18%                   5%                 7%              3%
     Quantified risk over next 24 months  $22M                  $6.7M              $4.8M           $2.0M
  29. What Attack Is Most Alarming? #1 most alarming key & certificate management threat: SSH. Critical for establishing trust and control in the cloud
  30. How Could We Do a Better Job? 59%: getting key and certificate management right first solves security, operations, and compliance problems of using encryption
  31. Jeff Hudson: Saving Trust
  32. Would You Allow This Today? No visibility: 17,000+ open ports, but not sure. No control: can't set policies, respond to attacks
  33. Poison on Your Network? No visibility: 17,000+ keys and certificates, but not sure. No control: can't set policies, respond to attacks
  34. Would You Allow This Today? No visibility: 17,000+ userids and passwords, but not sure. No control: can't set policies, respond to attacks
  35. Poison on Your Network? No visibility: 17,000+ userids and passwords, but not sure. No control: can't set policies, respond to attacks
  36. Strategies to Regain Control
  37. A Strategy to Save Trust: automate; report & audit; establish policy; discover assets; analyze for insight; connect people. Gain visibility, reduce risk, establish control
  38. Suggested Resources
     - NIST's "Preparing for & Responding to CA Compromise": venafi.com/NIST
     - "Key & Certificate Management Best Practices": venafi.com/best-practices/
  39. Cost of Failed Trust Research: first-ever primary research to measure and quantify the impact of attacks on failed key and certificate management. Download now @ venafi.com/ponemon
  40. Q&A
  41. Download your copy of the Cost of Failed Trust research at venafi.com/ponemon. Thank You