2012 Risk Audit Survey Findings
Enterprise Key and Certificate Management (EKCM)
February, 2012

© 2012 Venafi Proprietary and Confidential
2012 EKCM Audit and Best Practices: Key Players

    • Survey, analysis, potential risks and best practices developed in conjunction with Osterman Research

    Michael Osterman – President and founder of Osterman Research
    Osterman Research is a leading analyst firm with expertise in research and survey methodology, providing analysis, white papers and other services.

    Jeff Hudson, CEO of Venafi
    Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi solutions manage digital certificates and SSH, symmetric and asymmetric keys.
Survey Methodology

    Methodology

    Venafi and Osterman Research surveyed more than 174 IT and Infosecurity professionals
Survey Results

    Unquantified and Unmanaged Risks

    • 54% acknowledge having an inaccurate or incomplete inventory of their SSL certificate population.

    • 44% admit their digital certificates are manually managed with spreadsheets and reminder notes.
Survey Results

    Operational Risks

    • 46% of respondents cannot generate a report to discover how many currently deployed SSL/digital certificates will expire during the next 30 days.

    • 70% do not have a certificate management system integrated with their directory; such integration allows for automatic notification escalations in the case of non-response to notification.
Survey Results

    Security Risks

    43% of respondents do not have a centralized corporate policy mandating:

    • Specific encryption-key
        – strengths
        – lengths
    • Validity periods
    • Private-key management
        – rotation
        – separation of duties

    Lack of policies and/or the ability to enforce them creates security vulnerabilities
Survey Results

    Audit and Compliance Risks

    • 54% do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment.

    • 62% do not have an automated process for ensuring compliance of corporate policies.
Survey Results

    Certificate Authority (CA) Compromise Risk

    • 72% do not have an automated process to replace compromised certificates if the Certificate Authority in use is compromised.
Authentication and Encryption Needs Expanding

    [Figure: applications and data at the center, with mobile and cloud expanding the scope of authentication and encryption]

    Lack of knowledge is increasing

    Requirement for key management is accelerating
Industry Best Practices for Remediation

     1. Educate all stakeholders on the seriousness of certificate breaches and related problems.

     2. Clearly articulate the role and use cases of encryption in security.

     3. Define and make easily accessible clear encryption certificate and key-management policies, processes and procedures.
Best Practices Continued

     4. Implement a central inventory and monitoring system; identify owners for each asset; ensure notifications are sent regarding impending expiration, errors and other issues.

     5. Replace manual steps in the lifecycle management of certificates and keys with automation.

     6. Dedicate sufficient staff to manage the implementation and maintenance of central encryption-key and certificate-management policies and technologies.
Venafi Assessor™
Risk Self Diagnosis

      • Do you know where all the digital certificates are deployed on your network and who installed them?
      • Do you know when they are going to expire?
      • Do you separate access to public and private keys for system access?
      • Do all your encryption keys and certificates conform to policy?
      • How long would it take you to replace all your certificates?

     If target organizations cannot answer these questions they are going to experience a breach, an outage, or will fail an audit.
Quantify Your Risks

     • Where are all of our SSL certificates installed?
     • Which Certificate Authority(ies) issued these certificates?
     • How many certificates do we have?
     • What algorithms are in use?
     • What encryption key length is being used?
     • What date will certificates expire?
     • Are we in compliance?
Venafi Assessor™
     • What is Assessor?
        –   Customer downloadable software
        –   Ready to run
        –   Fast and easy
        –   Scans to find certificates and keys
        –   Quantifies the certificate and key population present
        –   12 reports that identify type and severity of risks

     • Installation and operation
        –   Runs in a virtual machine
        –   Preconfigured, no special expertise required
        –   Doesn’t modify environment
        –   Doesn’t “phone home”

     • Assessor is available on February 22
        – www.venafi.com/Assessor
Getting Accurate Certificate Data
     Three Easy Steps

     1. Download and deploy Assessor
     2. Enter addresses and run discovery
     3. View detailed reports
What’s in Your Environment?

     Turn Assumptions into Hard Data
          – Number of manageable certificates
          – Issuing certificate authorities
          – Expiration dates
          – Certificate validity periods
          – Key lengths
          – Signing algorithms

     Assessor reports include industry best-practice recommendations for remediation of the issues discovered

     Ignorance of the situation surrounding a critical security mechanism must be resolved
Certificate Days to Expiration
     Sample Assessor-generated Report

     Rapid assessment of downtime risk due to expiring certificates
Certificate Validity Periods
     Sample Assessor-generated Report

     Administrators turn over every year.

     Validity periods >1 year create significant security risk.
Issuing Certificate Authorities
     Sample Assessor-generated Report

     Unauthorized CAs create security and operational risk
Encryption Key Lengths
     Sample Assessor-generated Report

     Weak keys open the risk of an attacker deriving the key.

     NIST now stipulates a 2048-bit length
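Added example, not Venafi's code and not what Assessor runs: a Python policy check over a constructed certificate inventory that produces the four sample reports above (days to expiration, validity period, issuing CA, key length) together with the 30-day expiration list from the Operational Risks slide and the replacement list from the CA Compromise Risk slide. The approved-CA list, the weak signature algorithm set and the inventory records are assumptions; the 30-day window, the >1 year validity rule and the 2048-bit minimum are the values the slides state.

```python
from collections import Counter
from datetime import date

# Policy thresholds. The 30-day expiration window, the ">1 year validity"
# risk and the 2048-bit NIST minimum are the values stated on the slides.
NOTIFY_WINDOW_DAYS = 30
MAX_VALIDITY_DAYS = 366          # one year, allowing for a leap day
MIN_KEY_BITS = 2048
# Assumption: the CAs this organization authorizes to issue its certificates.
APPROVED_CAS = {"Corp Internal CA G2", "Example Public CA"}
# Assumption: signature algorithms the organization's policy treats as weak.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

# Constructed inventory records, shaped like the output of a discovery scan.
INVENTORY = [
    {"host": "www.example.test", "issuer": "Example Public CA",
     "not_before": date(2011, 3, 1), "not_after": date(2012, 3, 1),
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    {"host": "mail.example.test", "issuer": "Corp Internal CA G2",
     "not_before": date(2009, 1, 15), "not_after": date(2014, 1, 15),
     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"},
    {"host": "legacy.example.test", "issuer": "Old Internal CA",
     "not_before": date(2010, 6, 1), "not_after": date(2011, 6, 1),
     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"},
    {"host": "api.example.test", "issuer": "Example Public CA",
     "not_before": date(2011, 9, 1), "not_after": date(2012, 9, 1),
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    {"host": "dev.example.test", "issuer": "Self-signed (dev.example.test)",
     "not_before": date(2011, 2, 1), "not_after": date(2021, 2, 1),
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
]
TODAY = date(2012, 2, 15)        # fixed "as of" date so the results are reproducible


def days_to_expiration(cert, today=TODAY):
    """Negative when the certificate has already expired."""
    return (cert["not_after"] - today).days


def validity_days(cert):
    return (cert["not_after"] - cert["not_before"]).days


def assess(cert, today=TODAY):
    """Policy findings for one certificate; an empty list means compliant."""
    findings = []
    remaining = days_to_expiration(cert, today)
    if remaining < 0:
        findings.append("expired")
    elif remaining <= NOTIFY_WINDOW_DAYS:
        findings.append("expires_within_30_days")
    if validity_days(cert) > MAX_VALIDITY_DAYS:
        findings.append("validity_over_1_year")
    if cert["key_bits"] < MIN_KEY_BITS:
        findings.append("weak_key_length")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        findings.append("weak_signature_algorithm")
    if cert["issuer"] not in APPROVED_CAS:
        findings.append("unauthorized_ca")
    return findings


def expiring_within(certs, days=NOTIFY_WINDOW_DAYS, today=TODAY):
    """The 'expiring in the next N days' report (Operational Risks slide)."""
    return sorted(c["host"] for c in certs
                  if 0 <= days_to_expiration(c, today) <= days)


def issuing_ca_report(certs):
    """Certificate count per issuer; issuers outside APPROVED_CAS are the
    'unauthorized CA' finding on the Issuing Certificate Authorities report."""
    return dict(Counter(c["issuer"] for c in certs))


def replacement_list_for_compromised_ca(certs, ca_name):
    """Hosts whose certificates must be replaced if ca_name is compromised
    (the CA Compromise Risk slide)."""
    return sorted(c["host"] for c in certs if c["issuer"] == ca_name)


def summary(certs, today=TODAY):
    """Totals an auditor asks for: population size and count per finding."""
    per_finding = Counter()
    for cert in certs:
        per_finding.update(assess(cert, today))
    return {"total_certificates": len(certs), **per_finding}


if __name__ == "__main__":
    for cert in INVENTORY:
        print(f"{cert['host']:<22} {days_to_expiration(cert):>6}d  {assess(cert)}")
    print("expiring within 30 days:", expiring_within(INVENTORY))
    print("issuers:", issuing_ca_report(INVENTORY))
    print("summary:", summary(INVENTORY))
```

Swapping the constructed records for the output of a real discovery scan (hostname, issuer, validity dates, key size, signature algorithm) is all that is needed to run the same checks on a live inventory.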
Discussion

How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Venafi 2012 risk audit survey findings

  • 1. 2012 Risk Audit Survey Findings: Enterprise Key and Certificate Management (EKCM). February 2012. © 2012 Venafi Proprietary and Confidential
  • 2. 2012 EKCM Audit and Best Practices: Key Players. Survey, analysis, potential risks and best practices developed in conjunction with Osterman Research. Michael Osterman, President and founder of Osterman Research: Osterman Research is a leading analyst firm with expertise in research and survey methodology, providing analysis, white papers and other services. Jeff Hudson, CEO of Venafi: Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi solutions manage digital certificates and SSH, symmetric and asymmetric keys.
  • 3. Survey Methodology. Venafi and Osterman Research surveyed more than 174 IT and infosecurity professionals.
  • 4. Survey Results, Unquantified and Unmanaged Risks. 54% acknowledge having an inaccurate or incomplete inventory of their SSL certificate population. 44% admit their digital certificates are manually managed with spreadsheets and reminder notes.
  • 5. Survey Results, Operational Risks. 46% of respondents cannot generate a report to discover how many currently deployed SSL/digital certificates will expire during the next 30 days. 70% do not have a certificate management system integrated with their directory; such integration allows for automatic notification escalations in the case of non-response to a notification.
  • 6. Survey Results, Security Risks. 43% of respondents do not have a centralized corporate policy mandating specific encryption-key strengths and lengths, validity periods, and private-key management (rotation, separation of duties). Lack of policies, or of the ability to enforce them, creates security vulnerabilities.
  • 7. Survey Results, Audit and Compliance Risks. 54% do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment. 62% do not have an automated process for ensuring compliance with corporate policies.
  • 8. Survey Results, Certificate Authority (CA) Compromise Risk. 72% do not have an automated process to replace compromised certificates if the Certificate Authority in use is compromised.
  • 9. Authentication and Encryption Needs (diagram). Expanding mobile, cloud, applications and data; lack of knowledge is increasing; the requirement for key management is accelerating.
  • 10. Industry Best Practices for Remediation. 1. Educate all stakeholders on the seriousness of certificate breaches and related problems. 2. Clearly articulate the role and use cases of encryption in security. 3. Define and make easily accessible clear encryption certificate and key-management policies, processes and procedures.
  • 11. Best Practices Continued. 4. Implement a central inventory and monitoring system; identify owners for each asset; ensure notifications are sent regarding impending expiration, errors and other issues. 5. Replace manual steps in the lifecycle management of certificates and keys with automation. 6. Dedicate sufficient staff to manage the implementation and maintenance of central encryption-key and certificate-management policies and technologies.
  • 12. Venafi Assessor™ (section title)
  • 13. Risk Self Diagnosis. Do you know where all the digital certificates are deployed on your network and who installed them? Do you know when they are going to expire? Do you separate access to public and private keys for system access? Do all your encryption keys and certificates conform to policy? How long would it take you to replace all your certificates? If target organizations cannot answer these questions they are going to experience a breach or an outage, or will fail an audit.
  • 14. Quantify Your Risks. Which Certificate Authority(ies) issued these certificates? Where are all of our SSL certificates installed? How many certificates do we have? What algorithms are in use? What encryption key length is being used? What date will certificates expire? Are we in compliance?
  • 15. Venafi Assessor™. What is Assessor? Customer-downloadable software; ready to run; fast and easy; scans to find certificates and keys; quantifies the certificate and key population present; 12 reports that identify the type and severity of risks. Installation and operation: runs in a virtual machine; preconfigured, no special expertise required; doesn't modify the environment; doesn't "phone home". Assessor is available on February 22: www.venafi.com/Assessor
  • 16. Getting Accurate Certificate Data, Three Easy Steps. 1. Download and deploy Assessor. 2. Enter addresses and run discovery. 3. View detailed reports.
  • 17. What's in Your Environment? Turn assumptions into hard data: number of manageable certificates; issuing certificate authorities; expiration dates; certificate validity periods; key lengths; signing algorithms. Assessor reports include industry best-practice recommendations for remediation of the issues discovered. Ignorance of the situation surrounding a critical security mechanism must be resolved.
  • 18. Certificate Days to Expiration (sample Assessor-generated report). Rapid assessment of downtime risk due to expiring certificates.
  • 19. Certificate Validity Periods (sample Assessor-generated report). Administrators turn over every year; validity periods longer than one year create significant security risk.
  • 20. Issuing Certificate Authorities (sample Assessor-generated report). Unauthorized CAs create security and operational risk.
  • 21. Encryption Key Lengths (sample Assessor-generated report). Weak keys open the risk of an attacker deriving the private key; NIST now stipulates a 2048-bit minimum for RSA keys (SP 800-131A deprecates 1024-bit keys).
  • 22. Discussion
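As an added worked example (not part of the Venafi deck, and not Assessor's own code), the following Go program reproduces the three steps of slide 16 and the four sample reports of slides 18 to 21 end to end: it discovers the leaf certificate of an address with a TLS handshake, then scores it against the deck's thresholds. The thresholds (the 30-day expiry window of slide 5, the one-year maximum validity of slide 19, the 2048-bit RSA minimum of slide 21, and an approved-issuer list for slide 20), the hostnames and the issuer names are all assumptions; the certificates are constructed in-process and served on loopback listeners so the program runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds and approved-issuer list are assumptions read off the deck; the CA name is demo data.
const expiryWarnDays, maxValidityDays, minRSABits = 30, 365, 2048
var approvedIssuers = map[string]bool{"Corp Issuing CA": true}

// Finding is one row of the inventory report for a discovered certificate.
type Finding struct {
	Subject, Issuer, SigAlg             string
	KeyBits, DaysToExpiry, ValidityDays int
	Issues                              []string
}

func must(err error) { if err != nil { panic(err) } }

// Assess turns one parsed certificate into a Finding, recording every policy breach in Issues.
func Assess(cert *x509.Certificate, now time.Time) Finding {
	f := Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName, SigAlg: cert.SignatureAlgorithm.String(),
		DaysToExpiry: int(cert.NotAfter.Sub(now).Hours() / 24), ValidityDays: int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)}
	flag := func(format string, a ...any) { f.Issues = append(f.Issues, fmt.Sprintf(format, a...)) }
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if f.KeyBits = pub.N.BitLen(); f.KeyBits < minRSABits {
			flag("RSA key %d bits, policy minimum %d", f.KeyBits, minRSABits)
		}
	}
	if f.DaysToExpiry <= expiryWarnDays { // negative means already expired
		flag("expires in %d days", f.DaysToExpiry)
	}
	if f.ValidityDays > maxValidityDays {
		flag("validity %d days exceeds %d", f.ValidityDays, maxValidityDays)
	}
	if !approvedIssuers[f.Issuer] {
		flag("issuer not approved: %s", f.Issuer)
	}
	return f
}

// Discover is the "run discovery" step: a TLS handshake with addr, chain verification off so that untrusted or expired certificates are still recorded rather than dropped.
func Discover(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// constructedCert is demo data, not real PKI: a self-signed cert that carries the given
// issuer name, obtained by signing against a parent template holding only that Subject.
func constructedCert(cn, issuer string, bits int, notBefore time.Time, days int) tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	must(err)
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}, &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}, &key.PublicKey, key)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// DemoReport serves four constructed certificates, one per report slide (18 to 21), on throwaway loopback
// listeners and scans each like a remote host. Pass base in whole seconds: X.509 stores none finer.
func DemoReport(base time.Time) (report []Finding) {
	for _, c := range []tls.Certificate{
		constructedCert("pay.example.test", "Corp Issuing CA", 2048, base.AddDate(0, 0, -355), 365), // 10 days left
		constructedCert("vpn.example.test", "Corp Issuing CA", 1024, base, 365),                     // weak key
		constructedCert("sso.example.test", "Corp Issuing CA", 2048, base, 1095),                    // 3-year validity
		constructedCert("dev.example.test", "Self-Service CA", 2048, base, 365),                     // unapproved CA
	} {
		ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{c}})
		must(err)
		go func() { // answer one handshake, then hang up
			if conn, err := ln.Accept(); err == nil {
				conn.(*tls.Conn).Handshake()
				conn.Close()
			}
		}()
		leaf, err := Discover(ln.Addr().String())
		ln.Close()
		must(err)
		report = append(report, Assess(leaf, base))
	}
	return
}

func main() {
	fmt.Printf("%+v\n", DemoReport(time.Now().UTC().Truncate(time.Second)))
}
```

Run it with `go run`; each of the four findings carries exactly one issue, matching the four report slides. To scan real hosts, feed `Discover` a list of host:443 addresses instead of the loopback listeners. `InsecureSkipVerify` is right for inventory only: it must never be copied into a client that relies on the certificate for trust.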

Editor's Notes

  1. Mike
  2. 2011 has been the year of third-party trust compromises, as hackers and hacktivists go after the highest-value targets. This translates into five CA compromises, including Comodo and DigiNotar. Great messaging opportunities, and the market is now more aware of the risk. Of course big guys like Verisign said they were too big to fail and be compromised, but look at RSA, another provider of third-party trust. Year of good coverage from the press and analyst communities. Worked cross-functionally to make this happen with many departments. Recent report from Gartner is their first in the certificate management space and first to acknowledge the risks of poorly managed certificate management. Nice that they set the threshold at 200 certs. Ready to launch a full campaign to leverage their recommendations, as a demand tool.
  3. Branding?
  4. CISO –Chief Information Security Officer
  5. Not an MPG player and iPod