2015 Cost of Failed Trust Report: Trust Online is at the Breaking Point

The Ponemon Institute’s 2015 Cost of Failed Trust Report reveals that most organizations believe the trust established by cryptographic keys and digital certificates, which they require for their businesses to operate, is in jeopardy.

Underwritten by Venafi

Executive Summary

The 2015 Cost of Failed Trust Report presents research from Ponemon Institute, underwritten by Venafi, conducted with the help of 2,300 IT security professionals in Australia, France, Germany, the U.K., and the U.S.

The world’s economy is built on the flow, sharing, and processing of data. Before the Internet could power the global economy, trusting data to be authentic, private, and unaltered was both a core requirement and an insurmountable barrier. The solution was the use of cryptographic keys and digital certificates to establish authenticity and privacy online. Now the trust behind trillions of dollars in the world’s economy comes down to just a few kilobytes of cryptographic keys and their associated digital certificates.

After weathering a rising tide of attacks and vulnerabilities, the 2015 Cost of Failed Trust Report research shows the digital trust that underpins most of the world’s economy is nearing its breaking point, and there is no replacement in sight. This research found that thousands of IT security professionals believe that, over the next two years, the risk facing every Global 5000 from attacks on keys and certificates is at least $53M. This is up 51% from the risk estimated in 2013. And for four years running, all of the organizations surveyed have responded to multiple attacks on keys and certificates. Security professionals rank a Cryptoapocalypse-like event, a scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight, as the most alarming threat. But lurking close behind in second place is the misuse of certificates used for enterprise mobility with applications like WiFi, VPN, and MDM/EMM.

The research includes these important key findings:

• At the same time risk increases, the number of keys and certificates grows: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services has grown over 34% to almost 24,000 per enterprise—and this doesn’t include those used beyond the firewall with mobile devices, mobile applications, or numerous devices that are part of the Internet of Things.

• Organizations are even more uncertain about what should be trusted: Also up from 2013, 54% of organizations admit to not knowing where all keys and certificates are located, which means they don’t know how they’re being used or what should be trusted.

• Trust required to operate as a business is threatened: Now 50% of security professionals, up from 45% two years ago, believe the trust their business requires to operate—in communications, in their data center, out to the cloud, on mobile devices, and for the Internet of Things (IoT)—is in jeopardy.

Global Demographics: 100% Attacked

Over the last two years, and now for four years running, all respondents involved in this research have responded to attacks using keys and certificates. This is the only publicly available research to track the breadth and scope of these attacks.

The 2015 research survey was completed by 2,394 IT security professionals. Most respondents were from large enterprises, with 59% from organizations with 5,000 or more employees. For the respondents’ roles, 42% were Administrators, 37% Managers to Supervisors, 17% Executive VP to Director, and 4% other. The largest verticals represented were financial services (17%), government (11%), professional services (8%), consumer products (7%), and retail (7%).

Trust is at the breaking point: Over the past two years a steady stream of incidents has made it clear that keys and certificates are under attack. In one example from 2014, an SSL/TLS certificate representing a top 5 global bank was found in the treasure trove of Russian cybercriminals’ weapons stash. The certificate was used to impersonate the bank, steal other user credentials, and help to execute the theft of 80M customer records.2

Key figures (sidebar):

2,394 RESPONDENTS in Global 5,000 organizations: United States 646, UK 499, Germany 574, Australia 339, France 336
59% OF COMPANIES have 5,000 or more employees
TOP 5 INDUSTRIES represented: Financial Services 17%, Government 11%, Professional Services 8%, Consumer Products 7%, Retail 7%
23,922 KEYS & CERTIFICATES on average per company, UP 34% FROM 2013
$1000 PRICE TAG for a stolen certificate in the underground marketplace
54% ARE UNAWARE: most organizations do not know where all keys and certificates are located, UP FROM 50% IN 2013
60% OF IT SECURITY TEAMS believe their organization needs to better respond to vulnerabilities involving keys and certificates
58% OF SECURITY TEAMS need to better secure and protect their keys and certificates
$597M TOTAL IMPACT: total possible impact per organization for all attacks, UP 50% from $398M in 2013
$53M RISK OF ATTACK over the next 2 years per organization, UP 51% from $35M in 2013 (Risk = Probability of attack x total impact)
GREATEST RISK: $22M Weak cryptographic exploit; $11M Mobility certificate misuse; $8.4M Code-signing certificate misuse; $6.5M MITM attacks; $3.1M SSH key misuse; $1.9M Server certificate misuse
LARGEST IMPACT: $126M Mobility certificate misuse; $114M Weak cryptographic exploit; $102M Code-signing certificate misuse; $93M SSH key theft; $90M MITM attacks; $73M Server certificate misuse

Types of Attacks Analyzed

This research examined six of the most common threats. The blueprint for attacks that use keys and certificates goes back to .3 In that attack, a compromised code-signing certificate from Taiwan was used to gain trusted status for malicious code inside of Iranian nuclear facilities. Today, a range of attacks is in the arsenal of common cybercriminals.

Attack Type / Description / Example of Real-world Attack

Server Certificate Misuse
  Description: To impersonate public websites and decrypt encrypted traffic, attackers steal keys and certificates.
  Example: The theft of data on 4.5M healthcare patients in 2014 started with the exploit of to steal an SSL/TLS key and certificate that encrypted sensitive data.4

Code-signing Certificate Misuse
  Description: Attackers digitally sign malicious code to have it trusted and run.
  Example: The $1B theft by Carbanak operators was enabled by signed that looked like trusted software.5

SSH Key Misuse
  Description: Bad guys seeking to gain access to the most sensitive systems and data compromise SSH credentials.
  Example: APT operators like The Mask stole SSH keys and used their privileged access to compromise networks for over seven years.6

Man-in-the-middle (MITM) Attack
  Description: Cybercriminals compromise Certificate Authorities (CAs) or forge new certificates to trick users and monitor communications.
  Example: APT operators like Dark Hotel used a malicious CA and website certificates to get in and target executive communications.7

Weak Cryptographic Exploit
  Description: Adversaries target weak cryptography to create trusted keys and certificates.
  Example: As part of the malware, Microsoft’s software update service was spoofed by exploiting MD5-based signatures.8

Enterprise Mobility Certificate Misuse
  Description: Misuse of these credentials provides access to WiFi, VPN, or data protected by MDM/EMM systems.
  Example: An emerging threat that security professionals believe needs to be watched closely.

Attacks and Uncertainty Grow

Over the last two years, the average number of SSL/TLS and SSH keys and certificates has grown 34% to at least 23,922. This growth is driven by an increasing number of needs: from more focus on privacy following Edward Snowden’s NSA revelations (the BBC declared 2014 as the “Year of Encryption”9) to Google ranking sites with SSL/TLS and digital certificates more highly in its search results algorithm.10

As the number of keys and certificates grows, IT security teams are unable to keep up with what’s trusted and what’s not. Now 54% of security professionals (up from 50% two years ago) said they don’t know where and how many keys and certificates are in use. However, most security analysts believe this number to be grossly underestimated. Accurate tracking is impossible when most security teams are trying to manage this with spreadsheets.

Trust is at the breaking point: A vicious cycle is at play. We need more keys and certificates to protect privacy and businesses. The importance and number of keys and certificates make them a target to exploit. More attacks drive more use. Now cybersecurity experts at Intel predict that the next large-scale marketplace will be in the sale of stolen digital certificates.11 In 2013, the price was almost $500.12 In 2014, the price grew to almost $1000.13

Heartbleed Takes its Toll

In April 2014, the security of all SSL/TLS keys and certificates became uncertain with the discovery of the Heartbleed vulnerability. Experts from Bruce Schneier to Gartner implored enterprises to consider all keys and certificates compromised and replace them all.5, 6

Security teams scrambled to replace keys and certificates. For many, their first attempts took weeks, and research shows most did not complete remediation and moved on.16

As a result, 60% of IT security teams believe their organization needs to better respond to vulnerabilities involving keys and certificates. In line with this thinking, 58% of security teams agree that keys and certificates need to be better secured to deal with the rise in attacks.

Trust is at the breaking point: In August 2014, the details of a breach that leaked data on 4.5M patients from a Fortune 500 healthcare operator became headline news. APT 18, a known Chinese cyberespionage operator, began their attack by using Heartbleed to compromise a key and certificate used with an SSL VPN. The key and certificate were not replaced following Heartbleed, leaving the door open to attackers for months.4
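The inventory gap described earlier (54% cannot say where their keys and certificates are, and most track them in spreadsheets) and the Heartbleed remediation failure described here (an SSL VPN key and certificate never replaced after the disclosure) reduce to the same defender task: keep one record per deployed certificate and triage each record against a rotation deadline, a weak-algorithm list, and its expiry. The Python below is an added example, not code from the report or from Ponemon or Venafi. The hostnames, dates and the getpeercert()-shaped dict are constructed; the 7 April 2014 Heartbleed disclosure date is a known fact that the page does not state, used here as the rotation cut-off; treating SHA-1 as weak alongside the MD5 case the report cites is this example's own assumption.

```python
"""Triage a key-and-certificate inventory: issued before Heartbleed (so never
re-issued), signed with a weak algorithm, expired or expiring. Standard library
only; added example, not report code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import socket
import ssl

# Heartbleed was publicly disclosed on 7 April 2014 (date not on the page).
# A certificate whose validity began before then was never replaced after it.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# MD5 is the algorithm the report ties to the spoofing of Microsoft's update
# service; SHA-1 is added as this example's assumption (also deprecated).
WEAK_SIG_ALGS = {"md5withrsaencryption", "sha1withrsaencryption"}


@dataclass
class CertRecord:
    host: str            # endpoint the certificate is deployed on
    subject_cn: str      # certificate common name
    not_before: datetime
    not_after: datetime
    sig_alg: str         # e.g. "sha256WithRSAEncryption"; "unknown" if not recorded


def _parse_cert_time(value: str) -> datetime:
    """Convert getpeercert()'s 'Jan 15 00:00:00 2014 GMT' format to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def from_peercert(host: str, peercert: dict, sig_alg: str = "unknown") -> CertRecord:
    """Build a record from the dict ssl.SSLSocket.getpeercert() returns. That
    dict carries no signature algorithm, so it is supplied separately (for
    example from an openssl scan) or left as 'unknown'."""
    subject = {}
    for rdn in peercert.get("subject", ()):   # each RDN is a tuple of (key, value) pairs
        subject.update(rdn)
    return CertRecord(host, subject.get("commonName", ""),
                      _parse_cert_time(peercert["notBefore"]),
                      _parse_cert_time(peercert["notAfter"]), sig_alg)


def triage(record: CertRecord, now: datetime,
           expiry_window: timedelta = timedelta(days=30)) -> list:
    """Return the findings for one record, in a fixed order."""
    findings = []
    if record.not_before < HEARTBLEED_DISCLOSED:
        findings.append("issued-before-heartbleed")   # never re-issued after disclosure
    if record.sig_alg.lower() in WEAK_SIG_ALGS:
        findings.append("weak-signature-algorithm")
    if record.not_after <= now:
        findings.append("expired")
    elif record.not_after - now <= expiry_window:
        findings.append("expiring-soon")
    return findings


def summarize(records, now: datetime) -> dict:
    """Roll per-record findings up into inventory-level counts."""
    by_finding = {}
    flagged = 0
    for record in records:
        findings = triage(record, now)
        if findings:
            flagged += 1
        for name in findings:
            by_finding[name] = by_finding.get(name, 0) + 1
    return {"total": len(records), "flagged": flagged, "by_finding": by_finding}


def fetch_live_cert(host: str, port: int = 443, timeout: float = 5.0) -> CertRecord:
    """Pull the leaf certificate from a live endpoint with a verifying TLS
    context. Not called below so the example stays offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return from_peercert(host, tls.getpeercert())


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory: hostnames, dates and algorithms are made up.
SAMPLE_NOW = _utc(2015, 3, 1)
SAMPLE_INVENTORY = [
    # SSL VPN certificate issued before Heartbleed and never replaced: the same
    # failure mode as the healthcare breach the report describes.
    CertRecord("vpn.example.test", "vpn.example.test", _utc(2013, 6, 1), _utc(2016, 6, 1),
               "sha256WithRSAEncryption"),
    CertRecord("update.example.test", "update.example.test", _utc(2014, 9, 1), _utc(2015, 3, 20),
               "md5WithRSAEncryption"),
    CertRecord("www.example.test", "www.example.test", _utc(2014, 5, 1), _utc(2017, 5, 1),
               "sha256WithRSAEncryption"),
    CertRecord("legacy.example.test", "legacy.example.test", _utc(2012, 1, 1), _utc(2015, 1, 1),
               "sha1WithRSAEncryption"),
]

# Constructed getpeercert()-shaped dict, as fetch_live_cert would receive it.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 00:00:00 2017 GMT",
}

if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        print(record.host, triage(record, SAMPLE_NOW))
    print(summarize(SAMPLE_INVENTORY, SAMPLE_NOW))
```

The rotation check deliberately keys on notBefore rather than on any patch record: a certificate whose validity began before the disclosure date was, by construction, not re-issued afterwards, which is exactly the state the report says most remediation efforts were left in. Findings are returned as data rather than printed so the roll-up can feed whatever tracking the team already has.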

Threat of a Cryptoapocalypse

The steady stream of vulnerabilities and resulting attacks involving keys and certificates has weighed heavily on security professionals. The most alarming threat to security professionals in 2015 is now a cryptographic exploit leading to a meltdown in trust. A team of researchers presenting their findings at Black Hat 2013 termed this event a Cryptoapocalypse: where in a matter of days a cryptographic weakness discovered by a researcher becomes the ultimate weapon, allowing websites, payment transactions, stock trades, and even governments themselves to be spoofed or surveilled.1 The resulting chaos and inability to trust much of the digital world could leave behind a global recession and worse.

2015 MOST ALARMING THREATS (IN ORDER OF CONCERN)
1. WEAK CRYPTOGRAPHIC EXPLOIT
2. MOBILE CERTIFICATE MISUSE
3. CODE-SIGNING CERTIFICATE MISUSE
4. MALICIOUS MITM CERTIFICATES
5. SSH KEY MISUSE
6. SERVER CERTIFICATE MISUSE

Trust is at the breaking point: The idea of a Cryptoapocalypse is far from science fiction. Heartbleed was just a taste of what this could look like. Could a website be trusted? How many keys were compromised? Could an organization be trusted online? Cloud computing, parallel processing, and GPUs are being used to test these attacks. The cost to compromise an MD5-signed digital certificate is now $0.65 in Amazon AWS,17 down from $200,000 in less than two years.18

MITM and Weak Crypto Exploits Hit Everyone

The malicious use of certificates to execute MITM attacks and weak cryptographic exploits that allow communications to be spoofed were the two most common attacks over the last two years. One or more of these incidents were responded to by every organization in the survey. Over the next two years, organizations expect they will respond most often to weak cryptographic exploits and misuse of enterprise mobility certificates.

Most Frequent Attacks Over the Last Two Years*
1. MITM attacks (1.4)
2. Weak cryptographic exploit (1.2)
3. Enterprise mobility certificate misuse (0.4)
4. Code-signing certificate misuse (0.4)
5. SSH key misuse (0.3)
6. Server certificate misuse (0.3)

Most Expected Attacks Over the Next Two Years**
1. Weak cryptographic exploit (18%)
2. Enterprise mobile certificate misuse (9%)
3. Code-signing certificate misuse (7%)
4. MITM attacks (7%)
5. SSH key misuse (4%)
6. Server certificate misuse (3%)

* The number noted in “()” represents the number of times a company responded to the type of attack over the last two years.
** The percentage noted in “()” represents the likelihood a particular type of attack will occur over the next two years.

Trust is at the breaking point: MITM attacks are now a common attack tool. From organized Chinese government efforts that occur on an almost daily basis to APT operators targeting executives in the Dark Hotel campaign,7 MITM attacks with valid or forged certificates are powerful attacks that undermine multiple layers of security. By getting in between users and what they believe are trusted websites, attackers can capture user credentials and intellectual property en masse. Facebook along with Carnegie Mellon found over 6,000 forged certificates used for MITM operations, with many of them actively in use by attackers.19 The power of this type of attack was demonstrated when Lenovo included adware that created a fake CA, which allowed MITM attacks to be conducted on any website and go virtually undetected.20

Risks and Impact Surge

As a result of increased attacks and the expectation that more will occur, security professionals estimate that the average risk facing organizations from attacks on keys and certificates is now $53M, up 51% from 2013. Risk is the possible damage of attacks occurring in any given organization over the next two years (risk equals probability of attack times total impact). The total possible impact of all attacks now reaches $597M, up 50% from 2013.

Trust is at the breaking point:

Greatest Risk
• $22M Weak cryptographic exploit
• $11M Mobility certificate misuse
• $8.4M Code-signing certificate misuse
• $6.5M MITM attacks
• $3.1M SSH key misuse
• $1.9M Server certificate misuse

Largest Impact
• $126M Mobility certificate misuse
• $114M Weak cryptographic exploit
• $102M Code-signing certificate misuse
• $93M SSH key theft
• $90M MITM attacks
• $73M Server certificate misuse

Uncertainty Over Mobile Looms Large

Not only did security professionals find the misuse of enterprise mobility certificates the second most alarming threat over the next two years—if exploited, it’s likely to cost the most! Respondents place the total impact of an exploited enterprise mobility certificate—one that’s used with WiFi, VPN, or MDM/EMM—at up to $126M and a two-year risk of $11M. With an expected increase of mobile devices across enterprises, security professionals are clearly uneasy with the increased risk this creates.

Trust is at the breaking point: Recent Forrester research found 77% of IT security professionals do not have complete visibility into how their organizations are using mobile certificates for WiFi, VPN, and MDM/EMM. Add to this that 62% could not detect anomalous mobile certificate usage, and the reasons why security teams are so alarmed by the misuse of enterprise mobility certificates become clear.21

$126M TOTAL IMPACT OF AN EXPLOITED ENTERPRISE MOBILITY CERTIFICATE—WIFI, VPN, OR MDM/EMM
$11M TWO-YEAR RISK OF AN EXPLOITED ENTERPRISE MOBILITY CERTIFICATE (PROBABILITY OF ATTACK TIMES TOTAL IMPACT)
77% IT SECURITY PROFESSIONALS THAT DO NOT HAVE VISIBILITY INTO MOBILE CERTIFICATE USAGE

Conclusion: The Breaking Point

The result of more attacks, vulnerabilities, and risk over the last two years is that IT security professionals believe the trust they need in digital systems and data for their business to operate is now in jeopardy. Up from 45% two years ago, half of respondents agree the trust established by keys and certificates is in jeopardy. Half believe the way we create trust is broken. Half of IT security professionals now agree with Gartner’s 2012 research finding that “certificates can no longer be blindly trusted.”22

Trust is in Jeopardy: HALF OF IT SECURITY PROFESSIONALS BELIEVE
• TRUST ESTABLISHED BY KEYS AND CERTIFICATES IS IN JEOPARDY
• THE WAY WE CREATE TRUST IS BROKEN
• GARTNER IS RIGHT, “CERTIFICATES CAN NO LONGER BE BLINDLY TRUSTED.”

The over 2,300 IT security professionals that participated in this research have become figurative “canaries in the coal mine”—alerting the world and their senior management teams that the security technology we’ve relied on for over 20 years and built into every digital device and transaction is near the breaking point. With keys and certificates so broadly deployed, and so integral to the future, they must be better secured and protected. With no replacement in sight, failure is not an option. As security technology has adapted to today’s changing threatscape, new ways of ensuring the trust established by keys and certificates remains safe must be developed as a top IT security priority.

About Ponemon Institute

Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. You can learn more by visiting Ponemon.org.

About Venafi

Venafi is the leading cybersecurity company in Next Generation Trust Protection. Venafi delivered the first trust protection platform to manage, secure, and protect cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. For more information, visit Venafi.com.

Copyright © 2015 Venafi, Inc. All rights reserved. Venafi, Inc. Part number: 1-0039-0315

References

1. Stamos, Alex, et al. Preparing for the Cryptopocalypse. Blackhat USA 2013. July 2013.
2. Perlroth, Nicole and Gelles, David. Russian Amass Over a Billion Internet. NYTimes.com. August 5, 2014.
3. GReAT. Stuxnet: Zero Victims. Securelist. November 11, 2014.
4. Davek. CHS Hacked via Heartbleed Vulnerability. TrustedSec. August 19, 2014.
5. Fagerland, Snorre. Carbanak/Anunak in the BlueCoat Malware Analysis Appliance. Blue Coat Labs Blog. February 18, 2015.
6. Kaspersky Lab. Uncovers “The Mask.” Virus News. February 11, 2014.
7. Drozhzhin, Alex. Darkhotel: A Spy Campaign in Luxury Asian Hotels. Kaspersky Lab Daily Blog. November 10, 2014.
8. Lemos, Robert. Flame Exploited Long-Known Flaw in MD5 Certificate Algorithm. eWeek. June 13, 2012.
9. Rubens, Paul. 2014: The Year of Encryption. BBC News. January 9, 2014.
10. Ait Bahajji, Zineb and Illyes, Gary. HTTPS as a Ranking Signal. Google Online Security Blog. August 6, 2014.
11. Rosenquist, Matthew. Stealing Certificates to Sign Malware Will be the Next Big Market for Hackers. Intel IT Expert Blog. December 23, 2014.
12. Monsted, Jonas. Digitally Signed Malware 2013. CSIS Blog. December 3, 2013.
13. Koyfman, Tanya. Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground. SenseCy. October 13, 2014.
14. Schneier, Bruce. Heartbleed. Schneier on Security. April 9, 2014.
15. Heidt, Erik T. Heartbleed Exploit in OpenSSL – How Should You Respond? Gartner Blog Network. April 9, 2014.
16. Ventsias, Tom. UMD Cyber Experts Discover Lapses in Heartbleed Bug Fix. University of Maryland, UMD Right Now. November 7, 2014.
17. Goodin, Dan. Crypto Attack that Hijacked Windows Update Goes Mainstream in Amazon Cloud. Ars Technica. November 5, 2014.
18. Goodin, Dan. Flame’s Crypto Attack May Have Needed $200,000 Worth of Compute Power. Ars Technica. June 11, 2012.
19. Huang, Lin-Shung, et al. Analyzing Forged SSL Certificates in the Wild. Carnegie Mellon University and Facebook. IEEE Symposium on Security and Privacy (IEEE S&P). 2014.
20. Peters, Sara. Superfish Compromises All SSL Connections on Lenovo Gear. InformationWeek Dark Reading. February 19, 2015.
21. Forrester. IT Security’s Responsibility: Protecting Mobile Certificates. June 2014.
22. MacDonald, Neil and Valdes, Ray. Maverick Research: Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned. Gartner Doc: G00238476. Gartner. October 5, 2012.