TRUST, Can You Put a Price On It?

April 29, 2013

The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise. In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.

The cyber-criminals behind these exploits understand that each cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation. Yet according to the findings, 51 percent of organizations don’t know the most fundamental facts about their own keys and certificates: they don’t know how many keys and certificates the organization has, where they are deployed, what they are protecting, or who has access to them.

It’s not that IT security professionals are simply falling down on the job. In many organizations, policies quite properly require the deployment of keys and certificates for just about every service. As a result, the average enterprise has more than 17,000 of them. No IT staff can manage such a large volume of keys and certificates manually without errors and oversights that completely undermine the supposed value of the mission-critical security and authentication instruments. Yet more than 60 percent of global 2000 organizations do manage their encryption assets manually; we’re talking about spreadsheets that list whatever keys and certificates application admins happen to report and not much more. IT security professionals know things can’t go on like this. Like coal miners listening to the timbers creak and watching the ceilings bulge, they know disaster looms, but their reports to the surface often go unheeded by management.

Too many business executives, locked in yesterday’s security constructs of armed guards, gates and cameras, think of this issue—if they think of it at all—as an annoying management problem for IT security teams to handle. They think the organization is simply losing track of assets that remain intrinsically valuable. They fail to understand that the assets’ value is trust. Lose track of the certificates and keys, and you can no longer trust them. Their value—and the trust that makes all other IT assets valuable—simply evaporates. Worse, compromised assets become liabilities, weapons to be used against the organization.

McAfee recently learned this lesson the hard way. One of their digital certificates was revoked, trust broke down, and Mac users could no longer determine when an application could be trusted or not–to the detriment of the McAfee brand.

The average organization can expect to learn the hard way too:

• The threats are likely—One in five organizations expects failures in key and certificate management to lead to exploits and infiltrations.

• The costs will be high—The average global 2000 organization can expect an estimated $U.S. 124 million in cost exposure from a server cryptographic theft incident. And such an incident is just one of the many that could occur.

• It’s already happening—In the last 24 months, organizations have experienced at least one of these trust exploits due to their key and certificate management failures:

• IT security will continue to fall behind, especially in the cloud—The risks of manual key and certificate management will only multiply as businesses continue to seek the benefits of cloud computing.

Most cloud systems, including Amazon’s and Microsoft’s solutions, rely on SSH to establish secure channels through untrusted networks. SSH provides managers with remote root access to a server and its shell services. It also provides servers with such access to each other. This level of access lets the cloud solution do powerful things, but the more power you give admins and computer systems, the more you must trust them.

Yet SSH has no equivalent to a CA to tell systems which SSH keys to trust. IT staff must manage these trust relationships on their own. To ensure the integrity of the system, the staff should rotate keys often; Amazon Web Services recommends a 90-day period.

Already overburdened IT staff must rotate thousands of keys every 90 days. Is that going to happen? Not manually.

Trust is the foundation of all relationships: trust between admins and servers, between servers and users, between servers and other servers—and between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, CEOs, CIOs, CISOs and IT security managers must make it their top priority to maintain control over trust by managing keys and certificates. When trust is compromised, business stops.

Our hope is that the Ponemon Institute Cost of Failed Trust Report validates the many IT security professionals who already suspect the risks of losing control of trust and that the report better quantifies the costs for them. We also hope that the report motivates business and IT executives to look beyond the problem toward solutions. You can take action to guarantee the hundreds of millions of dollars at risk: make sure your organization has control over trust by implementing a full key and certificate lifecycle management solution.

Via SecurityWeek

Related articles

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

The growing threat of insider fraud not a top security priority for organizations

March 5, 2013

An Attachmate sponsored Ponemon Survey indicates the growing threat of insider fraud is not a top security priority for organizations which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has or is very likely to alter application controls to access or change sensitive information and then reset the controls.
  • 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty control
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk

This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices

Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months
  • More than one-third say that employees’ use of personally owned, mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems and another 26% it is very likely to occur
  • 61% rate the threat of insider risk within their organization as very high or high
  • 23% say insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability/intelligence to determine if the off site employee’s non-compliance is due to negligence or fraud

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become

The insider fraud survey includes results from more than 700 individuals at leading global organisations.

 

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 751 other followers