Malicious Security—Can You Trust Your Security Technology?
Blog Article Published: 10/16/2014
By Gavin Hill, Director, Product Marketing and Threat Intelligence, Venafi

Encryption and cryptography have long been thought of as the exemplars of Internet security. Unfortunately, this is no longer the case. Encryption keys and digital certificates have become the weakest link in most organizations’ security strategies, diminishing the effectiveness of other security investments such as NGFW, IDS/IPS, WAF and AV.

In my previous post, I discussed the difference between key management and key security. The problem today is not that encryption and cryptography are broken, but rather that the implementations meant to secure and protect keys and certificates from theft are mediocre. Worse yet, most organizations cannot even tell the difference between rogue and legitimate use of keys and certificates on their networks, or stop attackers from using them. Bad actors and nation states continue to abuse the trust that most place in encryption, but very few in the security industry are actually doing something about it.

Undermining Your Critical Security Controls

The threatscape has changed:
- Gartner estimates by 2017, 50% of all network attacks will use SSL.
- McAfee shows in its 2014 first-quarter threat report that the use of stolen certificates to sign malware has continued to increase at a rate of nearly 50% quarter over quarter since 2012.
- Kaspersky Labs this year discovered multi-year APT campaigns, like Careto and Windigo, stealing SSL and SSH keys.
- Over 90% of externally-facing servers impacted by Heartbleed have not been fully remediated.
- IBM X-Force is still seeing over 7,000 attacks per day against its customers using the Heartbleed vulnerability.
- MY: A certificate store that holds certificates with the associated private keys
- CA: Certificate authority certificates
- ROOT: Root certificates
- SPC: Software Publisher Certificates
- Opens the MY certificate store
- Allocates 3C245h bytes of memory
- Calculates the actual data size
- Frees the allocated memory
- Allocates memory for the actual data size
- The PFXExportCertStoreEx function writes the exported data to the CRYPT_DATA_BLOB area to which pPFX points
- Writes the data out (no decryption routine is required, since the content of the certificate store is written as exported)
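The export routine above can only place a private key into the PFX if that key is marked exportable in the certificate store; non-exportable keys and keys held by a smart card, TPM or HSM are skipped by PFXExportCertStoreEx. An added, defender-side example (not from the article or from Venafi): a PowerShell inventory of the MY stores that reports, for each certificate with a private key, whether the key is exportable, so the material this kind of theft would yield can be found and moved to non-exportable or hardware-backed keys. The function name is my own; the .NET types used are standard, and the script reads only the key's export policy and exports nothing.

```powershell
# Added example (not from the article): inventory certificates in the Windows
# MY (personal) stores whose private keys are marked exportable, i.e. the keys
# a PFX export of the store would actually contain.
# Assumptions: run as the user being audited (LocalMachine keys need admin);
# RSA keys under both legacy CSPs and CNG are handled, other key types and keys
# the current user cannot open are reported as 'unknown'. Nothing is exported.

function Get-ExportablePrivateKeyReport {
    param(
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                $cert       = $_
                $provider   = 'unknown'
                $exportable = 'unknown'
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        # CNG key: the export policy is a flags enum on the CngKey handle
                        $provider   = 'CNG'
                        $policy     = [int]$rsa.Key.ExportPolicy
                        $allow      = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                        $exportable = (($policy -band $allow) -ne 0)
                    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        # Legacy CSP key: exportability is recorded in the key container info
                        $provider   = 'CSP'
                        $exportable = $rsa.CspKeyContainerInfo.Exportable
                    }
                } catch {
                    # Key lives in a provider we cannot open from here (smart card, HSM,
                    # or insufficient rights); leave it reported as 'unknown'.
                }

                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Provider   = $provider
                    Exportable = $exportable
                }
            }
    }
}

# Usage: show only the keys a PFX export of the store would carry away
Get-ExportablePrivateKeyReport |
    Where-Object { $_.Exportable -eq $true } |
    Format-Table -AutoSize
```

Rows with Exportable set to True are the ones to act on: reissue the certificate with the private key generated as non-exportable, or on a TPM or HSM-backed provider, so that a store export produces the certificate without its key. Rows marked unknown are usually hardware-backed keys and are already outside the reach of this routine.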