Enterprise companies struggle to control security certificates, cryptographic keys

Certificate authority misuse, MiTM attacks, and problems with cryptographic key handling are now of serious concern to enterprise firms.

Enterprise companies are struggling to contain the security and control implications of using multiple cryptographic keys and digital certificates, new research suggests. 

On Tuesday, Keyfactor and the Ponemon Institute released the 2020 "The Impact of Unsecured Digital Identities" report, which examines how cryptographic keys and certificates are handled in enterprise environments. 

Responses from over 600 IT and cybersecurity executives from organizations in the US and Canada were collected and analyzed across 14 industries.  

According to the report, as connectivity becomes enmeshed in modern business practices and operations -- including mobile devices, the Internet of Things (IoT), cloud technologies, and DevOps -- digital identity management and public key infrastructure (PKI) have become a minefield and have created a "critical trust gap."

Certificates and cryptographic keys are designed to provide secure, authenticated access to enterprise networks and resources. However, mismanagement of certificates and keys is also being blamed for an uptick in outages.

In total, 73 percent of respondents said their organizations have experienced unexpected downtime or outages due to mismanaged digital certificates, and 55 percent said four or more certificate-related outages have occurred in the last two years. 

The majority of organizations may also be struggling with managing which keys and certificates -- including those that have been self-signed -- are in play, with 74 percent of survey respondents suggesting that their businesses do not know which are in use, where to find them, or when they expire. 

Failed audits and Certificate Authority (CA) compromise were cited as major causes for concern. On average, Keyfactor says, enterprises have experienced a CA compromise, a Man-in-the-Middle (MiTM) attack, or a phishing campaign five to six times in the last 24 months.

When it comes to predicting future issues, 42 percent of respondents said code signing certificate or key misuse is a risk in the next two years; 41 percent cited failed audits, and 40 percent also indicated that server-side certificates may become a problem. In total, 25 percent of respondents believe that outages due to expired certificates could become a reality. 

Efforts are being made to comply with industry regulations and cybersecurity policies by adding additional layers of encryption, with 60 percent of those included in the research saying their organizations are doing so in order to better protect IoT devices. However, 46 percent also said that their companies have a "low" ability to maintain IoT device identities and cryptographic standards over a device's lifetime. 

Staff shortages, too, are not making the lives of IT and cybersecurity professionals any easier. On average, 16 percent of annual security budgets are allocated to PKI deployment, but only 38 percent of respondents said there are enough employees dedicated to the task.

"This report reinforces cryptography's importance within the security agenda," said Chris Hickman, Keyfactor CSO. "In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise."
