Orgs predict $53M risk, on average, from crypto key, digital cert attacks
Security pros provided their two-year outlook on the cost of cryptographic key and digital certificate attacks.
A group of IT security pros were asked to determine the “cost of failed trust” as it pertains to attacks targeting cryptographic keys and digital certificates, and they predicted that the average risk facing enterprises was $53 million over the next two years.
The study (PDF), released Thursday by the Ponemon Institute and underwritten by Venafi, included the responses of 2,300 individuals in Germany, France, Australia, the UK and the U.S. In the report, “risk” was defined as the possible damage of attacks occurring in any given organization looking two years ahead.
Overall, the estimated risk of attacks on keys and certs increased from the last time the survey was conducted in 2013. This year, the average risk was $53 million, up from $35 million in 2013 – a 51 percent increase. Broken down by cost, respondents believed the most costly attacks for organizations would involve misuse of mobile certificates ($126 million), weak cryptographic exploit ($114 million) and code-signing certificate misuse ($102 million).
Secure shell (SSH) key theft ($93 million), man-in-the-middle attacks ($90 million) and server certificate misuse ($73 million) also made the list.
Respondents also estimated that the total impact of an exploited enterprise mobility certificate, used with Wi-Fi, a virtual private network (VPN) or for mobile device management (MDM)/ enterprise mobility management (EMM), could cost an organization up to $126 million.
“Over the last two years, the average number of SSL/TLS and SSH keys and certificates has grown 34% to at least 23,922,” the report said. “This growth is driven from an increasing number of needs: from more focus on privacy following Edward Snowden's NSA revelations... to Google ranking sites with SSL/TLS and digital certificates more highly in its search results algorithm. As the number of keys and certificates grows, IT security teams are unable to keep up with what's trusted and what's not.”
The survey found, for instance, that 54 percent of IT security professionals didn't know where all of their keys and certificates were located. In 2013, fewer respondents (50 percent) faced the problem.