Monthly Archives: March 2019

The impact of unsecured digital identities (an expired certificate was partly to blame for Equifax)

Larry Ponemon

The Impact of Unsecured Digital Identities, sponsored by Keyfactor, was conducted to understand the challenges and costs facing organizations in the protection and management (or mismanagement) of cryptographic keys and digital identities. Ponemon Institute surveyed 596 IT and IT security practitioners in the United States who are familiar with their companies’ strategy for the protection of digital identities.

As shown in Figure 1, 74 percent of respondents say digital certificates have caused and still cause unanticipated downtime or outages. Seventy-three percent of respondents are also aware that failing to secure keys and certificates undermines the trust their organization relies upon to operate. And, 71 percent of respondents believe their organizations do not know how many keys and certificates they have.


According to the findings, the growth in the use of digital certificates is causing the following operational issues and security threats:

  • Operational costs are rising: protecting critical data to comply with data protection regulations means adding layers of encryption, and every layer brings more keys to secure and more digital certificates to manage.

  • Failed audits and non-compliance are the costliest and most serious threats to an organization's ability to minimize the risk of unsecured digital identities and avoid fines.

  • The risk of unsecured digital identities is undermining trust with customers and business partners.

  • Unanticipated downtime or outages caused by digital certificates have significant financial consequences in lost productivity, including the productivity of the IT security team itself, which is pulled into outage response.

  • Most organizations do not have adequate IT security staff to maintain and secure keys and certificates, especially when deploying PKI. Further, most organizations do not know how many keys and certificates IT security needs to manage.

  • Pricing models can prevent organizations from investing in solutions that cover every identity across the enterprise.

  • Organizations have difficulty securing keys and certificates through every stage of the lifecycle: generation, request, renewal, rotation and revocation.

 

The total cost of failed certificate management practices

The research reveals the seriousness and cost of five cybersecurity risks created by ineffective key or certificate management. For each of the following five scenarios, respondents were asked to estimate the operational and compliance costs, the cost of security exploits, and the likelihood that the scenario will occur over the next two years:

  • The cost of unplanned outages due to certificate expiration is estimated to average $11.1 million, and there is a 30 percent likelihood organizations will experience these incidents over the next two years.

  • The cost of failed audits or compliance due to undocumented or unenforced key management policies or insufficient key management practices is estimated to average $14.4 million, and there is a 42 percent likelihood that organizations will experience these incidents over the next two years.

  • The cost of server certificate and key misuse is estimated to average $13.4 million, and there is a 39 percent likelihood that organizations will experience these incidents over the next two years.

  • The cost of code signing certificate and key misuse is estimated to average $15 million, and there is a 29 percent likelihood that organizations will experience these incidents over the next two years.

  • The cost of Certificate Authority (CA) compromise or a rogue CA used for man-in-the-middle (MITM) and phishing attacks is estimated to average $13.2 million, and there is a 38 percent likelihood that organizations will experience these incidents over the next two years.


Based on respondents’ estimates, the average total cost to a single company if all five scenarios occurred would be $67.2 million over a two-year period. The costliest scenarios would be code signing certificate and key misuse and failed audits or compliance due to undocumented or unenforced key management policies or insufficient key management practices (an average of $15 million and $14.4 million, respectively). The research also reveals how likely these scenarios are to occur and how many times organizations represented in the study have experienced these attacks over a period of 24 months.
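Two of the findings above, outages caused by certificates that expired unnoticed and organizations that cannot say how many certificates they hold, come down to one missing control: a periodic scan that parses every certificate you have and reports what is expired or about to expire. The Go program below is an added example written for this page; it is not code from the study, from Ponemon Institute or from Keyfactor. It mints three constructed self-signed certificates (hypothetical example.test names, fixed dates and a 30-day warning window are all assumptions) so that it runs offline, reads them back out of a PEM bundle the way a chain file or trust store would be read, classifies each against a reference date, and then runs Go's own path validation pinned to that date to show that an expired certificate is rejected with the specific reason Expired, which is how such an expiry surfaces as breakage in the software that depends on it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is one inventory row: where a certificate stands relative to a reference time.
type Status struct {
	Subject  string
	DaysLeft int  // negative once expired
	Expired  bool
	Expiring bool // still valid, but inside the warning window
}

// selfSigned mints a constructed sample certificate (hypothetical subject, fresh P-256 key) so the
// example runs offline; in a real inventory the PEM comes from your servers, agents and trust stores.
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the sample serve as its own trust anchor in VerifyAt
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParsePEMBundle pulls every CERTIFICATE block out of PEM data (chain file, trust store, config
// dump); other block types, private keys included, are skipped rather than parsed.
func ParsePEMBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// CheckExpiry classifies each certificate against now: already expired, or expiring within warn.
// Run periodically over everything you hold, this turns a silent expiry into a ticket before it
// becomes an outage.
func CheckExpiry(certs []*x509.Certificate, now time.Time, warn time.Duration) []Status {
	out := make([]Status, 0, len(certs))
	for _, c := range certs {
		left := c.NotAfter.Sub(now)
		out = append(out, Status{Subject: c.Subject.CommonName, DaysLeft: int(left.Hours() / 24),
			Expired: left <= 0, Expiring: left > 0 && left <= warn})
	}
	return out
}

// VerifyAt runs the path validation a TLS client performs, pinned to time t, and reports whether
// the certificate verifies and, if not, whether expiry is the specific reason it failed.
func VerifyAt(c *x509.Certificate, t time.Time) (ok, expired bool) {
	pool := x509.NewCertPool()
	pool.AddCert(c) // the self-signed sample is its own root
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	var inv x509.CertificateInvalidError
	return err == nil, errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Date(2019, 3, 15, 0, 0, 0, 0, time.UTC) // constructed reference date
	// Three constructed samples: expired 19 months ago and never renewed; still valid but inside
	// the 30-day warning window; healthy for another year.
	ends := []time.Time{now.AddDate(0, -19, 0), now.AddDate(0, 0, 10), now.AddDate(1, 0, 0)}
	var bundle []byte
	for i, cn := range []string{"inspect.example.test", "portal.example.test", "api.example.test"} {
		p, err := selfSigned(cn, now.AddDate(-2, 0, 0), ends[i])
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	certs, err := ParsePEMBundle(bundle)
	if err != nil {
		panic(err)
	}
	for i, st := range CheckExpiry(certs, now, 30*24*time.Hour) {
		ok, expired := VerifyAt(certs[i], now)
		fmt.Printf("%-22s daysLeft=%5d expired=%t expiring=%t verifies=%t expiryFailure=%t\n", st.Subject, st.DaysLeft, st.Expired, st.Expiring, ok, expired)
	}
}
```

The point of running CheckExpiry separately from VerifyAt is that the first is a scheduled inventory job that fires before anything breaks, while the second is what every TLS client silently does at connection time; a certificate that only ever meets the second check is one you learn about from an outage.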


Equifax: ‘This is … the big one we’ve all been waiting for’ — Breach podcast season 2

Bob Sullivan

“This is, potentially, the motherlode. The big one we’ve all been waiting for.” — Ron Lieber, The New York Times “Your Money” columnist.

So begins our second season of Breach, which just dropped this month. We begin with an episode titled “Why, Equifax?” — which means all the things you think it means.

How could a company holding so much sensitive information lose it all in what ultimately turned out to be a cascade of errors? A patch that was never applied; security software that couldn’t inspect encrypted traffic because its certificate had expired and gone unrenewed for 19 months; an IT team that relied on the “honor system” to implement security measures. Then there’s the biggest irony of all: hackers broke in through the very system, the dispute resolution portal, that was designed to help American consumers fix errors in their credit reports.

But let’s back up, to the biggest question most people had when Equifax was hacked: Who the heck is Equifax, and why does it have all my most intimate personal information?

If those sound like old questions, they aren’t. We have answers — along with ideas about bigger questions, like “What now?” and “Has our privacy been murdered once and for all?”

Alia Tavakolian and I have spent six months researching what many believe is the most important hack ever, along with a team of researchers and producers at Spoke Media, led by Janielle Kastner.  I’m very proud of the result and I think you’ll like it.

Breach is a sponsored podcast paid for by Carbonite, but you’ll be glad to know Carbonite didn’t meddle in what we say or report on in the podcast.

This season, we are releasing six episodes, one week at a time, each one about 30 minutes.  We’ll explain the history of the credit bureau industry, the run-up to the breach, the bungling of the breach response, and the individuals who are fighting back in the most creative ways possible (wait until you hear what happens in small claims court).  We are also running a great experiment with consumer lawyer Joel Winston where we try to get every credit report on a single consumer (Think you have three? You might have dozens, or even hundreds.)

Then we’ll explain why, I believe, privacy isn’t dead. But it is on life support, and we have no time to waste.

You can listen to episode one by clicking play below, if the embedded player works for you. If not, use one of these links:

Stitcher page: https://www.carbonite.com/podcasts/breach/s02e01-Equifax-data-breach

iTunes page: https://itunes.apple.com/us/podcast/breach/id1359920809?mt=2