The cost of cryptography
Ponemon has undertaken research into failures in control and trust, surveying over 2,400 companies from the Global 2000 in Australia, France, Germany, the UK and the US, and found that attacks on trust could cost each organisation up to $400 million. They identified that one of the major weaknesses in enterprise security is often the lack of management over encryption keys and certificates.
They report that this comes down to organisations:
- Not knowing the number of keys and certificates they have. In fact, the majority (51%) don’t know how many are in use.
- Not knowing if they have strong enough hashing algorithms.
- Not knowing if their encryption is compliant with organisational policy.
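A check that addresses the first two gaps above, as an added example rather than anything from the Ponemon report: a standard-library-only Python audit that counts the certificates in a PEM bundle and flags those whose outer signature used MD5 or SHA-1, reading the signatureAlgorithm OID with a minimal DER walker. The sample bundle is constructed from DER skeletons that carry real signature OIDs but dummy bodies; they are not valid certificates.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash each implies.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
WEAK_HASHES = {"md5", "sha1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value bytes, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):  # DER OID content bytes -> dotted form; first byte packs the first two arcs
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Hash named by the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, sig_alg, _ = _tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(sig_alg, 0)
    return SIG_OIDS.get(_oid(oid), "unknown:" + _oid(oid))

def audit_bundle(pem_text):
    """Count the certificates in a PEM bundle and list the ones signed with a weak hash."""
    hashes = [signature_hash(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    return {"count": len(hashes), "weak": [h for h in hashes if h in WEAK_HASHES]}

def _skeleton(oid_bytes):  # constructed test data: real signature OID, dummy body, NOT a valid cert
    der = lambda tag, body: bytes([tag, len(body)]) + body
    body = der(0x30, der(0x02, b"\x01")) + der(0x30, der(0x06, oid_bytes) + b"\x05\x00") + der(0x03, b"\x00\xab")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der(0x30, body)).decode()

# Constructed bundle of three skeletons: sha1WithRSA, sha256WithRSA, md5WithRSA (RSA OID prefix + last arc).
SAMPLE_BUNDLE = "".join(_skeleton(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01" + t) for t in (b"\x05", b"\x0b", b"\x04"))
```

Point `audit_bundle` at the contents of a real CA bundle or exported keystore to get the count and the weak-hash list the survey respondents were missing.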
This is alarming, especially given the move to Cloud-based systems, where a large-scale data breach can be caused by the loss of a single encryption key. Overall, Ponemon found that Global 2000 companies had an average of 17,807 keys and certificates issued. They also reported that trust-based attacks would be hard to detect and would target critical processes, and that an attack on SSH services would allow other organisations to take direct control of their data and their Cloud-based processes.
Ponemon also found that 18% (nearly one in five) of the companies surveyed expected to fall prey to a legacy cryptography attack over the next two years. And what about fixing easy problems? Here they found that the expected cost of an easily preventable key management failure was $125 million. The easy win would be for organisations to establish control over their trust infrastructure, with 59% of the sample organisations saying that a refresh of key and certificate management would allow them to significantly reduce their security risks.
Things are not good with compromised Certificate Authorities (CAs) either: certificate impersonation is likely to expose each company to a cost of $73 million over two years.
So what is the cost of a trust attack? Ponemon reported on the following cost categories:
- Incident response.
- Loss of productivity.
- Revenue cost.
- Brand and reputational damage.
For breaches in the past 24 months, the reported levels were:
- 7% for man-in-the-middle (CA compromise).
- 3% for SSH key theft.
- 5% for server key theft.
- 18% for weak cryptography threat.