5 Ways to Prevent Unauthorized Access of Misused Mobile Certificates

By Patriz Regalado, Product Marketing Manager, Venafi

Mobile devices and mobile applications are becoming more dangerous threat vectors against the corporate network. Android devices seem to be continually under attack with new reports of malware appearing at an astounding rate of 197% from 2012 to 2013, based on Fourth Quarter 2013 McAfee Labs research. And according to the Verizon Data Breach Report, 71% of compromised assets in 2013 involved users and their endpoints.

Today, enterprises are turning to certificates to secure mobile devices, applications, and users. Digital certificates authenticate mobile users to applications, VPNs, and WiFi networks. However, many organizations have little to no control or visibility into their mobile certificate inventory and they’re unaware to which mobile certificates their users have access. A number of security risks from misused or orphaned mobile VPN certificates to unauthorized access by terminated employees or contractors can be easily exploited. Cybercriminals take advantage of mobile certificates and pose as trusted users, thereby infiltrating your network and stealing intellectual property.

Remember that mobile certificates issued to users serve as trusted credentials for secure access to your critical networks, applications, and data. So the biggest threat to your enterprise isn’t necessarily the mobile malware, but rather the unauthorized users who may access your information.

Here are 5 ways you can prevent unauthorized access of misused mobile certificates.

  1. Get visibility into your entire mobile and user certificate inventory
    With clear insight into your full mobile and user certificate inventory, you can identify duplicate, orphaned, and unneeded certificates. By mapping users to the certificates they are issued, you can identify certificates that are exposed to unauthorized user access. This will enable you to establish a baseline of known certificates and normal usage.
  2. Automatically enforce policies for mobile certificate issuance
    Issuing certificates to mobile devices and mobile applications according to centralized IT security policies is paramount. By enforcing cryptographic policies that control attributes such as key length, validity period, and approved CAs and by applying workflow processes to mobile certificate issuance, you can reduce your organization’s attack surface.
  3. Go beyond Mobile Device Management capabilities for certificates
    Although Mobile Device Management (MDM) solutions can provide capabilities such as deploying applications, remotely wiping devices, or deploying certificates for mobile devices, protecting mobile certificates and keys extends beyond the scope of MDMs. MDMs alone cannot remove potentially orphaned or compromised mobile certificates. As organization adopt new mobile applications, they must have the ability to enforce IT security policies to establish norms and detect mobile certificate-based anomalies such as orphaned or duplicate certificates. They must also respond quickly by revoking a user’s certificates across multiple CAs. Furthermore, users do not always receive mobile certificates through MDMs. They may request certificates using other tools or even multiple CAs. Therefore you must implement a solution that is capable of enforcing certificate and key policies consistently across your entire environment.
  4. Immediately revoke mobile certificates when authorized use is concluded
    In the event that an employee is terminated, leaves the company without notice, or reassigns, you should immediately revoke all mobile and user certificates associated with that employee in order to prevent unauthorized access to your network. Also, keep in mind that wiping a mobile device using your MDM solution is not sufficient, because the employee could have made a copy of the certificate and key before leaving the company. Rapid revocation of all certificates, whether deployed through an MDM solution or some other means, is critical in these situations.
  5. Ensure secure end-user self service If your organization enables users to request certificates using enrollment portals, you must provide a secure self-service portal that enables your end users to quickly request certificates for WiFi, VPN, email, browser, or other applications. You need a mechanism that governs user certificate issuance to ensure certificates comply with security policies, to eliminate guesswork on the part of inexperienced users, and to prevent errors.

As mobile devices continue to become more prevalent, it is important for you to take a strategic approach to securing your organization’s mobile device certificates. Following these 5 steps will help you to avoid misuse of these certificates and protect your organization against trust-based attacks that use mobile devices as an attack vector. But you don’t have to do it alone. Venafi offers a solution that can help you develop an approach to securing your mobile certificates.

Related Resources:

Have You Budgeted for the Next Heartbleed?

By Gavin Hill, Director/Product Marketing and Threat Intelligence, Venafi

Last month the Heartbleed vulnerability took the world by storm. IT groups across the globe scrambled to patch systems that were susceptible to the OpenSSL vulnerability known as Heartbleed. Y2K—the millennium bug—has been dwarfed in comparison to the impact the Heartbleed vulnerability has had on the world. Let’s face it, software has vulnerabilities and cybercriminals will take advantage of them. We can expect another “Heartbleed-like” vulnerability and should prepare—now. The question is, have you budgeted for it?

IT Security Budget

Have you considered the costs associated with responding to the Heartbleed vulnerability? I’m not talking about the financial impact from the theft of intellectual property or brand damage but the man-hours and salary costs to respond.

Before doing so, here’s a quick recap on the severity of the Heartbleed vulnerability:

  1. An attacker can steal keys and certificates without a trace.
  2. The stolen keys and certificates can then be used in trust-based attacks like phishing, man-in-the-middle (MITM), and replay attacks.
  3. The only way to remediate is to patch susceptible OpenSSL systems and replace all keys and certificates.
  4. Replacement of all keys and certificates is recommended, because you don’t know which systems—even non-OpenSSL ones—may have had keys and certificates stolen via stepping-stone attacks. You must assume all keys and certificates have been stolen!

The average large enterprise has in excess of 17,000 encryption keys and certificates. Consider the monumental task of changing all 17,000 encryption keys and certificates in an enterprise network. This task is especially burdensome, because most organizations manually manage their public key infrastructure (PKI) via spreadsheets or basic tracking software to detect expiring certificates. To replace a certificate on a system, an administrator needs to perform multiple manual steps:

  1. Generate a new key
  2. Issue a certificate signing request (CSR)
  3. Install the new key and certificate on the respective system
  4. Revoke the old certificate

The average large enterprise takes up to four hours to perform the necessary steps to replace a certificate on a single system. The median salary for a system administrator responsible for administering the PKI is U.S. $60,000. When extrapolating the cost to respond to the Heartbleed vulnerability, it costs the organization $115.00 per certificate. To replace 17,000 encryption keys and certificates it will cost your organization $1.95 million—in labor costs alone!

And 17,000 keys and certificates is a moderate estimate for the average enterprise network. At Venafi, we have customers that have replaced all of their keys and certificates within their networks and this equaled hundreds of thousands of keys and certificates per customer.


It seems that the world is still very much in a vulnerable state. Research published by Netcraft shows that 86% of public websites susceptible to compromise from the Heartbleed vulnerability have not correctly been remediated.

Last month, I published a blog detailing how any organization can use Venafi Trust Protection Platform to expedite and automate the remediation of Heartbleed and drastically reduce the response time from hours to minutes. You can read about it here.

By using Venafi TrustAuthority™, organizations can quickly identify systems impacted by the Heartbleed vulnerability and then determine how many keys and certificates are in use, where they are used, and who is responsible for them. Venafi TrustForce™ enables automated remediation of keys and certificates. This includes the installation and validation on impacted systems.

Whether you were impacted by Heartbleed or preparing to defend against the next crippling vulnerability, now is the time to implement a solution that enables your organization to quickly and efficiently replace all keys and certificates. Can you really afford not to?

Related resources:

SOC in 5 Simple Steps

By Ryan Dean, Senior Associate

As an audit firm, we are frequently contacted by service organizations that know they need a SOC report (usually by way of a client request), but don’t know where to begin. With that in mind, I have broken down the process of obtaining a SOC report into five simple steps:

Determining the Scopesoc-in-5-simple-steps
The first step in obtaining a SOC report for your company (the service organization) is to define the scope. A few questions to ask the stakeholders are:

  • What service(s) do you need a SOC report for?
  • What systems are involved in providing those service(s)?
  • Are the services provided from a single location or several?
  • Is the report intended for all users or only one specific customer?

For service organizations that specialize in one particular service, scope definition is fairly straightforward. However, many organizations offer a variety of services to their clients, and it is necessary to narrow down the scope. While some services can be combined into a common report (i.e. the various payroll processing services of a payroll company), it is not uncommon for a service organization to have separate SOC reports for the different services they offer.

Choosing a Report
The next step is to determine which type of report(s) will best suit your company’s needs, and perhaps more importantly, your customers’ needs. The most common report is the SOC 1 report (SSAE 16 or the historic SAS 70), but SOC 2 and SOC 3 reports continue to gain traction. The need for SOC reports is often driven by a service organization’s customers and/or their customers’ auditors. It is therefore important to ensure that the type(s) of report(s) a service organization pursues will satisfy their customer needs. Frequently, the type(s) of SOC reports that a customer would like the service organization to provide is included as a contractual requirement for doing business, but keep in mind this is not always the case.

If specific requirements or requests are not made by contractual agreements and/or client requests, the service organization should select the SOC report that meets their needs:

  • SOC 1 – Detailed report of controls placed into operation for services relevant to financial reporting
  • SOC 2 – Detailed report of controls placed into operation for services concerning security, availability, processing integrity, confidentiality, and/or privacy
  • SOC 3 – High-level report, including seal, that is made publicly available to users with a need for confidence in the service organization’s controls

In addition to SOC reports, service organizations are often either required (i.e. PCI DSS) or elect (i.e. ISO 27000) to obtain various other attestation or compliance reports to showcase their adherence to different compliance requirements. In such cases, service organizations should consider the efficiencies and cost savings that can be attained by using a “single vendor” approach for their compliance reporting needs.

Preparing for the Assessment
Prior to the commencement of an actual SOC assessment, service organizations can take steps to help ensure they are well-prepared for the actual assessment. For clients that have never undergone an assessment before, it is often recommended to undergo a readiness assessment. A readiness assessment is intended for management use only, and will help the service organization identify both strengths and weaknesses with respect to the control environment. Regardless of whether it is a service organization’s first SOC report or tenth, management should always review and update their policies and procedures to ensure they reflect current practices and make sure employees are aware of the upcoming assessment.

It’s SOC Time!
Whether your organization is undergoing a SOC 1, 2, 3, or some combination thereof, the auditor will be working closely with you to help ensure a smooth assessment process. After agreeing upon fieldwork (testing) dates, the overall SOC report process can be outlined in a few basic steps:

  • Service auditor provides a list of requested evidence (usually a month in advance of fieldwork)
  • Service audit team arrives onsite at service organization to perform testing (that includes interviews, walkthroughs, and documentation review)
  • Service auditors document testing results and work with service organization to clarify any testing exceptions
  • Service auditor provides SOC report to service organization

Next Steps
Most service organizations that undergo a SOC assessment do so on an annual basis. In order to continually improve the quality of the SOC report and control activities contained within, service organizations should consider feedback from both their service auditors and the users of the report (customers and their auditors.) Service audit firms will often provide their clients with a list of observations made during SOC fieldwork. Such observations are not part of the actual SOC report; rather, they are an internal use listing of opportunities for improvement that the service organization might consider implementing in their control environment. If implemented, additional control activities can be added to the SOC report in subsequent assessments. Management should also consider feedback from their customers in terms of making sure the report is meeting their (and their auditors’) needs. Finally, because the majority of SOC reports are of the Type 2 variety (Type 2 reports span a review period compared to Type 1 reports, which are point in time), it is important that service organizations consistently execute their control activities throughout the year. This will help ensure that when the SOC auditors return for the next year’s assessment, testing exceptions are not discovered as a result of a lax control environment.


About the Author:
Ryan Dean is a Senior Associate with BrightLine where he has performed Service Organization Controls (SOC) reporting projects for clients in a wide range of industries, including financial services, healthcare, information technology, and manufacturing. Ryan has also provided professional services to multiple Fortune 1000, publicly traded, and regional companies during the course of his career.


April 30, 2014
By Brandon Cook, director of product marketing (@BCookshow)
Skyhigh Networks

We are incredibly excited to feature a Q+A session with George Do, CISO of Equinix, as the first in our new monthly Skyhigh Networks Cloud Security Innovators blog series.  Every month we will interview a new maverick in the cloud security space who is taking an innovative approach to securing data and systems as business increasingly moves to the cloud.

Q: How do you view the cloud? Friend? Foe? Necessary Evil?
A: Friend – embrace the cloud or get left behind.

Q: What is the top security challenges surrounding cloud services?
A: The security posture of vendors, specifically the protection of customer data and reputation.

Q: Are there any advantages to using cloud apps as it relates to security?
A: A big benefit we see is availability – we have access from anywhere from almost any device at any time.

Q: For your industry, are there any specific privacy, regulatory or compliance requirement that make it more challenging to embrace the cloud?
A: Yes absolutely. Various (foreign) government regulations have strict requirements on the protection of data that are not friendly to cloud services. Separately, high-security environments are nervous about going to cloud based on their own risk profile. Cloud companies need to improve and attest to their security posture before nervous customers can come around.

Q: There is lot of press around “encryption” as the silver bullet to address security issues relating to the cloud? Do you see “encryption” as the panacea?
A: Encryption is one big piece of the solution only – certainly not a panacea. There are many other pieces that need focus and attention as well such as access control, reputation/brand protection, and security infrastructure.

Q: As you look into your crystal ball, how will cloud security evolve over the next 2-3 years?
A: This will be very interesting. I think companies will be slow to improve security unless there are significant headlines on data compromises / hacks.  We’re seeing some of this now (think Heartbleed). In the end I think the cloud industry will get there, but it will take some time.

Q: It is said that every journey begins with a single step.  What practical advice would you give to your peers as it relates to cloud security?
A: Step 1 is to get visibility as most companies don’t even have that right now. Then you need a program to manage the enforcement of policy that’s customized to the business.

Q: Where do you go for information regarding cloud security?  Any particular websites, blogs, visionaries and publications you find particularly useful?
A: Skyhigh, SANS, US-CERT, and various security blogs.

Q: Moving beyond cloud, what’s the big concern for CISOs today – i.e., what kept you up last night?
A: The shift of data and users to cloud. Overall, I’m concerned with the speed of technology and lack of security architecture at various layers.

Q: What drives the compliance requirements for your business and how to ensure compliance in the cloud?
A: It’s really the business that drives compliance at Equinix such as SOX and ISO27001. Ensuring compliance in the cloud is a new challenge for us as it is with most other organizations. We recognize that and are beginning to put focus on it.

Q: What’s is your favorite book you have read recently?
A: Multiplies by Liz Wiseman.

See more at: http://bit.ly/1lWqZaQ

Heartbleed Changed the Security Landscape, but Few Organizations Realize It

With the media no longer focusing on the Heartbleed vulnerability, most people think that organizations have adequately addressed the problem, and the threat has passed. Because most people don’t understand the full impact of Heartbleed, however, they don’t realize that the fallout from this one vulnerability is likely to continue, not just for weeks but possibly for months to come.

The problem is that most organizations responded to the Heartbleed vulnerability tactically, just as they would respond to any known vulnerability: they identified the systems using OpenSSL and patched them. These organizations did not understand that the Heartbleed vulnerability undermines the very trust on which every business and government relies to secure its data. It gives hackers privileges that they can use to compromise other, seemingly secure systems. Because most organizations didn’t understand the “big picture,” they failed to fully remediate the problem. They did not revoke and replace all of their digital certificates, leaving their systems vulnerable to ongoing trust-based attacks.

Unfortunately, I don’t believe the Heartbleed vulnerability is an isolated incident. Malicious attackers recognize the value of targeting digital assets, which is why trust-based attacks have significantly increased over the last several years. These malicious actors will continue to look for and target trust-based vulnerabilities, so organizations should not be wondering if another Heartbleed will occur; they should be preparing now to respond more quickly when the next event occurs.

Organizations that took a tactical approach to addressing the Heartbleed vulnerability (simply patching the systems they thought were affected) will be ill-prepared for the next trust-based crisis. Because these organizations don’t yet understand the danger of trust-based attacks, they will continue to focus on what they perceive is the greatest danger on the cyber-security landscape—Advanced Persistent Threats (APTs)—and rely solely on traditional security tools such as packet-inspection tools and Intrusion Detection System/Intrusion Protection System (IDS/IPS) solutions to protect their environment. All of which are inadequate against trust-based attacks. They will not realize that trust-based attacks are all too often the key component of APTs. Therefore, any security solution that does not detect and mitigate trust-based attacks is inadequate. Despite what some security vendors claim, detecting and remediating trust-based vulnerabilities such as Heartbleed requires more than just monitoring traffic and patching systems. Organizations must have a solution that inventories all certificates and digital keys in use on the network, detects anomalous usage, and helps administrators swiftly revoke and replace all certificates.

This is, of course, exactly what Venafi does best. In talking to our customers using Venafi TrustAuthority™ and TrustForce™, we found that these customers were able to respond quickly to Heartbleed, identifying susceptible systems, revoking and replacing all their certificates, as recommended by Gartner. When their Chief Executive Officers (CEOs), Chief Information Officers (CIOs), and even the Board of Directors asked, “What are you doing about this problem?” the Chief Information Security Officers (CISOs) at these organizations were able to say with complete confidence, “We have successfully remediated Heartbleed with Venafi. We have identified and patched all systems impacted, replaced private keys with new ones and issued new certificates.”

As more events such as the Heartbleed vulnerability occur, trust is going to become a top-of-mind issue for all CISOs. Protecting trust will quickly evolve from a nice-to-have to a must-have. Organizations are going to have to know where all the keys and certificates are in their environment, and they are going to have to have the agility to react to trust-based threats almost immediately. Organizations ignorant of the threat posed by trust-based attacks—organizations without a solution to combat these attacks—are going to struggle again and again.

However, CISOs who understand what hackers are looking for when they exploit a vulnerability like Heartbleed—those ever-so-critical keys and certificates—can rise above the struggle. When I meet with customers to discuss the challenges of trust-based attacks, I’ve often seen them experience a kind of “light bulb” moment, as they realize that they have to go beyond removing malware and beyond patching vulnerabilities. They have to restore the trust that the hackers compromised. I joined Venafi because I love being part of these “light bulb” moments. And I love being able to reply, when customers ask how they can possibly revoke and renew thousands or even tens of thousands of keys and certificates, that Venafi has a solution.


Tammy Moskites, Venafi CISO