Most IT security professionals are failing to act on the risks associated with untrustworthy digital certificates and cryptographic keys, a survey has revealed.

This is despite the fact that these risks are acknowledged and understood by most, according to a survey of 300 IT security professionals at the Black Hat USA 2015 security conference in Las Vegas.

The survey by security firm Venafi also reveals some information security pros do not understand what security services certificate authorities (CAs) do and do not provide.

Nearly two-thirds of those polled do not know that CAs do not secure certificates and cryptographic keys. Venafi notes that CAs only issue and revoke certificates; they do not monitor their use beyond that and cannot provide any security for them.

There are hundreds of CAs issuing digital trust worldwide and the average organisation has over 23,000 keys and certificates, according to Ponemon Institute research.

The Venafi/Ponemon survey is also corroborated by similar research presented at the Association for Computing Machinery Internet Measurement Conference in Tokyo. (The article appeared in Dark Reading.)