Admitting there are security problems with encryption is the first step toward a solution

Technology used to protect privacy becomes an attack tool in cyber criminals’ hands


Newly released findings from the Ponemon Institute and A10 Networks reveal that nearly half of cyber attacks in the past 12 months used encryption to evade detection and distribute malicious software. These findings challenge how we think about the powerful technology we use to protect privacy, security and authenticity. They also demonstrate very effectively how this security technology has been subverted into a powerful weapon for cyber criminals.

This research is another damning piece of evidence that a significant chunk of enterprise security spending is not effective. Possibly half, or even more, of our security technology is doing little to effectively identify bad guys hiding within encrypted traffic. And because the increasing regulations around encryption will continue to drive a dramatic increase in the volume of encrypted traffic, the number of opportunities for bad guys to hide in plain sight is increasing exponentially. We’re fixing one illness but creating a new disease.


Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), encrypt traffic. TLS and SSL turn on the padlock in our web browsers—they are the most widely relied upon indicators for consumers that a transaction is “secure.” This technology is used to hide data traffic from would-be hackers, but it also hides data from the latest, hot-selling security tools.

Since businesses now are being required to turn on encryption by default, encryption keys and certificates are growing at least 20 percent year over year—with an average of 23,000 TLS/SSL keys and certificates now used in the typical Global 2000 company.

Volume overwhelms security efforts

As enterprises add more keys and certificates and encrypt more traffic, they are increasingly vulnerable to malicious encrypted traffic. Administrators simply do not have the tools to keep up with the growing number of keys and certificates. Venafi customers reported finding nearly 16,500 unknown TLS/SSL keys and certificates. This discovery represents a huge volume of encrypted traffic on their own networks that organizations don’t even know about.
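One way to start finding the unknown certificates described above, as an added example that is not from the original article or from Venafi: a small Python script that fingerprints the certificate each internal endpoint presents and reconciles it against the organization's certificate inventory. The endpoint names and inventory entries used in the comments and tests are constructed placeholders.

```python
"""Find TLS certificates in use on the network that are missing from the certificate inventory."""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate presented by host:port.

    Chain validation is deliberately switched off: an internal endpoint presenting a
    self-signed or unknown-CA certificate is exactly what an inventory sweep must record.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def reconcile(observed: dict, inventory: dict) -> tuple:
    """Split observed endpoints by whether their certificate is in the inventory.

    observed:  {"host:port": fingerprint} gathered by fetch_leaf_certificate()
    inventory: {fingerprint: owner} from the key and certificate inventory (assumed format)
    Returns (sorted list of unknown endpoints, {known endpoint: owner}).
    """
    unknown = sorted(ep for ep, fp in observed.items() if fp not in inventory)
    known = {ep: inventory[fp] for ep, fp in observed.items() if fp in inventory}
    return unknown, known


def sweep(endpoints: list, inventory: dict) -> tuple:
    """Fingerprint every reachable (host, port) and reconcile; unreachable hosts are skipped."""
    observed = {}
    for host, port in endpoints:
        try:
            observed[f"{host}:{port}"] = fingerprint(fetch_leaf_certificate(host, port))
        except OSError:  # ssl.SSLError is an OSError too: no TLS listener, refused, timeout
            continue
    return reconcile(observed, inventory)
```

Run `sweep` over the endpoint list from a network scan and the fingerprints exported from the certificate inventory; every endpoint it reports as unknown is encrypted traffic the organization had no record of.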

Sadly, enterprise spending on next-generation firewalls, sandboxing technologies, behavior analytics and other sexy security systems is completely ineffective at detecting this kind of malicious activity.

What does a next-generation firewall or sandbox system do with encrypted traffic? It passes the traffic straight through. If a cyber criminal gains access to encrypted traffic, they are given a free pass by a wide range of sophisticated, state-of-the-art security controls.

Inspection a formidable task

The hard work of SSL/TLS inspection is at the core of today’s cybersecurity dynamics, but it remains largely overlooked in most enterprises. The challenge of gaining a comprehensive picture of how encryption is being used across enterprises and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations.

Throw in the challenge of keeping keys and certificates updated as they are renewed and replaced, and most enterprises can’t keep up. Even if multiple full-time employees are applied to the problem, they won’t be able to move at a pace that will enable them to identify bad guys hiding in encrypted traffic.

Unfortunately, as an industry we continue to ignore this gaping blind spot. For example, when the federal government’s chief information officer issued requirements for protecting all government websites with HTTPS by Dec. 31, 2016, no guidance was provided on how to defend against cyber crime that uses encryption as an attack vector.

As an industry, we’ve got to acknowledge and eliminate this blind spot. We need to be able to inspect traffic and automate the secure issuance and distribution of keys and certificates. The technology is available to solve these problems so we can use encryption safely.

But before we can solve any problem we first need to admit that we have one.
