In the ever-daunting crusade to secure the Internet, it's often two steps forward, one step back. Each time the good guys achieve a notable advance, the bad guys uncannily find flaws in the maneuver and strike swiftly to take advantage.
The latest example has to do with encryption. When we bank or shop online, a robust form of encryption keeps our data from being read or tampered with as it crosses the network. It is called HTTPS, for Hypertext Transfer Protocol with an 'S' added to indicate security.
HTTPS has been used since 1994 to protect online financial transactions. But over the past few years the tech sector--led by Google, Facebook and Twitter--has implemented HTTPS far and wide to secure virtually all of our online searches, social media banter and mobile apps.
Adding to that, many government, health care and media web sites have now jumped on the HTTPS bandwagon, in no small part due to the post-Snowden era demand for privacy. There's still a long way to go. That said, even wider business use of HTTPS to protect sensitive data is correctly viewed as a laudable goal.
But now here's the alarming irony: hackers have discovered that HTTPS is tailor-made for cloaking their cyber attacks.
A recent report from A10 Networks and the Ponemon Institute shows perhaps as many as half of the cyber attacks aimed at businesses in the past 12 months used malware hidden in encrypted traffic.
Fresh attack vector
This is a major new vector cyber criminals have begun to probe, and it turns a powerful technology that took decades to deploy widely against the defenses built alongside it. Essentially, the same encryption that keeps eavesdroppers out of a banking session also keeps firewalls, sandboxing technologies and behavior analytics tools from seeing what is inside a connection. Those controls, which companies have spent billions to install, can only inspect what they can read, so a malicious download, a command-and-control beacon or a batch of stolen records tunneled over HTTPS passes through them as opaque ciphertext.
"Sadly enterprise spending on sexy security systems is completely ineffective to detect this kind of malicious activity," says Kevin Bocek, security strategist at Venafi, a supplier of encryption-related technologies. "A cyber criminal using encrypted traffic is given a free pass by a wide range of sophisticated, state-of-the-art security controls."
The A10/Ponemon report outlines how criminals are using HTTPS to go undetected as they carry out phishing and ransomware campaigns, take control of network servers and exfiltrate data. Of the more than 1,000 IT and IT security practitioners surveyed, some 80% acknowledged that their organizations had sustained a cyber attack in the past year, and nearly half said their attackers had used encryption to evade detection.
The good news is that there is technology already on the market that can look one level deeper into network traffic to spot malicious, or suspicious, HTTPS content. The technique is called 'HTTPS deep-packet inspection,' or more plainly TLS interception. It works by placing a proxy in the path of the connection: the proxy terminates the client's encrypted session using a certificate it issues on the fly under a private certificate authority that the company's own devices have been configured to trust, opens a second encrypted session to the real destination, and examines the plaintext in between. That design carries trade-offs a buyer needs to weigh. The private root has to be installed on every managed endpoint and guarded carefully, since it can sign a certificate for any site; applications that pin their certificates will stop working through the proxy; regulated traffic such as banking and health care sessions is usually exempted for privacy reasons; and a proxy that is sloppy about validating the real server's certificate leaves users less safe than no inspection at all.
"This is relatively new technology that has been out for about four or five years now," says Corey Nachreiner, chief technology officer at WatchGuard Technologies. "There are many organizations that don't have this HTTPS inspection capability, yet, so they're missing around half the attacks out there."
Due diligence required
Don't get me wrong, no one in the security community is calling for reducing the use of encryption in business networks--quite the opposite. That said, the ability of cyber criminals to manipulate encryption techniques for nefarious purposes is something businesses of all sizes need to understand and come to grips with.
Small and mid-sized businesses should begin looking into adding HTTPS inspection. This can be done directly on premises, or via a managed security services provider. For SMBs, there are many credible security vendors out there worthy of review. But you have to commit to doing the due diligence.
Large enterprises face a bigger challenge. HTTPS uses Transport Layer Security (TLS), and historically its predecessor Secure Sockets Layer (SSL), which is now obsolete and should be disabled, to encrypt traffic. Inspecting that traffic, whether at the perimeter or on a company's own servers, depends on knowing where every encryption key and digital certificate lives, who issued it and when it expires. In a big company those keys and certificates are issued by many teams and many tools and are rarely tracked in one place, which is where the confusion starts.
"The challenge of gaining a comprehensive picture of how encryption is being used across the enterprise and then gathering the keys and certificates that turn on HTTPS is daunting for even the most sophisticated organizations," Venafi's Bocek says. "Insufficient resources and automated controls are creating a nearly insane situation."
Again, the good news is that technology to efficiently address this emerging exposure is available. First comes awareness of the problem, followed by the tough job of prioritizing and marshalling company resources to address it. One thing is certain: hackers will not relent, and ignoring this exposure is perilous.