Most organizations have already moved to SSL (Secure Sockets Layer; in practice its successor TLS, although the name SSL is still widely used) to protect their data in motion. We like to believe that once SSL is deployed our data is safe from attackers. However, attackers have also learned to take advantage of the technology for their own benefit. Nor is it only criminals: security agencies, governments and many other organizations use SSL to hide their snooping on data and communications from the network. A well-known whistleblower case in 2014 revealed that a national government had been injecting surveillance software into web traffic. Since that disclosure, attacks hidden inside SSL traffic have been on the rise.
Why is there a risk in SSL?
Encryption makes the network, and every device and piece of software on it, blind to the data it carries. Apart from the sender and the final receiver, who hold the decryption keys, nobody can read the data, and that includes the organization's security software and appliances. Much network security works by analyzing data streams: intrusion detection systems, web proxies and mail gateways look for patterns and signatures that identify known viruses, malware and ransomware. Once that malware travels over SSL it appears as gibberish to these tools, and they become ineffective at spotting the infection. The receiving program decrypts the data, which may then turn out to be malware that jumps to other programs or data on the computer. In this way an infection can spread over any channel that uses SSL: secure web pages, email attachments, instant messages and so on. What the network can still see is metadata such as the destination address and the server name sent in clear in the TLS handshake, which is why a firewall can block known bad destinations without decrypting anything, but it cannot see the payload. Let's look at some of these threat sources and varieties in a bit more detail.
DDoS attack: Once malware enters a network over SSL, it can spread across servers and workstations. Most organizations protect themselves against external threats, but few take precautions against internal, trusted software and tools, which leaves them exposed to attacks launched from inside. One common outcome is a DDoS in which compromised internal hosts flood internal or external targets with traffic. Because the traffic originates from legitimate machines on the internal network, the attack is harder to locate and isolate. It can affect multiple internal corporate servers and effectively bring down the whole corporate infrastructure, requiring a complicated recovery procedure.
Insider Abuse for Data Exfiltration: Cyber defense systems that cannot inspect incoming encrypted data cannot inspect outgoing encrypted data either. Most web-based email and file-sharing services use SSL, so an employee can upload confidential data out of the corporate network without being detected by the organization's defenses. It is no small irony that the company's most significant assets, its employees, can become its greatest threat.
Social Media: Facebook, Twitter, LinkedIn and the web interface of WhatsApp all use SSL. While many organizations actively control access to certain social networks, other sites are granted exceptions because they are considered harmless. WhatsApp, for example, is used for instant communication within teams on the go, so organizations tend not to block its web interface. Yet all of these services have been known to carry malware, and now that they run over SSL it has become harder for cyber defense systems to detect malicious content arriving from them.
Protecting against the SSL threat
Organizations need to decrypt encrypted traffic and inspect both inbound and outbound data. To start with, organizations can deploy SSL inspection platforms that terminate the SSL session, decrypt the traffic, hand the plaintext to third-party security tools (intrusion detection, anti-malware, data loss prevention) for inspection, and re-encrypt it toward its destination. This only works if the endpoints trust the inspection platform's certificate authority, so that CA must be distributed to corporate devices, and applications that pin their certificates will break unless they are exempted. For outbound data, the enterprise owns the endpoints, and these should be monitored rigorously. Extra care is needed when allowing access to social media sites from corporate infrastructure. For sharing files and information beyond the organization's network, it is best to use a sanctioned cloud storage service that remains effectively under the organization's control. Firewalls are still very effective at blocking access to and from unknown sources, and for traffic to known, allowed destinations they can be configured to strip the encryption (that is, to intercept the session as described above) and present the plaintext to the organization's cyber defense tools. Privacy-sensitive categories such as banking and healthcare are usually exempted from decryption for legal and privacy reasons.
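To make the two points above concrete, the following added example (written for this article, not the product of any inspection vendor) shows what a firewall or SSL inspection platform can decide before decrypting anything: it parses the server name (SNI) out of a TLS ClientHello, which is sent in clear, and applies a decrypt/bypass/block policy to it. The ClientHello records are constructed in the code rather than captured, the category database and the list of bypassed categories are assumptions standing in for a real URL-categorization feed, and a ClientHello with no SNI is treated as an unknown destination and blocked.

```python
import struct

# Constructed sample inputs (not captured traffic): minimal TLS 1.2-style
# ClientHello records built by make_client_hello() below.

def make_client_hello(server_name=None):
    """Build a minimal ClientHello record; server_name=None omits the SNI extension."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"          # client_version, random, empty session id
    body += b"\x00\x02\x13\x01"                          # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello, or None if absent/unparseable."""
    if len(record) < 5 or record[0] != 0x16:             # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                      # truncated record
    pos = 2 + 32                                         # skip client_version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]; pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]; pos += 1 + cm_len
    if pos + 2 > len(body):
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_size]; pos += ext_size
        if ext_type == 0x0000 and len(ext) >= 5:         # server_name extension
            list_len = struct.unpack("!H", ext[0:2])[0]
            lp = 2
            while lp + 3 <= min(2 + list_len, len(ext)):
                ntype = ext[lp]
                nlen = struct.unpack("!H", ext[lp + 1:lp + 3])[0]; lp += 3
                name = ext[lp:lp + nlen]; lp += nlen
                if ntype == 0 and len(name) == nlen:
                    try:
                        return name.decode("ascii").lower()
                    except UnicodeDecodeError:
                        return None
    return None


# Assumed policy data: a stand-in for a categorization feed and the categories
# left encrypted end-to-end for privacy/legal reasons.
CATEGORY_DB = {
    "bank.example": "finance",
    "clinic.example": "health",
    "social.example": "social-media",
    "files.example": "file-sharing",
}
BYPASS_CATEGORIES = {"finance", "health"}


def inspection_decision(record):
    """Decide 'bypass' (leave encrypted), 'intercept' (decrypt and inspect) or 'block'."""
    sni = extract_sni(record)
    if sni is None:
        return "block"                                   # no SNI: cannot categorize, treat as unknown
    category = CATEGORY_DB.get(sni)
    if category is None:
        return "block"                                   # unknown destination
    if category in BYPASS_CATEGORIES:
        return "bypass"
    return "intercept"


if __name__ == "__main__":
    for host in ("bank.example", "social.example", "unknown.example", None):
        print(host, "->", inspection_decision(make_client_hello(host)))
```

The decision happens before the inspection platform forges a certificate for the site, which is exactly where the bypass list for banking and healthcare is enforced in practice; everything the platform learns after that point comes from the decrypted payload.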
Encryption is a great way to secure cyber infrastructure against eavesdropping and tampering by unknown parties. However, enterprises must realize that encryption alone cannot protect them against every threat out there. They must remain vigilant against new threats, and against the compromise of new defense mechanisms, in order to protect themselves adequately.