THE VISIBILITY VOID: Attacks through HTTPS can be a vulnerability for enterprises
Security Report. Security Empowers Business.

The Visibility Void
The use of encryption protocols, Transport Layer Security (TLS) or Secure Sockets Layer (SSL), to protect web and email content is now entering its second decade. Research conducted by Canadian broadband management company Sandvine found that the number of Internet users encrypting their online communications has doubled in North America and quadrupled in Latin America and Europe over the past year alone.1 Thankfully, encryption is here to stay, but it is not without its risks.

To identify hidden threats to the business, enterprises need complete visibility into encrypted traffic. However, to comply with local privacy regulations and their own acceptable use policies, enterprises must have the means to selectively decrypt this traffic. An encrypted traffic management strategy must consider various business needs, established corporate policies, and compliance mandates.

1 https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf

The dawn of a digital dark age

As privacy concerns reach an all-time high, the industries where data represents a prized commodity – social media, mobile, and communications – have understandably responded by broadly adopting encryption. Personal privacy concerns have led to goliaths such as Google, Amazon and Facebook switching to an “always on HTTPS” model to protect data in transit (see Fig 1.).

Every minute, at least 4,000,000 Google searches; 2,460,000 shares on Facebook; 48,000 Apple app downloads; and 23,300 hours of Skype conversations take place2 – all of which take place protected by SSL encryption. Google has recently announced that HTTPS sites are more positively weighted in Google search results.3

All this increased adoption of “transport encryption” takes place in an environment where use of encryption technology in general is becoming routine. For example, technology giant Apple recently announced its iOS 8 operating system will encrypt all data, by default, on its phones and tablets; the protected data includes photos, messages, contacts, reminders and call history. The explosion of data created by an ever-connected world and growing concern about data privacy means much more opportunity for serious cyber threats and data loss.

[Figure 1: 8 out of the Top 10 global websites use HTTPS (Source: Alexa). Chart "Top 10 most visited websites: growing use of encryption", listing 1 Google.com, 2 Facebook.com, 3 Youtube.com, 4 Yahoo.com, 5 Baidu.com, 6 Wikipedia.com, 7 Amazon.com, 8 Twitter.com, 9 Linkedin.com, 10 Qq.com, each marked as an encrypted site (HTTPS) or a site not encrypted.]

2 DOMO, Data Never Sleeps 2.0
3 http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

But does encrypted mean safe?

In a typical seven-day period, Blue Coat found that 69% of the top 50 websites visited by its customers use HTTPS by default. Only sites focusing on publishing daily news or entertainment (e.g. ESPN, BBC News, CNN, or Pandora) use the easily-monitored unencrypted HTTP protocol. Of the top 10 most visited customer sites globally, as ranked by Alexa, nearly all use encryption to deliver at least some content. In order to try and manage encrypted traffic, some companies block traffic to these sites, despite employee requests to browse those websites during working hours.

While a benefit for privacy purposes, the blanket use of encryption means that many businesses are unable to govern the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. This growing visibility void also creates opportunities for attackers to deliver malware directly to users, bypassing network security tools. The lack of visibility into SSL traffic represents a potential threat, especially given the fact that benign and hostile uses of SSL are indistinguishable to many security devices.

The tug of war between personal privacy and corporate security is unfortunately leaving the door open for novel malware attacks involving SSL over corporate networks. For corporations to secure customer data, they need visibility to make sure they can see the threats hiding in encrypted traffic.

The hostile use of encryption is set to increase in the coming years. Gartner believes by 2017 more than half the attacks on networks will employ some form of encrypted traffic to bypass security.4 This in part will be due to large web properties and hosting services making a switch to the HTTPS protocol. While banks and shopping sites already protect data using such encryption, HTTPS is becoming the rule, rather than the exception.

4 Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, Jeremy D’Hoinne and Adam Hills, December 9, 2013

The good news: You can maintain privacy and still be secure

Of great concern is the low level of sophistication malware coders need to compromise a network using encryption. Why? Many enterprises are under the illusion that what they can’t see can’t hurt them. Malware attacks, using encryption as a cloak, do not need to be complex because the malware operators believe that encryption prevents the enterprise from seeing what they are doing.

Blue Coat’s Global Intelligence Network routinely observes encrypted traffic used for the delivery and command and control of malware, as well as other types of malevolent activity, such as phishing. Some of these attacks not only steal personal data from the infected machine, but leverage that machine’s position within the corporate network to pivot and steal sensitive enterprise information.

Knowing that no one wants to stop encrypting traffic, enterprises need a way to stop threats that are being delivered through encrypted traffic. The good news is that maintaining the privacy of employee personal information and adhering to compliance regulations is possible, while still protecting the enterprise from unwanted intrusions and threats. A policy-based solution decrypts and inspects only targeted traffic, to enhance network security while complying with laws and policies. Open and transparent security protocols, along with tight controls limiting the use of decrypted data (e.g., network security), can be combined with regional and tailored IT monitoring notices to employees to maintain compliance with privacy protocols.

The true risk for an enterprise is to consider privacy and security as mutually exclusive. Privacy should not be a trade-off for security. Legitimate business justifications allow the enterprise to keep the network secure and IP protected while maintaining integrity of personal data.

[Figure 2: In a typical seven-day period, Blue Coat Labs receives around 100,000 requests for information about sites using HTTPS protocol for command and control of malware. In a typical 7 day period the Global Intelligence Network receives over 40,000 requests to newly classified malicious hosts over HTTPS (a strong indication of new infections) and over 100,000 requests to known malware servers over HTTPS (a strong indication of exfiltration in progress).]

Encrypted Traffic Management allows organizations to protect stakeholders by being smart about what is seen and what is not. Encryption isn’t the enemy – it protects your business, customers and employees. Encrypted Traffic Management is essential to ensuring the safety of virtually anything worth protecting. Services such as email, banking and finance, cloud-based services, and industrial systems control some of the most important data in any company.
Decryption and privacy can co-exist.

However, the dangers associated with this protective wrapper around messaging, file-transfer technologies and cloud applications cannot be ignored. Significant data loss can occur as a result of malicious acts by hostile outsiders or disgruntled insiders, who can easily transmit sensitive information. Today a watchful team of security incident responders is required or the consequences can be serious.

Closing the curtains

As already mentioned, malware hiding in encrypted traffic is typically unsophisticated, presenting an opportunity for businesses to easily find and block attacks once decrypted.

Despite concerted effort from government and private enterprises against cyber criminals intent on exploitation, the onslaught is unforgiving. After authorities effectively shut down Zeus,5 one of the most successful Trojan horse malware families, in a coordinated raid, criminals intent on data theft needed an alternative. Dyre, a widely distributed, password-stealing Trojan originating in Ukraine, is trying to fill the power vacuum left behind when Zeus shut down. With a cyber equivalent of Whack-A-Mole taking place, Dyre quickly replaced Zeus using the same infection mechanisms, and achieving the same goals, with the help of encryption.

All of Dyre’s command-and-control traffic is, by default, communicated back to an infrastructure over TLS/SSL. Without decryption the bot can enter an enterprise network undetected, luring targets into clicking links to malware contained in phishing emails. Once in, criminal organizations extract user information under the cover of encryption so they can sell it to the highest bidder.

5 http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)

Encryption and Visibility

As a result of recent massive data breaches and the regular use of encryption that can mask the criminal exfiltration of proprietary information, encrypted traffic needs to be properly managed. Encrypted Traffic Management is a mechanism to responsibly use encryption to protect data, whilst preventing actors with hostile intent from abusing these services.

Decryption does not have to compromise privacy; rather it provides enterprises a way to effectively manage traffic. The risk of a security incident, which could ultimately lead to serious data loss, is not something that just happens to other companies. It is time to take charge of privacy instead of turning a blind eye to the growing volume of encrypted traffic. The visibility void created when the web turns its lights out on network traffic has serious implications for the enterprise, yet holds the key to data privacy. By approaching encrypted traffic with a clear policy-driven management approach, businesses can take to the frontline in cyber warfare.

Best Practices for Managing Encrypted Traffic

Security demands must be balanced with privacy and compliance requirements. Because employee privacy policies and compliance regulations vary geographically, per organization and per industry, businesses need flexible, customizable and policy-driven decryption capabilities to meet their unique business needs. To preserve employee privacy while combating threats hiding in encrypted traffic, IT security departments should:

• Take inventory and plan for growth – Assess the volume of SSL encrypted network traffic in your organization (we typically see 35 percent – 45 percent of network traffic being encrypted), including the mix of traffic types (not just web/HTTPS traffic), current volume and projected increase.

• Evaluate the risk of un-inspected traffic – In addition to malware coming into the enterprise, examine what type of data is at risk from both a security (exfiltration) and privacy standpoint. Share insights across IT, security, HR and legal departments.

• Create an action plan – Evaluate employee “acceptable use” policies, privacy requirements and compliance regulations and create formal policies to control and manage encrypted traffic based on traffic type, origination and other security and privacy vulnerabilities.

• Apply granular policy control – Selectively identify, inspect, and decrypt web-based SSL traffic according to your established policies. Decrypted data can then be processed by the security tools you have already invested in on the network, such as network antivirus, advanced threat protection solutions, DLP and others.

• Monitor, refine and enforce – Constantly monitor, refine and enforce the privacy and security policies for encrypted applications and traffic in and out of your network and make sure it is in sync with corporate policy and regulations.
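The inventory step and the granular policy-control step from the list above, worked as a small example. This is added code, not Blue Coat's product logic or anything from the report: the port-to-service table, the privacy-exempt categories, the rule ordering and the sample flows are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Ports conventionally carrying TLS. Only 443 is the "web-based SSL traffic"
# that the best-practice list puts in scope for decryption (assumed scope).
TLS_PORTS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s", 8443: "https-alt"}

# Categories the (assumed) privacy policy never decrypts, even though in scope.
PRIVACY_EXEMPT = {"Financial Services", "Health"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    sni: str        # TLS Server Name Indication; "" when the flow is cleartext
    category: str   # category assigned by an upstream URL classifier (assumed)


def is_encrypted(flow: Flow) -> bool:
    """A flow counts as encrypted if it uses a TLS port or carries an SNI."""
    return flow.dst_port in TLS_PORTS or bool(flow.sni)


def inventory(flows):
    """Step 1: how much traffic is encrypted, and of which kinds (not just HTTPS)."""
    encrypted = [f for f in flows if is_encrypted(f)]
    share = round(len(encrypted) / len(flows), 2) if flows else 0.0
    return {
        "total": len(flows),
        "encrypted": len(encrypted),
        "encrypted_share": share,
        "by_service": Counter(TLS_PORTS.get(f.dst_port, "other-tls") for f in encrypted),
    }


def decide(flow: Flow) -> str:
    """Step 4: ordered, first-match policy giving one action per flow."""
    if not is_encrypted(flow):
        return "inspect"     # cleartext: existing tools already see it
    if flow.category == "Malicious":
        return "block"       # policy already forbids it; no decryption needed
    if flow.dst_port != 443:
        return "log"         # non-web TLS: counted in inventory, not decrypted
    if flow.category in PRIVACY_EXEMPT:
        return "bypass"      # privacy exemption: forwarded without decryption
    return "decrypt"         # plaintext goes to network AV, DLP and other tools


def apply_policy(flows):
    """Summarise what the policy would do across a traffic sample."""
    return Counter(decide(f) for f in flows)


# Constructed sample flows (not real traffic or real hostnames).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", 443, "online.bank.example", "Financial Services"),
    Flow("10.0.1.6", 443, "mail.webmail.example", "Webmail"),
    Flow("10.0.1.7", 80, "", "News"),
    Flow("10.0.1.8", 443, "cdn.bad.example", "Malicious"),
    Flow("10.0.1.9", 993, "", "Email"),
    Flow("10.0.1.10", 443, "portal.health.example", "Health"),
    Flow("10.0.1.11", 80, "", "Entertainment"),
    Flow("10.0.1.12", 443, "social.example", "Social Networking"),
]

if __name__ == "__main__":
    print(inventory(SAMPLE_FLOWS))
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src:<10} {flow.dst_port:>4} {flow.category:<20} -> {decide(flow)}")
    print(apply_policy(SAMPLE_FLOWS))
```

The policy output is what the "monitor, refine and enforce" step would review: every bypass decision is an auditable privacy exemption rather than an invisible gap.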
© 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat Systems Inc., www.bluecoat.com. Document v.BC-THE-VISIBILITY-VOID-EN-v1f-1114.