Verizon's 2016 Data Breach Investigations Report found that 89 percent of breaches last year were motivated by greed or espionage. Since motives are increasingly financial, it makes sense that the financial institutions that underpin the world's economy are increasingly targeted. The Ponemon Institute found, on average, 83 percent of financial companies suffer more than 50 attacks per month. As a result, banks, credit unions, brokerage firms and exchanges — large and small — are shoring up their defences to prepare for the inevitability of a cyber-attack. One of the defensive measures they use is encryption, which protects the privacy and integrity of sensitive information by rendering it unreadable if stolen or intercepted.
The dark side of SSL encryption
Unfortunately, encryption also has a dark side; increasingly, cyber-attackers are using encryption to hide their exploits. A10 recently sponsored a survey by the Ponemon Institute, “Hidden Threats in Encrypted Traffic: Industry Verticals,” to dig into the risks posed by encrypted traffic. The results demonstrated that financial institutions may be woefully unprepared to protect against the attacks using encrypted traffic to hide their activity. As a baseline, respondents estimate 32 percent of their institution's outbound traffic is encrypted today; they expect that percentage to go up to 46 percent over the next 12 months. As that percentage increases, it's logical the percentage of threats in encrypted traffic will also go up. In fact, 58 percent of respondents think attackers will increase their use of encryption (to evade detection and bypass controls) over the next 12 months. When asked whether their institution recognises that malicious users leverage SSL encryption to conceal their exploits, only 41 percent agreed (23 percent were unsure and 36 percent disagreed). While this percentage may seem to imply there is a disconnect between the risk and an institution's recognition of that risk, it is probably more indicative of an institution's direct experience. Notably, 40 percent of the respondents confirmed that attacks on their institution had used encryption to evade detection. (81 percent acknowledged they had been a victim of a cyber-attack or malicious insider activity in the past 12 months.)
Gauging the importance of SSL inspection
So, perhaps institutions are waiting to see these attacks firsthand before they implement measures to prevent them? Despite 90 percent of the financial services respondents recognising that the inspection of SSL traffic is “Important” to “Essential” to their overall security infrastructure, only 42 percent are actually decrypting Web traffic to detect attacks, intrusions and malware. This can be a very dangerous game of chicken for financial institutions to play. Respondents indicated they knew their institutions were at risk:
- 70 percent were concerned or very concerned that encrypted traffic would leave their network vulnerable to hidden threats
- 71 percent felt that compromised insider credentials, due to malware hiding inside encrypted SSL traffic, could cause a data breach (18 percent were unsure)
- 61 percent agreed that the inability of their current security infrastructure to inspect encrypted traffic compromises their ability to meet existing and future compliance requirements.
- 33 percent felt their institution would be able to prevent costly data breaches and loss of intellectual property by detecting SSL traffic that is malicious
Your SSL decryption strategy
All told, 57 percent of the financial services respondents, which don't currently decrypt, have plans to decrypt and inspect traffic to uncover potential attacks. Before they can, however, they need to find solutions that truly meet their needs. They indicated the following features were “Important” to “Essential” in an SSL inspection tool:
- Securely manage SSL certificates and keys – 90 percent
- Scale to meet current and future SSL performance demands – 87 percent
- Maximise the uptime and performance requirements of the overall capacity of the security infrastructure – 84 percent
- Satisfy compliance requirements – 81 percent
- Granularly parse and control traffic based on custom-defined policies – 78 percent
- Categorise web traffic to ensure confidential or sensitive data remains encrypted (satisfy regulatory requirements) – 77 percent
- Intelligently route traffic to multiple security devices – 77 percent
- Interoperate with a diverse set of security products from multiple vendors – 75 percent
There are tools that provide the capabilities that companies are seeking, so there is no real reason not to introduce SSL decryption to enhance security.
Contributed by Duncan Hughes, systems engineering director EMEA, A10 Networks