How secure is SSL? – the answer might surprise you

Enterprises and online businesses face mounting challenges as the use of secure web-based content and applications continues to grow. Easy-to-access, highly mobile, and social are the new user mantras of today’s IT. The proliferation of new mobile applications, advanced threats, and encrypted traffic is putting pressure on traditional security defences. Web attacks have become more targeted, sophisticated, and clandestine. Internet fraud, cyber-attacks, and more recently complex advanced threats have made “security” a heightened and more important topic for today’s enterprise business.

The 2012 Cyber Crime and Security Survey: Systems of National Interest, published by the Australian Government, discloses some of the cyber security measures that key infrastructure sectors have in place. Of the 255 organisations surveyed in Australia's banking and finance, communications, energy, resources, transport, and water sectors, over 90% reported deploying firewalls, anti-spam filters, and security software in their networks. However, 20% of the same respondents described some form of “cyber incident” that occurred in 2012 and that harmed the confidentiality, integrity or availability of the network data.

So the question really is what protective armour do businesses need to defend themselves?
One important aspect of today’s enterprise security is Secure Sockets Layer (SSL). The use of encryption, more commonly known as SSL, has been exploding for a number of years. Websites today commonly use SSL encryption to protect web transactions, whether it is by email, web 2.0 or ecommerce. Yet, encryption is not a panacea for today’s security. While SSL secures the link between the user and the web server and enables more secure transactions, it reduces security by creating blind spots for security applications. Cybercriminals are aware of this, and often make use of encrypted channels for covert command and control communications for botnets, as well as data exfiltration from the corporate network.

The primary reason SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can read it. When an SSL certificate is used, the information becomes unreadable to everyone except the server you are sending it to, protecting data from hackers and identity thieves. Cybercrime, and advanced threats in particular, increasingly leverage encrypted SSL tunnels to hide their malicious communications, because this traffic (over port 443) is rarely inspected. In fact, leveraging SSL is a very effective method for attackers precisely because encryption, the very thing that keeps content secure and unreadable, makes that traffic nearly impossible for IT administrators to see, understand, or manage as well.

Harmful malicious code can be masked by this encryption and this raises pertinent security questions that need to be addressed.

  • Is the content running over SSL truly secure? Are there hidden threats inside encrypted traffic that users are inadvertently accessing?
  • Can external users “break” the protocol or “listen in” on secure communications over SSL?
  • How do I know that our existing security applications and mechanisms are working properly?
  • What is the best way to determine what our most critical vulnerabilities are?

Today most enterprise and cloud-based applications use HTTPS to secure the user. In fact, more and more internet websites and mobile apps are also using HTTPS, and it is estimated that SSL use is growing by more than 20% year on year. The prevalence of websites using HTTPS – such as Google and Facebook – means that the percentage of SSL traffic on corporate networks continues to expand, accounting for between 25% and 50% of an enterprise’s traffic mix.

Today enterprises use many (inline and passive) network and security appliances for perimeter protection, internal security and compliance. Such a distributed approach to SSL interception has developed over time and adds complexity. Adding a single control to manage SSL traffic not only provides a simpler management solution, but can reduce the complexity by consolidating SSL interception at a single controlled point in the network.

A single control point is less complex if it can provide simultaneous bi-directional SSL support. Ideally it should:

  • work together with outbound security solutions (e.g. network-based anti-virus) to protect your internet and cloud apps.
  • work together with inbound security solutions (e.g. data loss protection) to protect your enterprise apps and your data.

Many SSL inspection platforms require separate solutions for each direction. A single solution that can feed decrypted traffic to each of these security solutions avoids having to support SSL on each separate appliance and so reduces complexity.

Finally, SSL interception should be policy based. Some applications cannot be decrypted, or are not allowed to be decrypted, such as banking apps or personal privacy apps. So we need policy-based control with exceptions: IT needs the flexibility to choose what content to decrypt and what not to decrypt.
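The policy-based decision described above, as an added illustration that is not code from the article or from any vendor's product: an inspection point reads the Server Name Indication (SNI) from the TLS ClientHello and decides whether to decrypt or to bypass the flow. The hostnames, the category database and the bypass/force-decrypt lists are constructed sample data, the ClientHello builder is only there to produce a realistic test input (its 32-byte random field is zeroed), and a real deployment would take the category from a URL-categorisation feed rather than a dictionary.

```python
"""Policy-based TLS interception: decrypt by default, bypass listed exceptions.

Added example (not from the article). All hostnames and the category map are
constructed, hypothetical values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed category database; a real one comes from a categorisation feed.
CATEGORY_DB: Dict[str, str] = {
    "bank.example": "banking",
    "portal.health.example": "health",
    "mail.example": "webmail",
}
BYPASS_CATEGORIES = {"banking", "health", "personal-privacy"}
# Explicit exemptions (hypothetical): never decrypt these domains or subdomains.
BYPASS_SUFFIXES: List[str] = ["bank.example", "privacy.example"]
# Corporate apps that are always decrypted, even if a category list says otherwise.
FORCE_DECRYPT_SUFFIXES: List[str] = ["intranet.corp.example"]


@dataclass
class Decision:
    action: str   # "decrypt" or "bypass"
    reason: str   # why, for the audit log


def _matches_suffix(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def lookup_category(host: str) -> Optional[str]:
    """Most-specific match first: a.b.example, then b.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


def decide(sni: Optional[str]) -> Decision:
    """Evaluate the decrypt/bypass policy for one flow, keyed on its SNI."""
    if not sni:
        # No SNI means no basis for an exception; the default policy applies.
        return Decision("decrypt", "no SNI present, default policy")
    host = sni.rstrip(".").lower()
    for suffix in FORCE_DECRYPT_SUFFIXES:
        if _matches_suffix(host, suffix):
            return Decision("decrypt", f"forced by suffix {suffix}")
    for suffix in BYPASS_SUFFIXES:
        if _matches_suffix(host, suffix):
            return Decision("bypass", f"exempt suffix {suffix}")
    category = lookup_category(host)
    if category in BYPASS_CATEGORIES:
        return Decision("bypass", f"exempt category {category}")
    return Decision("decrypt", f"default (category {category or 'unknown'})")


def extract_sni(data: bytes) -> Optional[str]:
    """Parse the server_name extension out of a TLS ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:          # not a handshake record
        return None
    hs = data[5:5 + int.from_bytes(data[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                         # walk the extension list
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5:        # server_name extension
            lpos = 2                              # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = int.from_bytes(edata[lpos + 1:lpos + 3], "big")
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:                    # host_name
                    return name.decode("ascii", "replace")
                lpos += 3 + nlen
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello carrying only an SNI."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, zero random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def classify(record: bytes) -> Decision:
    """Inspection-point entry: first record of a flow in, policy decision out."""
    return decide(extract_sni(record))


if __name__ == "__main__":
    for host in ["online.bank.example", "cdn.unknown.example", "app.intranet.corp.example"]:
        d = classify(build_client_hello(host))
        print(f"{host:30} {d.action:8} {d.reason}")
```

The order of checks is the policy: corporate overrides first, then explicit exemptions, then category-based exemptions, then the default. Logging the `reason` alongside the decision gives the audit trail needed to show that a regulated category was in fact never decrypted.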

Below are a few best practice tips for organisations electing to address the growing regulatory and technical gap of truly securing SSL traffic within their networks:

1) Single point to control SSL – simplify your network by using a single solution that can feed decrypted traffic to each application (Internet/cloud apps, enterprise apps)

Implement a single security solution to provide simultaneous bi-directional SSL support protecting outbound and inbound data.

2) Stop attacks at the gateway – Block and detect known threats, commonly known as ‘commercial’ malware, on the world-wide web.

Implement an advanced web gateway solution that scans ALL web traffic and protects all types of user access and devices while integrating with a real-time global cloud intelligence network for fast and effective protection.

3) Contain and analyse new threats – Investigate and block new threats, such as executables, in real time on premise, to mitigate more advanced threats that can pass through the traditional inspection of AV, IDS/IPS, or firewalls.

Install high performance and accurate sandboxing technology on premise that complements the gateway solution. On site malware analysis

4) Prevent and remediate breaches – In the event of a breach, organisations need to be able to investigate and remediate breaches almost instantly with threat
Utilise a holistic approach towards security leveraging intelligent visibility across all data to solve problems while maximising IT investments.

A number of organisations lack the ability to inspect and control SSL-encrypted traffic. This needs to change. Any solution implemented must understand and control native SSL traffic in real time, closing all doors to cybercrime. This type of lifecycle defence approach will help organisations embrace new technology seamlessly and confidently. If you’re considering advanced threat protection, re-evaluate your SSL inspection and decryption capabilities by making SSL visibility and control a foundation of your modern enterprise defence.

Stories by Jonathan Andresen