Last week Mozilla data revealed that half of all web traffic on Firefox is now encrypted. This is a giant step forward in privacy and secure communications. But it’s not such good news for many internet security solutions, which are still taking baby steps. Most traditional security tools are not built to be encryption aware. So, they aren’t equipped to detect malicious activity that happens inside encrypted tunnels.
This gap between encryption and protection effectively aids and abets cyber criminals by allowing them to hide in encrypted traffic. As Kevin Bocek, VP of security strategy at Venafi notes, “We’re actually not safe as we think: The security systems designed to defend businesses were destined for a world with little encryption. Encryption creates tunnels. And traditional security isn’t prepared to look inside these tunnels to detect threats that may be hiding there.”
This SC Magazine article outlines potential threats that leverage encryption, such as man-in-the-middle, ransomware, watering holes, and DDS attacks. Cyber criminals are taking note of these opportunities notes Bocek, “Cybercriminals from Chinese military units to Russian cyber gangs, have caught on to the fact that most organizations are unable to defend against attacks using encryption.”
While encryption is the right move to protect the privacy of communications, the way you manage it can impact the success of your efforts; poorly managed encryption can actually undermine your security.
Bocek warns that the root of this new problem is that the system that authenticates machines depends on the availability of cryptographic keys and digital certificates: “If your cyber defenses do not have access to the right keys and certificates, then they can’t look in encrypted tunnels, making them useless. Yet the industry is largely failing to wake up to this danger.”
Security vendors are scrambling to integrate encryption support into their security solutions. In the meantime, many organizations are worried about how to keep their expanding encryption environments safe. “Research has shown that 85% of CIOs are concerned that attackers are increasingly hiding in encrypted traffic, and they are right to be concerned. Security experts believe in short order 70% of attacks will use the encryption we’ve put in place to protect us,” Bocek cautions.
To prevent your encrypted tunnels from being misused in an attack, you’ll need to take a more active role in managing and protecting and them. But first you need to understand the nuances of your encryption environment. Bocek advises, “The only way to safely implement encryption is to maintain control – you need to make sure security systems have access to the keys they require to inspect your traffic for threats. This requires automation that industry still must catch up on.”
If your security solutions don’t have access to your keys and certificates, they may not be able to detect threats that travel through encrypted traffic. Do you have the automation you need to make your keys and certificates available to your security solutions?