Recently, the federal government’s focus on encryption has been mainly about gaining access to it through backdoors. But in spite of that focus, some agencies may have left the front door open. In an open letter to Dana Deasy, the new CIO of the U.S. Department of Defense, U.S. Sen. Ron Wyden, D-Ore., urges "immediate action to require the adoption of cybersecurity best practices on all publicly accessible Department of Defense (DoD) web services.”
Sen. Wyden’s letter was a recap of things you wish that you didn’t know, kind of like when I learned that U.S. nuclear missiles were still run on floppy disks. Only a few DoD websites (the Army, the Air Force and the National Security Agency) “implement HTTPS by default and use certificates trusted by major web browsers.” The rest, including the Navy, the Marines and CIO Deasy’s own office website, lack a secure HTTPS connection.
Moreover, they are proving their authenticity using certificates issued by the DoD’s own certificate authority, which Google Chrome (the browser favored by more than half of all North American users, regardless of device) and other browsers do not trust. In other words, come July, when Chrome starts evaluating the trustworthiness of certificates in order to warn users about sites with weak security, the aforementioned sites are likely to be flagged as unsafe. It’s no surprise that Sen. Wyden asks Deasy for an action plan by July 20.
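As an added example (not from this post, the letter, or Venafi), here is a small Python audit that applies the letter’s two criteria, HTTPS by default and a certificate chain trusted by the client’s trust store, to a list of hostnames. The probe needs network access; the finding names and the constructed `Probe` values are this example’s own assumptions.

```python
import http.client
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Probe:
    """Raw observations about one hostname, filled in by probe_host()."""
    https_reachable: bool                  # port 443 speaks TLS (handshake reached the cert check)
    chain_trusted: bool                    # chain verified against the client's trust store
    verify_error: str = ""                 # OpenSSL verification message when it did not
    http_redirects_to_https: bool = False  # port 80 answers with a 3xx to an https:// URL

def classify(p: Probe) -> str:
    """Map the observations onto the findings the letter describes."""
    if not p.https_reachable:
        return "NO_HTTPS"
    if not p.chain_trusted:
        # A chain ending at a private root (such as an agency-run CA) surfaces as a missing
        # local issuer or a self-signed cert, unlike an expired or hostname-mismatched one.
        msg = p.verify_error.lower()
        if "local issuer" in msg or "self signed" in msg or "self-signed" in msg:
            return "UNTRUSTED_CA"
        return "CERT_INVALID"
    if not p.http_redirects_to_https:
        return "HTTPS_NOT_DEFAULT"
    return "OK"

def probe_host(host: str, timeout: float = 5.0) -> Probe:
    """Collect the observations for one host; this part needs network access."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    p = Probe(https_reachable=False, chain_trusted=False)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                p.https_reachable = p.chain_trusted = True
    except ssl.SSLCertVerificationError as e:   # TLS spoken, but the chain was rejected
        p.https_reachable, p.verify_error = True, str(e)
    except (OSError, ssl.SSLError):             # closed port, timeout, or no TLS at all
        pass
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        p.http_redirects_to_https = 300 <= resp.status < 400 and location.startswith("https://")
        conn.close()
    except OSError:
        pass
    return p
```

Run it as `for h in hosts: print(h, classify(probe_host(h)))` over the hostnames you are responsible for; a site that scores `UNTRUSTED_CA` is exactly the case the letter describes, a working TLS endpoint whose chain browsers will not accept.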
Problem Is Everywhere
Today, Derek Hawkins, national cybersecurity reporter for The Washington Post, writes in his Cybersecurity 202 newsletter that, according to a new report from the White House Office of Management and Budget, more than three-quarters of federal agencies do not have cybersecurity programs in place that can protect against intrusions into their networks.
As disturbing as this news is, the problem is not confined to federal agencies. Nick Hunter, senior manager of threat intelligence at Venafi, says it extends far beyond the DoD and other government agencies. “The reality is that many private organizations have not implemented HTTPS, or have but are not aware that their implementations are using weak encryption configurations. It’s also true that many of these organizations, including many major brands, don’t understand that the ramifications of insecure encrypted communications and privacy can be profound,” he says.
This situation, both at the DoD and elsewhere, is mind-boggling. On this blog, we’ve harangued you about the importance of securing web transactions with HTTPS. As Scott Carter writes in a recent post:
SSL/TLS certificates are critical to the security of web transactions, such as online banking and e-commerce. These certificates create an encrypted connection between a web browser and web server. If cyber criminals gain access to these critical machine identities, they can eavesdrop on encrypted traffic or impersonate a trusted system in a phishing attack.
Closing All Doors
It’s disturbing that the DoD and so many critical government agencies could be making it easier for cybercriminals and nation-state attackers to break into agency networks. At the same time, however, HTTPS in itself isn’t a cure-all for this problem. After all, threat actors are increasingly using HTTPS to camouflage attacks. Guest blogger Jack Walker points out:
Hackers now use HTTPS encryption to cover their tracks and get past firewalls, sandboxing technologies and behavior analytics tools. And, ultimately, it is a great and easy way to get malware onto the network without ringing any alarm bells, … and this is because defensive measures once thought effective are no longer properly doing their job. Firewalls, anti-malware solutions and IDS tools will often let HTTPS-traffic straight through, with even modern sandboxing technologies and behavioral analytics not configured to detect and neutralize HTTPS attacks.
In other words, grabbing a certificate so that your website has a green padlock isn’t enough. You need a comprehensive machine identity protection program that provides enterprise-wide visibility and automated control of every machine identity to be truly protected.
Is this the situation you’re currently facing? If so, we understand why you might be holding off on a Band-Aid HTTPS patch because you’re thinking about how to put a good machine identity protection solution in place. If that’s the case, then contact us. We’ve helped plenty of organizations, including government agencies, with their machine identity protection challenges and would welcome the opportunity to help you!