Everything is not what it seems

There is something comforting about the padlock icon in a browser when visiting a “secure” web site over HTTPS: a confidence that the traffic is encrypted and therefore cannot be snooped on by strangers, or worse, by hackers and cybercriminals. Indeed, SSL/TLS, the protocol for secure client-to-server communication, has rapidly increased its footprint on the Internet. The classic SSL/TLS handshake for establishing a new session is pretty neat and elegant: public-key encryption is used to exchange a pre-master secret, and the information flow that follows is encrypted under symmetric keys derived from it. HTTPS pages constitute 42 percent of all web visits today according to a cited statistic. In 2016, more than two-thirds of North America’s Internet traffic was encrypted, according to another research source.
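To make the handshake pattern just described concrete, here is an added example (written for this page, not code from the original post or from any TLS library). It models the classic RSA key exchange with Go's standard library: the client encrypts a random pre-master secret under the server's public key, both sides derive the same AES-256 session key from that secret plus the two hello nonces, and application data then flows under AES-GCM. Several simplifications are assumptions of this example rather than how TLS actually works: a single SHA-256 stands in for the TLS PRF/HKDF, RSA-OAEP replaces the PKCS#1 v1.5 padding of classic TLS, there is no certificate validation, and the function names (`RunHandshake`, `Seal`, `Open`, and so on) are made up here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// randomBytes returns n random bytes; a failing crypto/rand is treated as fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// clientKeyExchange: a 48-byte pre-master secret (the TLS 1.2 size) encrypted under
// the server's public key. RSA-OAEP stands in for classic TLS's PKCS#1 v1.5 (assumption).
func clientKeyExchange(pub *rsa.PublicKey) (preMaster, wire []byte, err error) {
	preMaster = randomBytes(48)
	wire, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, preMaster, nil)
	return preMaster, wire, err
}

// deriveSessionKey mixes the pre-master secret with both hello nonces into a
// 32-byte AES-256 key. One SHA-256 stands in for the TLS PRF/HKDF (assumption).
func deriveSessionKey(preMaster, clientNonce, serverNonce []byte) []byte {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("example session key"), preMaster, clientNonce, serverNonce} {
		h.Write(p)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one record with AES-256-GCM; the nonce is prefixed so Open can find it.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a Seal record; any tampering yields an error, not garbage.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RunHandshake runs the exchange and carries one record from client to server.
func RunHandshake(message []byte) (clientKey, serverKey, recovered []byte, err error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // long-term server key
	if err != nil {
		return nil, nil, nil, err
	}
	clientNonce, serverNonce := randomBytes(32), randomBytes(32) // hello randoms
	preMaster, wire, err := clientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return nil, nil, nil, err
	}
	clientKey = deriveSessionKey(preMaster, clientNonce, serverNonce)
	// Only the holder of the private key can recover the pre-master secret from the wire.
	serverPreMaster, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wire, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	serverKey = deriveSessionKey(serverPreMaster, clientNonce, serverNonce)
	record, err := Seal(clientKey, message) // encrypted application data
	if err != nil {
		return nil, nil, nil, err
	}
	recovered, err = Open(serverKey, record)
	return clientKey, serverKey, recovered, err
}

func main() {
	ck, sk, got, err := RunHandshake([]byte("GET / HTTP/1.1")) // constructed sample request
	fmt.Printf("err=%v keys agree: %v, server read: %q\n", err, string(ck) == string(sk), got)
}
```

Two things worth noticing in the model. First, everything hinges on the server's private key: whoever holds it can recover the pre-master secret, which is why RSA key exchange offers no forward secrecy if that key is ever exposed, and it is the same public-key-wraps-a-symmetric-key structure that the post later describes being turned against data at rest. Second, AES-GCM is an authenticated mode, so a flipped byte in a record is rejected outright rather than decrypted into garbage; the length check in `Open` is the kind of defensive guard a parser of such records needs so that a truncated record produces an error instead of a panic.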

Further, the Let’s Encrypt service from the Internet Security Research Group is accelerating adoption of encryption in order to deliver SSL/TLS everywhere by providing a free, automated, and open-source certificate authority. Google too seems to have thrown its hat into the ring. It is believed that Google gives higher marks to websites that use encryption while penalizing those that don’t.

So there is definitely a push for more and more SSL/TLS.

However, there is a flip side to this. Encryption has become a handy tool for the bad guys, who slip malware in disguised within encrypted information flows, thereby evading detection by typical enterprise network defenses. More than 25 percent of outbound web traffic is said to be encrypted, while as much as 80 percent of organizations reportedly do not inspect their SSL/TLS traffic, making it easier for hackers to use SSL/TLS to cover their tracks. Per Gartner, more than half of the network attacks targeting enterprises in 2017 will use encrypted traffic to bypass controls, and most advanced persistent threats already use SSL/TLS encryption.

An example of the perils of encryption is ransomware. Public keys were intended to encrypt data in motion between clients and servers as part of SSL/TLS. Enter the ransomware band of digital pirates, who turned that around to encrypt data at rest on the victim’s machine. From then on, the private key became a weapon (with AES 256-bit encryption, no less) to hold computers and their valuable data hostage. Pay up or walk the plank, the choice is yours, was the message! And pay up many did, providing a lucrative business model to the perpetrators. Command-and-control servers, too, are increasingly using encrypted communication to control malware on the network and unleash their botnet armies for exploits that include data exfiltration and DDoS attacks.

So far, there has been the regular Internet that we all know and the so-called dark Internet or dark web, the nefarious digital underworld. When you look at enterprise networks, there are the regular, expected information flows. Then (potentially) there are the clandestine flows between compromised computers: that includes both east-west traffic as the malware spreads within the network and north-south flows to the controlling servers. Black and white is what the picture appears to be, at first glance.

Today, though, black and white seem to be converging to a shade of gray: traffic that looks benign but isn’t; digital certificates that seem trustworthy but aren’t; emails that appear to be legit but are phishing or spear-phishing attacks instead; endpoints that seem regular and valid but are instead compromised nodes sending out sensitive information.

Into this cybersecurity concoction, add the public cloud. Providers like Amazon, Google, and Dropbox are known to convey security and trust, and clearly their cybersecurity defenses are second to none. But when you have hundreds to thousands of tenants, it is hard to keep up. Spinning up VMs in the cloud is a convenient tool for folks running command-and-control centers and distributing malware. Indeed, 10% of repositories hosted by cloud providers, including some on Amazon and Google, are said to be compromised. There is certainly nothing like the cloak of cloud-based familiarity when it comes to hiding cybersecurity exploits.

When it is the likes of Amazon and Google that you are dealing with, everything is expected to be hunky-dory. After all, the cloud is a foundational pillar of the increasingly digital world we are heading toward. Nevertheless, with the rapid increase in shadow IT and everyone signing up for cloud services willy-nilly, it is certainly tough for enterprise IT to stay on top of the goings-on.

For the security professional, zero trust is therefore becoming the operative word. Perimeter-based security is going the way of the dodo. Trust but verify is the slogan being adopted by one and all; ironic that it is the translation of a Russian proverb. Evidently, things are not what they seem.
