Organisations have always been told that strong encryption is their friend. When applied to internet traffic, encryption secures the connection between user and website, locking the bad guys out and foiling the hijackers attempting to spoof legitimate sites or eavesdrop on communications.
So when Mozilla recently revealed that the majority of web pages loaded by Firefox used the secure HTTPS protocol, it seemed like a good news day for information security. Naturally, the story is far more complex than that.
The truth is that attackers are becoming increasingly adept at hiding inside these encrypted ‘tunnels’, which conceals their activity from even the best defences. For example, roughly 90% of CIOs have already been attacked, or expect to be, by hackers hiding in encrypted traffic.
Businesses urgently need to improve their management of encrypted tunnels, or they risk undermining the effectiveness of their own cyber security defences. But for that to happen, organisations must first gain visibility and control over their expansive estates of digital keys and certificates.
These keys and certificates are the cryptographic assets that form the foundation of encryption, allowing machines to identify each other in the same way usernames and passwords work for human users.
CISOs do not accept limited visibility over identity and access management for their users; the same rigorous oversight needs to be extended to keys and certificates.
Inside the tunnel
The growth of HTTPS is both a positive and negative thing. Encryption is the primary tool used to keep internet transactions out of the reach of prying eyes, and we’ve seen increased adoption over the past few years, partly driven by revelations of mass state surveillance exposed by NSA whistleblower Edward Snowden.
HTTPS protects the sensitive data of hundreds of millions of users around the world, offering protection against man-in-the-middle attacks and attackers looking to spoof trusted sites.
Encrypted traffic is beginning to become the norm, rather than the exception, and a survey from this year’s RSA Conference showed that this trend will continue: two-thirds (66%) of attendees said that their organisation is planning to increase encryption usage.
But what happens when a hacker manages to get into encrypted traffic? This is not a hypothetical problem – a third (32%) of security professionals at RSA said that they are either “not confident” or have only “50% confidence” in their organisations’ ability to protect and secure encrypted communications.
And once an attacker is operating inside encrypted traffic, that traffic offers the same protection, but this time against the organisation’s own security tools. Intrusion detection and prevention systems, firewalls and similar tools are rendered useless, unable to inspect the traffic going in and out of the organisation.
A hacker could hide malware or web exploits from these tools to launch an attack and then use the encrypted tunnel to ferry stolen data out again.
A foundation of trust
The problem ultimately boils down to the digital keys and certificates that form the Internet’s base of cyber security and trust. Today, this system is used to secure everything from online banking to mobile apps and the Internet of Things (IoT). There’s just one problem: our foundation is built on sand.
The volume of keys and certificates has exploded over recent years, thanks to virtualisation and the growth in mobile devices, cloud servers and now the IoT. Everything with an IP address depends on a key and certificate to create a secure connection.
But organisations simply can’t keep track of this explosive growth, and keys and certificates are often left unsecured or managed by hand. This has allowed cyber criminals to sneak in and use unprotected keys and certificates for their own ends.
The problem will only get worse as the number of IoT devices grows. Gartner recently claimed 8.4 billion connected devices will be in use globally by the end of 2017, up 31% from 2016, and reach a staggering 20.4 billion by 2020.
Additionally, half of the organisations Venafi polled last year said they saw key and certificate usage grow by over 25%. And one in five claimed it had increased by more than 50%.
Shining a light
As keys and certificates grow, so do the opportunities for the hackers. But there is hope. If we’re able to provide our security tools with the all-important keys, then they can open up and inspect encrypted traffic to ensure it doesn’t contain anything malicious.
This is easier said than done, especially given the hundreds of thousands of keys and certificates a typical organisation must manage. Keys and certificates are created and retired every day.
What organisations need is a centralised intelligence and automation system. This will ensure that all security tools are provided with a continuously updated list of all the relevant keys and certificates they need in order to inspect encrypted traffic.
By automatically discovering every key and certificate generated by your organisation as it is created, and integrating this data into security tools, you can finally shine a light on encrypted tunnels.
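The discovery-and-inventory step described above is easy to state and hard to do well. As an added example, not code from the article or from Venafi, the Go program below does the bookkeeping side of it: it walks a PEM bundle of the kind a discovery job would collect from config files and TLS handshakes, and flags the conditions an inventory should surface before anyone tries to hand keys to inspection tools: certificates that are expired or about to expire, certificates backed by undersized RSA keys, and self-signed leaf certificates that never went through the organisation's CA. The CA name, hostnames, dates, the 30-day warning window and the 2048-bit threshold are all constructed for the example; the estate it inspects is generated in memory so it runs offline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Finding struct{ Subject, Issue string }

// InspectCert runs the checks an inventory should apply to every discovered certificate:
// expiry window, RSA key size, and self-signed leaf certificates (issuer equals subject and
// the signature verifies under the certificate's own key); a self-signed CA root is legitimate.
func InspectCert(cert *x509.Certificate, now time.Time, warnWithin time.Duration) []Finding {
	var out []Finding
	name := cert.Subject.CommonName
	switch {
	case now.After(cert.NotAfter):
		out = append(out, Finding{name, "expired"})
	case cert.NotAfter.Sub(now) < warnWithin:
		out = append(out, Finding{name, "expires within warning window"})
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, Finding{name, fmt.Sprintf("weak RSA key (%d bits)", pub.N.BitLen())})
	}
	if !cert.IsCA && bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		out = append(out, Finding{name, "self-signed leaf certificate"})
	}
	return out
}

// InventoryPEM walks every CERTIFICATE block in a PEM bundle (the form a discovery job
// collects from config files and TLS handshakes) and returns the findings for all of them.
func InventoryPEM(bundle []byte, now time.Time, warnWithin time.Duration) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		findings = append(findings, InspectCert(cert, now, warnWithin)...)
	}
	return findings, nil
}

// makeCert builds a constructed test certificate (nil parent means self-signed) and returns
// it parsed and PEM-encoded. Every test cert carries KeyUsageCertSign so self-signing works.
func makeCert(cn string, key crypto.Signer, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle assembles a constructed estate: an internal CA root, a healthy leaf, a legacy
// leaf with a 1024-bit RSA key about to expire, and an expired self-signed leaf that bypassed the CA.
func SampleBundle() []byte {
	date := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, webKey, _ := ed25519.GenerateKey(rand.Reader)
	_, devKey, _ := ed25519.GenerateKey(rand.Reader)
	legacyKey, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak
	ca, caPEM := makeCert("Example Internal CA", caKey, true, date(2027, 1, 1), nil, nil)
	_, webPEM := makeCert("web.example.internal", webKey, false, date(2018, 6, 1), ca, caKey)
	_, legacyPEM := makeCert("legacy.example.internal", legacyKey, false, date(2017, 6, 10), ca, caKey)
	_, devPEM := makeCert("dev.example.internal", devKey, false, date(2017, 1, 1), nil, nil)
	return bytes.Join([][]byte{caPEM, webPEM, legacyPEM, devPEM}, nil)
}

func main() {
	now := time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	findings, _ := InventoryPEM(SampleBundle(), now, 30*24*time.Hour)
	for _, f := range findings {
		fmt.Printf("%-26s %s\n", f.Subject, f.Issue)
	}
}
```

Run as written, the program reports nothing for the CA root and the healthy leaf and four findings for the other two certificates. One caveat worth keeping in mind when reading the surrounding passage: handing server private keys to a passive inspection device only lets it decrypt sessions that used RSA key exchange; sessions negotiated with forward-secret (ECDHE) cipher suites cannot be opened that way, and inspecting them requires an in-line TLS termination proxy that itself presents a certificate the inventory must track.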
The result? IT leaders will not only benefit from improved resilience from cyber attacks, data breaches and the like, but also finally gain full value from their technology investments.
With encrypted traffic growing all the time and 85% of CIOs expecting criminal misuse of keys and certificates to get worse, businesses can’t afford to hang around.
Sourced by Kevin Bocek, chief cyber-security strategist at Venafi