With SSL being increasingly used to encrypt online data, cybercriminals are now routinely using it to hide malware. Business organisations now need to find ways of inspecting SSL traffic as part of their overarching Security strategy in order to keep data secure.

Most of us are familiar with SSL, that vital piece of crypto-graphical kit that protects our online communications. It protects communications between the web browsers we use and the servers, where websites — such as this one — are hosted.

The Positives of SSL

SSL can broadly be considered a good thing. Any transaction involving financial information, such as online banking or e-commerce, typically uses SSL to keep your information private. In recent years there has been a drive to secure all internet traffic with SSL, not just traffic containing private/sensitive information, such as username/password combinations or financial data, but general traffic as well. Major worldwide news stories in recent years, such as the Edward Snowden global mass surveillance revelations, mean more users are demanding encryption online. This rings true even in areas traditionally considered less important and the providers are more than happy to oblige.

The end result is an increased use of SSL; most of the world’s most popular websites such as Google, Amazon and Facebook now have HTTPS switched on by default for all traffic. It’s estimated that today, over half the world’s internet traffic is encrypted.

The Challenges with SSL

Whilst there’s no doubt encrypting internet traffic will protect more of our sensitive data, it actually brings increased risks for enterprises. Many enterprise security devices are blind to what’s within the encrypted traffic, meaning malware can effectively bypass them without detection.

Firewalls, web gateways, intrusion prevention systems and other security measures can struggle to detect malware that arrives via encrypted traffic. Cybercriminals being able to hide malware within a supposedly secure transaction can turn out to be a nightmare situation for enterprises without adequate visibility into SSL. It’s not just about malicious data penetrating an environment, it’s also a major issue with data moving the other direction. Potentially sensitive information can be moved out of a seemingly secure environment in an encrypted transaction that most security tools would fail to notice.

One example of this was the Dyre banking malware. This malware was capable of stealing information before encryption kicked in and then sending it back to the command and control server under the guise of legitimate encrypted traffic. The session would appear secure with the reassuring padlock symbol displayed, but behind the scenes sensitive data is being vacuumed up.

Any dodgy website could potentially serve up ‘drive-by’ malware and if the session is encrypted, security tools may not be able to determine what the actual content of that traffic is, or where it’s going. Devices such as the proxy server or the URL filtering gateway would be completely blind to it.

Gartner figures indicate that less than 20% of organisations using firewalls (IPS or UTM) are decrypting SSL traffic. This means malware hidden within SSL would have a high chance of bypassing those security platforms altogether. Gartner also mentions that this year, over 50% of network attacks targeting enterprises will be using SSL in an attempt to bypass security.

Decryption, yes or no?

How do enterprises ensure they’re not caught out by malware hiding within encrypted traffic? The simple answer would be to decrypt that traffic, but the question is how to do that without invading privacy or leaving sensitive data open to attacks.

It now becomes a question of knowing which traffic should be decrypted. If a business is serving content out to users externally, it needs to use some sort of device to offload SSL traffic from the server and then insert protection into the traffic flow. This will break the SSL, but in an intelligent way; you don’t want to decrypt an internet banking session but you’d likely want to decrypt Instant Messaging or File Transfers.

Security needs to have the intelligence to understand where the traffic is going and then make a decision on whether it should be decrypted or left as it is. It is breaking SSL, but in a safe and intelligent way.

We believe a prudent Security strategy should include visibility into SSL traffic at no cost to performance.

Conclusion

If you aren’t already inspecting SSL traffic, or looking at finding a cost-effective and non-performance impacting solution to the problem, then we would recommend doing so.

This article provides a brief overview into SSL Inspection and Security. Our engineering team is always happy to have a more substantial and case-specific discussion with you about SSL Inspection and how it could fit in within your own environment.

Get in touch with us and we can arrange further discussion on the topic and answer any questions you may have.