Removing the blindfold to inspect encrypted communications

Without visibility into encrypted communications, IT managers can see only a portion of their network traffic, making them unable to identify and defend against threats.

Given the growing number of system and application vulnerabilities, zero-day attacks, and high-profile hacks and data breaches, the need to inspect and monitor communications in and out of enterprise networks might seem obvious.

Unfortunately, many organizations have visibility into only a portion of that suspicious or malicious traffic. Their security tools and analysts are essentially blind to encrypted communications, which makes them unable to identify and defend against malicious activity, data exfiltration and other threats such as viruses, worms or other malware.

If you are responsible for information security, it is crucial that you take steps to remove the blindfold. By understanding the challenges with cryptographic protocols, organizations can embrace encrypted communications while ensuring that they have the necessary visibility to inspect and protect corporate systems and data.

The Secure Sockets Layer protocol released in 1995 provides communication security between two hosts within a network or across the Internet. It was initially used to secure e-commerce and online banking over public networks. Now SSL and its successor, Transport Layer Security, are increasingly being adopted because of their simplicity and flexibility. SSL/TLS is used to secure most cloud-based applications, web-based email and many other online services.

Although these cryptographic protocols protect end-user data and solve many security problems related to data integrity and confidentiality, they also create blind spots within the network that are only getting larger.  

In 2016, more than two-thirds of North America's Internet traffic will be encrypted, according to Sandvine, a Canadian networking equipment company. Although encryption was previously cost-prohibitive or added enough overhead to limit its value where its use was not critical, that is no longer the case, and companies are now designing their websites to use encryption by default.  

In June, the Office of Management and Budget issued a memorandum that requires secure connections across all federal websites and web services. Further, the Let's Encrypt service from the Internet Security Research Group will likely accelerate adoption of encryption on commercial and personal sites with the goal of delivering SSL/TLS everywhere by providing a free, automated and open-source certificate authority.  

With the continued expansion of encrypted Internet communications, it's important to understand the challenges, impacts and risks they can create. Blind spots could be ignored if they are known to be of no value, but that is not the case with encrypted communications. In fact, Gartner says that by 2017 more than half the network attacks targeting enterprises will use encrypted traffic to bypass controls, and most advanced persistent threats already use SSL/TLS encryption.

Specifically, adversaries can use encryption to deliver malicious software when security controls can only scan unencrypted (or already decrypted) traffic. They can also use encrypted communications to exploit vulnerable end-user applications such as web browsers, PDF viewers, Microsoft Office products, Flash or Java.

After a successful infection, SSL and TLS can mask the command and control functions that adversaries use to maintain communications with compromised systems within the target network. The exfiltration of credentials or other sensitive information can be hidden within the same SSL/TLS-encrypted sessions. If those communications are not decrypted for inspection, systems and employees responsible for monitoring and defending against that type of event cannot effectively spot compromises.

To optimize and standardize the security of external Internet connections to federal agencies, OMB established the Trusted Internet Connections initiative in 2007. The associated TIC Reference Architecture identifies mandatory critical and recommended capabilities based on evolving technologies and threats, including a specific requirement for encrypted traffic inspection. That requirement, which can be seen in the TIC Reference Architecture v2.0, states that any TIC access provider (TICAP) must have "a documented procedure or plan that explains how it inspects and analyzes encrypted traffic" and must include "defensive measures taken to protect TICAP clients from malicious content or unauthorized data exfiltration when traffic is encrypted."

As a critical and mandatory requirement, no federal agency should be without such procedures and plans for inspecting encrypted traffic.

To effectively identify and implement procedures for inspecting encrypted communications in and out of a corporate network, it is important that the process is appropriately planned, communicated and coordinated with stakeholders. Here are six key recommendations for providing the necessary visibility into encrypted communications.

1. Identify encrypted traffic flow

Before attempting to choose or implement a solution, identify where and how encrypted traffic flows in and out of the network. The location and amount of encrypted communications and the types of encryption protocols used must be understood to ensure appropriate visibility and correctly develop a solution that minimizes degradation of performance.

Although web and email communications are primary threat vectors, do not forget about file transfers and other communications with external trusted and untrusted partners.  
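As an added illustration of the inventory step above (not code from the original article), a minimal Python parser that pulls the SNI hostname, offered cipher suites and advertised TLS versions out of a TLS ClientHello, which is the passive information a team can use to map where encrypted flows go and which protocol versions are in play before choosing a decryption solution. The sample record is constructed inside the block by a small builder; the hostname, cipher list and fixed random bytes are made up.

```python
import struct

# Builder used only to construct realistic sample input (not captured from a real
# network); the hostname and cipher suites passed to it are made-up values.
def build_client_hello(server_name: str, ciphers: list, version: int = 0x0303) -> bytes:
    """Assemble a TLS 1.2-style ClientHello record carrying SNI and supported_versions."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0: server_name
    ext_versions = struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x04"       # supported_versions: TLS 1.3
    exts = ext_sni + ext_versions
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"           # version, fixed "random", empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type=ClientHello, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record: handshake, legacy version


def parse_client_hello(data: bytes) -> dict:
    """Extract version fields, SNI and offered cipher suites from a ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_version = struct.unpack("!H", data[1:3])[0]
    pos = 9                                        # 5-byte record header + 4-byte handshake header
    client_version = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    pos += 32                                      # skip client random
    sid_len = data[pos]; pos += 1 + sid_len        # skip session id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = data[pos]; pos += 1 + comp_len      # skip compression methods
    info = {"record_version": record_version, "client_version": client_version,
            "ciphers": ciphers, "sni": None, "supported_versions": []}
    if pos + 2 > len(data):
        return info                                # legacy hello without extensions
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        edata = data[pos:pos + elen]; pos += elen
        if etype == 0x0000 and len(edata) >= 5:                          # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == 0x002b and edata:                                  # supported_versions: len byte, then pairs
            info["supported_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                          for i in range(1, 1 + edata[0], 2)]
    return info


if __name__ == "__main__":
    sample = build_client_hello("portal.example.gov", [0x1301, 0xC02F, 0x000A])
    print(parse_client_hello(sample))
```

Fed the first bytes of each new outbound session, the same parser lets a sensor record destination name, version and cipher offers per flow without decrypting anything, which is the baseline for deciding where inspection is needed and where performance will be affected.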

2. Existing technologies can help but might not be enough

Existing technologies such as web and email gateways, proxy devices and application load balancers might have the ability to decrypt encrypted communications. However, those tools are often designed to monitor and analyze specific traffic and could degrade network performance when attempting to also handle decryption of large amounts of data.

More important, those technologies are usually not optimized to support a visibility architecture in which decrypted communications can also be made available to other network- and endpoint-monitoring tools, such as intrusion detection and prevention system sensors, data loss-prevention systems and advanced forensics.  

3. Obtain top-level support and work closely with legal counsel

Although warning banners should already include appropriate language informing users that their rights to privacy are limited when using agency systems and networks, inspection of encrypted communications can often be a sensitive subject. Thus, it is imperative that policies be backed by organizational leaders and legal counsel to ensure support and compliance with corporate and government regulations.

4. Prepare for exceptions

Although the goal is to have the ability to decrypt and inspect all encrypted communications, there will be exceptions, and it is critical that processes and procedures are established to support those exceptions. For example, some proprietary encrypted voice and video communications might not function properly if interrupted by a decryption and inspection process between the client and server. Similarly, client-side certificates often create complications that many SSL/TLS decryption technologies cannot handle.

Additionally, exceptions might be required for particularly sensitive data, such as health care, banking/financial or law enforcement/legal information. Even if such data is inspected with system tools, it might not be appropriate for the IT staff to be able to read it or store and maintain it.

5. Confirm and convey certificate validity

A critical component of establishing encrypted communication is confirming the validity of the external system by exchanging and validating certificates. It is important that SSL/TLS decryption technologies do not put clients at increased risk by requiring them to validate the legitimacy of the site to which they are connecting. The inspection capability should perform the validation of external certificates and convey the results of the validation to the client.

6. Decryption is not enough

Remember that decrypted data is only valuable if it is made available to appropriate inspection technologies and is properly analyzed to identify threats. Therefore, officials must ensure that appropriate staff and technologies have access to the decrypted data required to defend the enterprise.

As noted by FBI Director James Comey, "The development and robust adoption of strong encryption is a key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cybersecurity," but it also creates a problem that law enforcement calls "going dark." Therefore, it is critical that encryption technologies be maintained while ensuring the necessary visibility and inspection to defend the enterprise.

As attacks that use encrypted traffic to bypass controls continue to increase, agencies should remove any blindfold that limits network visibility.
