Technology poses a constant dilemma to companies every day. On one hand, it makes our lives easier and in many cases more efficient. On the other hand, it leaves those who don’t understand or respect the need for data security vulnerable to cyber criminals.
No organization is immune to the threat of security breaches, but implementing data encryption is a major safeguard: it helps protect confidential information such as patient data and credit card holder data, and, most of all, it protects your organization’s reputation.
In this month’s blog, we turn our attention to the need for encryption/decryption in your environment.
Encryption technologies allow us to have reasonable security when performing financial transactions and conducting business with trusted agents. We are ensured that the communication cannot be deciphered by a third party, and the data is only shared with appropriate parties.
Decryption is the process of decoding this traffic so that it can be consumed; between the sender and the receiver, however, all data are transmitted as an encrypted traffic stream.
This technology allows for secure communications; however, more and more, it is being used to mask or hide what is traversing your network, including botnets, command and control traffic, malware, viruses, etc. When you cannot inspect this encrypted traffic, you run into the old adage: you cannot stop what you cannot see, and what you cannot see can be dangerous or damaging. And if you are in a typical environment, anywhere between 45-60% of your traffic is encrypted as it passes through your firewall on the way to the Internet.
The goal of in-line decryption is to provide access to the packet data so that traffic may be inspected. But, what kinds of traffic should be decrypted and inspected? For starters, web-based email, traffic to unknown sites, communication with business partners, and online storage and file sharing. Administrators would decrypt it for several reasons, including protecting network assets from malware, data loss prevention, and conformance to data sharing policies. (e.g., where should I be seeing PII transferred?)
Some traffic should not be decrypted. As an administrator, you are responsible for what your systems are logging and collecting; therefore, traffic that should not be decrypted includes the following:
- Credit card data, bank account information, and most financial transactions
- Health and human services information
- Online shopping from reputable (known) shopping sites
- Some government and legal communications
Encrypted traffic poses a threat to your data security. Primarily, you will have a lack of visibility into what traffic is egressing your network. You will also be ignoring a potentially large threat vector, having no insight into attachments and no insight into the actual applications that are running over SSL. Also, a single SSL session may have multiple applications, and some of those applications may not be desirable on your network (e.g., peer-to-peer traffic, BitTorrent, etc.).
As you are aware, attachments often contain very bad things: macros, scripts, malware, etc. The use of SSL makes attachments undetectable and uninspectable. Finally, SSL can be used for tunneling traffic and data exfiltration, all out of sight and under the radar.
There are ways to implement SSL decryption in your own environment, and we recommend working with a qualified security analyst and architect to design a solution that best fits your needs. For starters, an administrator can take steps to limit what is happening with traffic they cannot see by using criteria that are actually visible, for example, by using URL filtering to block known malware sites. Next, take steps towards full traffic visibility, including in-line decryption, proxy decryption, and even wire traffic monitoring.
Also, a word of warning: it is best to bite off SSL decryption bit by bit. Don’t try to swallow the whole elephant in one bite. Start with a beta group and test all variables. Then expand your test base to include user groups and a wider range of applications. Finally, after you have decrypted traffic, you may need to adjust your application-based security policies, as applications previously defined as “SSL” will now be identified.
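To make the decision logic above concrete, here is an added example (not code from the original post or from NETSource) of a small decryption-policy evaluator. It uses only attributes that are visible without decrypting the session (the client’s user group, the TLS SNI hostname from the ClientHello, and the URL-filter category that hostname maps to) to decide whether an inspection point should decrypt, bypass or block a flow. It encodes the three ideas from the text: the categories that should not be decrypted, blocking known malware sites from visible criteria alone, and scoping decryption to a pilot group first. The category database, hostnames and group names are constructed for illustration; real decryption appliances express the same policy in their own configuration syntax.

```python
# Added example, not from the original post: a minimal decryption-policy
# evaluator driven by attributes visible without decryption.
# All hostnames, categories and group names below are constructed.

from dataclasses import dataclass

# Categories the post says should NOT be decrypted (privacy / regulatory).
NO_DECRYPT_CATEGORIES = {
    "financial", "banking", "health", "government", "legal", "trusted-shopping",
}

# Categories the post says should be decrypted and inspected.
INSPECT_CATEGORIES = {"webmail", "unknown", "partner", "cloud-storage", "file-sharing"}

# Categories blocked outright by URL filtering; no decryption needed to act.
BLOCK_CATEGORIES = {"known-malware"}

# Constructed URL-filter category database keyed by domain (parent domains inherit).
CATEGORY_DB = {
    "example-webmail.test": "webmail",
    "bank.example-bank.test": "financial",
    "portal.example-health.test": "health",
    "partner.example-corp.test": "partner",
    "bad.example-malware.test": "known-malware",
}


@dataclass(frozen=True)
class TlsFlow:
    client_group: str   # e.g. "pilot" or "all-users" (constructed group names)
    sni: str            # server name from the TLS ClientHello, sent in the clear
    category: str       # URL-filter category resolved from the SNI


def classify_sni(sni: str, category_db: dict) -> str:
    """Resolve an SNI to a category by walking up its parent domains."""
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in category_db:
            return category_db[candidate]
    return "unknown"


def decide(flow: TlsFlow, pilot_groups: set) -> tuple:
    """Return (action, reason); rule order matters and is documented inline."""
    # 1. Known-bad destinations are blocked from visible criteria alone.
    if flow.category in BLOCK_CATEGORIES:
        return ("block", "url-filter: known malware category")
    # 2. Regulated / private categories are never decrypted, for any user.
    if flow.category in NO_DECRYPT_CATEGORIES:
        return ("bypass", f"policy exclusion: {flow.category}")
    # 3. Staged rollout: only the pilot groups get decryption at all.
    if flow.client_group not in pilot_groups:
        return ("bypass", "outside pilot scope")
    # 4. Within the pilot, decrypt the categories the post calls out.
    if flow.category in INSPECT_CATEGORIES:
        return ("decrypt", f"inspect: {flow.category}")
    # 5. Anything unlisted is left alone until the rollout widens.
    return ("bypass", "no matching rule (default bypass during rollout)")


def build_flow(client_group: str, sni: str) -> TlsFlow:
    return TlsFlow(client_group, sni, classify_sni(sni, CATEGORY_DB))


# Constructed sample flows as an inspection point would see them.
SAMPLE_FLOWS = [
    build_flow("pilot", "mail.example-webmail.test"),
    build_flow("pilot", "bank.example-bank.test"),
    build_flow("all-users", "portal.example-health.test"),
    build_flow("pilot", "files.partner.example-corp.test"),
    build_flow("all-users", "bad.example-malware.test"),
    build_flow("all-users", "cdn.unlisted.test"),
]


def evaluate(flows, pilot_groups=("pilot",)) -> list:
    """Apply the policy to each flow; returns [(sni, action), ...]."""
    groups = set(pilot_groups)
    return [(f.sni, decide(f, groups)[0]) for f in flows]


if __name__ == "__main__":
    for sni, action in evaluate(SAMPLE_FLOWS):
        print(f"{action:8} {sni}")
```

Widening the pilot is just a matter of passing more groups to `evaluate` (for example `("pilot", "all-users")`), at which point the unlisted `cdn.unlisted.test` flow moves from bypass to decrypt because it falls into the “unknown” category the post says to inspect; the regulated and known-malware decisions do not change with scope.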
NETSource offers a wide range of security products specifically tailored to improve your security posture. We call it “Secure by Design.” Our team delivers a complete end-to-end solution to include security, network, compute, storage, and services leveraging local resources for faster response. NETSource cultivates and maintains relationships with “Best in Class” IT Vendors, including emerging and disruptive technologies. We pride ourselves on taking an IT agnostic approach to solving customers’ challenges and or needs.
About the Author: Craig Lockhart is a Security and Networking Professional with over 20 years of enterprise information technology experience specializing in state-of-the-art network security solutions. He works with small to large Fortune 200 enterprises alike, to design and improve the customer’s network security posture, with a focus on security network design, implementation, and education. He is dedicated to providing strong technical guidance to ensure his customers have a firm understanding of the decisions they are making. Craig holds a BA from the University of Colorado, an MA in Psychology from The Seattle School, and is a Certified Information Systems Auditor (CISA).