18 April 2019

The safer internet may be dangerous: encryption is to blame


With commonly used computer network protection tools, organizations are either unable to view encrypted communication or can only achieve the desired visibility with great difficulty and at a disproportionately high cost. A better way is to integrate some new components into the existing essential security technology.

Today data encryption is an integral part of Internet communication, allowing us to safely shop or perform banking transactions online. Without encryption anyone could view the transferred data and easily access, for instance, passwords or personal data. Nowadays, almost all website operators are gradually starting to use security certificates.

Measurements by the Soitron Security Sensor system show that at least 60% of the communication in today’s organizations is encrypted. Typically, however, it is around 80%, which corresponds to the global estimates of 80% of all internet traffic being encrypted in 2019. For the sake of comparison, two years ago only less than half of the Internet was encrypted.

Blinded administrators

With more and more websites and services being encrypted, the encryption methods are also changing and new, improved protocols for protecting the network communication are emerging (e.g., CAA, DANE, TLS 1.3, eSNI, and DoT).

The newer and more modern protocols are designed to protect data against any inspection, even if for legitimate purposes. If we also take into account the significant increase in the network capacity and thus also the volume of data transmitted, we realize that today companies and public organizations face a tsunami of strongly encrypted communication.

Audits also often lead to a significantly compromised encryption quality. For instance, a study entitled “The Security Impact of HTTPS Interception” showed that only one out of twelve devices received a satisfactory rating.

What does it mean for IT departments?

In short, it means new challenges in administration and securing IT against cyber threats. Older security tools that didn’t count with encrypted communication inspection do not provide administrators with the necessary operation visibility, thus opening new possibilities for hackers to spread malicious code or send instructions for already infiltrated malware.

In addition, some (especially mobile) applications reject even legitimate inspections of security certificates in organizations. Attackers now successfully exploit the weakened capabilities of immature security solutions to scrutinize encrypted communication.

According to the cloud service provider Zscaler, last year the number of phishing attacks hidden in encrypted communications increased by 400% year-on-year. In general, in about half of the cyber-attacks encrypted traffic was exploited to spread malware. There is no reason to believe that this proportion would decrease in the future.

An inspection with no reading

The good news is that there are ways to make seemingly invisible and well-encrypted communication at least partially transparent. A number of security technology vendors have come up with solutions based on Encrypted Traffic Analytics (ETA) that is able to identify potential threats concealed in encrypted data with great accuracy and without compromising the user convenience.

They are not trying to crack the encryption and “read” the entire content of the communication; something like that would be technically difficult and not acceptable in terms of privacy protection. The purpose of technologies for gaining visibility into an encrypted environment is to detect any abnormal behaviour based on, for example, behavioural analyses of network communication and alert you to any suspicious communication. An advantage is that this approach also helps to identify unknown threats that have not yet been described. There are no signatures available, and we know nothing about them.

With the share of the encrypted Internet traffic approaching 100% in the next few years, the cracks in existing security architectures will only grow. This does not mean that IT departments have to throw away and replace their existing resources. Rather, sooner or later, they will need to add new tools which are able to identify threats in their data traffic which would otherwise be invisible to the naked eye. The sooner they do this, the fewer threats they expose themselves to.

Stanislav Smolár

Security Business Unit Manager