Encrypted communications are very en vogue post-Snowden, but there can be unintended consequences. The growing use of encryption to address privacy concerns is creating perfect conditions for cyber-criminals to hide malware inside encrypted transactions, and is even reducing the level of sophistication required for malware to avoid detection.
That’s the word from Blue Coat Systems, which found in a recent study that encryption enables threats to bypass network security and allows sensitive employee or corporate data to leak from anywhere inside the enterprise. That’s because encryption makes communications private, and the lack of visibility into SSL traffic represents a potential vulnerability in many enterprises where benign and hostile uses of SSL are indistinguishable to many security devices.
“The tug of war between personal privacy and corporate security is leaving the door open for novel malware attacks involving SSL over corporate networks that put everyone’s data at risk,” said Hugh Thompson, chief security strategist for Blue Coat, in a statement. “For businesses to secure customer data and meet regulatory and compliance requirements they need the visibility to see the threats hiding in encrypted traffic and the granular control to make sure employee privacy is also maintained.”
Overall, the growing use of encryption means many businesses are unable to track the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. In fact, over a 12-month period beginning September 2013, between 11% and 14% of the security information requests that Blue Coat researchers received on average each week were asking about encrypted websites. And in a typical seven-day period, Blue Coat Labs receives over 100,000 requests from customers for security information about sites using the HTTPS encryption protocol for command and control of malware.
Malware attacks, using encryption as a cloak, do not need to be complex because the malware operators believe the encryption prevents the enterprise from seeing the attack, Blue Coat said. So, significant data loss can occur as a result of malicious acts by hostile outsiders or disgruntled insiders, who can easily transmit sensitive information.
Blue Coat noted that one example of an unsophisticated malware threat hiding in encrypted traffic is Dyre, a widely distributed, password-stealing trojan originating in Ukraine.
“After authorities shut down Zeus, one of the most successful Trojan horse malwares, Dyre quickly took its place by simply adding encryption,” the firm noted. “Today, Dyre exploits human behavior to target some of the world’s largest enterprises to compromise accounts that can expose Social Security numbers, bank account information, protected health information, intellectual property and much more.”
Further, when attackers simply combine short-lived websites with encryption and run incoming malware and/or outgoing data theft over SSL, organizations can be completely blind to the attack, and unable to prevent, detect or respond to it.
“Corporate security demands must be balanced with privacy policies and applicable compliance requirements,” Blue Coat said. “Because corporate policies and applicable compliance regulations can vary geographically on a per-organization and per-industry basis, businesses need flexible, configurable, customizable and targeted decryption capabilities to meet their unique business needs.”