As more and more traffic on the Internet is encrypted, the very encryption that is meant to protect data is also being used to hide malicious traffic. One very publicized example of this turns out to be the Equifax breach in 2017. In the August 2018 GAO report, it was disclosed that the breach was not detected for over two months because the files that were being exfiltrated were encrypted and because the system that was supposed to decrypt and inspect the files had an expired certificate and was not working.
Financial Institutions need to ensure that their controls include the ability to observe threats inside of encrypted data. Most security tools have the capability to do this, but institutions need to implement these for them to be effective. In this article, we will look at several examples of areas in which you should have the ability to inspect encrypted data:
Web Filter: Web filters all have the capability to block sites based on an index of categories so that known undesirable sites are blocked. But not all sites are indexed and many of these unindexed sites are encrypted. If a user clicks on an encrypted website containing malware, the traffic between the user and the bad site will be encrypted unless the web filter has the ability to decrypt the data before it gets to the user. Most enterprise web filters have the capability to perform this decryption, but the institution will normally need to configure this feature.
Email: Most email messages are encrypted today, which means that email security systems need the ability to decrypt both incoming and outgoing email messages. Encrypted incoming messages could contain malicious links or malware that negatively impact an institution. Encrypted outgoing messages could contain data that is being exfiltrated by an insider or by an external attacker.
Data Loss Prevention: Data Loss Prevention (DLP) systems inspect outgoing data for sensitive content and block that data from leaving the institution. If the data is encrypted, the DLP system may not be able to see the sensitive data. The DLP system needs to be able to decrypt data to inspect it, and it is best if the DLP system is configured to block any data that it cannot decrypt.
IDS/IPS System: An internal or external IDS/IPS can usually inspect data for suspicious behavior but needs the ability to see the data to perform this function well. An IPS that is able to inspect encrypted traffic is vital to stopping some of the more sophisticated types of attacks.
If your institution needs assistance in assessing how controls are implemented, Bedel Security can help! Contact us a support@bedelsecurity.com