By Rui Ataide, RSA Advanced Cyber Defense Advisory Practice Consultant
More and more we hear about mobile app/phone companies and other cloud-based services acting as a sort of “man-in-the-middle” between their users and the content they request. Some of these are well perceived and even accepted, others are not. The common point in all of them is the reason they were implemented: to improve one or more aspects of the service being provided, be it through compression, faster response times or any other stated reason. Most end-users in these cases tend to accept the situation as long as they are informed before or when they start using the service or application. The debate in some cases is over the clarity of the notification, or how deep it was buried in the small print.
As a security-conscious individual, I’ve learned to educate people on the advantages of encryption. Personally, I’m a great believer in its necessity and one of its many users. I hardly ever access or provide personal information over any non-encrypted channel. In some cases, I even refuse to provide that same information over an encrypted channel if ultimately the data will be decrypted and used or stored somewhere I don’t trust. However, these days I’m often faced with having to defend the advantages of NOT always using encryption.
“Why?” you may ask. One of those reasons is cost. Encryption still has a high cost given its computational needs when dealing with large volumes of data. If you don’t believe me, just look at the number of large sites that still only offer encryption for things like authentication and then default to clear-text for additional content.
Up until recently, most social networks and large providers had “Use SSL” as a checkbox hidden somewhere in your profile and not enabled by default. Some sites don’t even offer the option. Their reasons go on and on… Why use encryption to transfer data that is not stored encrypted and publicly available to most anyway? Why pay more for a wildcard certificate if all we want to protect is our store’s payment transactions because regulations force us to do it?
As security engineers, I think we’ve all had to fight this and similar battles at one point in time, probably on either side of the field depending on the situation.
I’m currently involved in a lot of security analytics, security response, and other defensive activities. While encryption provides a level of protection when it comes to defense, it also causes a lack of visibility when analyzing network traffic.
More and more, even the “bad guys” are using encryption to cover their tracks and avoid detection. It’s therefore no surprise that more and more organizations are using SSL inspection devices to monitor their traffic and infrastructure. I actually find myself recommending that they use the technology, and advising on how best to implement it.
SSL inspection devices are nothing more than a well-designed man-in-the-middle that splits the encrypted session into two separate encrypted streams: one between the client and the device, and one between the device and the destination server. They therefore still provide an adequate level of protection to end-users while allowing security analysts and devices to properly monitor and alert when malicious or unwanted activity takes place. This could be something as simple as a user uploading a confidential document to his/her personal webmail account, or as elaborate as someone using an SSL VPN to connect back to a host using a Dynamic DNS name service (a technique commonly used by current malware and advanced attackers).
In most organizations, these SSL “decryption” devices are deployed in the outbound path of traffic. They are low latency, provide the ability to block traffic that can’t be decrypted, include lists of exclusions (e.g. online banking, airlines, well-known online retailers), and are relatively easy to justify, not to mention the added bonus of providing visibility into previously unseen threats. Yes, they do raise issues with users’ privacy and data protection laws, but most of these laws account for the fact that if users are properly notified about the monitoring of business systems, then the organization is covered.
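The deployment pattern described above (an exclusion list that is never decrypted, blocking of sessions that cannot be decrypted, and alerting on what the decrypted stream makes visible) can be sketched as a small policy and detection pass over per-session records. The code below is an added example, not code from the original post or from any RSA product: the log format, the exclusion and webmail domains, the sample log lines and the 1 MB upload threshold are all constructed for illustration, and the dynamic DNS suffix list is only a starting point that would be extended for a real environment.

```python
"""Toy decrypt/bypass/block policy with two detections for an SSL-inspection point.

Added example. Everything below (log format, domains, thresholds) is constructed;
a real deployment would take these from the inspection device's own configuration.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List, Sequence, Tuple

# Hostname suffixes that are never decrypted (constructed exclusion list,
# standing in for the "online banking / airlines / retailers" categories).
DECRYPT_EXCLUSIONS = ("onlinebank.example", "airline.example")
# Dynamic DNS provider suffixes worth an alert (illustrative starting list).
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "dyndns.org", "duckdns.org")
# Personal webmail suffixes (constructed).
PERSONAL_WEBMAIL_SUFFIXES = ("webmail.example",)
# Assumed tuning value: uploads at or above this size to personal webmail get flagged.
UPLOAD_ALERT_BYTES = 1_000_000


@dataclass
class Flow:
    src_ip: str
    host: str          # from SNI / certificate; visible even when not decrypting
    decryptable: bool  # False when the device cannot terminate the session (e.g. pinning)
    method: str = ""   # only known once the stream is decrypted
    path: str = ""
    bytes_out: int = 0


def host_matches(host: str, suffixes: Sequence[str]) -> bool:
    """True if host equals a suffix or is a subdomain of it (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def decide(flow: Flow) -> Tuple[str, List[str]]:
    """Return (action, alerts) where action is 'bypass', 'block' or 'decrypt'."""
    alerts: List[str] = []
    # The destination name is visible from SNI regardless of the decrypt decision,
    # so the dynamic DNS check runs on every flow.
    if host_matches(flow.host, DYNAMIC_DNS_SUFFIXES):
        alerts.append("dynamic-dns-destination")
    if host_matches(flow.host, DECRYPT_EXCLUSIONS):
        return "bypass", alerts
    if not flow.decryptable:
        return "block", alerts
    # Content-level checks are only possible on the decrypted stream.
    if (host_matches(flow.host, PERSONAL_WEBMAIL_SUFFIXES)
            and flow.method.upper() in ("POST", "PUT")
            and flow.bytes_out >= UPLOAD_ALERT_BYTES):
        alerts.append("large-upload-to-personal-webmail")
    return "decrypt", alerts


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed CSV session log into Flow records."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append(Flow(
            src_ip=row["src_ip"],
            host=row["host"],
            decryptable=row["decryptable"] == "1",
            method=row.get("method") or "",
            path=row.get("path") or "",
            bytes_out=int(row.get("bytes_out") or 0),
        ))
    return flows


# Constructed sample log: one bypassed bank session, one large webmail upload,
# one undecryptable session to a dynamic DNS host, one ordinary CDN fetch.
SAMPLE_LOG = """src_ip,host,decryptable,method,path,bytes_out
10.0.0.5,www.onlinebank.example,1,GET,/,0
10.0.0.5,mail.webmail.example,1,POST,/upload,4200000
10.0.0.7,host42.no-ip.org,0,,,0
10.0.0.9,cdn.example,1,GET,/lib.js,0
"""


def evaluate(text: str) -> List[Tuple[str, str, List[str]]]:
    """Run the policy over a log and return (host, action, alerts) per session."""
    return [(f.host, *decide(f)) for f in parse_log(text)]


if __name__ == "__main__":
    for host, action, alerts in evaluate(SAMPLE_LOG):
        print(f"{host:28} {action:8} {','.join(alerts) or '-'}")
```

The ordering inside `decide` matters: the dynamic DNS check uses only the server name, so it fires even for sessions the device bypasses or cannot decrypt, whereas the webmail upload check is placed after the decrypt decision because the HTTP method and body size exist only once the stream has been terminated and re-encrypted by the inspection device.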
In summary, if you are responsible for protecting your organization’s assets, you should definitely consider the pros and cons of using this technology. It is something I find myself recommending to my clients more and more often. Next time I’ll discuss in more detail the advantages of SSL decryption and will provide details of before and after scenarios.
Rui Ataide is Advisory Practice Consultant for the RSA NetWitness Incident Response / Discovery (IR/D) Practice at RSA. In this capacity, Rui is responsible for delivering holistic incident response services using state-of-the-art host and network-based tools. Using these tools, combined with advanced methodologies, Rui is able to assist clients in obtaining situational awareness and rapidly identifying threats as part of tactical responses to intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data.