Blue Coat reveals security risks hiding in encrypted traffic

Blue Coat Systems, Inc has announced that in a typical seven-day period, Blue Coat Labs receives over 100,000 requests from customers for security information about sites using HTTPS encryption protocol for command and control of malware.

The use of encryption across a wide variety of websites—both business and consumer -- is increasing as concerns around personal privacy grow. In fact, eight of the top 10 global websites1 as ranked by Alexa deploy SSL encryption technology throughout all or portions of their sites. For example, technology goliaths Google, Amazon and Facebook have switched to an “always on HTTPS” model to secure all data in transit using SSL encryption.

Business-essential applications, such as file-storage, search, cloud-based business software and social media, have long-used encryption to protect data-in-transit. However, the lack of visibility into SSL traffic represents a potential vulnerability in many enterprises where benign and hostile uses of SSL are indistinguishable to the casual observer. As a result, encryption enables threats to bypass network security and allows sensitive employee or corporate data to leak from anywhere inside the enterprise.

Revealing the Visibility Void
As Blue Coat’s latest security report, “The Visibility Void” explains, encrypted traffic is becoming more popular with cyber criminals because:
· Malware attacks, using encryption as a cloak, do not need to be complex because the malware operators believe the encryption prevents the enterprise from seeing the attack
· Significant data loss can occur as a result of malicious acts by hostile outsiders or disgruntled insiders, who can easily transmit sensitive information
· By simply combining short-lived websites, One-Day Wonders, with encryption and running incoming malware and/or outgoing data theft over SSL, organizations can be completely blind to the attack, and unable to prevent, detect or respond.

The growing blanket use of encryption means many businesses are unable to track the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. In fact, over a 12 month period beginning in September 2013, between 11 percent and 14 percent of the security information requests that Blue Coat researchers received on average each week were asking about encrypted websites.

One example of an unsophisticated malware threat hiding in encrypted traffic is Dyre, a widely distributed, password-stealing Trojan originating in the Ukraine. Dyre succeeded one of the most popular one of the most successful Trojan horse malwares, Zeus, after authorities shut down the original malware, by simply adding encryption. Today Dyre exploits human behavior to target some of the world’s largest enterprises to compromise accounts that can expose Social Security numbers, bank account information, protected health information, intellectual property and much more.

“The tug of war between personal privacy and corporate security is leaving the door open for novel malware attacks involving SSL over corporate networks that put everyone’s data at risk,” said Hugh Thompson, chief security strategist for Blue Coat. “For corporations to secure customer data and meet regulatory and compliance requirements, they need the visibility to see the threats hiding in encrypted traffic and the granular control to make sure employee privacy is also maintained.”

How to Preserve Security and Privacy
Corporate security demands must be balanced with privacy and compliance requirements. Because employee privacy policies and compliance regulations vary geographically, per organization and per industry, businesses need flexible, customizable and targeted decryption capabilities to meet their unique business needs. To help enterprises to preserve employee privacy while combating threats hiding in encrypted traffic, Blue Coat has developed a list of key steps IT security departments must take. The full list of guidance is available in “The Visibility Void” report.