Verizon’s 2016 Data Breach Investigations Report found that 89 percent of breaches last year were motivated by greed or espionage. Since motives are increasingly financial, it makes sense that the financial institutions that underpin the world’s economy are increasingly targeted. The Ponemon Institute found, on average, 83 percent of financial companies suffer more than 50 attacks per month. As a result, banks, credit unions, brokerage firms and exchanges — large and small — are shoring up their defenses to prepare for the inevitability of a cyberattack. One of the defensive measures they use is encryption, which protects the privacy and integrity of sensitive information by rendering it unreadable if stolen or intercepted.
Unfortunately, encryption also has a dark side; increasingly, cyber attackers are using encryption to hide their exploits. A10 recently sponsored a survey by the Ponemon Institute, “Hidden Threats in Encrypted Traffic: Industry Verticals,” to dig into the risks posed by encrypted traffic. The results demonstrated that financial institutions may be woefully unprepared to protect against the attacks using encrypted traffic to hide their activity. As a baseline, respondents estimate 32 percent of their institution’s outbound traffic is encrypted today; they expect that percentage to go up to 46 percent over the next 12 months. As that percentage increases, it’s logical the percentage of threats in encrypted traffic will also go up. In fact, 58 percent of respondents think attackers will increase their use of encryption (to evade detection and bypass controls) over the next 12 months. When asked whether their institution recognizes that malicious users leverage SSL encryption to conceal their exploits, only 41 percent agreed (23 percent were unsure and 36 percent disagreed). While this percentage may seem to imply there is a disconnect between the risk and an institution’s recognition of that risk, it is probably more indicative of an institution’s direct experience. Notably, 40 percent of the respondents confirmed that attacks on their institution had used encryption to evade detection. (81 percent acknowledged they had been a victim of a cyberattack or malicious insider activity in the past 12 months.)
So, perhaps institutions are waiting to see these attacks firsthand before they implement measures to prevent them? Despite 90 percent of the financial services respondents recognizing that the inspection of SSL traffic is “Important” to “Essential” to their overall security infrastructure, only 42 percent are actually decrypting Web traffic to detect attacks, intrusions and malware. This can be a very dangerous game of chicken for financial institutions to play. Respondents indicated they knew their institutions were at risk:
Why aren’t they decrypting encrypted traffic to look for attacks it may hide? Respondents cited a lack of enabling security tools (53 percent), insufficient resources (43 percent) and performance degradation (42 percent) as the main reasons they don’t decrypt and inspect their Web traffic. Unsurprisingly, 50 percent noted their institution’s security solutions are collapsing under growing SSL bandwidth demands and SSL key lengths.
All told, 57 percent of the financial services respondents, which don’t currently decrypt, have plans to decrypt and inspect traffic to uncover potential attacks. Before they can, however, they need to find solutions that truly meet their needs. They indicated the following features were “Important” to “Essential” in an SSL inspection tool:
These are capabilities that the A10 Thunder® SSLi® can provide. SSLi offloads SSL decryption and re-encryption from third-party security devices to enhance the performance of the overall infrastructure and ensure malware and insider threats hidden in SSL are detected. With SSLi, financial services firms can eliminate blind spots created by SSL to protect their sensitive data, meet compliance (e.g., PCI, GLBA, SOX) requirements and improve their network’s overall performance — all with a lower total cost of ownership (TCO). For more details on our SSLi offering, you can download our solution brochure.