Ponemon: SSL Inspection Not a Priority for Federal Agencies
Insights from the Ponemon Institute Survey “Hidden Threats in Encrypted Traffic”
The Director of National Intelligence recently warned that cyber issues have surpassed terrorism as the No. 1 threat facing the nation. You only have to read the latest headlines to understand how prolific cyberattacks are in today’s connected world.
Federal agencies are no different from any other industry — experiencing an uptick over the past few years in attack activity that shows no signs of slowing. In 2015 alone there were 77,000 reported attacks on federal agencies.
Public sector victims
A recent study, “Hidden Threats in Encrypted Traffic: Industry Verticals,” by the Ponemon Institute, sponsored by A10 Networks, found that 77 percent of public sector respondents had been a victim of a cyberattack, cybercrime or malicious insider activity in the past 12 months.
For more detail, read the executive summary, “6 Discoveries IT Security Pros Need to Know about SSL Inspection,” that outlines the findings or download the interactive eBook, “Uncovering Hidden Threats within Encrypted Traffic.”
Hackers, who may be sponsored by nation states with political intentions or criminal rings with financial motives, will likely continue to target federal agencies because the payoff can be big. A successful attack can take down public services, disrupt economic activity, or cripple competitive advantages on a wide scale, as well as steal valuable information on individual citizens.
As a result, we’ve seen the government attempt to beef up security measures, both on the policy and technology fronts. (The U.S. federal government budgeted $14 billion for cybersecurity measures in 2016 alone.)
However, it’s never as simple as we would like. The worldwide shortage of cyber security expertise is hitting federal agencies hard, making it very difficult to recruit and retain qualified cybersecurity personnel.
In addition, a lack of basic measures has been making it easier than it should be for hackers to find a weak link. Congressional hearings held after some of the bigger breaches (e.g., IRS and OPM) found that the implementation of security measures, such as multi-factor authentication and encryption, could have slowed, if not entirely prevented the incidents.
Encryption is a foundational tool in a federal agency’s arsenal to protect the integrity and privacy of sensitive data. It’s a best practice that can help keep data safe and make it more difficult for hackers to steal classified information.
Today, according to a new Ponemon Institute study, approximately 42 percent of an agency’s inbound Web traffic and 32 percent of its outbound traffic is encrypted. Public sector respondents indicated those percentages would likely increase to 43 percent and 35 percent, respectively, in the next year.
Threats hiding inside SSL encryption
Unfortunately, encryption can also present agencies with some real security challenges. Increasingly, hackers are using SSL-encrypted traffic to hide their attacks and bypass an organization’s defenses (such as next-generation firewalls, intrusion prevention systems (IPS), unified threat management (UTM) platforms, etc.), because those devices cannot inspect what they cannot decrypt. In fact, 50 percent of malware attacks are expected to be delivered via encrypted channels, and 80 percent of organizations are not inspecting their SSL traffic.
Among the public sector respondents who indicated they had been attacked in the past 12 months, the Ponemon survey found that they believed 43 percent of those attacks used encryption to evade detection.
Lack of SSL decryption, inspection
Unfortunately, while 93 percent of public sector respondents recognize that inspection of SSL traffic is “Important” to “Essential” to their agency’s overall security infrastructure, only 38 percent decrypt Web traffic to detect attacks, intrusions and malware. Of those who said they don’t decrypt, only 50 percent have plans to implement SSL decryption and inspection over the next 12 months.
As a result, many are not confident in their ability to protect against attackers who use encrypted traffic to obscure their activity. 74 percent feel that compromised insider credentials, due to malware hiding inside encrypted SSL traffic, could cause a data breach within their agency. 64 percent are uncertain of their agency’s ability to prevent costly data breaches and loss of intellectual property by detecting malicious SSL traffic.
When probed on why they are not inspecting more encrypted traffic, respondents to the Ponemon survey cite a lack of enabling security tools (57 percent), insufficient resources (42 percent), and performance degradation (39 percent). Independent tests show that most security devices experience an 80 percent performance degradation when they decrypt and re-encrypt traffic.
The problem is compounded with Elliptic Curve Cryptography (ECC), which is increasingly designated as the method of choice by Google and Apple. Many devices experience a 75 percent performance degradation over and above that of other SSL methods when ECC is used. As a result, agencies are often forced to decrypt only selectively, or to forgo decryption altogether, to ensure ongoing availability of their overall infrastructure.
Scaling proven SSL inspection
What agencies need is a solution that enables them to scale SSL inspection to identify potential threats, without impacting the overall performance, productivity or availability of their information systems. Ponemon probed to identify the features that were most important to the public sector, which included a solution’s ability to:
- Scale to meet current and future SSL performance demands – 89 percent
- Securely manage SSL certificates and keys – 88 percent
- Maximize the uptime and performance requirements of the overall capacity of the security infrastructure – 82 percent
- Satisfy compliance requirements – 81 percent
- Interoperate with a diverse set of security products from multiple vendors – 77 percent
- Granularly parse and control traffic based on custom-defined policies – 76 percent
- Categorize web traffic to ensure confidential or sensitive data remains encrypted (satisfy regulatory requirements) – 76 percent
- Intelligently route traffic to multiple security devices – 71 percent
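The three policy-related capabilities at the end of that list (granular policy control, categorizing traffic so regulated data stays encrypted, and routing decrypted sessions to multiple inspection devices) are the decision logic an inspection gateway runs for every new TLS session. The following is an added illustration written for this article, not code from A10 Networks, Ponemon, or any product: it assumes the gateway sees only the server name from the ClientHello (SNI) and the destination address, uses a small constructed category table in place of a URL categorization feed, and spreads decrypted sessions across a constructed pool of inspection devices with a consistent hash so a flow always lands on the same device. Hostnames, addresses, category names and device names are all constructed sample values.

```python
"""Selective TLS decryption policy for an inspection gateway (added example).

For each new TLS session the gateway must choose one of:
  DECRYPT - terminate TLS, hand cleartext to an inspection device, re-encrypt
  BYPASS  - forward the encrypted session untouched (regulated data, internal services)
Everything below (category table, policy knobs, device pool) is constructed
for illustration and is not the configuration of any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple
import hashlib
import ipaddress


class Action(Enum):
    DECRYPT = "decrypt"
    BYPASS = "bypass"


@dataclass(frozen=True)
class TlsSession:
    client_ip: str
    server_ip: str
    server_name: Optional[str]  # SNI from the ClientHello; None when the client sent none


# Constructed category table keyed by hostname suffix. A real deployment would
# consult a maintained URL categorization feed instead of a static dictionary.
CATEGORY_BY_SUFFIX = {
    "examplebank.test": "financial",
    "healthportal.test": "healthcare",
    "mail.example.test": "webmail",
    "updates.example.test": "software_update",
}

# Policy knobs (constructed). Regulated categories are never decrypted so the
# gateway does not expose citizen financial or health data in cleartext; internal
# service ranges are also left alone. Everything else, including sessions with
# no SNI or an unknown host, falls to the default action so that unknown
# traffic is inspected rather than silently trusted.
BYPASS_CATEGORIES = frozenset({"financial", "healthcare"})
BYPASS_DESTINATIONS = [ipaddress.ip_network("10.20.0.0/16")]
DEFAULT_ACTION = Action.DECRYPT


def categorize(server_name: Optional[str]) -> str:
    """Map a server name to a category by suffix match; unknown or absent names are 'uncategorized'."""
    if not server_name:
        return "uncategorized"
    host = server_name.lower().rstrip(".")
    for suffix, category in CATEGORY_BY_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorized"


def decide(session: TlsSession) -> Tuple[Action, str]:
    """Return the action for a session and the reason (category or rule) behind it."""
    dst = ipaddress.ip_address(session.server_ip)
    if any(dst in net for net in BYPASS_DESTINATIONS):
        return Action.BYPASS, "internal-destination"
    category = categorize(session.server_name)
    if category in BYPASS_CATEGORIES:
        return Action.BYPASS, category
    return DEFAULT_ACTION, category


def pick_device(session: TlsSession, devices: List[str]) -> str:
    """Assign a decrypted session to one inspection device by hashing the flow key.

    Hashing keeps every packet of a flow on the same device (stateful inspection
    needs that) while spreading distinct flows across the pool.
    """
    key = f"{session.client_ip}|{session.server_ip}|{session.server_name}".encode()
    digest = hashlib.sha256(key).digest()
    return devices[int.from_bytes(digest[:8], "big") % len(devices)]


def dispatch(sessions: List[TlsSession], devices: List[str]):
    """Build the per-session plan: (server_name, action, reason, device or None)."""
    plan = []
    for s in sessions:
        action, reason = decide(s)
        device = pick_device(s, devices) if action is Action.DECRYPT else None
        plan.append((s.server_name, action, reason, device))
    return plan


# Constructed sample sessions (documentation/test addresses only).
SAMPLE_SESSIONS = [
    TlsSession("192.0.2.10", "203.0.113.5", "www.examplebank.test"),
    TlsSession("192.0.2.11", "203.0.113.6", "cdn.updates.example.test"),
    TlsSession("192.0.2.12", "203.0.113.7", None),
    TlsSession("192.0.2.13", "10.20.3.4", "intranet.example.test"),
]
INSPECTION_POOL = ["ips-1", "ips-2", "ips-3"]

if __name__ == "__main__":
    for name, action, reason, device in dispatch(SAMPLE_SESSIONS, INSPECTION_POOL):
        print(f"{str(name):28} {action.value:8} reason={reason:20} device={device}")
```

The design choice worth noting is the default: an unknown host or a ClientHello without SNI is decrypted, not bypassed, because a bypass-by-default policy is exactly the gap an attacker relies on when tunnelling malware over TLS. The bypass list is deliberately short and tied to compliance categories, which is how an agency keeps sensitive data encrypted end to end while still inspecting the bulk of its traffic.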