2020 brings unique levels of PKI usage challenges

Organizations are rapidly increasing the size, scope and scale of their data protection infrastructure, reflected in dramatic rises in adoption of public key infrastructure (PKI) across enterprises worldwide, according to Entrust research.


PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the IoT.

The annual study is based on feedback from more than 1,900 IT security professionals in 17 countries.

IoT, authentication and cloud, top drivers in PKI usage growth

As organizations become more dependent on digital information and face increasingly sophisticated cyberattacks, they rely on PKI to control access to data and ascertain the identities of people, systems and devices on a mass scale.

IoT is the fastest growing trend driving PKI application deployment, up 26 percentage points over the past five years to 47 percent in 2020, with cloud-based services the second highest driver, cited by 44 percent of respondents.

PKI usage surging for cloud and authentication use cases

TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (84 percent of respondents).

Public cloud-based applications saw the fastest year-over-year growth, cited by 82 percent of respondents, up 27 points from 2019, followed by enterprise user authentication, cited by 70 percent, up 19 points over 2019. Both underscore the critical role of PKI in supporting core enterprise applications.

The average number of certificates an organization needs to manage grew 43 percent in the 2020 study over the previous year, from 39,197 to 56,192 certificates, highlighting a pivotal requirement for enterprise certificate management.

The rise is likely driven by the industry transition to shorter certificate validity periods, and the sharp growth in cloud and enterprise user authentication use cases.

Challenges, change and uncertainty

The study found that IT security professionals are confronting new challenges to enabling applications to use PKI. 52 percent cited lack of visibility of an existing PKI’s security capabilities as their top challenge, an increase of 16 percent over the 2019 study.

This issue underscores the lack of cybersecurity expertise available within even the most well-resourced organizations, and the need for PKI specialists who can create custom enterprise roadmaps based on security and operational best practices.

Respondents also cited inability to change legacy applications and the inability of their existing PKIs to support new applications as critical challenges – both at 51 percent.

When it comes to deploying and managing a PKI, IT security professionals are most challenged by organizational issues such as no clear ownership, insufficient skills and insufficient resources.

PKI deployment figures from the study clearly indicate a trend toward more diversified approaches, with as-a-service offerings even becoming more prevalent than on-premise offerings in some countries.

The two greatest areas of PKI change and uncertainty come from new applications such as IoT (52 percent of respondents) and external mandates and standards (49 percent). The regulatory environment is also increasingly driving deployment of applications that use PKI, cited by 24 percent of respondents.

Security practices have not kept pace with growth

In the next two years, an estimated average of 41 percent of IoT devices will rely primarily on digital certificates for identification and authentication. Encryption for IoT devices, platforms and data repositories, while growing, is at just 33 percent – a potential exposure point for sensitive data.

Respondents cited several threats to IoT security, including altering the function of IoT devices through malware or other attacks (68 percent) and remote control of a device by an unauthorized user (54 percent).

However, respondents rated controls relevant to malware protection – like securely delivering patches and updates to IoT devices – last on a list of the five most important IoT security capabilities.

The US National Institute of Standards and Technology (NIST) recommends that cryptographic modules for certificate authorities (CAs), key recovery servers and OCSP responders should be validated to FIPS 140-2 level 3 or higher.

Thirty-nine percent of respondents in this study use hardware security modules (HSMs) to secure their PKIs, most often to protect the private keys of their root, issuing or policy CAs. Yet only 12 percent of respondents report using HSMs for their OCSP responders, a significant gap between best practice and observed practice.

“PKI underpins the security of both the business and the consumer world, from digitally signing transactions and applications to prove the source as well as integrity, to supporting the authentication of smart phones, games consoles, citizen passports, mass transit ticketing and mobile banking,” says Larry Ponemon, founder of the Ponemon Institute.

“The 2020 Global PKI and IoT Trends Study shows a surge in the use of PKI credentials for cloud-based applications and enterprise user authentication, underscoring the criticality of PKI in supporting core enterprise applications.”

“We are seeing increasing reliance on PKI juxtaposed with struggles by internal teams to adapt it to new market needs — driving changes to traditional PKI deployment models and methods,” says John Grimm, vice president strategy for digital solutions at Entrust.

“In newer areas like IoT, enterprises are clearly failing to prioritize security mechanisms like firmware signing that would counter the most urgent threats, such as malware.

“And with the massive increase in certificates issued and acquired found in this year’s study, the importance of automated certificate management, a flexible PKI deployment approach, and strong best practice-based security including HSMs has never been greater.”

A look at the top threats inside malicious emails

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages, Group-IB reveals.


Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which threat actors use to steal payment data or other sensitive information to sell on the darknet or to blackmail its owner.

Downloaders, used to install additional malware, and backdoors, which give attackers remote access to victims’ computers, rounded out the top three. They are followed by banking Trojans, whose share of malicious attachments grew for the first time in a while.

Opened email lets spy in

According to the data, in H1 2020, 43 percent of the malicious emails detected by Group-IB’s Threat Detection System carried spyware as an attachment or linked to a spyware download.

Another 17 percent contained downloaders, while backdoors and banking Trojans followed with 16 and 15 percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from mailboxes in the first six months of this year, with a share of less than 1 percent.

These findings confirm adversaries’ growing interest in “big game hunting”: ransomware operators have switched from mass attacks on individuals to targeted attacks on corporate networks. Rather than encrypting the first compromised machine immediately, attackers use it as a foothold to move laterally through the network, escalate privileges and deploy the ransomware on as many hosts as possible.

Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).

New tools detected in the first half of the year included Quasar, an open-source remote access tool; the spyware Gomorrah, which extracts users’ login credentials from various applications; and 404 Keylogger, data-harvesting software distributed under a malware-as-a-service model.

Almost 70 percent of malicious files were delivered to the victim’s computer inside archives, another 18 percent were disguised as office documents (.doc, .xls and .pdf extensions), and 14 percent arrived as executable files and scripts.

Secure web-phishing

In the first six months of 2020, a total of 9,304 phishing web resources were blocked, an increase of 9 percent compared to the previous year. The main trend of the period was a two-fold surge in the number of phishing resources served over SSL/TLS: their share grew from 33 percent to 69 percent in just half a year.

This is explained by the cybercriminals’ desire to retain their victim pool: most web browsers now label websites served without SSL/TLS as “Not secure”, which reduces the effectiveness of phishing campaigns. The padlock only tells a visitor that the connection is encrypted, not that the site is legitimate.

Experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.


Pandemic chronicle

Just as in the second half of 2019, online services such as ecommerce websites were the main target of web-phishers in the first half of this year. With the global pandemic pushing businesses online, the share of this phishing category rose to a remarkable 46 percent.

The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.

Online services are followed by email service providers (24%), whose share resumed growth in 2020 after a decline in 2019, and financial organizations (11%). Other main web-phishing target categories included payment services, cloud storage, social networks and dating websites.

The .com zone continues to host the most phishing resources, accounting for nearly half (44%) of those detected in the review period. Other domain zones popular with phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).

“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.

“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.

“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.

“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”

Reduced lifespan of TLS certificates could cause increase in outages

Beginning September 1, 2020, all publicly trusted TLS certificates must have a lifespan of 398 days or less. According to security experts from Venafi, this latest change is another indication that machine identity lifetimes will continue to shrink.


Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificate lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.

“It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out-of-control over the next few years.”

Certificate lifespans

The interval between changes in the length of certificate lifespans has been shrinking over the last decade:

  • Pre-2011: Certificate lifespans were 8–10 years (96 months)
  • 2012: Certificate lifespans were shortened to 60 months (five years), a reduction of 37%. This change was preplanned in CA/Browser Forum Baseline Requirements.
  • 2015: Certificate lifespans were shortened to 39 months (3 years), a reduction of 35%. This change happened three years after the five-year limitation was adopted.
  • 2018: Certificate lifespans were shortened to 27 months (two years), a reduction of 30%. This change happened two years after the three-year limitation was adopted.
  • 2020: Certificate lifespans were shortened to 13 months, a reduction of 51%. This change happened one year after the two-year limitation was adopted.

Bocek continued: “If the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to 6 months by early 2021 and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this. Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”

Digital keys and certificates act as machine identities

They control the flow of sensitive data to trusted machines in a wide range of security and operational systems.

Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. When these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.

Unfortunately, eliminating certificate-related outages within complex, multitiered architectures can be challenging. Ownership and control of these certificates often reside in different parts of the organization, with certificates sometimes shared across multiple layers of infrastructure.

These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.

Phishing gangs mounting high-ticket BEC attacks, average loss now $80,000

Companies are losing money to criminals who are launching Business Email Compromise (BEC) attacks as a more remunerative line of business than retail-account phishing, APWG reveals.

Agari reported that the average wire transfer loss from BEC attacks smashed all previous records, spiking from $54,000 in the first quarter to $80,183 in Q2 2020 as spearphishing gangs reached for bigger returns. Scammers also requested funds in 66 percent of BEC attacks in the form of …

Chrome 86 will prominently warn about insecure forms on secure pages

Entering information into and submitting it through insecure online forms will come with very explicit warnings in the upcoming Chrome 86, Google has announced.

The new alerts

The browser will show a warning when a user begins filling out a mixed form (a form on an HTTPS page that submits over plain HTTP) and again when the user tries to submit it.


“Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms,” Shweta Panditrao, a software engineer with the Chrome Security Team, explained.

The submission-time warning will be especially hard to miss, as it is shown as a full-page interstitial.

The submission of the info will be temporarily blocked and it’s on users to decide if they want to risk it and override the block to submit the form anyway.

Google is also planning to disable the autofill feature of the browser’s password manager on all mixed forms except login forms (forms that require users to enter their username and password).

“Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords,” Panditrao explained the rationale for that exception.

Simultaneously, Google encouraged developers to fully migrate forms on their site to HTTPS to protect their users.
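The check Chrome performs in the browser can also be run against your own pages before they ship. The following script is an added example, not Chrome’s or Google’s code: it parses an HTML document with the Python standard library, resolves every form action (and any per-button formaction override) against the page URL, and reports targets that would submit over plain HTTP. It also records whether a form contains a password field, mirroring the login-form autofill exception described above. The page URL, the sample markup and the hostnames in it are constructed for the example.

```python
"""Find "mixed forms" (forms on an HTTPS page that submit over http:) in static HTML.
Added example for this article, not Chrome's own implementation."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form>'s action, any <button>/<input formaction=...> overrides
    inside it, and whether the form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "formactions": [], "is_login": False}
            self.forms.append(self._current)
        elif self._current is not None:
            if tag in ("button", "input") and a.get("formaction"):
                self._current["formactions"].append(a["formaction"])
            if tag == "input" and (a.get("type") or "").lower() == "password":
                self._current["is_login"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_mixed_forms(page_url: str, html: str) -> List[Tuple[str, bool]]:
    """Return (resolved_target_url, is_login_form) for every form target that would
    submit over http: from an https: page. Relative and protocol-relative actions
    inherit the page's scheme, so only explicit http:// targets are reported."""
    if urlsplit(page_url).scheme != "https":
        return []  # only forms on HTTPS pages can be "mixed"
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A missing or empty action submits to the page's own URL, which is https.
        targets = [form["action"]] if form["action"] else []
        targets += form["formactions"]
        for target in targets:
            resolved = urljoin(page_url, target)
            if urlsplit(resolved).scheme == "http":
                findings.append((resolved, form["is_login"]))
    return findings


# Constructed sample page and markup (hostnames are made up for the example).
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://legacy.example/submit" method="post"><input name="card"></form>
<form action="/pay" method="post"><input name="amount"></form>
<form action="https://shop.example/login" method="post">
  <input type="password" name="pw">
  <button formaction="http://old.example/login">Sign in</button>
</form>
<form method="post"><input name="q"></form>
"""

if __name__ == "__main__":
    for url, is_login in find_mixed_forms(PAGE_URL, SAMPLE_HTML):
        kind = "login form (autofill still allowed)" if is_login else "non-login form"
        print(f"mixed form -> {url} [{kind}]")
```

Run against the constructed page, the script reports the legacy checkout form and the login form whose button overrides the HTTPS action with an HTTP formaction; the relative /pay action and the action-less form resolve to https: and are not reported. On a real site, feed it the rendered HTML of each page, since forms injected by scripts will not appear in the static source.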

Google’s push towards HTTPS and blocking mixed content

For many years, Google has been working on making HTTPS the standard for any and every online action.

In 2014, the company started prioritizing websites using HTTPS in Google Search results.

In 2017, Chrome started labeling sites that transmit passwords or credit card information over HTTP as “Not secure”. Later that same year, Chrome started showing the same alert for resources delivered over FTP.

Then, in 2018, Chrome began explicitly marking all HTTP sites as “not secure”.

In 2019, Google published a roadmap for Chrome’s gradual but inexorable push towards blocking mixed content (insecure HTTP subresources such as images, audio and video loaded on HTTPS pages).

Earlier this year, it did the same for mixed content downloads, an effort that is due to be finalized in Chrome 86, slated for release in October 2020.

TLS 1.3: Slow adoption of stronger web encryption is empowering the bad guys

For twelve years, the standard internet encryption has been Transport Layer Security (TLS) 1.2. Following its roots takes you back to the first version of the Secure Sockets Layer (SSL) protocol, which was developed in 1995 by Netscape but never released due to it being riddled with security vulnerabilities. SSL 2.0 and 3.0 quickly followed and were released but also had their issues.


The first iteration of TLS – 1.0 – was based upon SSL 3.0, and was published in 1999 by the Internet Engineering Task Force (IETF). While there are differences, the two protocols share enough similarities that SSL and TLS are often used interchangeably.

In 25 years, we’ve seen the protocols improve, but it’s been incredibly slow going. That’s because TLS, and SSL before it, are open standards and, to evolve effectively, they need to be adopted en masse. Device manufacturers, web browser vendors and application operators (Facebook and its servers, for instance) all have to adopt a new version to ensure there aren’t gaps, and that involves millions of moving parts.

That’s why, despite TLS 1.3 having been published in 2018 and offering greater security than TLS 1.2, the latter remains the de facto standard. There is a big push from US organizations for widespread adoption of TLS 1.3, but it’s going to take time.

Two other core protocols remain in use alongside TLS: the Domain Name System (DNS), often called the “phonebook of the internet”, which maps host names to IP addresses, and the Hypertext Transfer Protocol (HTTP), which carries the application data. Both are plaintext by default, so an on-path observer, including a man-in-the-middle (MITM), can trivially see which sites a user is resolving and requesting.

Why the push for TLS 1.3?

TLS provides secure communication between web browsers, end-user facing applications and servers by encrypting the transmitted information, preventing eavesdropping or tampering attacks. The full process relies on two types of encryption: asymmetric, which requires a public and private key, and symmetric, which uses a shared key.

Asymmetric cryptography is used during the “handshake”, which takes place before any application data is sent. The handshake authenticates the server and agrees on a cipher suite for the session, in other words the symmetric encryption both browser and server will use, and derives the shared keys. A full TLS 1.2 handshake takes two round trips between client and server, while TLS 1.3 completes it in one (and in zero for resumed sessions that send 0-RTT data, at the cost of replay risk). This latency saving shaves milliseconds off each connection.

Another characteristic of TLS 1.3 is that it works well alongside DNS over HTTPS (DoH). DoH sends the DNS query over an encrypted HTTPS connection and blends it into ordinary web traffic, so an on-path snooper can neither read nor tamper with the name lookups. It does not, however, hide which server the client then connects to: the destination IP address and, unless Encrypted Client Hello is deployed, the server name in the TLS ClientHello (SNI) remain visible.

It is also seen by some as the solution to mass censorship in certain countries, because ISPs could no longer block access by filtering DNS. In practice that ability is limited by exactly those leaks, since a censor can still block by IP address or SNI, and those claiming it have been criticised for giving individuals a false sense of security.

How cybercriminals are exploiting the gaps in adoption

When fully adopted, TLS 1.3 will make the internet a safer place but until that happens, the fractured uptake is empowering the bad guys.

One attack that keeps rearing its ugly head is the “Bleichenbacher” attack. Named after the Swiss cryptographer Daniel Bleichenbacher, who published it in 1998, it targets the RSA key exchange of TLS 1.2 and earlier: a server that reveals whether a decrypted premaster secret had valid PKCS#1 v1.5 padding (through an error message, a timing difference or any other side channel) becomes a decryption oracle, and with enough crafted queries an attacker can recover the session’s premaster secret or forge a signature with the server’s key. The private key itself is not recovered. TLS authors and implementers have repeatedly patched the protocol and its libraries to hide the padding check, and each new variant (DROWN and ROBOT among them) has found a fresh side channel, so any endpoint that still accepts RSA key exchange and leaks padding errors is at risk. TLS 1.3 removes RSA key exchange entirely, but with ad hoc adoption a connection is often downgraded to TLS 1.2 with RSA key exchange, and a server that uses the same RSA key for both remains exposed.

There are also many who argue that DoH is actually weakening enterprise defenses, with more and more botnets using its encryption to bypass traditional DNS controls and other legacy technology. Encrypted queries fly under the radar of typical monitoring and prevent corporate security tools that rely on local DNS resolvers and DNS logging from blocking, or even seeing, lookups of malicious domains. The practical result can be employees landing on malware-ridden sites, or infected hosts resolving command-and-control names unnoticed.

What should companies be doing to protect themselves?

Businesses must take steps to ensure all of their devices, servers and everything under their control supports TLS 1.3. However, the likely downgrade to 1.2 when dealing with external endpoints means the vulnerabilities of the older protocol still need to be managed. Fortunately, 1.3 has a built-in downgrade signal: a TLS 1.3-capable server that negotiates a lower version writes a fixed sentinel into the last eight bytes of its ServerHello random, and a TLS 1.3 client that sees it must abort the handshake, so an active downgrade is detected rather than silently accepted. This only protects connections where both ends already speak 1.3; a peer that genuinely supports only 1.2 produces no signal, and those connections still need the 1.2-era hardening.
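The signal mentioned above is the downgrade sentinel from RFC 8446 section 4.1.3: a server that implements TLS 1.3 but negotiates TLS 1.2 sets the last eight bytes of its ServerHello random to the ASCII bytes “DOWNGRD” followed by 0x01 (0x00 when it negotiates TLS 1.1 or below), and a client that offered 1.3 must abort with illegal_parameter if it sees either value. The following added example (my code, not taken from any TLS library) decodes that field from a constructed ServerHello random, applies the client-side rule, and shows the complementary control for endpoints you own: a Python ssl context whose minimum_version refuses anything below TLS 1.3. Version names such as "tls1.2" are strings chosen for the example.

```python
"""TLS 1.3 downgrade sentinel (RFC 8446 section 4.1.3) and a refuse-below-1.3 client
context. Added example; the ServerHello bytes below are constructed, not captured."""
import ssl
from typing import Optional

# A TLS 1.3-capable server that negotiates a lower version overwrites the last 8 bytes
# of ServerHello.random with one of these values.
SENTINEL_TLS12 = b"DOWNGRD\x01"   # 44 4F 57 4E 47 52 44 01: server negotiated TLS 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"   # 44 4F 57 4E 47 52 44 00: server negotiated TLS 1.1 or below


def downgrade_signal(server_random: bytes) -> Optional[str]:
    """Return "tls1.2" or "tls1.1-or-lower" if a sentinel is present, else None."""
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    tail = server_random[-8:]
    if tail == SENTINEL_TLS12:
        return "tls1.2"
    if tail == SENTINEL_TLS11:
        return "tls1.1-or-lower"
    return None


def client_should_abort(offered_max: str, negotiated: str, server_random: bytes) -> bool:
    """Client-side rule. A client that offered TLS 1.3 and was answered with a lower
    version must abort if either sentinel is present; a client whose maximum was 1.2
    aborts only on the 1.1-or-lower sentinel. A legacy client that never offered 1.3
    sees nothing special: to it the bytes look random, which keeps the signal
    backward compatible."""
    signal = downgrade_signal(server_random)
    if signal is None:
        return False
    if offered_max == "tls1.3" and negotiated != "tls1.3":
        return True
    if offered_max == "tls1.2" and negotiated not in ("tls1.2", "tls1.3"):
        return signal == "tls1.1-or-lower"
    return False


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses to complete a handshake below TLS 1.3. Use it for
    connections between systems you control; external peers that only speak 1.2 will
    fail to connect, which is the point, but inventory them first."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


# Constructed sample: a 1.3-capable server that answered a 1.3 client with TLS 1.2.
DOWNGRADED_RANDOM = bytes(range(24)) + SENTINEL_TLS12
# Constructed sample: an ordinary random carrying no sentinel.
CLEAN_RANDOM = bytes(range(32))

if __name__ == "__main__":
    print("sentinel:", downgrade_signal(DOWNGRADED_RANDOM))
    print("abort:", client_should_abort("tls1.3", "tls1.2", DOWNGRADED_RANDOM))
    print("min version:", strict_client_context().minimum_version)
```

The sentinel is only useful if the client enforces it, which every mainstream TLS 1.3 stack does; the value of the check when reviewing a packet capture is that a ServerHello ending in the sentinel bytes is direct evidence that a 1.3-capable server was talked down, whether by a legacy client or by an active attacker.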

Going deeper, companies need to ensure their network monitoring tools can cope with the additional encryption TLS 1.3 brings and understand how attackers may use it to their advantage. With TLS 1.2, passive inspection devices could read the server certificate from the handshake in the clear and, where RSA key exchange was used and the device held a copy of the server’s private key, decrypt the session without sitting in the path. TLS 1.3 encrypts the certificate and the rest of the handshake after the key exchange, and mandates forward-secret (EC)DHE key exchange, so that passive approach no longer works; inspection now requires an active proxy that terminates the connection with an enterprise-trusted certificate. As such, businesses should look to strengthen endpoint security to help mitigate initial intruder access to networks, while also ensuring that security teams receive up-to-date response training and access to real-time intelligence to identify and analyze attacks.

The move to TLS 1.3 will reduce latency and remove the legacy mechanisms behind many of TLS 1.2’s vulnerabilities: static RSA key exchange, CBC-mode and RC4 cipher suites, compression and renegotiation. But businesses can’t simply adopt it, then sit back and relax. With older protocols still widely used and their vulnerabilities exploitable, organizations must enhance endpoint security measures and the expertise of their security teams.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates

Starting at 20:00 UTC (3:00pm US EST) today, March 4, 2020, the non-profit certificate authority Let’s Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software.

Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”

Nevertheless, affected certificate owners have been urged to renew and replace their certificate(s) so that their sites don’t end up showing a certificate error to visitors once the revocation takes effect.

About the CAA rechecking bug

As explained by Let’s Encrypt engineer (and Senior Staff Technologist at EFF) Jacob Hoffman-Andrews, the software in question – named Boulder – checks for CAA records at the same time it validates a subscriber’s control of a domain name.

“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (…), so any domain name that was validated more than 8 hours ago requires rechecking,” he noted.

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
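To make the rule and the bug concrete, here is an added example in Python (my code, not Boulder’s, which is written in Go). It implements the 30-day validation reuse and 8-hour CAA freshness rule as quoted above, a minimal RFC 8659 “issue” check against a constructed zone, and two versions of the per-name recheck loop: a buggy one that checks a single name N times and a fixed one that checks each name once. The buggy variant uses a closure that captures the loop variable, a common way this defect class arises; whether that matches Boulder’s exact root cause is not stated on this page. The zone contents, domain names and timestamps are constructed for the example; the CA identifier letsencrypt.org is Let’s Encrypt’s real CAA value.

```python
"""CAA rechecking: 30-day validation reuse vs 8-hour CAA freshness, a minimal RFC 8659
'issue' check, and the buggy vs fixed per-name recheck loop. Added example, not Boulder."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

CA_ID = "letsencrypt.org"                 # the CA's CAA identifier
VALIDATION_LIFETIME = timedelta(days=30)  # how long a domain-control validation is reused
CAA_FRESHNESS = timedelta(hours=8)        # CAA must have been checked within this window

CaaRecords = List[Tuple[str, str]]        # (tag, value) pairs, e.g. ("issue", "letsencrypt.org")

# Constructed zone data. A name absent from the dict has no CAA records of its own.
CONSTRUCTED_ZONE: Dict[str, CaaRecords] = {
    "example.test": [("issue", "letsencrypt.org")],
    "locked.example.test": [("issue", "otherca.test")],  # installed after validation
    "noissue.test": [("issue", ";")],                     # explicitly forbids all CAs
}


def lookup_caa(name: str, zone=CONSTRUCTED_ZONE) -> CaaRecords:
    """RFC 8659 section 3: the relevant record set is the one on the name itself or,
    failing that, on its closest ancestor that has CAA records."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def caa_permits(name: str, ca_id: str = CA_ID, zone=CONSTRUCTED_ZONE) -> bool:
    """No 'issue' records anywhere up the tree: any CA may issue. Otherwise this CA must
    be named in one of them; the value ';' names nobody and forbids issuance."""
    issue_values = [v for tag, v in lookup_caa(name, zone) if tag.lower() == "issue"]
    if not issue_values:
        return True
    # An issue value may carry parameters after ';', e.g. "ca.example; account=123".
    return any(v.split(";", 1)[0].strip() == ca_id for v in issue_values)


def needs_caa_recheck(validated_at: datetime, now: datetime) -> bool:
    """A validation is reusable for 30 days, but CAA must be fetched again if the
    validation (and the CAA check made with it) is older than 8 hours."""
    age = now - validated_at
    if age > VALIDATION_LIFETIME:
        raise ValueError("validation expired; domain control must be re-validated")
    return age > CAA_FRESHNESS


def may_issue_buggy(names: List[str], zone=CONSTRUCTED_ZONE) -> bool:
    """Defect class: each deferred check closes over the loop variable `name`, which is
    rebound on every iteration, so all N checks run against the last name and the
    other N-1 names are never rechecked."""
    checks = [lambda: caa_permits(name, zone=zone) for name in names]
    return all(check() for check in checks)


def may_issue_fixed(names: List[str], zone=CONSTRUCTED_ZONE) -> bool:
    """Bind each name when its check is created, and require every name to pass."""
    checks = [lambda n=name: caa_permits(n, zone=zone) for name in names]
    return all(check() for check in checks)


# Constructed timestamps for the freshness rule.
NOW = datetime(2020, 3, 4, 20, 0, tzinfo=timezone.utc)


def hours_ago(hours: float) -> datetime:
    return NOW - timedelta(hours=hours)


if __name__ == "__main__":
    names = ["locked.example.test", "www.example.test"]
    print("recheck needed after 9h:", needs_caa_recheck(hours_ago(9), NOW))
    print("buggy loop permits:", may_issue_buggy(names))   # True: locked name never checked
    print("fixed loop permits:", may_issue_fixed(names))   # False: its CAA forbids this CA
```

With the locked name first in the order, the buggy loop returns a permit because the only name it ever rechecks is the last one, which is exactly the silent failure described in the quote; put the locked name last and the same buggy code happens to return the right answer, which is why a defect like this survives ordinary testing unless the test asserts that every name in the order was looked up.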

Of the 3 million+ certificates affected, about 1 million are duplicates of other affected certificates (i.e., they cover the same set of domain names).

Are you affected?

Let’s Encrypt, which is run by the Internet Security Research Group (ISRG), has been emailing affected subscribers for whom it has contact information, but many might still be unaware of the situation. If they don’t get a new, valid certificate in place before the revocation, visitors whose browsers check revocation status may see certificate errors and lose trust in the safety of their websites.

The CA has provided a tool for checking whether one is using an affected certificate and additional instructions.

Security researcher Scott Helme has made available a list of affected domains.

Almost three-quarters of all phishing sites now use SSL protection

The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) worldwide in October through December 2019 was 162,155, following the all-time-high of 266,387 attacks recorded in July through September 2019.

Most menacing, however, were targeting trends exhibited by cybercrime gangs focusing on: users of web-hosted email and social media to multiply the numbers of potential victims; and Business Email Compromise (BEC) schemes of increasing sophistication to exploit key executives’ broader access to corporate resources – and greater payments authority.


Other interesting findings

By most other measures, 2019 was one of the most dangerous years on record for online users. During the course of 2019, the number of phishing incidents in Brazil increased 232 percent. APWG member company Axur recorded these attacks against Brazilian brands and services that are available in Portuguese in Brazil, noting an increase around the Black Friday shopping weekend.

Similarly, APWG member company Agari recorded criminals perpetrating Business Email Compromise (BEC) attacks and using gift cards to cash out during the holiday shopping season.


“The amount of money that an attacker can make by getting gift cards is significantly less than with a wire transfer. During Q4, the average amount of gift cards requested by a BEC actor was more than $1,600. But for wire transfer BEC attacks, the average amount requested in Q4 was over $55,000,” the report points out.

“One of the really notable things we saw during the Q4 was a change in the types of gift cards requested. Google Play was still the most-requested gift card, but decreased from 27 percent to 15 percent of requests,” said Crane Hassold, Agari’s Senior Director of Threat Research.

“We saw increases in requests for gift cards for eBay, Target, Best Buy, and Sephora. The increase could be due to the fact that all of these companies sell physical goods, and the attacks took place during the holiday season. It may indicate that scammers are looking to launder money by using the cards to buy physical goods that they can then sell, rather than putting the money into online cryptocurrency exchanges, which is also a popular laundering option.”

APWG contributor OpSec Security saw attacks against more than 325 different brands (companies) per month in Q4. Stefanie Wood Ellis, Anti-Fraud Product & Marketing Manager at OpSec Security, noted that the most frequent targets of phishing attacks continued to be Webmail, payment, and bank sites, but that “phishing against Social Media targets grew every quarter of the year, doubling over the course of 2019.”

SSL use for more effective phishing

Researchers at APWG member PhishLabs documented the rising use of TLS certificates on phishing websites: almost three-quarters of all phishing sites now serve their pages over HTTPS. This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on the padlock alone to judge whether a site is safe. A certificate proves only that the connection to that host is encrypted, and domain-validated certificates are free and automated, so a phishing domain gets one as easily as the brand it impersonates.

APWG member RiskIQ analyzed 2,149 confirmed phishing URLs reported to APWG in Q4 2019, and found that the most popular top-level domains used by the phishers are the generic .com, .org, .net and .info TLDs.

What is flowing through your enterprise network?

Since Edward Snowden’s revelations of sweeping internet surveillance by the NSA, the push to encrypt the web has been unrelenting.


Bolstered by Google’s various initiatives (e.g., its prioritizing of websites that use encryption in Google Search results, making Chrome mark HTTP sites as “not secure,” and tracking of worldwide HTTPS usage), Cloudflare’s Universal SSL offer and the advent of Let’s Encrypt, nearly seven years later various sources put the percentage of encrypted internet traffic between 80% and 90% across all platforms.

That’s good news for end users who wish their interactions with various websites to be safe from eavesdropping by third parties – whether they be hackers, companies or governments.

Exploited encryption

But with the sweet comes the sour: criminals are exploiting users’ erroneous belief that a site with HTTPS in its URL can be considered completely safe to trick them into trusting phishing sites.

According to SophosLabs, nearly one-third of malware and unwanted applications enter the enterprise network through TLS-encrypted flows.

Also, nearly a quarter of malware now communicates over HTTPS connections, making it more difficult for businesses to spot active infections within their networks, especially because – a recent survey has revealed – only 3.5% of organizations are actually decrypting their network traffic to properly inspect it.

Why so few? What’s stopping them? The number one reason is concern about firewall performance, but respondents also cite privacy concerns, degraded user experience (websites not loading properly) and complexity as important factors in their decision not to decrypt.

Covert malicious activity

Malware that communicates via TLS-secured connections includes well-known and nasty malware families like TrickBot, IcedID and Dridex.

The use of transport-layer encryption is just one of the methods for keeping the malware’s existence on compromised systems secret, but it helps it covertly download additional modules and configuration files and send the collected data to an outside server.

“We’ve also observed that, increasingly, more malicious functions are being orchestrated from the command and control server, rather than implemented in the malware binary, and the C2s make decisions about what the malware should do next based on the exfiltrated data, which increases the volume of network traffic,” Sophos researcher Luca Nagy pointed out.

“Malware authors also want to empower their binaries with newer features and refresh them more often, which also increases the need for secure network communication, to prevent network-level protection tools from discovering an active infection inside the network every time it downloads an updated version of itself.”

Performance before protection? It doesn’t have to be

Some respondents in the previously mentioned survey were also unaware of the need to decrypt network traffic, even though it’s (or should be) common knowledge that malware often uses encrypted connections for communication.

Connections to “safe” destinations like financial websites may, perhaps, be exempted from inspection, but most other encrypted traffic coming in and going out of the corporate network should be decrypted and analyzed.

The problem with this is that many firewall offerings are not up to the task of inspecting a huge volume of encrypted sessions without causing applications to break or degrade network performance.

Not all, though: Sophos’ XG Firewall, with its new “Xstream” architecture, was architected from the ground up with performance in mind, allowing users to decrypt and see all traffic at a performance level that is just about wire speed.

A new firewall for your traffic decryption needs

“With Sophos XG Firewall, IT managers can immediately deploy TLS inspection without concerns over performance or breaking incompatible devices on the network, and they can turn it on for different parts of the network with flexible policy setting options,” Dan Schiappa, chief product officer at Sophos, told Help Net Security.


“We’ve created the ability to inspect all TLS traffic across all protocols and ports, eliminating enormous security blind spots. Sophos XG Firewall scans all TLS encrypted traffic – not just web traffic. This is important because criminals are constantly trying to avoid attention and use non-standard communication ports to evade detection.”
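The two policy points above, exempting a small set of destinations from decryption while inspecting everything else (the "Performance before protection?" section) and making that decision independently of the destination port (the quote just above), can be shown with a small TLS ClientHello parser. The following is an added example written for this article, not code from Sophos or its XG Firewall; the exemption list (`bank.example`, `health.example`) and the `inspection_decision` function are assumptions made for illustration, and the ClientHello bytes are constructed inline rather than captured.

```python
"""
Minimal TLS ClientHello parser plus a decrypt/bypass policy decision.
Added example (not Sophos product code): shows an SNI-based inspection
exemption that is evaluated on the handshake bytes, not on the port.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Assumed exemption list for illustration: destinations an organization
# chooses not to decrypt (the article gives financial sites as an example).
EXEMPT_SUFFIXES = ("bank.example", "health.example")


def build_client_hello(hostname=None):
    """Construct a syntactically valid TLS 1.2 ClientHello record.
    Constructed sample input, not captured traffic. hostname=None omits SNI."""
    random_bytes = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"   # two common suites, values only
    compression = b"\x00"
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + random_bytes
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_sni(data):
    """Return the SNI host name from a raw TLS record, None if the record is
    not a ClientHello or carries no SNI. Raises ValueError on truncated or
    malformed input so a caller never mistakes a partial record for 'no SNI'."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            ext_data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5 and ext_data[2] == 0:
                name_len = struct.unpack("!H", ext_data[3:5])[0]
                return ext_data[5:5 + name_len].decode("idna")
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return None


def inspection_decision(data, dst_port):
    """Assumed policy function: 'bypass' only for an exempt SNI, 'decrypt'
    otherwise. dst_port is accepted but deliberately ignored, so a flow on
    8443 or 53 is judged exactly like one on 443."""
    try:
        sni = parse_sni(data)
    except ValueError:
        return "decrypt"            # partial or malformed handshake: no bypass
    if sni is None:
        return "decrypt"            # no SNI, no basis for an exemption
    host = sni.lower().rstrip(".")
    for suffix in EXEMPT_SUFFIXES:
        # Dot-anchored suffix match: 'evilbank.example' must not match.
        if host == suffix or host.endswith("." + suffix):
            return "bypass"
    return "decrypt"


if __name__ == "__main__":
    samples = [("www.bank.example", 443),
               ("www.bank.example.attacker.example", 443),
               ("cdn.unknown.example", 8443),
               (None, 53)]
    for host, port in samples:
        print(f"{host!s:40} port {port:5} -> "
              f"{inspection_decision(build_client_hello(host), port)}")
```

The exemption list is matched as a dot-anchored suffix, which is the detail that usually goes wrong in bypass rules: a plain `endswith("bank.example")` would also exempt `evilbank.example`, and the look-alike domains discussed later on this page are exactly the names that exploit such a gap. Absence of SNI and truncated handshakes both fall through to `decrypt`, so an attacker cannot earn a bypass by sending less.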

Other new features include support for TLS 1.3 (which many other solutions don’t have); FastPath policy controls that accelerate performance of SD-WAN applications and traffic, including Voice over IP, SaaS and others, to up to wire speed; and an enhanced Deep Packet Inspection (DPI) engine that dynamically risk-assesses traffic streams and matches them to the appropriate threat scanning level.

Schiappa also said that they’ve wired data science and threat intel much deeper than ever before: AI-enhanced threat intelligence from SophosLabs provides insights needed to understand and adjust defenses to protect against a constantly changing threat landscape.

Finally, user-friendliness should not be discounted: Sophos XG Firewall is simple to use and manage on a single cloud-based platform – Sophos Central – where organizations can easily layer and manage multiple firewalls as well as synchronize their security applications.

Trusted certificates make phishing websites appear valid

There has been a rampant growth of look-alike domains, which are often used to steal sensitive data from online shoppers. Venafi analyzed suspicious domains targeting 20 major retailers in the U.S., U.K., France, Germany and Australia and found over 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted. According to the research, growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four … More

The post Trusted certificates make phishing websites appear valid appeared first on Help Net Security.