On Aug. 29, the Traverse City, Mich.-based Ponemon Institute and the San Diego-based A10 Networks released a study, “Uncovering Hidden Threats Within Network Traffic,” produced for the Ponemon Institute by A10 Networks. The authors of the study have found that “The risk to financial services, healthcare and other industries stems from growing reliance on encryption technology.” Among the study’s key findings: 80 percent off organizations were victims of cyber attacks during past year; nearly half of cyber attacks used malware hidden in encrypted traffic to evade detection; and 75 percent of IT experts surveyed admit malware could steal employee credentials from their networks.
The two organizations surveyed 1,023 “IT and IT security practitioners in North America and Europe, highlighting the overwhelming challenges these professionals face in preventing and detecting attacks on encrypted traffic in and out of their organizations’ networks.”
Key statements from the survey’s summary include the following:
> “Half of all known cyberattacks used SSL encryption to evade detection in the last 12 months.”
> “The inability to inspect encrypted traffic will compromise capacity to meet existing and future compliance requirements.”
> “Most don’t believe their organization can properly inspect SLL traffic.”
> “Encryption of inbound and outbound web traffic will continue to increase.”
> “Use of SSL encryption to mask malicious activity will parallel this growth.”
> “Three common barriers to implementing proper SSL inspection are a lack of security tools, insufficient resources, and performance degradation.”
> “SSL bandwidth requirements diminish the effectiveness of existing security controls.”
Meanwhile, the report notes, “More than half of all respondents (62 percent) admit that their organization does not currently decrypt Web traffic. Why?” For 45 percent, the reason is a lack of insufficient resources; another 45 percent cited performance degradation. Still, among the 62 percent of respondents who said that their organization does not currently decrypt Web traffic, 51 percent said they planned to do so within the next 12 months.
Another challenge cited by respondents from across industries, is around inspection strategies. The survey found that “For organizations that are inspecting decrypted traffic, most haven’t found a seamless or cost-effective manner of implementing the process. Many,” the report noted, “are using a blend of commercial-grade solutions, in-house technology, and labor-intensive manual inspection.”
The survey found that, among those organizations that are inspecting decrypted traffic:
> 53 percent are making use of a commercial solution with Deep Packet Inspection (DPI)
> 44 percent are using a commercial solution that utilizes big data
> 35 percent are engaged in homegrown traffic monitoring
> 28 percent are resorting to manual inspection
What are IT and IT security leaders looking for in potential solutions? The survey found that they want the following:
> 79 percent are looking for SSL certificate management
> 68 percent want scalability
> 63 percent are looking for compliance requirements
> 62 percent want uptime, performance and security
> 54 percent desire multi-vendor security integration
Most significantly, the report found, “Although 75 percent of survey respondents say their networks are at risk from malware hidden inside encrypted traffic, roughly two-thirds admit that their company is unprepared to detect malicious SSL traffic, leaving them vulnerable to costly data breaches and the loss of intellectual property. Among the IT professionals responding to the survey, the largest percentage work in financial services, followed by healthcare and the public sector — three industries most in need of protecting sensitive data. Moreover, the threat is expected to get worse as the volume of encrypted data traffic continues to grow, with the majority of respondents expecting network attackers to increase their use of encryption over the coming year to evade detection and bypass controls. Many companies may be caught off guard, as their security solutions collapse under the weight of tremendous SSL vulnerabilities.”
Indeed, alarmingly, 80 percent of survey respondents said that their organization had already been victims of a cyberattack within the past 12 months, with nearly half reporting that the attack had leveraged SSL traffic to evade detection, while another 15 percent were unsure about that fact.
The survey, conducted online, with online and phone-based responses, encompassed all industries, with the largest group of respondents working in the banking and financial services industry, and with 11 percent each coming from healthcare and from government.
Shortly after the study was released online, Chase Cunningham, Ph.D., director of cyberthreat operations at A10 Networks, spoke with HCI Editor-in-Chief Mark Hagland regarding the results of the survey and the study’s broader implications, especially for healthcare.
Looking at a key result of the survey underlying the study—32 percent of respondents reported being “very concerned,” 36 percent were “concerned,” 22 percent were “somewhat concerned,” and only 9 percent were “not concerned,” that encrypted communications would leave their network vulnerable to hidden threats, how do you read that result?
The interesting point is that nearly half of the people who responded said that yes, we know there are bad things taking place using encrypted channels, and three-quarters of individuals don’t know exactly what’s going on. So they concede that there’s some sort of sickness, but most don’t know what it is, and that’s not good.
What is behind that gap?
There are two things going on there. On the one hand, business organizations have spent a lot of time and money putting in external defenses to keep the bad guys out. On the other hand, it’s likely that they have things already inside their environment, some kind of infection inside their network. And if you can’t look at encrypted traffic, you are missing anywhere from 30-40 percent of the traffic bouncing around your network. And how secure are you not knowing about almost half of the traffic taking place in your network? And interestingly, if you ask people why they’re not inspecting SSL traffic, it’s not that they don’t realize it’s important; it’s that they don’t’ have the technical capability to do it at scale or at speed.
What should we know about existing web-based attacks, and the ability of inspection of decrypted traffic, to figure out where the problems are?
Well, it used to be that web-based attacks used to be things that people did to say, “I can do this.” But the reality is that web traffic is of dominant importance, and if your organization can’t focus on the web-based application side of things, you’re missing a huge set of threats. Most organizations still use SSL Version 1, an old, outdated security protocol, though it’s better than nothing. You need to be able to look at SSL-encrypted traffic. So given that most enterprises’ websites have SSL traffic on them, but can’t analyze their traffic, how operationally functional are you?
The bad news is that healthcare is probably 10-15 years behind the power curve, compared to other industries, in this context. Government and financial services organizations have put together a pretty robust security portfolio, because they’ve been getting hammered for the past decade. Healthcare is just now getting to the point where they understand that they have to fix the security problems. But there’s a learning curve there, and it’s going to take a decade or more to catch up to banking and government.
Why do you believe that the healthcare industry is a full decade behind the financial services industry and government?
If you look at how fast technology is developing and is being deployed in healthcare space, healthcare IT leaders have to catch up there first, and then they have to understand that finance and government have been doing it and have been getting beaten up since 2000. So it will take at least six to eight years to play catch up.
What steps do healthcare IT leaders need to take to catch up, then?
The number-one thing is to start now. They can’t sit back and wait for requirements to come from the federal government. They should understand that this is paramount to the security of their business and how they take care of their patients. So they should start now and not wait. The second part of this is that you have to address your security relative to how the threat addresses you. You could spend a billion dollars on this, but if you don’t do it systematically in the right ways, with the right technologies, that actually stop threat actors, you won’t be successful. I often use the following metaphor: I talk about the zombie marathon, where I don’t have to outrun the zombies, I just have to run faster than the guy next to me, so that I don’t get eaten.
That’s a pretty colorful metaphor to use here.
Well, the reality is that if the bad guys go somewhere else, I’ve won. I don’t have to be the super-security emperor of the universe, I just have to make sure they go somewhere else.
So what are the first steps that healthcare IT leaders should be taking in all this?
Begin by understanding what’s bouncing around in your environment. You wouldn’t get on an airplane and expect it to fly if you only knew 70 percent of it was functional, right? And not only can you not throw solutions onto a problem, you also have to integrate services with what you have.
So you have to mesh your internal operations with outside consultant and vendor services and products?
Yes, that’s exactly right.
Do the IT leaders at healthcare organizations need to make use of security operations centers, or SOCs?
Yes; they need to go outside for SOC-type services; it’s not necessary, or even valuable, to try to create those services full-time, in-house. They should turn to a managed security services provider, an outsourced security provider. But most organizations don’t need to go off and staff up a security operations center; they need one from a consultant company.
One of the key problems in all this remains the vulnerability that patient care organizations face because of their countless number of end-users, and because of phishing strategies on the part of hackers, correct?
Yes; end-users will always be a pretty massive problem for any organization to manage. But it’s interesting that companies and organizations are trying to technically fix their way out of a problem that originates with humans. So if they’re not doing training of their workforce, they’re missing something very important.
Do you see anything unique about the end-user vulnerability in healthcare?
I think that it speaks to how far behind healthcare is, and the fact that medical people are concerned with helping patients. So the power curve is extremely vertical.
How can we combat the rise of ransomware?
The simplest way is to train your workforce to understand what you’re clicking on, because you could literally be the person who brings down your corporate network.
So it really comes down to basic, continual training of end-users, then?
I’m retired military, and in the military, we had a saying: train how you fight and fight how you train. So if you train your people to understand those threats, that’s very important.
Could you offer a few pieces of explicit advice around this to CIOs, CISOs, and other healthcare IT leaders?
Yes, work with the providers giving you technology to make sure that it addresses an actual threat space, and not just to plug a hole. You may not necessarily need the latest whiz-bang coordinated threat intelligence platform; you may really need something that helps you analyze your web traffic. And the most important thing is to move forward now. The worst possible thing is to sit back and assume that legislation will push them forward. It’s only going to get worse.
What will happen in the next five years in healthcare, around this subject?
I think that healthcare organizations will continue to get pummeled for years, and there will be growing problems before they catch up. And medical devices are a whole new area of threat. I’m waiting for the day when somebody gets the wrong dosage from a pump or that their pacemaker’s settings are wrongly set; it’s coming. Unfortunately, pain is the biggest teacher, and things will happen.
So you believe that some hackers could purposely try to maliciously harm patients, through the manipulation of medical devices?
Well, if somebody wanted to make something bad happen, my guess is that you could end up causing real physical harm to people, and that would be a really bad thing.
Is there anything you’d like to add?
Just that CISOs and others, if they are not able to look at SSL traffic and encrypted traffic bouncing around their network, they’re missing almost half of the traffic on their network. And why would you let that go when you don’t know what half of it is?