A padlock icon in the browser's address bar indicates that a secure HTTPS connection has been established with a server by means of an SSL certificate from an acceptable certification authority (CA). Credit: Peter Sayer
The technology is there for companies to inspect the SSL traffic going in and out of their networks, but performance, management and privacy concerns combine to hinder its adoption -- allowing cyberattackers to hide their malicious activity in the encrypted traffic.
According to a new report by the Ponemon Institute, 41 percent of companies that were victims of a cyberattack said that the attacker used SSL encryption to hide their activities and to sneak data out of organizations.
And this percentage is likely to rise, experts say. Encryption tools are already available to the savviest criminals, and it's only a matter of time before they are commercialized, made easier to use, and become widely available to attackers.
"I've already seen some exploit kits with the options of using advanced encryption capabilities," said Chase Cunningham, director of cyber threat research at A10 Networks, which sponsored the Ponemon report.
But only 36 percent of security professionals say that their enterprises are capable of leveraging SSL encryption and inspection, according to the report.
Instead, the majority, 61 percent, said that they don't decrypt SSL traffic because of the potential performance hit on their networks. In addition, 47 percent pointed to a lack of security tools and 45 percent cited insufficient resources.
"There's a misconception that if they start looking at SSL traffic, that's going to be half the traffic in their network," said Cunningham. "If they start looking at it, that it will slow down the network enough to cause performance degradation."
Plus, managing SSL certificates can be a cumbersome chore, he said.
That's a problem, because more and more legitimate traffic is getting encrypted, including many of the public online services used to exfiltrate data. That means that the attackers and malicious insiders don't even have to do anything to benefit from the encryption -- the encryption is already there.
Some 70 percent of global Internet traffic will be encrypted this year, according to a report released this past spring by networking vendor Sandvine. And the main reason why the rest of the traffic isn't being encrypted is that it's streaming videos.
In the enterprise, most security executives report that between 25 and 50 percent of their network traffic is encrypted, and more than 80 percent said that they expect both inbound and outbound encrypted traffic to increase over the next couple of years, according to a study recently released by IDC and F5 Networks.