Security Pros Failing to Inspect Encrypted Traffic

Written by

A quarter (23%) of information security professionals have no idea how much of their organization's encrypted traffic is decrypted and inspected for threats, according to new stats from Venafi.

The key management and certificate vendor polled over 1500 security pros at RSA Conference 2017 and found a worrying lack of visibility when it came to their encryption processes.

Some 41% revealed that they encrypt at least 70% of their internal network traffic, while over half (57%) said they encrypt 70% or more of their external web traffic.

While that would seem to be encouraging news, hackers are increasingly using unprotected keys and certificates to hide inside encrypted traffic, which means malware and exploits are masked from inspection by traditional tools.

Only 19% of respondents claimed they decrypt and inspect all of their encrypted traffic.

Kevin Bocek, chief security strategist for Venafi, described the findings as “alarming”.

“Encryption offers the perfect cover for cyber-criminals,” he added.

“It’s clear that most IT and security professionals don’t realize the security technologies they depend on to protect their business are useless against the increasing number of attacks hiding in encrypted traffic.”

To make matters worse, respondents displayed an overconfidence in their ability to combat threats.

Despite the average firm taking 99 days to detect a cyber-attack, 41% of respondents to the Venafi poll claimed they could detect and respond to a cyber-attack hidden in encrypted traffic within one week, and 20% said they could do the same in just a day.

Bocek argued that it was clear many information security professionals just don’t have the necessary strategies in place to combat malicious encrypted traffic.

“The problem is that attackers lurking in encrypted traffic make quick responses even more difficult,” he added. “This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs.”

Earlier this year, Mozilla announced that more web pages are loaded by Firefox using HTTPS than not; a landmark moment.

What’s hot on Infosecurity Magazine?