Information security is one of those big ideas that affects us at all levels, whether as individuals, businesses, nations, and even international relations. In most cases, these different perspectives bring equally different concerns and challenges to security. Yet today, the debate on encryption is replaying across the spectrum of information security.
The issue is that while everyone wants their own data to remain private, things get a bit murky when bad guys start using encryption to hide their actions. Law enforcement and intelligence agencies want the ability to peer into a suspect’s secrets in order to prevent a crime. Enterprise security likewise, wants to see into encrypted traffic in order to reveal malicious content and attacks.
Apple, the veritable epicenter of consumer technology, is sparring with the U.S. government over requests to access the company’s encrypted products. Apple is not alone in this debate. Law enforcement, intelligence agencies, and elected officials have all pressured technology vendors to provide a way to selectively break encryption in the name of national security.
The problem is that asking for security backdoors that only benefit the good guys is like asking for bullets that only hurt the bad guys. Legal and political wrangling aside, that’s simply not how encryption works. Math works equally well for everyone, and an encryption scheme is either sound or not. Vulnerabilities are available to anyone who finds them.
The recent incident of backdoors found in Juniper firewalls provides spot-on example. Juniper discovered that an unknown remote attacker compromised its firewalls by planting malicious code in its operating system. This vulnerability impacted a wide variety of organizations, from private enterprises to governments and the U.S. Department of Defense.
The irony is that early analysis indicates that the planted code was made possible due to an encryption backdoor that is believed to be the work of the NSA. Regardless of who was behind the original flaw, it’s a stinging example of how any vulnerability in encryption schemes, no matter how small, can lead to serious damage. The backdoor that allows you to spy can be used to spy on you.
A similar event continues to play out in enterprise networks, although in reverse. Organizations increasingly want to perform SSL decryption on their end-users’ traffic to find hidden exploits or malware that might be hiding inside.
The problem is that SSL decryption schemes make use of some of the same man-in-the-middle techniques that allow attackers to commit fraud. Cloud application vendors now implement various techniques to keep attackers from performing these attacks, which has made SSL decryption less viable. Again, the result is the same. The efficacy and trustworthiness of encryption cuts both ways.
However, all is not lost. New approaches to detecting threats are gaining momentum that doesn’t rely on breaking decryption in order to analyze or detect a threat. Instead of taking a “payload or bust” approach, new analysis models leverage metadata to reveal threats and malicious intent.
Instead of listening to tapped phone conversations, law enforcement agencies have learned to analyze patterns of communication to reveal criminal organizations and their underlying intent.
While phone calls might only reveal phone numbers and the length of calls, an analysis of network traffic provides a much deeper set of metadata to analyze. Close analysis of protocols show what type of communication is taking place and reveals important factors.
These factors can indicate if the endpoints are human or automated and reveal if one node is in control of another. Protocol anomalies can identify when a normally benign application or protocol is being abused by an attacker or malware. And all these things can be observed without peering into encrypted traffic.
These examples are really just the tip of the iceberg in terms of what’s possible. And while metadata analysis is unlikely to fully replace content inspection, it provides an important third option in the encryption/decryption debate.
Instead of focusing on self-destructive approaches that undermine strong security, we now have new options that allow us to detect threats while allowing security to do its job. That seems a far more productive outlet for our energies going forward.
Related Reading: To Improve Security Effectiveness, Look Inside