SSL Is Under Attack – What Can You Do?


One of the major foundations of the internet has been the trust engendered by SSL. In an Internet that promises zero anonymity at best, it has been one of the last bastions of trust. Now that trust is in jeopardy, or, some might say, already gone.

It is ironic that one of my favorite security writers, Schneier on Security, gave a talk about the Death of Cryptography. In this article you can see how he predicts its demise, and in the wake of Heartbleed and Shellshock it is not hard to see why.

I would say that IT security is as much about Disaster Recovery and Business Continuity Planning as it is about IT Security. You have to assume that you either are hacked or will be. So if this is the case, how fast can you recover and stay operational when an IT Security event happens to you? When reviewing this article I couldn't help but think that our new breed of hackers are really extortionist entrepreneurs. These types of ransom attacks are up 700% this year.

How would being infected with CryptoLocker impact you? Does your CEO even know what this means? It is my guess that most large company CEOs understand and (in my opinion) most small to medium market CEOs don't.

Meg Whitman, former CEO of eBay, is quoted on YouTube as saying:

"When I am with my fellow CEOs…these are three areas that me and my colleagues are worried about…Every CEO lives in fear of a Big Data breach, loss of data, a hack into the system that compromises our company's reputation. And reputations take years and years to build and can be destroyed overnight."

I wrote earlier about JP Morgan CEO Jamie Dimon's letter to shareholders regarding his increase in IT Security investments in 2014. His spending on IT Security in 2012 as compared to 2014 is stunning in my opinion. Since when have CEOs been concerned about IT Security? Times have changed. I recently watched a presentation to CEOs by the head of the FFIEC, and the title of the talk was What Every CEO Needs to Know about the Threats They Don't See. I am not sure how this presentation, given in the late spring of 2014, will bleed into IT Security regulations over the next couple of quarters.

Shellshock and Heartbleed

The Shellshock and Heartbleed vulnerabilities are big problems with wide-ranging impact, and some argue that Shellshock is the bigger of the two. Heartbleed (CVE-2014-0160) is an implementation bug in OpenSSL's TLS heartbeat handling: a missing bounds check lets a client or server read back up to 64 KB of the peer's process memory per request, which can include private keys, session cookies and passwords. Shellshock (CVE-2014-6271 and its follow-ups) is not a virus but a flaw in the Bash shell: Bash imported function definitions from environment variables and kept executing whatever followed the function body, so any service that copies attacker-controlled input into an environment variable, CGI scripts being the classic case, could be made to run arbitrary commands. You can learn more about the mechanics of Shellshock in a short two-minute video which you can watch here.
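Two practical checks for Shellshock, written here as an added example (this is not code from the article or from any vendor it mentions): the classic environment-variable probe against the local Bash, and detection logic run over constructed web-server log lines in which the payload arrives in HTTP headers, which a CGI server copies into environment variables. The sample log lines, IP addresses and the probe variable name are all made up for the example.

```python
"""Two checks for Shellshock (CVE-2014-6271), added as an example; not code
from the article or from any vendor it mentions.

1. is_bash_vulnerable(): the classic environment-variable probe. A vulnerable
   Bash treats any variable whose value starts with "() {" as a function
   definition and keeps executing whatever follows the closing brace.
2. scan_http_log(): detection over web-server log lines. A CGI server copies
   request headers into environment variables (HTTP_USER_AGENT, HTTP_REFERER,
   ...), so the "() {" prefix inside a header is the exploitation signature.
"""
import re
import shutil
import subprocess

# Harmless probe: a patched Bash ignores everything after the "}" and the
# marker is never echoed.
_MARKER = "shellshock-probe-marker"
_PROBE = "() { :;}; echo " + _MARKER


def is_bash_vulnerable(bash_path=None):
    """True if the local Bash runs code trailing an imported function
    definition, False if patched, None if no Bash is available to test."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    result = subprocess.run(
        [bash, "-c", "echo probe-done"],
        env={"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": _PROBE},
        capture_output=True, text=True, check=False,
    )
    return _MARKER in result.stdout


# Attackers vary the whitespace ("() {", "(){", "() {:;}"), so be tolerant.
SHELLSHOCK_PATTERN = re.compile(r"\(\)\s*\{")


def is_shellshock_payload(value):
    return bool(SHELLSHOCK_PATTERN.search(value))


# Apache/nginx "combined" format: ip - - [ts] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_http_log(lines):
    """Return (client_ip, request, field) for every line whose User-Agent,
    Referer or request line carries a Shellshock payload."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer", "req"):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
                break
    return hits


# Constructed sample log lines (not real traffic). Lines 2 and 3 carry the
# payload in the User-Agent and Referer headers respectively.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \'id\'"',
    '198.51.100.9 - - [25/Sep/2014:10:01:14 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; /usr/bin/uname -a" "curl/7.37.0"',
]

if __name__ == "__main__":
    print("local bash vulnerable:", is_bash_vulnerable())
    for ip, req, field in scan_http_log(SAMPLE_LOG):
        print(f"{ip} {field}: {req}")
```

The probe is safe to run on production hosts (the trailing command is an `echo`), and the log scan is the kind of rule a log manager should already be firing on for any CGI-serving host; note that the payload can sit in any header, not only User-Agent, so the scan checks every field it can parse.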

Some of the major news sources discuss the impact of the Shellshock vulnerability from a layman's perspective, noting that it could affect as many as 500 million devices on the internet (Washington Post).

POODLE Vulnerability – POODLE (Padding Oracle On Downgraded Legacy Encryption) is a funny name for a serious problem. Unlike Heartbleed, which is an implementation bug you can patch, POODLE is a design flaw in the SSL 3.0 protocol itself: the receiver does not fully check the CBC padding of a record, which hands an attacker a padding oracle. The attacker needs a man-in-the-middle position plus a way to make the victim's browser send repeated requests (typically JavaScript), first forces the connection to fall back from TLS to SSL 3.0, and then recovers plaintext such as session cookies at roughly one byte per 256 requests. Because the flaw is in the protocol, the fix is to disable SSL 3.0 on clients and servers and to support TLS_FALLBACK_SCSV so a man in the middle cannot force the downgrade. Here is a good explanation of it.
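To make the padding-oracle mechanism concrete, here is an added worked example (not from the article or from any real SSL implementation) of POODLE against a toy SSL 3.0 record layer. The block cipher is a small SHA-256-based Feistel network standing in for AES/3DES, and the keys, the cookie value and the request layout are assumed; the MAC-then-pad-then-encrypt structure, the SSL 3.0 padding check (only the length byte is verified) and the attack itself follow the published SSL 3.0 design. A TLS-style padding check is included for contrast.

```python
"""POODLE on a toy SSL 3.0 record layer (added example, not from the article).

SSL 3.0 pads a CBC record with L arbitrary bytes followed by the byte L and the
receiver checks only that last byte; TLS 1.0+ also requires every padding byte
to equal L. A man in the middle who can make the victim's browser re-send a
request (JavaScript) and can tamper with the records uses that gap as a
padding oracle to recover one plaintext byte per ~256 requests.

The block cipher is a tiny 4-round Feistel network built from SHA-256, a
stand-in for AES/3DES; MAC-then-pad-then-encrypt, the padding check and the
attack follow the SSL 3.0 design.
"""
import hashlib
import random

BLOCK = 16
KEY = b"toy-cipher-key"              # assumed shared secrets of the toy
MAC_KEY = b"toy-mac-key"
SECRET = b"S3cr3tT0k3nValue"         # 16-byte cookie value the attacker wants
_rng = random.Random(2014)           # seeded so the run is reproducible


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, rnd):
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]


def block_encrypt(block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(r, rnd))
    return l + r


def block_decrypt(block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(l, rnd)), l
    return l + r


def mac(data):
    return hashlib.sha256(MAC_KEY + data).digest()[:16]


def ssl3_padding_ok(last_block):
    # SSL 3.0: only the length byte is checked; the bytes before it are free.
    return last_block[-1] < BLOCK


def tls_padding_ok(last_block):
    # TLS 1.0+: every padding byte must equal the length byte.
    n = last_block[-1]
    return n < BLOCK and all(b == n for b in last_block[-n - 1:])


def seal(data):
    """Client side: MAC, pad with random bytes + length byte, CBC-encrypt under
    a fresh random IV. Returns the block list [IV, C1, C2, ...]."""
    body = data + mac(data)
    pad_len = BLOCK - len(body) % BLOCK                    # 1..16
    body += bytes(_rng.randrange(256) for _ in range(pad_len - 1)) + bytes([pad_len - 1])
    prev = bytes(_rng.randrange(256) for _ in range(BLOCK))
    blocks = [prev]
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(_xor(body[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def server_accepts(blocks):
    """Server side: CBC-decrypt, check padding (SSL 3.0 style), verify MAC."""
    plain = b"".join(_xor(block_decrypt(c), p) for p, c in zip(blocks, blocks[1:]))
    if not ssl3_padding_ok(plain[-BLOCK:]):
        return False
    plain = plain[:len(plain) - plain[-1] - 1]
    return plain[-16:] == mac(plain[:-16])


def client_request(shift):
    """The victim browser re-sending the cookie. `shift` models the attacker's
    control over the URL length: it places SECRET[15 - shift] at offset 31,
    the last byte of block 2, and keeps the padding a full block."""
    data = b"A" * shift + b"Cookie: session=" + SECRET
    data += b"B" * (-len(data) % BLOCK)
    return seal(data)


def poodle_recover_cookie(max_tries_per_byte=20000):
    recovered = bytearray()
    for j in range(len(SECRET)):
        for _ in range(max_tries_per_byte):
            blocks = client_request(15 - j)
            # Move the target block C2 into the padding slot. The server now
            # decrypts it against C_{n-1}; the record is accepted only when
            # D(C2)[15] ^ C_{n-1}[15] == 15, i.e. a full padding block that
            # leaves the MAC intact. That happens once per ~256 requests.
            if server_accepts(blocks[:-1] + [blocks[2]]):
                # P2[15] = D(C2)[15] ^ C1[15] = 15 ^ C_{n-1}[15] ^ C1[15]
                recovered.append(15 ^ blocks[-2][-1] ^ blocks[1][-1])
                break
        else:
            return None
    return bytes(recovered)
```

The point to take away is that nothing here breaks the cipher or the MAC: the server leaks one bit per request (accept or reject) purely because SSL 3.0 never defined what the padding bytes must contain, and no patch to the implementation can change that. Disabling SSL 3.0 removes the oracle; supporting TLS_FALLBACK_SCSV stops a man in the middle from steering a modern client back onto it.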

CryptoWall and CryptoLocker

Sadly, search engines and advertisers are making security worse. With Google and Yahoo in control of much of the advertising on the Internet, they have kept Managed Security Service Providers busy responding to users infected with digitally signed versions of CryptoWall delivered through ads and banners. Google (and others) serve their advertising traffic and email over SSL, so that content passes through your firewall uninspected unless you have SSL deep packet inspection/decoding; this nicely trashes the well-planned defense in depth you have implemented (thanks, Google). The infection runs as the real logged-in user, with that user's access to local and network files, so it does not need to steal credentials or attempt privilege escalation to do its damage. It is quite easy to destroy an environment when 'special folks' like CEOs and senior VPs are allowed to bypass normal IT security controls such as content filtering.

What tools are needed to combat these attacks on SSL?

  1. Real-time threat management and review of logs using a threat and log manager (SIEM).
  2. Securing IT admin (privileged) passwords; these accounts are what an attacker needs to spread beyond one user's files.
  3. Managing SSL very aggressively: inspect and decrypt SSL at the network edge (DPI/SSL inspection), so that malvertising and command-and-control traffic hiding inside HTTPS is actually seen by your defenses.
  4. Monitoring behavioral heuristics of what users and systems are doing with your files, so that a single account suddenly rewriting or renaming thousands of documents raises an alert.
  5. Backups – It is not enough to listen to people say that their backups are fine. It must be proven. All IT operations need to be able to fail over to good, clean backups in the event a
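As an added example of the behavioral file heuristics in item 4 (this is not code from the article or from any product it names), the following scores a constructed feed of file-activity events and flags the pattern a CryptoLocker-style infection leaves behind while running as an ordinary logged-in user: one account touching many files in one minute, writing data that looks encrypted, renaming everything to a single new extension, and dropping the same note file in many folders. The event format, thresholds, account names and paths are assumptions for the example.

```python
"""Behavioral file-activity heuristic (added example, not from the article).

Looks for one account that, within a short window, rewrites or renames many
files, writes data that looks encrypted (high byte entropy), or drops the same
note file in many folders: the footprint CryptoLocker-style malware leaves on a
file share while running as an ordinary logged-in user. The event feed is
constructed here; in practice it would come from file-server auditing or an
endpoint agent.
"""
import math
import random
from collections import defaultdict

WINDOW_SECONDS = 60
MIN_FILES = 20            # distinct paths touched per account per window
ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data is near 8


def shannon_entropy(data):
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(events):
    """events: dicts with ts (epoch seconds), user, op ("write", "rename" or
    "create"), path (the new path for renames) and sample (the first bytes
    written, None unless op == "write"). Returns one alert per account and
    window that trips the heuristics."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev["user"], ev["ts"] // WINDOW_SECONDS)].append(ev)
    alerts = []
    for (user, win), evs in sorted(buckets.items()):
        if len({e["path"] for e in evs}) < MIN_FILES:
            continue                       # ordinary editing never gets here
        writes = [e for e in evs if e["op"] == "write" and e["sample"]]
        encrypted_looking = sum(shannon_entropy(e["sample"]) >= ENTROPY_THRESHOLD for e in writes)
        renames = [e for e in evs if e["op"] == "rename"]
        new_exts = {e["path"].rsplit(".", 1)[-1] for e in renames}
        note_dirs = {e["path"].rsplit("/", 1)[0] for e in evs
                     if e["op"] == "create" and "DECRYPT" in e["path"].upper()}
        reasons = []
        if writes and encrypted_looking / len(writes) >= 0.8:
            reasons.append(f"{encrypted_looking}/{len(writes)} writes look encrypted")
        if len(renames) >= MIN_FILES // 2 and len(new_exts) == 1:
            reasons.append(f"{len(renames)} files renamed to .{next(iter(new_exts))}")
        if len(note_dirs) >= 3:
            reasons.append(f"ransom note dropped in {len(note_dirs)} folders")
        if reasons:
            alerts.append({"user": user, "window_start": win * WINDOW_SECONDS,
                           "reasons": reasons})
    return alerts


def sample_events():
    """Constructed feed: 'alice' edits a few documents; 'ceo-laptop' shows the
    ransomware pattern inside one minute."""
    rng = random.Random(7)
    prose = b"Quarterly report draft: revenue up, costs flat, see attached tables. " * 8
    junk = bytes(rng.getrandbits(8) for _ in range(1024))   # stands in for ciphertext
    events = [{"ts": 1000 + 10 * i, "user": "alice", "op": "write",
               "path": f"/share/finance/report{i}.docx", "sample": prose} for i in range(5)]
    for i in range(30):
        src = f"/share/finance/doc{i}.xlsx"
        events.append({"ts": 2000 + i, "user": "ceo-laptop", "op": "write", "path": src, "sample": junk})
        events.append({"ts": 2000 + i, "user": "ceo-laptop", "op": "rename", "path": src + ".encrypted", "sample": None})
    for folder in ("finance", "hr", "legal", "sales"):
        events.append({"ts": 2029, "user": "ceo-laptop", "op": "create",
                       "path": f"/share/{folder}/DECRYPT_INSTRUCTIONS.txt", "sample": None})
    return events


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

Two design notes: the entropy test alone is noisy (users do copy zip files and JPEGs), which is why it only counts when most of an account's writes in the window look encrypted, and the alert is keyed by account rather than by host because the damage spreads through whatever shares that account can reach. The useful response to such an alert is to disable the account's share access immediately and then prove the backups (item 5) before anything else.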

By the way, if you are looking for the definition of a bug, a virus or a vulnerability, check here. Another fantastic resource is this Threat Encyclopedia.

Contact me if you have questions or comments. You can reach me at
