This blog is an excerpt from GovLoop’s recent industry perspective Investment in Custom Security Processing Units Pays off Huge Dividends for Federal Security. Download the full perspective here.
Federal agencies are a natural target for cyber criminals and nation-state actors because of the services they perform and the troves of information their systems may hold. According to the 2016 Ponemon Cost of Data Breach Study: Global Analysis, government was the fourth most popular hacking target in 2016, behind healthcare, manufacturing, and financial services. A successful attack against the government has the potential to disrupt public services, expose classified information, and steal the personally identifiable information (PII) of millions of citizens. One need only look as far as the 2015 hack of the Office of Personnel Management (OPM) databases, in which the information of as many as 22 million people, in some cases including highly detailed security clearance applications, was stolen.
Encryption is an essential tool that federal agencies must employ to protect their networks and the data both moving across and stored on those networks.
Encryption works in two ways. First, it converts digital data into a code that requires a key or passcode to decipher, which ensures the authenticity of the sender and nonrepudiation. Second, it establishes an encrypted link between two parties. However, cyber criminals and hackers are increasingly exploiting encryption to disguise malware as benign messages that pass through established security perimeters, hiding in plain sight from intrusion-protection systems and gaining access to networks, sensitive data, and command and control functions, while trusted insiders use it for the exfiltration of stolen PII and internal IP addresses. All the while, personal, proprietary, and other sensitive information is put at risk.
With web-based transactions, the primary issue continues to be the trusted, long-standing standard for securing online communications, Secure Sockets Layer (SSL) encryption, most visibly identified by the “s” in “HTTPS” at the beginning of a URL. With SSL, all transmitted information is encrypted and thereby protected. Without it, information such as names, Social Security numbers, and credit card information is exposed in plain, readable text.
The question is, then, how can the government effectively implement encryption to protect federal networks and data while simultaneously blunting its use by malicious actors?
“The answer lies in decrypting and inspecting both incoming and outgoing SSL Web traffic to identify threats,” said Matthew Miller, U.S. Federal Channel Manager at Fortinet, in an interview with GovLoop. “With the right tools, any agency can implement this process, closing a developing gap in network defenses and avoiding false choices between security and privacy.”
However, decrypting, inspecting, and re-encrypting incoming and outgoing SSL web traffic places a tremendous burden on the network security infrastructure. Traditionally, network security products relied on shared CPU resources, and the network administrator had to “over buy” to achieve the performance demanded by users and applications.
Fortinet has taken a distinct approach to the SSL challenge by developing the security processing unit (SPU), which provides hardware acceleration for SSL encryption and decryption. Recognizing that general-purpose hardware was not sufficient for the most difficult current and upcoming security challenges, Fortinet made a strategic decision to invest in custom application-specific integrated circuit (ASIC) research and development to pioneer SPU technology. The investment has paid off: Fortinet now offers groundbreaking performance for SSL encryption and decryption at a low cost, removing the need to “over buy” that administrators had faced.
In this industry perspective, created in partnership with Fortinet, you will learn more about the ASIC SPU chip; how hackers are using encryption to subvert edge defenses; and how governmental agencies may utilize the newly created SPU technology for a cybersecurity solution that can be employed for SSL decryption and inspection to thwart cyberattacks.
Using Encryption to Thwart Edge Defense
Encryption has become an increasingly popular way for criminals to conceal their attempts to access federal networks. A recent Ponemon Institute survey determined 77% of public-sector respondents reported being the victim of some form of cyberattack in the previous year, and 43% of those attacks exploited encryption to sidestep detection.
Whether it is cyber criminals looking for monetary gain or hackers acting on behalf of a nation state, the appeal is evident: The encryption used ostensibly to protect organizations, users, and their data is doing the hackers’ work for them, concealing their attempts to get inside, and masking any data they might remove or replace.
The problem is certain to intensify with government agencies’ increasing use of web-based interactions and cloud services in their varying forms, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Websites and cloud-based operations currently host everything from permit applications to email services to an Amazon Web Services cloud infrastructure shared by the 17 agencies of the intelligence community. With no decrease in cloud-based operations on the horizon, by at least one estimate as much as 92% of online activity will be processed by cloud services by 2020. This means that, in addition to formal online transactions, applications, and email, the increasingly popular user-generated content and custom applications can also be exploited to introduce encrypted malware into a system.
Meanwhile, a June 2015 mandate from the White House established HTTPS as a requirement for all public-facing federal websites. While this improves security from one perspective, it also puts greater strain on essential cyberdefenses.
Reducing New Encrypted Attacks
A solid defense against these tactics is Secure Inspection at the Edge: packets are decrypted, analyzed to ensure they do not pose a threat, and then re-encrypted and allowed to traverse the network, so that both valid and malicious traffic can be identified and handled. However, many agencies, federal and civilian alike, face tough choices because this solution degrades performance. This is not necessarily a matter of treating SSL encryption as a set-it-and-forget-it security blanket; rather, it is an outgrowth of the complicating factors of running and maintaining a safe and secure network.
Federal IT administrators and engineers are constantly plagued by shortages of qualified, knowledgeable personnel and by limited funds for critical network defense, while juggling ever-present security concerns and users’ demands for near-constant uptime and dependable network performance.
With the wrong equipment, decrypting and inspecting traffic strains network resources and slows performance. The volume and sophistication of SSL-encrypted traffic place a burden on the tools in a comprehensive security system, such as intrusion prevention and threat detection, to keep pace.
In addition to hiding malware within web transactions, hackers and cyber criminals can also gain network access through the theft of SSL certificate keys. Certificates are the electronic documents issued by credible certificate authorities and designed to ensure the authenticity of the sender. Because the certificate keys, and therefore the contents of a message, are trusted by the parties involved, a stolen one can be used to encrypt malicious code in emails, websites, or applications. Managing many certificates may be cumbersome for some organizations, which ultimately may lead to complacency.
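The trust mechanics underneath the decrypt-inspect-re-encrypt model described in this section, and the reason certificate and key custody matters, can be shown with a short Go program using only the standard library. This is an added example, not code from Fortinet or GovLoop: an inspecting device terminates the client's session and presents a certificate it signs on the fly with an internal CA, so clients accept it only when that CA's certificate is in their trust store, while a standard chain check still rejects a certificate from an unknown issuer, for the wrong hostname, or outside its validity period. The CA names and the hostnames portal.example.gov and other.example.gov are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certificate authority: its certificate plus the private key that signs with it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newKey generates a P-256 key; the example panics on failure because it is a demo.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign creates a certificate from tmpl, signed by parent with parentKey, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed root. For edge inspection this is the internal CA
// whose certificate every managed client must hold in its trust store (constructed name).
func newCA(name string, now time.Time) *ca {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return &ca{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// issueLeaf has the CA sign a server certificate for host, as an inspecting
// proxy does on the fly when it terminates a client's session for that host.
func (c *ca) issueLeaf(host string, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, c.cert, &newKey().PublicKey, c.key)
}

// Accepted reports whether a client that trusts only root accepts leaf for host
// at time now: issuer chain, hostname and validity period are all checked.
func Accepted(leaf, root *x509.Certificate, host string, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// InspectionScenarios returns, per scenario, whether a client accepts the
// re-signed certificate. Hostnames and CA names are constructed for the example.
func InspectionScenarios() map[string]bool {
	now := time.Now()
	const host = "portal.example.gov"
	trusted := newCA("Agency Inspection CA", now)
	unknown := newCA("Some Other CA", now)
	valid := trusted.issueLeaf(host, now.Add(-time.Hour), now.Add(time.Hour))
	fromUnknown := unknown.issueLeaf(host, now.Add(-time.Hour), now.Add(time.Hour))
	expired := trusted.issueLeaf(host, now.Add(-2*time.Hour), now.Add(-time.Minute))
	return map[string]bool{
		"trusted_ca": Accepted(valid, trusted.cert, host, now),
		"unknown_ca": Accepted(fromUnknown, trusted.cert, host, now),
		"wrong_host": Accepted(valid, trusted.cert, "other.example.gov", now),
		"expired":    Accepted(expired, trusted.cert, host, now),
	}
}

func main() {
	for name, ok := range InspectionScenarios() {
		fmt.Printf("%-11s accepted=%v\n", name, ok)
	}
}
```

Running it with `go run` prints one line per scenario; only the certificate chained to the trusted inspection CA is accepted. The point for a defender is that the inspection CA's private key is the entire trust boundary for every managed client, so the key custody and certificate management the text describes deserve the same attention as the inspection hardware itself.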
While HTTPS increases cyber security from one perspective, it has the potential to undermine a fundamental security strategy that is used and highly valued by the highest-end security organizations in the world.
To learn more about the benefits of custom security processing units and the tools that are needed for better SSL inspections and SPUs, download the full perspective here.