Does your department or agency have a bird’s eye view of the company network or is its activity viewed ‘through a glass darkly’?
For many Australian government organisations, it’s the latter and that can be to their detriment.
Historically, a visible environment has been the safest and most efficient sort to have, both for network administrators looking to optimise network traffic and systems performance, and cyber-security specialists seeking to keep high-tech infiltrators at bay.
The latter is no easy task.
Government agencies around the globe remain firmly in the sights of hackers and cyber-criminals and, to date, the defences haven’t always held firm.
According to the Australian Signals Directorate, the agency that leads the government’s operational response to cyber incidents, Australian government networks, classified and unclassified, experienced more than 1097 incidents across the 2015 to 2018 financial years.
Australian Cyber Security Centre head Alastair MacGibbon has noted the ever-growing complexity of threat and attack profiles and, in 2018, was reported as stating that the failure of some cyber defences was inevitable.
A clear view
Lack of visibility is the key security challenge faced by organisations of all stripes, according to recent research from SDxCentral. Breaches such as the February 2019 cyber-attack on the federal Department of Parliamentary Services, thought to have been perpetrated by a foreign government, highlight its importance.
But is simply resolving to increase the visibility of traffic the key to improved security, or is the situation more complex? Changes to the protocols that carry information across networks appear to have made it so.
It could be argued that the enterprise computing world is heading towards a situation in which privacy, rather than security, is the predominant focus, courtesy of the advent of Perfect Forward Secrecy (PFS) protocols and the fading of the time-tested RSA key exchange.
PFS handshakes make deep, transaction-level analysis hard for security teams, and the reason is mechanical. A passive, out-of-line decryption appliance works by holding a copy of the server’s private RSA key: with it, the appliance can recover the premaster secret from a recorded handshake and derive the session key. A PFS handshake sends nothing that is encrypted under that key, so the appliance recovers nothing. If a team was relying on that passive approach to inspect internal traffic, it will stop working as servers move to PFS. This can create a permanent blind spot or force a costly re-architecting of the decryption technology. Worse still, it can push organisations toward in-line, or "man-in-the-middle", decryption schemes, which research has shown can introduce more security risk than they mitigate.
In a PFS system a unique, ephemeral session key is negotiated for each and every session and discarded afterwards. Compromise of the server’s long-term key therefore does not expose sessions recorded earlier, and a leaked session key exposes only the single session for which it was created, not any prior or future one.
Conversely, under the legacy RSA key exchange a single long-term private key protects the session secrets of every connection the server accepts, for as long as that key remains in use, typically years. If that one key is lost or compromised, every recorded session it protected can be decrypted, potentially exposing a wealth of sensitive information.
Cyber-security professionals and IT operations staff are likely to have differing views on the merits of the two approaches.
Under a PFS-driven regime an attacker who steals a key, or who has been recording traffic in the hope of obtaining one later, gains nothing. But the same property locks out the organisation’s own passive monitoring, which is a problem for an IT team seeking to identify anomalies and keep the network running smoothly.
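To make the difference between the two handshakes concrete, here is an added example (not code from this article or from any vendor product) that runs a toy RSA key exchange and a toy ephemeral Diffie-Hellman exchange side by side, then shows what a passive tap holding the server’s long-term private key can recover from each recorded transcript. The RSA modulus, the DH prime, the generator and the hash-based key derivation are all assumed toy stand-ins for the real TLS constructions; they are chosen only so the script runs in plain Python without extra libraries.

```python
"""Static RSA key transport vs ephemeral Diffie-Hellman (DHE): why a passive
tap that holds the server's long-term private key recovers RSA sessions but
not PFS sessions.

Added example for this article; not code from the page or any vendor.
All parameters are TOY sizes (a ~150-bit RSA modulus, a 127-bit DH prime,
textbook RSA with no padding, SHA-256 in place of the TLS PRF/HKDF).
Never use any of this for real traffic.
"""
import hashlib
import secrets

# --- Toy long-term server RSA key (two Mersenne primes, assumed/toy) ---
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+

SERVER_PUB = (N, E)
SERVER_PRIV = (N, D)                       # what a tap (or a thief) would hold

# --- Toy DH group: p = 2^127 - 1 is prime; g = 3 is an assumed toy generator ---
DH_P = 2**127 - 1
DH_G = 3


def derive_session_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret with both nonces."""
    data = premaster.to_bytes(32, "big") + client_random + server_random
    return hashlib.sha256(data).digest()


def rsa_key_exchange():
    """Client picks the premaster and encrypts it to the server's static key.
    Returns (session_key, transcript); the transcript is exactly what a tap sees."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(N)
    n, e = SERVER_PUB
    encrypted_premaster = pow(premaster, e, n)      # textbook RSA (toy, no padding)
    n, d = SERVER_PRIV                              # server side unwraps it
    assert pow(encrypted_premaster, d, n) == premaster
    key = derive_session_key(premaster, client_random, server_random)
    transcript = {"kx": "RSA", "client_random": client_random,
                  "server_random": server_random,
                  "encrypted_premaster": encrypted_premaster}
    return key, transcript


def dhe_key_exchange():
    """Both sides pick fresh ephemeral exponents; only g^a and g^b cross the wire.
    (A real server also signs its share with the long-term key; omitted here.)"""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(gb, a, DH_P)                       # client computes g^ab
    assert shared == pow(ga, b, DH_P)               # server gets the same value
    key = derive_session_key(shared, client_random, server_random)
    transcript = {"kx": "DHE", "client_random": client_random,
                  "server_random": server_random,
                  "client_share": ga, "server_share": gb}
    return key, transcript


def passive_recover(transcript, server_priv):
    """What an out-of-line tap (or an attacker with a stolen key) can do with only
    the recorded handshake and the server's long-term private key."""
    if transcript["kx"] == "RSA":
        n, d = server_priv
        premaster = pow(transcript["encrypted_premaster"], d, n)
        return derive_session_key(premaster, transcript["client_random"],
                                  transcript["server_random"])
    # DHE: nothing in the transcript is encrypted under the long-term key.
    # Recovering g^ab needs a or b, and neither was ever sent.
    return None


def tap_can_decrypt(kx: str) -> bool:
    """Run one session of the given kind and report whether the tap got its key."""
    key, transcript = rsa_key_exchange() if kx == "RSA" else dhe_key_exchange()
    return passive_recover(transcript, SERVER_PRIV) == key


if __name__ == "__main__":
    print("RSA session recovered by tap:", tap_can_decrypt("RSA"))   # True
    print("DHE session recovered by tap:", tap_can_decrypt("DHE"))   # False
```

The same function, `passive_recover`, models both the friendly monitoring appliance and the adversary who has obtained the key: the maths does not distinguish between them, which is exactly why PFS closes the door on both.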
Following the crowd
IT industry heavyweights appear to have voted with their feet on this issue. Google, Twitter, WhatsApp and Facebook Messenger have all offered PFS for several years now, and Apple, through its App Transport Security requirements, has mandated PFS-supporting cipher suites for apps in its App Store. Where the big players lead, others follow, which means it’s highly likely the industry’s new norm is already being bedded down.
Back in 2014, the Internet Engineering Task Force working group drafting Transport Layer Security (TLS) 1.3 decided to drop the static RSA key exchange from the protocol. In TLS 1.3, published as RFC 8446 in 2018, every full handshake derives its session keys from an ephemeral Diffie-Hellman exchange and is therefore forward secret; an RSA key can still sign the handshake, but it no longer transports the session secret.
Technology is the challenge – and the solution
Technology may well hold the key to achieving the optimum balance between privacy and security in the PFS-driven future. The technology now exists to decrypt PFS traffic out-of-line, without compromising performance or taking on the risks introduced by in-line solutions. One caveat matters for anyone evaluating it: because nothing in a PFS handshake can be unwrapped with the server’s long-term key, any out-of-line approach depends on the session keys being supplied from an endpoint the organisation controls, for example by an agent on the server or a key-export facility in the TLS stack, rather than on a copy of the private key sitting on the tap. It is a newer capability, offered by relatively few vendors, but it directly addresses the visibility problem PFS introduces.
Down the track, security staff can reasonably expect to find themselves in a position where decrypting everything is neither necessary nor desirable. Only traffic that presents as suspicious will need to be unlocked and analysed. Targeted, out-of-band decryption of PFS traffic for security analysis is possible today and is being adopted by forward-thinking organisations.
Neither open-to-the-world visibility nor complete encrypted opacity: the optimum answer to this security conundrum may well lie somewhere between the two.
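Because out-of-line decryption of PFS sessions only works when an endpoint hands over the session keys, a practical analyser needs a key feed and a way to tell which captured sessions it can and cannot open. The following added example (not code from this article or from any vendor’s product) indexes keys in the NSS key log format, the `SSLKEYLOGFILE` convention honoured by Firefox, Chrome and curl and consumed by Wireshark, and answers that question for a captured session’s client random. The log lines, client random values and secrets are constructed for the example; the label names and line layout are the real format.

```python
"""Index an NSS-format TLS key log and report, per captured session, whether an
out-of-band analyser can decrypt it and which secrets it holds.

Added example for this article; not code from the page or from any vendor.
The key-log format is the real SSLKEYLOGFILE convention; every value below is
constructed for the example.
"""

TLS12_LABEL = "CLIENT_RANDOM"          # TLS 1.2: one line carries the master secret
TLS13_LABELS = {                         # TLS 1.3: one line per derived secret
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Decrypting both directions of TLS 1.3 application data needs both of these.
TLS13_APP_DATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def parse_keylog(text: str) -> dict:
    """Return {client_random_hex: {label: secret_bytes}}.
    Comments, blank lines, unknown labels and malformed lines are skipped rather
    than trusted, since the file is written by endpoints we only partly control."""
    index = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, secret = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            continue
        if len(client_random) != 64:            # client_random is 32 bytes
            continue
        try:
            bytes.fromhex(client_random)
            secret_bytes = bytes.fromhex(secret)
        except ValueError:
            continue
        index.setdefault(client_random.lower(), {})[label] = secret_bytes
    return index


def decryptable(index: dict, client_random_hex: str):
    """Given the client_random seen in a captured ClientHello, report what the
    analyser can do: None means the session is a blind spot (no key exported)."""
    secrets_for = index.get(client_random_hex.lower())
    if not secrets_for:
        return None
    if TLS12_LABEL in secrets_for:
        return ("TLS1.2", sorted(secrets_for))
    if TLS13_APP_DATA <= set(secrets_for):
        return ("TLS1.3", sorted(secrets_for))
    return ("TLS1.3-partial", sorted(secrets_for))   # e.g. handshake only


# --- Constructed sample: three captured sessions, keys exported for two ---
RAND_A = "11" * 32   # TLS 1.2 session, key exported
RAND_B = "22" * 32   # TLS 1.3 session, all secrets exported
RAND_C = "33" * 32   # session whose endpoint exported nothing

SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed for this example)",
    f"CLIENT_RANDOM {RAND_A} {'a1' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_B} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RAND_B} {'b4' * 32}",
    f"EXPORTER_SECRET {RAND_B} {'b5' * 32}",
    "CLIENT_RANDOM truncated-garbage",      # malformed line: skipped
])

KEY_INDEX = parse_keylog(SAMPLE_KEYLOG)

if __name__ == "__main__":
    for name, rand in (("A", RAND_A), ("B", RAND_B), ("C", RAND_C)):
        print(name, decryptable(KEY_INDEX, rand))
```

Session C is the case to watch for in practice: a PFS session captured on the wire whose endpoint never exported its keys is simply opaque, and no copy of the server certificate’s private key will change that. Counting such sessions over time is a useful measure of how much of the estate the key feed actually covers.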
Striking a safer balance
Cyber-threats are a real and rising danger to organisations of all stripes. Australia’s public sector agencies will continue to be a key target for hackers and cyber-criminals intent on accessing and exploiting the plethora of sensitive and valuable data in their keeping.
To further muddy the water, Australia enacted new and controversial encryption laws in 2018 (the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018), under which agencies can compel communications providers to assist in accessing the content of encrypted communications. This may prompt many businesses to reconsider their overall stance and technology decisions around decryption.
In any case, staying abreast of network security developments and striving to achieve a workable visibility/privacy balance will see agencies better placed to maintain the stringent protection standards citizens expect from their government in 2019 and beyond.