In-depth

Why is SSL under attack?

Don't get sidetracked by a storm in the SSL teacup, warns Davey Winder...


SSL is under attack, not just from those who would do bad things unto thee but also from We The Media. The latest headline-grabbing threat was revealed in an OpenSSL security advisory last week which started with a high severity warning entitled "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)."

This affects users of the open source crypto library, or at least those running OpenSSL 1.0.2 (the earlier 1.0.1, 1.0.0 and 0.9.8 branches are not affected, and 1.0.2a fixes it), and to cut a very long and boring story short it enables a denial of service attack against the server. A malicious client that renegotiates with an invalid signature algorithms extension triggers a NULL pointer dereference and crashes the server. I did warn you it was boring. Not, however, as boring as the IT security industry commenting spat that rolled out as a result.
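For readers who want to see the shape of the bug rather than the press release, here is an added illustration; it is a constructed analogue written for this page, not OpenSSL's own code, and it does not reproduce the actual 1.0.2 code path. It models a server that decodes the client's signature_algorithms extension (RFC 5246 format: a 16-bit list length followed by hash/signature byte pairs), intersects it with a hypothetical server preference list, and then picks an algorithm. The unchecked picker dereferences the shared list without testing it, which is exactly the NULL pointer dereference class described above when the client offers nothing the server supports; the checked version turns that into a handshake failure instead. All extension bodies in main() are constructed test vectors.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed analogue (NOT OpenSSL code) of the bug class behind the
 * CVE-2015-0291 advisory: a server that trusts the client's
 * signature_algorithms extension ends up dereferencing a NULL "shared
 * algorithms" list. Wire format follows RFC 5246 section 7.4.1.4.1:
 * uint16 list length, then (hash, signature) byte pairs. */

typedef struct { uint8_t hash; uint8_t sig; } sigalg_t;

/* Hypothetical server preference list: sha256/rsa, sha384/rsa, sha256/ecdsa. */
static const sigalg_t SERVER_SIGALGS[] = { {4, 1}, {5, 1}, {4, 3} };
#define N_SERVER (sizeof SERVER_SIGALGS / sizeof SERVER_SIGALGS[0])
#define MAX_CLIENT_SIGALGS 64

/* Decode the extension body into out[]. Returns the pair count, or -1 if malformed. */
int parse_sigalgs(const uint8_t *ext, size_t ext_len, sigalg_t *out, size_t max_out)
{
    if (ext_len < 2) return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len % 2 != 0 || list_len + 2 != ext_len) return -1;
    size_t n = list_len / 2;
    if (n > max_out) return -1;
    for (size_t i = 0; i < n; i++) {
        out[i].hash = ext[2 + 2 * i];
        out[i].sig  = ext[3 + 2 * i];
    }
    return (int)n;
}

/* Intersection of client and server lists, in server preference order.
 * Returns a malloc'd array, or NULL when nothing is shared (and sets *nshared = 0). */
sigalg_t *shared_sigalgs(const sigalg_t *client, size_t nclient, size_t *nshared)
{
    sigalg_t *shared = NULL;
    *nshared = 0;
    for (size_t i = 0; i < N_SERVER; i++) {
        for (size_t j = 0; j < nclient; j++) {
            if (client[j].hash == SERVER_SIGALGS[i].hash &&
                client[j].sig == SERVER_SIGALGS[i].sig) {
                sigalg_t *grown = realloc(shared, (*nshared + 1) * sizeof *shared);
                if (grown == NULL) { free(shared); *nshared = 0; return NULL; }
                shared = grown;
                shared[(*nshared)++] = SERVER_SIGALGS[i];
                break;
            }
        }
    }
    return shared;
}

/* Vulnerable shape: the caller assumes the shared list is non-empty.
 * With shared == NULL this is the NULL pointer dereference the advisory describes. */
uint16_t pick_sigalg_unchecked(const sigalg_t *shared)
{
    return (uint16_t)((shared[0].hash << 8) | shared[0].sig);
}

/* Hardened shape: an empty intersection is a negotiation failure, not a crash. */
int pick_sigalg_checked(const sigalg_t *shared, size_t nshared, uint16_t *out)
{
    if (shared == NULL || nshared == 0) return 0;
    *out = (uint16_t)((shared[0].hash << 8) | shared[0].sig);
    return 1;
}

/* Server-side handling of one ClientHello extension body.
 * Returns 1 and sets *chosen on success, 0 when no algorithm is shared
 * (send handshake_failure), -1 when the extension is malformed (send decode_error). */
int negotiate_sigalg(const uint8_t *ext, size_t ext_len, uint16_t *chosen)
{
    sigalg_t client[MAX_CLIENT_SIGALGS];
    int n = parse_sigalgs(ext, ext_len, client, MAX_CLIENT_SIGALGS);
    if (n < 0) return -1;
    size_t nshared;
    sigalg_t *shared = shared_sigalgs(client, (size_t)n, &nshared);
    int rc = pick_sigalg_checked(shared, nshared, chosen);
    free(shared);
    return rc;
}

int main(void)
{
    /* Constructed extension bodies, not captured traffic. */
    const uint8_t good[]    = { 0x00, 0x04, 0x04, 0x01, 0x06, 0x01 }; /* sha256/rsa, sha512/rsa */
    const uint8_t unknown[] = { 0x00, 0x02, 0xee, 0xee };             /* nothing the server supports */
    const uint8_t bad_len[] = { 0x00, 0x05, 0x04, 0x01, 0x06 };       /* odd list length: malformed */
    uint16_t chosen = 0;
    printf("good:    rc=%d chosen=0x%04x\n", negotiate_sigalg(good, sizeof good, &chosen), chosen);
    printf("unknown: rc=%d (unchecked picker would crash here)\n",
           negotiate_sigalg(unknown, sizeof unknown, &chosen));
    printf("bad_len: rc=%d\n", negotiate_sigalg(bad_len, sizeof bad_len, &chosen));
    return 0;
}
```

The point of the two pickers sitting side by side is that the crash is not in the parser at all: the extension can decode perfectly well and still yield an empty intersection, so the check has to happen where the list is consumed, and the right response to "nothing shared" is a handshake_failure alert rather than a dead process.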


Here's how these things tend to work: a security scare, advisory or patch is revealed, and immediately the IT security vendors and industry players start feeding comments to their marketing people, who spin these out to us press folk in the hope that we will use their client's quote in a news or analysis piece, with a mention of the company at worst and a link to their site or product at best.


There's nothing wrong in that, per se, and these comment releases can often be the starting point of some very interesting and informative follow-up conversations for journalists covering the story. Where things can go a bit pear-shaped, though, is when a company has nothing of value to say but the PR people spin the release out anyway. The OpenSSL advisory was no exception to the industry comment flood rule, and amongst the inevitable marketing dross there were a few real peaches. Just not, perhaps, for the intended reason.


One particular expert added to the hype around just how big the vulnerability was, via an embargoed press release to stir up the excitement further. A little while later, that opinion seemed to change to suggest it was preferable to certain other forms of attack.

I had to read the statement several times for it to sink in. Could a security outfit really be saying that one attack is preferred to another? This made me wonder whether we should be thinking in terms of preferred vulnerabilities at all. After all, if your organisation was taken out of play by a DDoS attack I'm pretty sure you wouldn't be thinking "phew, that was a close one, it could have been a data breach."

In the real world of tight budgets and tough choices, there has to be some form of risk analysis to determine where the money should be spent in terms of the data protected and the cost to the organisation if a breach were to occur. However, I'm not sure that this risk auditing should extend to a point of threat granularity whereby you determine that one attack mode is less worthy of prevention than another. Especially as the newly released Quarterly DDoS Trends and Analysis Report from Corero reveals that, in the case of DDoS, 79 per cent of the attacks it analysed for the research were less than 5Gbps in peak bandwidth utilisation. This suggests they were intended to distract corporate security teams while leaving enough bandwidth for a subsequent network breach attempt. This kind of blended threat, with a merging of attack types, makes it very hard to determine in advance if one vulnerability is less dangerous than another.


Ultimately, security should be viewed holistically as part of the process of doing business. A proper 360-degree perspective on securing the network and the data moving around within it is what businesses need to strive to achieve.

I do understand that risk needs to be assessed and budgets directed according to where the greatest risk to the business sits, but this has to be done within the context of a rounded view of the enterprise threatscape and bad actors inhabiting it.
