Why is SSL under attack?
Don't get sidetracked by a storm in the SSL teacup, warns Davey Winder...
SSL is under attack, not just from those who would do bad things unto thee but also from We The Media. The latest headline-grabbing threat was revealed in an OpenSSL security advisory last week which started with a high severity warning entitled "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)."
This could impact users of the open source crypto library, well OpenSSL version 1.0.2 anyway, and, to cut a very long and boring story short, enable a Denial of Service attack against the server. It enabled a malicious client to crash - and then reboot - the server with a NULL pointer dereference when renegotiating with an invalid signature algorithm. I did warn you it was boring. Not, however, as boring as the IT security industry commenting spat that rolled out as a result.
Here's how these things tend to work: a security scare/advisory/patch is revealed and immediately the IT security vendors and industry players start providing comments to their marketing people, who then spin these out to us press folk in the hope that we will use their client quote in a news or analysis piece with a mention of the company at worst and a link to their site or product at best.
There's nothing wrong in that, per se, and these comment releases can often be the starting point of some very interesting and informative follow-up conversations for journalists covering the story. Where things can go a bit pear-shaped, though, is when a company has nothing of value to say, but the PR people spin the release out anyway. The OpenSSL advisory was no exception to the industry comment flood rule, and amongst the inevitable marketing dross there were a few real peaches. Just not, perhaps, for the intended reason.
One particular expert added to the hype around just how big the vulnerability was - via an embargoed press release to stir up the excitement further. A little while later, that opinion seemed to change to suggest it was preferable to certain other forms of attack.
I had to read the statement several times for it to sink in. Could a security outfit really be saying that one attack is preferred to another? This made me wonder whether we should be thinking in terms of preferred vulnerabilities at all. After all, if your organisation was taken out of play by a DDoS attack I'm pretty sure you wouldn't be thinking "phew, that was a close one, it could have been a data breach."
In the real world of tight budgets and tough choices, there has to be some form of risk analysis to determine where the money should be spent in terms of the data protected and the cost to the organisation if a breach were to occur. However, I'm not sure that this risk auditing should extend to a point of threat granularity whereby you determine that one attack mode is less worthy of prevention than another. This is especially so given that the newly released Quarterly DDoS Trends and Analysis Report from Corero reveals that, in the case of DDoS, 79 per cent of the attacks it analysed for the research were less than 5Gbps in peak bandwidth utilisation. This suggests they were intended to distract corporate security teams while leaving enough bandwidth for a subsequent network breach attempt. This kind of blended threat, with a merging of attack types, makes it very hard to determine in advance whether one vulnerability is less dangerous than another.
Ultimately, security should be viewed holistically as part of the process of doing business. A proper 360-degree perspective on securing the network and the data moving around within it is what businesses need to strive to achieve.
I do understand that risk needs to be assessed and budgets directed according to where the greatest risk to the business sits, but this has to be done within the context of a rounded view of the enterprise threatscape and bad actors inhabiting it.