In-depth

Why is SSL under attack?

Don't get sidetracked by a storm in the SSL teacup, warns Davey Winder...

SSL secure

SSL is under attack, not just from those who would do bad things unto thee but also from We The Media. The latest headline-grabbing threat was revealed in an OpenSSL security advisory last week which started with a high severity warning entitled "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)."

This could impact users of the open source crypto library, well OpenSSL version 1.0.2 anyway, and to cut a very long and boring story short enable a Denial of Service attack to occur against the server. It enabled a malicious client to crash - and then reboot - the server with a NULL pointer deference when renegotiating with an invalid signature algorithm. I did warn you it was boring. Not, however, as boring as the IT security industry commenting spat that rolled out as a result.

Here's how these things tend to work: a security scare/advisory/patch is revealed and immediately the IT security vendors and industry players start providing comments to their marketing people who then spin these out to us press folk in the hope that we will use their client quote in a news or analysis piece with a mention of the company at worse and a link to their site or product at best.

There's nothing wrong in that, per se, and these comment releases can often be the starting point of some very interesting and informative follow up conversations for journalists covering the story. Where things can go a bit pear-shaped, though, is when a company has nothing of value to say, but the PR people spin the release out anyway. The OpenSSL advisory was no exception to the industry comment flood rule, and amongst the inevitable marketing dross there were a few real peaches. Just not, perhaps, for the intended reason.

On particular expert added to the hype around just how big the vulnerability was - via an embargoed press release to stir up the excitement further. A little while later, that opinion seemed to change to suggest it was preferrable to certain other forms of attack. 

I had to read the statement several times for it to sink in. Could a security outfit really be saying that one attack is preferred to another? This made me wonder whether we should be thinking in terms of preferred vulnerabilities at all. After all, if your organisation was taken out of play by a DDoS attack I'm pretty sure you wouldn't be thinking "phew, that was a close one, it could have been a data breach."

In the real world of tight budgets and tough choices, there has to be some form of risk analysis to determine where the money should be spent in terms of the data protected and the cost to the organisation if a breach were to occur. However, I'm not sure that this risk auditing should extend to a point of threat granularity whereby you determine that one attack mode is less worthy of prevention than another. Especially as the newly released Quarterly DDoS Trends and Analysis Report from Corero reveals that, in the case of DDoS, 79 per cent of the attacks it analysed for the research were less than 5Gbps in peak bandwidth utilisation. This suggests they were intended to distract corporate security teams while leaving enough bandwidth for a subsequent network breach attempt. This kind of blended threat, with a merging of attack types, makes it very hard to determine in advance if one vulnerability is less dangerous than another.

Ultimately, security should be viewed holistically as part of the process of doing business. A proper 360-degree perspective on securing the network and the data moving around within it is what businesses need to strive to achieve.

I do understand that risk needs to be assessed and budgets directed according to where the greatest risk to the business sits, but this has to be done within the context of a rounded view of the enterprise threatscape and bad actors inhabiting it.

Is your business prepared for new EU cyber security regulations? This whitepaper offers advice, insight and guidance on what to do next. Read it today here

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
'Robin Hood' hackers donate stolen Bitcoin to charity
ransomware

'Robin Hood' hackers donate stolen Bitcoin to charity

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020