This content is part of the Conference Coverage: RSA Conference 2015 special coverage: News, analysis and video
News Stay informed about the latest enterprise technology news and product updates.

Port monitoring critical to detecting, mitigating attacks using SSL

As SSL traffic increases, so inevitably will the number of attacks using it to hide. A session at RSA Conference 2015 explained why hackers love SSL, and how enterprises can defend against them.

SAN FRANCISCO -- SSL has been all over the news in the past year. And hackers love it, according Grant Asplund, director of evangelism at Blue Coat Labs. If employees and users are the Bilbo Bagginses of a security Lord of the Rings, Asplund intoned, SSL gives attackers the "one ring."

"Bilbo wasn't trying to do anything bad; he wasn't trying to exploit anyone. But there's a few times where he had to slip on [the one ring] to go stealth. I think that's a really good representation of why hackers love SSL."

Statistics show HTTP traffic is down and HTTPS traffic is up. Additionally, 69% of the top 50 most-visited sites and 100% of the top 10 most-visited sites use HTTPS.

Yet few enterprises are "peeling the onion" and investigating SSL traffic traversing their networks. And according to Asplund, there are plenty of well-intentioned rubes out there, users easily duped by social engineering techniques.

"I'm telling you, this has got to change," Asplund said. "It's a very dangerous point of exploit on the part of the bad guys."

Asplund showed a slide of a fake Dyre SSL certificate next to a real Google SSL certificate used in July 2014. The fake certificate lists Google's location as Miami, Fla. -- across the country from its real Mountain View, Calif. home.

Dyre SSL certificate on left, legitimate Google SSL certificate on right
Dyre SSL certificate on left, legitimate Google SSL certificate on right

A security person may notice this, Asplund said, but "the vast majority of users wouldn't have a clue what it meant."

The next slide showed Dyre command and control certificates with gibberish, "key-mash" details, "evidence of how brazen the bad guys can be."

Fake SSL certificate with key-mash details
Fake SSL certificate with key-mash details

What can be done to defend against attackers hacking SSL?

"It's critical for us to insulate and protect users," Asplund said. "We would all be better served if we got a little more draconian with our users. Because at the end of the day, it's your [enterprise's] intellectual property."

Regarding BYOD, "it's your network," Asplund said. "You need to be more controlling, more authoritative, more enforcing."

Enterprises are being naive, Asplund added, especially if they believe SSL traffic is secure, even if it traverses "safe" ports.

Over a seven-day period, Blue Coat researchers found 1.1 million sites classified with potentially unwanted software, most of which used Port 443 -- a commonly trusted port -- and had legitimately purchased SSL certificates.

"It's not just Port 443. You're foolish if you think other ports are not being exploited," Asplund said.

In fact, Blue Coat researchers found the 10 most commonly used port numbers for SSL traffic were to servers classified as "botnet C&C". Nearly 75% used port 9001, with only 5.45% using 443.

Asplund concluded with statistics revealing bad guys can attack and compromise a network 84% of the time in hours, minutes or even seconds. And 78% of the time it takes weeks, months or even years for enterprises to discover these attacks. Port monitoring and improved visibility can change this.

"I believe that timeline is going to change drastically if you make sure you have full visibility into all of what we previously trusted," Asplund said.

Next Steps

Learn about some of the latest SSL/TLS vulnerabilities, including WinShock, POODLE and Heartbleed

Uncover how trusted and forged SSL certificates work

Dig Deeper on VPN security