HTTPS encryption for all federal websites requires new endpoint protection concepts

13 June 2015

Starting in 2017, all federal websites that are publicly accessible in the US should have HTTPS encryption as the standard secure communication protocol.

This directive, issued by The White House Office of Management and Budget (OMB), is a real game-changer because it makes it harder for attackers to intercept sensitive communications or to steal personal data that is entered on federal web sites.

I just finished my preparations for my ISO 27001 Information Security Officer exam when I read the announcement in a LIFARS post. ISO 27001 deals with cryptographic controls in Annex 10.1. In the related chapter A.10.1 of ISO 27002 you learn:

When developing a cryptographic policy the following should be considered:

g. the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).

Encryption means death for all traditional malware protection systems. Traditional malware detection tries to match patterns in a data stream with patterns stored in the pattern database of the anti-malware system. Since the patterns in the data stream are encrypted matches are no longer found. Game-Over!

This has only a minor impact on enterprises. They can use already available technology that breaks the SSL encryption for inspection, but this is too expensive for end-users.

Vendors of endpoint protection systems have to develop new concepts to protect consumers of unknown malware hidden in the encrypted data stream. And federal agencies have to grow their efforts to make sure that data exchanged through their websites does not contain malware.

‘HTTPS everywhere’ is indeed a real game-changer. Hopefully someone in the OMB has thought of the impact on endpoint protection.

Don’t panic… and have a good weekend.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s