Why is SSL under attack?

Don't get sidetracked by a storm in the SSL teacup, warns Davey Winder...

SSL is under attack, not just from those who would do bad things unto thee but also from We The Media. The latest headline-grabbing threat was revealed in an OpenSSL security advisory last week which started with a high severity warning entitled "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)."

This could impact users of the open source crypto library, well OpenSSL version 1.0.2 anyway, and to cut a very long and boring story short enable a Denial of Service attack to occur against the server. It enabled a malicious client to crash - and then reboot - the server with a NULL pointer dereference when renegotiating with an invalid signature algorithms extension. I did warn you it was boring. Not, however, as boring as the IT security industry commenting spat that rolled out as a result.

Here's how these things tend to work: a security scare/advisory/patch is revealed and immediately the IT security vendors and industry players start providing comments to their marketing people, who then spin these out to us press folk in the hope that we will use their client quote in a news or analysis piece, with a mention of the company at worst and a link to their site or product at best.

There's nothing wrong in that, per se, and these comment releases can often be the starting point of some very interesting and informative follow up conversations for journalists covering the story. Where things can go a bit pear-shaped, though, is when a company has nothing of value to say, but the PR people spin the release out anyway. The OpenSSL advisory was no exception to the industry comment flood rule, and amongst the inevitable marketing dross there were a few real peaches. Just not, perhaps, for the intended reason.

One particular expert added to the hype around just how big the vulnerability was - via an embargoed press release to stir up the excitement further. A little while later, that opinion seemed to change to suggest it was preferable to certain other forms of attack.

I had to read the statement several times for it to sink in. Could a security outfit really be saying that one attack is preferred to another? This made me wonder whether we should be thinking in terms of preferred vulnerabilities at all. After all, if your organisation was taken out of play by a DDoS attack I'm pretty sure you wouldn't be thinking "phew, that was a close one, it could have been a data breach."

In the real world of tight budgets and tough choices, there has to be some form of risk analysis to determine where the money should be spent in terms of the data protected and the cost to the organisation if a breach were to occur. However, I'm not sure that this risk auditing should extend to a point of threat granularity whereby you determine that one attack mode is less worthy of prevention than another. Especially as the newly released Quarterly DDoS Trends and Analysis Report from Corero reveals that, in the case of DDoS, 79 per cent of the attacks it analysed for the research were less than 5Gbps in peak bandwidth utilisation. This suggests they were intended to distract corporate security teams while leaving enough bandwidth for a subsequent network breach attempt. This kind of blended threat, with a merging of attack types, makes it very hard to determine in advance if one vulnerability is less dangerous than another.

Ultimately, security should be viewed holistically as part of the process of doing business. A proper 360-degree perspective on securing the network and the data moving around within it is what businesses need to strive to achieve.

I do understand that risk needs to be assessed and budgets directed according to where the greatest risk to the business sits, but this has to be done within the context of a rounded view of the enterprise threatscape and bad actors inhabiting it.
