
Reducing the risk of encrypted communications in Fintech


By Simon Mullis, CTO of Venari Security

For highly regulated industries like finance, protecting sensitive data is not only a foundational requirement of regulation; it must also be prioritised because of the weight of the duty of care that organisations owe their customers. Personal financial information is a highly coveted, valuable and ultimately saleable asset for cybercriminals looking to maximise profit, making the industry a prime target. As we’ve seen from past high-profile incidents, and from examples of poor network security practices, the reputational damage and financial penalties for organisations found to be breaking data security legislation can be severe – like JPMorgan’s $200M fine for failure to monitor employee data practices.

While the core tenets of privacy are understood universally, the growing volume of data that firms are required to process and safeguard, and the speed at which they are required to do so in the digital age, present significant operational challenges. In response, governments and regulators are now mandating that organisations implement best-practice encryption, with financial ramifications for data leaks.

This has driven a massive uptake in encryption to ensure compliance and the security of customer data. However, whilst encryption can absolutely support privacy, and is often required for regulatory compliance, it can also introduce its own risks that businesses need to mitigate.

Growing adoption of encrypted communications

This shift is evidenced by 62% of the top 1,000 global websites now supporting TLS 1.3, the current best-practice standard for strongly encrypted communications. Apple has also dropped support for the earlier TLS 1.0 and TLS 1.1, now supporting only TLS 1.2 and strongly encouraging the adoption of TLS 1.3.

Nevertheless, some of the more esoteric aspects of applying strong encryption are still poorly understood, and this is becoming a growing issue for security teams. Data is put at risk when organisations configure their encryption protocols inadequately. In many cases, finance companies do not have a full view of what is or isn’t encrypted, or of whether they meet the standards set by regulators and governments. This is sometimes due to legacy infrastructure, but it is often because nobody ‘owns’ encryption within the enterprise. As a result, no single group or function ends up accountable.

Encryption isn’t a silver bullet

Encryption provides clear advantages to application security teams looking to protect sensitive financial data, to provide better privacy for customers and to ensure compliance with various data regulations. However, it is not a silver bullet or an appropriate catch-all solution for every network security challenge.

We are increasingly seeing that attackers who breach an organisation’s perimeter are able to hide malicious activity within legitimate encrypted network traffic. This introduces a substantial blind spot for security teams. In the first three quarters of 2021 alone, attacks over encrypted channels increased by 314% from the previous year. These attacks aren’t necessarily cutting edge, but the lack of visibility into encrypted traffic gives intruders much greater freedom to operate on private networks with reduced risk of being caught. So active decryption and inspection might seem to be the answer. However, decrypting vast traffic volumes creates significant cost and complexity. What’s more, modern encryption protocols use Perfect Forward Secrecy, in which each session is protected by short-lived keys negotiated between client and server rather than by the server’s long-term private key, so recorded traffic cannot be decrypted later even if that key is obtained, making generic decryption even harder.

Clearly, this presents a significant and very dangerous blind spot for security teams. End-to-end encryption renders many established means of malware detection, and the countermeasures built on them, ineffective. The sheer volume of data that organisations hold, and the speed and frequency at which it is shared across different IT environments, make it near impossible for teams to rely on decryption to detect all malicious activity hidden in encrypted traffic across their networks.

Mitigating against this hidden threat

When tasked with protecting sensitive customer financial data, there is no one-size-fits-all solution for finance organisations to adopt. While encryption will continue to play a significant role in protecting customer data, the volume and speed of data sharing make it almost impossible to monitor for malicious traffic and present new opportunities for cybercriminals to exploit.

Encrypted Traffic Analysis (ETA) is an emerging method of identifying and detecting suspicious or anomalous behaviour hidden in encrypted traffic without decrypting it. It uses a combination of artificial intelligence, machine learning and behavioural analytics to analyse the observable characteristics of encrypted sessions. It ultimately improves visibility into encrypted network traffic without adding latency or infringing privacy. It also models the behaviour of traffic across networks and raises alerts in near real time, allowing security teams to react immediately rather than after the fact. This significantly increases the rate at which suspicious activity can be identified in encrypted traffic, thereby reducing business risk.

The network visibility gained by employing an ETA platform can also help organisations ensure that their encrypted estate is as secure as they intend. Many organisations rely on static analysis of the certificate, but this does not provide the critical information about what is actually negotiated and used (protocol version and cipher suite) for each individual session.
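As an added illustration of that last point (not code from the author or from Venari Security), the following Python parses a raw TLS ServerHello to recover what a session actually negotiated, the protocol version (including the TLS 1.3 supported_versions extension, which overrides the legacy version field) and the cipher suite, and checks it against a TLS 1.2+/forward-secrecy policy. The sample records and the small cipher-suite table are constructed assumptions for this example.

```python
import struct

SUITES = {  # IANA cipher-suite IDs (small subset) -> (name, provides forward secrecy)
    0x1301: ("TLS_AES_128_GCM_SHA256", True),            # TLS 1.3 suites: always ephemeral keys
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),     # static RSA key exchange: no PFS
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and cipher suite from a raw ServerHello record."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a Handshake/ServerHello record")
    body = record[9:]                          # skip 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]  # legacy_version (TLS 1.3 sends 0x0303 here)
    pos = 2 + 32                               # legacy_version + 32-byte random
    pos += 1 + body[pos]                       # legacy_session_id (length-prefixed)
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                   # cipher_suite + compression_method
    if pos + 2 <= len(body):                   # extensions block is present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B:                # supported_versions: the real TLS 1.3 version
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    name, pfs = SUITES.get(suite, ("unknown", False))
    return {"version": VERSIONS.get(version, hex(version)), "suite": name, "pfs": pfs}

def check_policy(session: dict) -> list:  # findings when a session falls short of the policy
    findings = []
    if session["version"] not in ("TLS 1.2", "TLS 1.3"):
        findings.append(f"legacy protocol {session['version']}")
    if not session["pfs"]:
        findings.append(f"no forward secrecy ({session['suite']})")
    return findings

def make_server_hello(legacy_version: int, suite: int, selected: int = None) -> bytes:
    # Constructed sample ServerHello (not captured traffic); zero random, empty session id.
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    if selected is not None:                   # add a supported_versions extension (TLS 1.3)
        ext = struct.pack("!HHH", 0x002B, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Running `check_policy(parse_server_hello(rec))` over ServerHellos captured per session shows which connections actually negotiated a legacy version or a non-PFS suite, something a static look at the certificate cannot reveal.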

Overcoming security risks in an encrypted world

Organisations shouldn’t treat regulatory compliance alone as the final goal. While encryption is the minimum action that network security teams should take, they also need to account for the additional security risks that TLS 1.3 and encryption present. To help overcome this, security teams need to adopt a “measure and mitigate” approach rather than one of “decrypt and detect”. This will enable security teams to understand what’s happening in the moment and gain visibility into activity on their encrypted networks, so that effective action can be taken before malicious traffic becomes an incident.
