
KRACK’s warning for enterprise security

It’s more important than ever to adopt a broader approach to cyber security that addresses the totality of an organization’s security needs.

Earlier this fall, a couple of Belgian researchers revealed a security flaw that hackers could exploit to breach most of the Wi-Fi devices found in the world.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit, which was dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

The authors were able to turn the vulnerability into proof-of-concept code to compromise WPA2, the security standard that protects all modern Wi-Fi networks, and steal data flowing between a wireless device and a targeted Wi-Fi network.

The news set off alarm bells because it meant that WPA2 was not as rock-solid as generally assumed and that hackers could purloin passwords, chat messages or photos.

There’s no indication that any organizations or individuals suffered actual harm. (Here’s a list the Computer Emergency Response Team keeps of manufacturers known to be affected by the flaw, along with links to any relevant advisories and patches.)

In theory, the vulnerability can be overcome by incorporating software updates that patch the flaw. However, from a security point of view, there are important lessons to consider.

Staying Ahead of Threats

A single point of failure can expose entire networks. And given the multiplying number of contemporary endpoints inside (and outside) the workplace, by the time your security team gets one thing fixed, rest assured that something else will pop up tomorrow.

All types of devices are coming online as part of the Internet of Things. Also, employees now bring to work different devices running different operating system versions. All it takes is one person with outdated protections to expose the organization’s entire network.

That puts added onus on security practitioners to adopt a broader approach to cyber security where the network is a key element in a multi-layered security approach. That means protecting data when it’s at rest and encrypting it when it’s in motion. Network traffic encryption helps ensure that employees and customers are protected from threats such as man-in-the-middle attacks.

The researchers who exposed the KRACK vulnerability acknowledged that SSL/TLS encryption would have helped. But it, too, isn’t enough on its own. The researchers warned that “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.”

The fact is that not all encryption is the same. HTTPS, and SSL/TLS in general, can be vulnerable, especially when devices or websites do not support the latest protocol versions or strong cipher suites that offer Perfect Forward Secrecy, which is a requirement in the next protocol standard, TLS 1.3.

No Rest for the Weary

Even after you’ve properly protected your endpoints with strong data encryption, however, don’t assume the job’s done. Cyber criminals are always looking for an angle, and encryption can become their means to hide an attack.

Malware, “command and control” attacks and data exfiltration are easily hidden within the same encryption that offers security and protects privacy. Once everything is encrypted and locked down, you may not be able to see when people are trying to attack you. And while data leakage may be the result of an external attack, it could also result when an employee innocently sends files they shouldn’t, evading Data Loss Prevention tools originally designed to block attackers.

As a result, enterprises need to inspect data, encrypted or not, to find threats while preserving the integrity of those highly secure flows. Network security tools need visibility into what is being encrypted to find hidden threats. The tools that enable inspection must be able to re-encrypt the data at the same, original encryption strength and send it along to its destination. If inspection downgrades the security of the TLS session, you may be taking on one risk to mitigate another.
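The two points above, that cipher suites differ in whether they offer forward secrecy and that an inspection point must not weaken the session it re-encrypts, can be turned into a concrete check. The following is an added example, not code from the original post or from any Broadcom product: it classifies cipher suites by their IANA names (key exchange, key size, AEAD mode) and compares the client-facing leg of an inspected session with the proxy's upstream leg, reporting any way the upstream leg is weaker. The session records in `SAMPLE_SESSIONS` are constructed samples, not real captures; a real deployment would feed them from the inspection device's session logs.

```python
"""Check whether a TLS-inspecting proxy preserves the strength of the session it
re-encrypts. Added example, not code from the original post or from any
product; the session records below are constructed samples, not real captures.
"""
from dataclasses import dataclass

# Key-exchange methods whose keys are ephemeral and therefore give forward secrecy.
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}

# Protocol versions ranked weakest to strongest.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Bulk-cipher prefixes (as they appear in IANA suite names) and their key sizes.
# 3DES is counted at its effective 112-bit strength.
BULK_KEY_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20": 256,
                 "3DES_EDE": 112, "RC4_128": 128, "NULL": 0}

AEAD_MODES = {"GCM", "CCM", "POLY1305"}


@dataclass(frozen=True)
class SuiteInfo:
    kex: str            # key-exchange method, e.g. "ECDHE" or "RSA"
    key_bits: int       # bulk-cipher key size
    aead: bool          # authenticated-encryption mode
    forward_secrecy: bool


@dataclass(frozen=True)
class TlsLeg:
    """One half of an inspected session: the negotiated version and cipher suite."""
    version: str        # e.g. "TLSv1.2"
    cipher: str         # IANA suite name, e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"


def parse_suite(name: str) -> SuiteInfo:
    """Derive key exchange, key size and AEAD status from an IANA cipher-suite name."""
    parts = name.split("_")
    if "WITH" in parts:
        # TLS 1.2-and-earlier naming: TLS_<kex>_<auth>_WITH_<bulk>_<mode>_<hash>
        kex = parts[1]
        body = "_".join(parts[parts.index("WITH") + 1:])
    else:
        # TLS 1.3 naming (TLS_AES_128_GCM_SHA256) has no key-exchange field,
        # because TLS 1.3 only allows ephemeral (EC)DHE key exchange.
        kex = "ECDHE"
        body = "_".join(parts[1:])
    key_bits = next((bits for alg, bits in BULK_KEY_BITS.items() if body.startswith(alg)), None)
    if key_bits is None:
        raise ValueError(f"unrecognised bulk cipher in {name}")
    aead = any(mode in body.split("_") for mode in AEAD_MODES)
    return SuiteInfo(kex, key_bits, aead, kex in FORWARD_SECRET_KEX)


def has_forward_secrecy(suite_name: str) -> bool:
    """True when the suite uses an ephemeral key exchange."""
    return parse_suite(suite_name).forward_secrecy


def downgrade_findings(client_leg: TlsLeg, upstream_leg: TlsLeg) -> list:
    """List the ways the proxy's upstream leg is weaker than the client-facing leg.
    An empty list means the inspection point re-encrypted at the original strength."""
    c, u = parse_suite(client_leg.cipher), parse_suite(upstream_leg.cipher)
    findings = []
    if VERSION_RANK[upstream_leg.version] < VERSION_RANK[client_leg.version]:
        findings.append(f"protocol downgraded: {client_leg.version} -> {upstream_leg.version}")
    if c.forward_secrecy and not u.forward_secrecy:
        findings.append(f"forward secrecy lost: {c.kex} -> {u.kex} key exchange")
    if c.aead and not u.aead:
        findings.append("AEAD cipher replaced by a non-AEAD cipher")
    if u.key_bits < c.key_bits:
        findings.append(f"bulk key shrank: {c.key_bits} -> {u.key_bits} bits")
    return findings


# Constructed sample sessions (not real captures): client-facing leg, then upstream leg.
SAMPLE_SESSIONS = {
    "preserved": (TlsLeg("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
                  TlsLeg("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")),
    "downgraded": (TlsLeg("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                   TlsLeg("TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")),
}


def audit(sessions=SAMPLE_SESSIONS) -> dict:
    """Map each session label to its list of downgrade findings."""
    return {label: downgrade_findings(client, upstream)
            for label, (client, upstream) in sessions.items()}


if __name__ == "__main__":
    for label, findings in audit().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The "downgraded" sample shows every failure mode at once: an older protocol version, a static RSA key exchange in place of an ephemeral one (so forward secrecy is lost), a CBC suite in place of an AEAD suite, and a shorter bulk key. Any one of those findings on a real inspection device means the proxy is trading the session's security for visibility, which is exactly the trade-off the text warns about.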

Planning Next Steps

As you address the totality of an organization’s security needs, solid endpoint protection, strong encryption capabilities, and secure SSL inspection will be key components. But as you look for the right solution to fit your organization’s particular needs, also keep in mind the following:

  • A best-in-breed approach for vendor selection is a wise way for your partners to optimize their security posture. However, don’t be oversold on single point solutions that over-promise.

  • Don’t fall into the trap of thinking that tools can be repurposed to do things they’re not intended to do. No single solution does it all so you ought to strongly consider the benefits of a multi-layered and integrated approach.

  • Find out how others are tackling security issues to prepare yourself for the next big thing. It may happen where you least expect it. Do your research. There’s a ton of analyst research out there and other sources you can find online.

If you need any additional help, feel free to reach out to us. We’ve got a lot of ideas how to help you prepare a strong cyber defense before the next big attack hits.

About the Author

Tim Murphy

Product Marketing Engineer - Enterprise Security Group, Broadcom

Tim leads Product Marketing for Broadcom's Enterprise Security Group Aggregator Channel. He supports the entire portfolio of Network Security, Information Security, and Endpoint Security solutions.
