Security CTO Offers Insights On Danger Of Uninspected HTTPS

This week’s report on encrypted malware evading security through uninspected HTTPS. With enterprises grappling with an increasing remote workforce and how to properly secure their employees, there is a greater focus on making sure basic security measures are taken.


EXPERTS COMMENTS
Bob Rudis, Chief Data Scientist,  Rapid7
June 26, 2020
Inspecting HTTPS is not necessary and is potentially dangerous
This is dangerous advice. Security teams tend to (ironically) be the worst at protecting data and — as a result — PITM'ing HTTPS will invariably cause a breach (and has, just not publicly stated) in many orgs. Orgs have also shown that they are terrible at managing certificates and the god-like certs that have to be installed and used to enable PITM of HTTPS will also invariably be protecte ....
[Read More >>]
Kowsik Guruswamy, Chief Technology Officer,  Menlo Security
June 26, 2020
Moving a workforce almost entirely remote only compounds the issue.
It’s no surprise that malware and other threats are being delivered via seemingly secure connections by hiding under the false security of HTTPS to evade traditional AV measures. When enterprises don’t perform adequate SSL inspections, they are vulnerable to malicious attacks and susceptible to malware deliveries such as the ones described in this research. Hackers can simply host phishing ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments


In this article