The U.S. government made a massive shift in the way it secures its many .gov websites — used by millions of Americans every day — but the move may also harbor a dangerous unintended consequence: it enables a new class of cyberattacks, says Kevin Bocek, VP of security strategy and threat intel at cybersecurity firm Venafi.
In a word, the change could be exploited by hackers. Less than a week after a catastrophic data breach at the Office of Personnel Management (OPM) that reportedly exposed Social Security numbers and other personal information of millions of federal employees, the federal government instituted a previously approved mandate requiring all government websites to use the HTTPS protocol.
The protocol is used to authenticate communication and protect against snooping and imposter websites. On its face, it’s a necessary, and perhaps overdue, security measure. Unfortunately, things may not be that simple.
In the future, because of this shift, attackers will need keys and certificates, whether forged or stolen, to access the data on these sites, meaning that their attacks would arrive over encrypted traffic. “If you’re not inspecting (and using all of your keys and certificates) then bad guys will be able to hide and your FireEye, NGFW, IDS/IPS will be useless,” Bocek told DC Inno.