
Why HTTPS isn’t as secure as it seems — and what that means for your company

By Justin Fox, Director of Software Engineering at NuData Security

To most people, a site with “HTTPS” in the URL is automatically trustworthy. We’ve been taught to associate the little padlock next to the URL in our browser window with safety and security. In fact, most major browsers now warn you when you attempt to input personal information into a site without HTTPS.

However, HTTPS only protects against certain types of attacks. And malicious actors are increasingly taking advantage of users’ trust in the padlock: As of Q3 2020, 4 out of every 5 phishing sites used HTTPS, making use of HTTPS more common among phishing sites than legitimate ones. So many people have been tricked into entering their personal information into malicious HTTPS sites that the FBI (US Federal Bureau of Investigation) issued a warning about it in 2019.

Experts have been preaching the importance of HTTPS to security for years, and users have been listening. But the truth is a little more nuanced than what most users perceive — and it’s creating cybersecurity risk for many companies.


HTTPS protects data in transit, but it doesn’t mean a site is secure

HTTPS is more secure than HTTP in one specific way: The transport layer security (TLS) encryption protocol used by HTTPS sites protects information transmitted between the site and the user from the prying eyes of malicious third parties. In other words, HTTPS is sort of like sealing a written letter in an envelope before you drop it in the mail, while HTTP is like writing your message on a postcard, where anyone can read it.

That’s why it’s recommended you avoid inputting confidential information like credit card numbers into HTTP sites. Their lack of encryption makes it easier for outside bad actors to intercept and exploit the information you share over HTTP. Hopefully, your company already uses an HTTPS connection on any web pages where it collects sensitive information from users.

But while it indicates secure transmission, HTTPS says nothing about the security of the site itself. That’s why phishing sites can still use HTTPS. To continue the mail metaphor, if you send a message to a scammer’s mailbox, it doesn’t matter whether it comes in the form of a postcard or a sealed letter. The scammer can read your message either way.

Your company can bolster security simply by educating employees about the fact that HTTPS sites aren’t always trustworthy. Even when a padlock appears, they should still check the site for signs of untrustworthiness. For example, many phishing sites add or change a letter in a familiar website URL to fool users. Before inputting sensitive information like their logins for work accounts, an employee should double-check that they’re actually looking at your company’s website and not a slightly different URL.
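The lookalike-URL check described above, as an added example (written for this article, not NuData's product code): a small Python screen that a mail gateway or browser helper could run before a user is allowed to submit credentials. It flags hostnames within two edits of a trusted domain, digit/letter and Unicode confusables, and trusted names embedded under another registrable domain. The trusted list and the last-two-labels rule are assumptions for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed: hostnames the organization legitimately uses (assumption for this example).
TRUSTED_DOMAINS = {"example-corp.com", "login.example-corp.com"}
# Visual substitutions commonly seen in lookalike hostnames (rn->m, vv->w, digit->letter).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Fold Unicode to ASCII (dropping characters that do not fold) and undo common swaps."""
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES:
        host = host.replace(src, dst)
    return host


def registrable(host: str) -> str:
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', reason) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # show punycode (xn--) labels as Unicode
    except UnicodeError:
        pass  # already non-ASCII; normalize() handles it below
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted", host
    norm = normalize(host)
    for t in sorted(trusted):
        tnorm = normalize(t)
        if edit_distance(registrable(norm), registrable(tnorm)) <= 2:
            return "lookalike", f"{host!r} is within 2 edits of {t!r}"
        if tnorm in norm:
            return "lookalike", f"trusted name {t!r} embedded in {host!r}"
    return "unknown", host
```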

Because all cybersecurity protections are vulnerable to human error, securing your company’s systems ultimately relies on more than education. It only takes a single employee falling for a phishing site to cause a breach that compromises sensitive client information or infects your system with ransomware, encrypting your files and shutting down your operations for days or weeks.

The potential for human error is especially concerning now since the COVID-19 pandemic has significantly increased cyber risk. With more employees working remotely on their own devices and networks, attackers have more potential points of access to an organization’s systems. For example, some recent attacks have exploited known vulnerabilities in VPN servers that the victim hadn’t patched. The cost of such an attack can be devastating. According to one estimate, ransomware cost companies over $1 billion in financial damages during the pandemic alone.

A multi-layered security approach can limit damage from phishing attacks

The protections embedded in HTTPS are important for protecting sensitive data like credit card numbers in transit. However, attackers are increasingly exploiting the association between HTTPS and strong security to make their phishing sites more effective. While employee education is important, it won’t prevent all human error when it comes to cybersecurity. And with 22 billion records exposed in 2020 alone, it’s only a matter of time before a bad actor gains access to login credentials from one of your employees — one way or another.

When that happens, deploying multiple layers of security protection is the best way to mitigate the damage and limit attackers’ access to your systems. Here are a few solutions to consider.

  • Multi-factor authentication (MFA): By requiring users to input a one-time-use code or take another action to authenticate their identity at login, MFA makes it significantly more difficult for attackers to gain access to employee accounts. MFA is table stakes for enterprise cybersecurity at this point, and any organization that doesn’t use MFA at all is leaving itself vulnerable to attack.
  • Real-time anomaly detection: An attacker using compromised employee credentials often behaves very differently than an employee with authorized access. A real-time anomaly detection solution detects users showing high-risk behaviors such as downloading large quantities of data and automatically shuts them out of the system or takes other actions, like issuing a security challenge. This can prevent an attacker who gains access to your system from doing serious damage.
  • Passive biometrics: Passive biometrics validate user identity by looking at the user’s inherent behavior, such as how they type or hold their device. These characteristics are unique to each user and are incredibly difficult for an attacker to imitate, making it easier to identify when an employee’s account has been compromised. Rather than focusing on login, validation with passive biometrics can occur continuously in the background while an employee uses their device, making it largely friction-free. When a passive biometrics solution flags a user as suspicious, the system can revoke that user’s access or implement additional security measures to more directly authenticate identity.
  • Behavioral analytics: By looking at factors like the time of day a user generally logs in, where they log in from, and which files they tend to access, a behavioral analytics solution builds up a profile of a user that can be used to continuously validate their identity in the background, similarly to passive biometrics. When used in tandem, passive biometrics and behavioral analytics can provide strong protection against attackers in possession of stolen employee credentials.
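The real-time anomaly detection and behavioral analytics items above, as one added example (not NuData's product code): a per-user baseline of login hour, source country and download volume is built from constructed log lines, each deviation adds a point, and the score decides whether to allow the session, issue a challenge, or revoke access. The thresholds (a two-hour window, five times the median download) and the log format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (not real logs): timestamp,user,source country,bytes downloaded
HISTORY = """\
2020-11-02T09:12:00,alice,CA,120000
2020-11-03T08:55:00,alice,CA,90000
2020-11-04T10:05:00,alice,CA,150000
2020-11-05T09:48:00,alice,CA,110000
"""

def parse(text):
    """Parse the constructed CSV lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "bytes": int(nbytes)})
    return events

def build_profiles(events):
    """Per-user baseline: countries and login hours seen, median download volume."""
    raw = defaultdict(lambda: {"countries": set(), "hours": set(), "bytes": []})
    for e in events:
        p = raw[e["user"]]
        p["countries"].add(e["country"])
        p["hours"].add(e["ts"].hour)
        p["bytes"].append(e["bytes"])
    return {u: {**p, "median_bytes": median(p["bytes"])} for u, p in raw.items()}

def hour_gap(a, b):
    # Distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart, not 22.
    return min(abs(a - b), 24 - abs(a - b))

def score_event(event, profiles):
    """Return (score, reasons, action); each deviation from the baseline adds one point."""
    p = profiles.get(event["user"])
    if p is None:
        return 2, ["no baseline for user"], "challenge"
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append(f"new country {event['country']}")
    if all(hour_gap(event["ts"].hour, h) > 2 for h in p["hours"]):
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    if event["bytes"] > 5 * p["median_bytes"]:
        reasons.append(f"download {event['bytes']} exceeds 5x median {p['median_bytes']:.0f}")
    score = len(reasons)
    action = "allow" if score == 0 else "challenge" if score == 1 else "revoke_session"
    return score, reasons, action
```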

When it comes to preventing cybercrime, employee engagement and education can go a long way. For example, giving employees access to password management tools can help them avoid reusing passwords across multiple platforms and apps, reducing your organization’s vulnerability significantly. However, no amount of education will eliminate all human error.

When employee credentials are inevitably compromised, having multiple layers of security protection is the best way to protect your company from financial and reputational damage. By implementing solutions like MFA, real-time anomaly detection, passive biometrics and behavioral analytics, you’ll build a strong defense against any type of cyberattack.