IEEE Technology and Society Magazine - December 2020 - 69

correctly encrypted and protected, they would not need
to inform their users should they suffer a cyberattack.
Unfortunately, the situation has major downside.
According to Ixia's 2018 Security Report, encrypted traffic has already become one of the most significant niches for cybercrime, and cybercriminals are starting to
carry out assaults in this kind of traffic. According to
Gartner, 50% of the cyberattacks that use malware in
2019 will utilize some encryption; the figure is supposed
to rise to 70% by 2020 [28]. A survey by Vanson Bourne
found that 90% of the studied organizations either had
experienced or expected to experience a network attack
using the commonly deployed Secure Sockets Layer
(SSL) or Transport Layer Security (TLS) encryptions.
Although the increased use of encryption in general
seems like a reasonable thing to do, there emerges one
serious, rapidly-growing problem - malware can be
encrypted and hidden, too. According to [28], two things
should be considered particularly worrying: first,
encrypted malware can be found on platforms that have
encrypted traffic. The users, believing them to be safe,
trust the platform and by letting their guard down
become more vulnerable. Second, malware can hide its
true nature and some cybersecurity systems do not
detect it until it is too late [28]. This is so as encrypted
data can only be seen by the intended recipient - and
thus, it cannot be accessed by existing security systems
and security tools cannot inspect encrypted traffic for
malware. Consequently, encrypted traffic becomes a
perfect place for hiding any kind of malicious traffic by
threat actors. The whole situation poses challenge for
organizations; they must follow the GDPR recommendations but still be able to detect encrypted malware. In
addition to this, they must do it without decrypting the
traffic, which would represent a huge breach in data privacy by giving organizations access to private user and
customer data in plain text. Naturally, this would mean
a transgression of the GDPR too [29].
There are a few recommendations for companies
that wish to avoid attacks that use encrypted malware.
The following are a series of measures to follow to keep
cybersecurity safe:
1) Vigilant browsing: Employees who are browsing the
Internet must exercise caution; even on private,
encrypted platforms. They may seem safe to browse;
but employees have to remain as vigilant as in any
other circumstances.
2) Monitoring of processes: Encrypted malware has the
ability to slip past some traditional protection solutions. Thus, the ability to constantly monitor whatever is happening on the system in real time,
proactively detect anomalous activity, and stop infections before they happen is of key importance.
DECEMBER 2020

∕

Recommendations for companies
to avoid attacks that use encrypted
malware: vigilant browsing, process
monitoring, and offline backups.
3) Offline backups and online files: Increasingly companies decide to double up when it comes to safeguarding
their information. They do it by storing significant parts
of their information in the cloud and storing secure
backups offline. Consequently, their physical devices
and backups are not affected in case of infection.
Although encrypted traffic is of key importance to
making networks more secure and helps keep data
safe, it is not immune to attacks. Thus, more proactive
precautions are exercised, the more sophisticated
cybercriminals become [28].
In addition to the encryption issues, pseudonymization also is sadly no cure-all. Although it theoretically
should be enough to protect data, there is sometimes the
risk of re-identifying it. Osterman [21] characterizes reidentification as one of the " major privacy threats in our
modern data driven society. " The term refers to a situation where any piece of information that may distinguish
one person from another (even such data as call usage
patterns or consumption preferences) is used to re-identify anonymous data, i.e., re-anonymize it. Politou et al.
[25] quote many scientific studies conducted on mobile
privacy that helped reveal privacy threats. For example,
one study showed that most applications leaked the
device ID, and it is possible to find detailed information
about the habits of a user based on it. If there is any
additional data that makes it possible to tie a device ID
to a particular user, the privacy risk becomes even greater. It has been proved that it is possible to identify people
based only on their ZIP code, gender, or date of birth, or
on less obvious data, such as publicly accessible Internet
resources, e.g., recreational genetic genealogy databases. It is all the more worrying that apart from using personally identifiable information such as names or social
security numbers, malicious adversaries are able to do
the same based on information that is not usually classified as personally identifiable. For example, Narayan and
Shmatikov proved that it is possible to re-identify individuals based on anonymous film ratings on Netflix. In
other words, even if data is pseudonymized one must not
be off one's guard, because it may not still be completely
impossible to re-identify it, and as it still may count as
personal data, it should be highly protected.

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

IEEE Technology and Society Magazine - December 2020

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - December 2020