
Encryption Broken by Laziness

By David Schlesinger / August 15, 2018

Many readers of my previous blogs have failed to ask the question “Is there really an unbreakable cipher?” Even though they have been silent, I know some of them stayed awake nights over this provocative question. I will answer it below.

In Hollywood movies, a bright hacker with a keyboard can break any encryption within minutes; after all, it is only a 90-minute film. Real life is different.

Breaking Encryption Falls into Three Distinct Areas

One: Some developers think of a clever way to encrypt their data, not realizing that encryption is devilishly hard and that a teenager will break their scheme in one evening.

Two: The encryption system is great, but the systems under it are full of holes. Examples are the unpatched laptop, vulnerable smartphone software, or the old router that never gets updates and ships with built-in vulnerabilities. When you use the “clever” WPS access option on your home Wi-Fi router to let friends log in while you press a button, it effectively replaces your nice long network password with an 8-digit PIN. This is a failure of the WPS procedure, not a failure of the network encryption.

Three: The encryption is broken by an attacker guessing or learning your password. A surprisingly large number of passwords are simple words chosen by thousands of other people, such as “letmein”, “Password1*”, the name of a sports team, or easily obtained (on Facebook) anniversary dates, spouses’ birthdays or children’s names. You can look up the most-used password lists on the Internet. Yours may be there.
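The second and third categories above both come down to keyspace: how many guesses an attacker needs, and whether the secret is something thousands of other people also chose. The following is an added example (not code from the article or its author) that puts numbers on that: it compares an 8-digit numeric PIN with a long passphrase, estimates a password's raw keyspace, and then applies the two checks a naive entropy estimate misses, a common-password list and a calendar-date pattern. The `COMMON_PASSWORDS` set is a constructed stand-in for the public lists the article mentions, and the 60-bit threshold is an assumption chosen for illustration.

```python
import math
import re
from datetime import datetime

# Constructed stand-in for the public "most used passwords" lists the article
# mentions; a real deployment would load a list with millions of entries.
COMMON_PASSWORDS = {
    "letmein", "password1*", "password", "123456", "qwerty", "iloveyou",
    "cardinals", "suns", "diamondbacks",  # local sports teams, lower-cased
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret drawn uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def wps_pin_bits() -> float:
    """Keyspace of an 8-digit numeric PIN: 10**8 candidates, about 26.6 bits."""
    return keyspace_bits(10, 8)


def estimated_bits(pw: str) -> float:
    """Naive strength estimate: assume the password was drawn uniformly from the
    union of the character classes it actually uses. This over-estimates the
    strength of human-chosen passwords, which is exactly why the list check and
    the date check below are needed as well."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        alphabet += 33  # printable ASCII symbols
    return keyspace_bits(alphabet, len(pw)) if alphabet else 0.0


def looks_like_date(pw: str) -> bool:
    """True if the password embeds a calendar date (DDMMYYYY, MMDDYYYY, YYYYMMDD
    or the two-digit-year forms) with a plausible year, e.g. an anniversary."""
    for run in re.findall(r"\d{6,8}", pw):
        for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
            try:
                year = datetime.strptime(run, fmt).year
            except ValueError:
                continue
            if 1900 <= year <= 2100:
                return True
    return False


def assess_password(pw: str) -> list[str]:
    """Reasons a password is weak; an empty list means no objection was found.
    The 60-bit floor is an assumed policy value for this example."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if looks_like_date(pw):
        reasons.append("contains a calendar date")
    if estimated_bits(pw) < 60:
        reasons.append("keyspace too small")
    return reasons


if __name__ == "__main__":
    print(f"8-digit PIN: {wps_pin_bits():.1f} bits")
    print(f"20 printable chars: {keyspace_bits(95, 20):.1f} bits")
    for candidate in ("letmein", "Password1*", "anniv14021998", "Vault-Door#Orchid-Lamp7"):
        print(f"{candidate!r}: {estimated_bits(candidate):.1f} bits, {assess_password(candidate)}")
```

Note that "Password1*" scores about 66 bits on the naive estimate and would pass a length-and-character-class policy on its own; only the list check catches it. That is the article's point in a nutshell: the keyspace is large, but the password is not a random draw from it.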

Large Systems are Also Complex

The larger a computer system, the more elements it has and the more widely they are dispersed. In a huge and complex system, at any given moment some part of it is under review, under repair, or carrying a vulnerability that has not yet been patched. Since it is one integrated information system, a break anywhere is like an open side door on a bank vault: it doesn’t matter how the thief got in, only that the thief got in.

It is naive to assume that your company will never lose data through a cyber-attack; losses do happen, which is why homeowners very often carry theft insurance. With data, though, a system with a good security policy, adequate encryption, two-factor authentication for access to sensitive information, and a thorough knowledge of where your sensitive enterprise data is actually stored works much better than an insurance policy that only helps after the fact.

Encrypting your most sensitive information will give any thief fields full of gibberish alongside some plaintext. Yes, they might have a list of your customer names, but the login IDs are gibberish, as are the credit card numbers and passwords. The stolen data is then about as valuable as a telephone directory. (If you don’t know what that is, please ask somebody older.)

Locating sensitive and confidential data, protecting it with a professional encryption system, and then using that system properly can protect your organization from the worst kind of data-related damage. And since your most sensitive data elements are not used all the time, there is little performance hit on the unencrypted transactional data you mostly use for reports and the like.

Unbreakable Encryption

Oh, is there an unbreakable encryption system? Yes, there is. It is far too complex to discuss here, and it is impractical for a large corporation to implement with any degree of rigor or cost containment. (One three-letter agency used it back in the 1960s at a cost of $10,000,000 a year.) I just wanted to let you know it exists. It is called a One Time Pad. Here’s a hint: it requires long lists of random numbers with 100% entropy.
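Two of the article's points fit in one small piece of code: why the One Time Pad is unbreakable, and why the home-grown "clever" cipher from the first category (a short key XORed over the message) is not, even though both are the same XOR operation. The example below is added here and is not the author's code. The pad comes from `secrets.token_bytes`, the OS random source, standing in for the "long list of random numbers with 100% entropy"; the sample messages and the three-byte key `k3y` are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """A fresh pad: n bytes from the OS CSPRNG, as long as the message and never
    used again. Generating, distributing and storing such pads for every message
    is what makes the scheme so costly to run at the scale of a corporation."""
    return secrets.token_bytes(n)


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One Time Pad: ciphertext = pad XOR message, with len(pad) == len(msg)."""
    return xor_bytes(pad, msg)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_explaining(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there exists a pad that maps it to this ciphertext, so the ciphertext
    alone cannot favour one plaintext over another."""
    return xor_bytes(ciphertext, plaintext)


def homebrew_encrypt(short_key: bytes, msg: bytes) -> bytes:
    """The 'clever' home-grown scheme: the same XOR, but with a short key
    repeated to cover the message. The pad is no longer random per byte and is
    reused every len(short_key) bytes, so plaintext structure shows through."""
    return bytes(m ^ short_key[i % len(short_key)] for i, m in enumerate(msg))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What reusing a pad hands to an eavesdropper: c1 XOR c2 equals p1 XOR p2.
    The pad cancels out, and every position where the two messages agree shows
    up as a zero byte, which is why 'one time' is not optional."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample messages.
    msg = b"attack at dawn"
    pad = otp_keygen(len(msg))
    c = otp_encrypt(pad, msg)
    print("decrypts:", otp_decrypt(pad, c) == msg)
    fake = b"retreat at one"  # same length; an equally valid explanation of c
    print("fake decrypt:", otp_decrypt(pad_explaining(c, fake), c))

    # Homebrew: identical plaintext bytes repeat in the ciphertext every 3 bytes.
    print("homebrew:", homebrew_encrypt(b"k3y", b"A" * 12).hex())

    # Reuse: the two transfers differ only in the amount, and the leak shows it.
    p1, p2 = b"TRANSFER 100 TO ACCT 42", b"TRANSFER 999 TO ACCT 42"
    pad2 = otp_keygen(len(p1))
    print("reuse leak:", pad_reuse_leak(otp_encrypt(pad2, p1), otp_encrypt(pad2, p2)).hex())
```

The `pad_explaining` function is the whole argument for unbreakability: given only the ciphertext, the attacker can construct a pad for every plaintext of that length, so no amount of computing power picks out the real one. The two failure functions show what the "100% entropy" and "one time" conditions buy; drop either and the XOR is just an obfuscation.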


About the author

David Schlesinger, CISSP, brings 27 years of experience in information technology and data security management. He is certified in cybersecurity and is a past president of the Phoenix ISSA, a security professional association. David has authored two US patents for data governance methods that use metadata classifications to audit and automate user rights and regulatory compliance. His book on finding hidden security and governance gaps in an enterprise, The Hidden Corporation, is published by Technics Publications.
