
Let’s Talk Encryption

By David Schlesinger

Wait! I promise – no math!

Really! How encryption happens is not your job, and you may be excused from knowing the algorithms, remembering who discovered what, and why there is a secret key.

Encryption systems scramble data into gibberish for protection, and the gibberish can be unscrambled later by whoever holds the key. That is all you need to know. If a hacker steals encrypted data but not the key, they have not stolen any usable information.

“Wait!” You respond, “The information is there, just not accessible.”

Not really.

If you are using a proven encryption system (AES, Serpent, and Twofish come to mind), the encrypted gibberish contains nothing that leads back to the original data unless it is fed into the right decryption program with the correct decryption key. On its own, the file holds no information available to mere mortals. (That is, unless the key is derived from a password like “Password1”, in which case the attacker does not break the cipher at all; they simply guess the password.)

In about 12% of the penetration tests conducted by security experts hired to test a company’s defenses, the experts find that the company has already been hacked, with evildoers working deep inside its network. Computer systems are inherently complex, and complexity is the enemy of good security. Something in every large network is unpatched, out of date, or misconfigured. Determined hackers often spend weeks knocking on every door and picking every lock, looking for a loophole.

If you are interested in protecting your data with encryption, here are some tips on securing sensitive enterprise data.

1. Getting hacked is a matter of “when”, not “if”. It is the apparent invisibility of cyber threats that lets managers believe the extra budget for encryption is not justified. Only later, after the data is exposed on the Internet, do they discover the real cost of data loss. Lawsuits eat up millions of dollars, and then they spend several million more just to buy a year of monitoring services for the thousands of customers whose data was exposed. Oh, and about 70% of those affected customers stop being customers.

2. While it might at first seem easier to encrypt everything, there are psychological and operational, not to mention financial, problems with that approach. Encrypt the data you would most hate to lose. This is faster, cheaper and more effective than trying to protect data that has little value or interest to anybody. Most of your data is operational and not highly sensitive; customer data, employee data, trade secrets and financial information are usually the most sensitive. (Encrypting a field also costs you the ability to search or index it directly, which is one of the operational problems just mentioned.)

3. You cannot hope to turn even your most brilliant programmers into effective cryptographers. This is a beginner’s mistake. (Remember WEP, the old Wi-Fi “encryption” scheme that can be broken in a few minutes?) Cryptography is difficult, takes many years to learn, and even then remains tricky. Your programmers are babes in the cryptographic woods. Use them to integrate a proven package, not to build one.

4. Buy a crypto package from a company that has been in the business for some time; by then they will have found and fixed most of the bugs and loopholes. (Did I mention that good cryptography is extremely complex?) They will also take care of your cryptographic keys, something you do not want to do yourself unless you have an extensive security department that is immune from layoffs and re-organizations. Key management, not the cipher, is where most deployments fail, so ask how keys are generated, stored, rotated and revoked before you buy.

5. If the new encryption requires your top executives to carry a device, that is a tough requirement. Top execs are used to doing things fast and will not believe that they are vulnerable, high-value targets. That belief is ridiculous, but they will still fight the requirement to press buttons on a dongle to reach their data. You must recruit corporate security and corporate counsel to make this point. If you can get a proximity dongle, like the key fob for their car, it might be a slam-dunk. Either way, to protect your enterprise data you need to overcome their reluctance and win this fight.

(Tip: Allow duplicate authorization devices for the top execs’ admins. The execs will like this. Your security consultants will object; tell them it is a “calculated risk” you must take. They will not understand. Give them T-shirts. You see, top execs and their administrative assistants are actually a team. This team has been sharing passwords and computers for many, many years, and you have trusted this team to manage your company for a very long time. You can certainly trust these same admins sufficiently to carry duplicate security devices. It is truly a calculated risk, but a low one. Where the package supports it, issue the assistant a device of their own with delegated rights rather than a clone of the executive’s, so the audit trail still names the person who actually acted.)

6. When another program needs to access encrypted data, it must be included in the highest-security infrastructure. If a Web server (hopefully in the DMZ) needs an encrypted field from inside the firewall, make sure a stored procedure decrypts only one record at a time, only for a limited number of requests per second, and locks the caller out beyond that. Also make sure the stored procedure produces an audit trail, and that the Web server can call the procedure but cannot read the encrypted column or the key itself.

Remember, the successful hacker will probably first elevate himself to Admin rights on one of your Web servers. Here is where you bring your security team into the implementation meetings and ask them for secure ways to perform this data access and implement selective encryption. They will surprise you with their amazing tools and devious methods. Give them T-shirts. They prefer black.
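The stored-procedure gateway described in tip 6, written out as an added example that is not from the article or its author. It is PostgreSQL with the pgcrypto extension and PL/pgSQL; every table, column and role name is hypothetical, and the ssn_key table is a stand-in for the vendor key-management package the article recommends (a real deployment would fetch the key from that package rather than from a table). The Web tier’s role can execute the function and nothing else: it never reads the ciphertext column or the key, gets one record per call, is limited to a few calls per second, is locked out when it exceeds that, and every attempt lands in an audit table.

```sql
-- Added example, not from the article: a PostgreSQL/pgcrypto gateway function
-- in the spirit of tip 6. The Web tier cannot read the ciphertext column or
-- the key; it may only call decrypt_one_ssn(), which decrypts one record per
-- call, rate-limits each calling role, locks it out on abuse, and audits.
-- Table, column and role names are hypothetical; ssn_key stands in for the
-- vendor key-management package the article recommends.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer (id bigint PRIMARY KEY, name text NOT NULL,
                       ssn_enc bytea NOT NULL);          -- pgp_sym_encrypt() output
CREATE TABLE ssn_key (k text NOT NULL);                  -- readable by the owner only
INSERT INTO ssn_key VALUES ('constructed-demo-key-not-for-real-use');
CREATE TABLE decrypt_audit (ts timestamptz NOT NULL DEFAULT clock_timestamp(),
                            caller text NOT NULL, record_id bigint,
                            outcome text NOT NULL);      -- ok|not_found|rate_limited|locked_out
CREATE TABLE decrypt_quota (caller text PRIMARY KEY, window_start timestamptz NOT NULL,
                            requests int NOT NULL, locked_until timestamptz);

CREATE OR REPLACE FUNCTION decrypt_one_ssn(p_id bigint) RETURNS text
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
    v_caller text        := session_user;      -- the Web role, even under SECURITY DEFINER
    v_limit  int         := 5;                 -- decryptions allowed per one-second window
    v_now    timestamptz := clock_timestamp();
    v_quota  decrypt_quota%ROWTYPE;
    v_key    text;
    v_plain  text;
BEGIN
    -- Denials RETURN NULL rather than RAISE EXCEPTION: an exception would roll
    -- back the audit row and the lockout together with the caller's transaction.
    SELECT * INTO v_quota FROM decrypt_quota WHERE caller = v_caller FOR UPDATE;
    IF NOT FOUND THEN
        INSERT INTO decrypt_quota VALUES (v_caller, v_now, 0, NULL) RETURNING * INTO v_quota;
    END IF;

    IF v_quota.locked_until IS NOT NULL THEN
        IF v_quota.locked_until > v_now THEN
            INSERT INTO decrypt_audit (caller, record_id, outcome) VALUES (v_caller, p_id, 'locked_out');
            RETURN NULL;
        END IF;
        v_quota.locked_until := NULL;          -- lockout has expired
    END IF;

    IF v_now - v_quota.window_start >= interval '1 second' THEN
        v_quota.window_start := v_now;         -- start a fresh one-second window
        v_quota.requests     := 0;
    END IF;
    v_quota.requests := v_quota.requests + 1;
    IF v_quota.requests > v_limit THEN
        v_quota.locked_until := v_now + interval '15 minutes';
    END IF;
    UPDATE decrypt_quota SET window_start = v_quota.window_start, requests = v_quota.requests,
                             locked_until = v_quota.locked_until WHERE caller = v_caller;
    IF v_quota.locked_until IS NOT NULL THEN
        INSERT INTO decrypt_audit (caller, record_id, outcome) VALUES (v_caller, p_id, 'rate_limited');
        RETURN NULL;
    END IF;

    SELECT k INTO v_key FROM ssn_key LIMIT 1;
    SELECT pgp_sym_decrypt(ssn_enc, v_key) INTO v_plain FROM customer WHERE id = p_id;  -- one row only
    IF NOT FOUND THEN
        INSERT INTO decrypt_audit (caller, record_id, outcome) VALUES (v_caller, p_id, 'not_found');
        RETURN NULL;
    END IF;
    INSERT INTO decrypt_audit (caller, record_id, outcome) VALUES (v_caller, p_id, 'ok');
    RETURN v_plain;
END;
$$;

-- The Web tier's role may execute the gateway and nothing else.
CREATE ROLE webapp LOGIN;
REVOKE ALL ON customer, ssn_key, decrypt_audit, decrypt_quota FROM PUBLIC;
REVOKE ALL ON FUNCTION decrypt_one_ssn(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION decrypt_one_ssn(bigint) TO webapp;

-- Constructed sample row and the call the Web tier would make (as role webapp).
INSERT INTO customer SELECT 1, 'Alice Example', pgp_sym_encrypt('123-45-6789', k) FROM ssn_key;
SELECT decrypt_one_ssn(1);                     -- '123-45-6789', plus one 'ok' audit row
```

Two design points worth noticing. SECURITY DEFINER is what lets the function read the key and the ciphertext on behalf of a role that is not allowed to touch either table, and session_user (not current_user) is used for the quota and audit so the record names the connecting Web role rather than the function’s owner. Denials return NULL instead of raising, because a raised exception would roll back the audit row and the lockout update along with the rest of the Web tier’s transaction, which is exactly the evidence you want to keep when an attacker with Admin rights on a Web server starts pulling records.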

    Good luck.
