[BreachExchange] Why we need to encrypt everything
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Apr 12 14:02:45 EDT 2017
http://www.infoworld.com/article/3188865/encryption/why-we-need-to-encrypt-everything.html
If you've been paying attention lately, you've likely noticed that more of
your everyday websites are going HTTPS by default: Twitter, Facebook,
LinkedIn, and even your favorite search engine.
This is a good development. For years, critics have derided default,
widespread HTTPS encryption and authentication as unnecessary and
performance-wasting. But now that we've seen most of the biggest websites
go HTTPS, led by Google, the world is finding out it isn't such a bad idea.
In fact, it's great. It's time for us to go all the way and encrypt and
authenticate everything!
At a time where the U.S. Congress is allowing ISPs to continue spying on
users' private sessions, we need default HTTPS to protect our privacy. We
need to incorporate security and privacy protections in all our
communications, whether over the internet, telephone, cable, mobile phones,
instant messaging -- any form of networked communications. We should demand
constant protection of all that. It's the only way to make the internet
truly more secure and private.
Tell it to the CIA
Computer security students use the acronym CIA -- aka "confidentiality,
integrity, availability" -- to describe why computer security is needed.
Confidentiality refers to keeping information from being seen by
unauthorized parties. Integrity means making sure a person or computer is
who they say they are (or that content has not been modified since its
intended distribution). Availability is ensuring that a computer asset is
accessible to authorized parties, thanks to such practices as preventing
denial-of-service attacks.
We should apply the security CIA triad to all computing and network
communications. That doesn't mean we have to apply the strongest and most
expensive security to everything; security measures should be commensurate
with the data they protect. You wouldn't protect a website containing public
information as strenuously as you'd protect weapon systems or classified
information. But in general, all websites and services should have some
basic level of encryption and integrity.
Why is default security needed?
Conventional wisdom dictates that protecting assets and content that don't
seem to demand strong computer security is wasteful, unnecessary, and
performance-killing. As a result, only content that supposedly needs better
protecting receives it. What we end up with is a hodgepodge of protection,
often within the same site or service.
We're all accustomed to connecting to banking websites that start off
unprotected, then switch to protected for a logon or transaction, often
with single pages that contain a mix of protected and unprotected content.
Sometimes it's hard to determine which is which. The complexity of
sustaining differing levels of protection on the same site is confusing to
us and our browsers.
As it turns out, it's simply easier for developers, browsers, and users to
protect everything all the time.
I liken it to file-based encryption. With file-based encryption, either you
or the system encrypts files on a file-by-file or folder-by-folder basis.
This supports the idea that only certain items need to be protected. But
file-based encryption almost always fails as true protection over the long
run. Objects that should be protected don't get protected. Sensitive data
leaks out. A simple application crash can leave confidential data exposed.
Moreover, it's difficult to remove all confidential data even if you try,
especially in today's growing world of memory storage media (which doesn't
even let the operating system choose what data to delete or encrypt).
Volume- and disk-based encryption is becoming the norm. You turn it on, and
every file, every data bit remnant is protected by default. This approach
makes an unintended data reveal much less likely, and usually the
protection is invisible to the user. We need to take lessons learned in the
storage arena and apply them to the rest of the world. Widespread, default,
pervasive protection works best.
Default security
Getting rid of all HTTP connections and moving to (or even requiring) HTTPS
is a good way to start. HTTPS gives us encryption and integrity during
network transmission. We need to require default, total media encryption on
all disks and storage media. No USB key or camera memory card should be
without it.
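What "getting rid of all HTTP connections" looks like in server code, as an added Go example that is not from the article or its author: the plaintext listener runs a single handler that redirects every request, path and query string included, to the same URL over https, and the TLS listener wraps the real application so every response carries a Strict-Transport-Security header, after which browsers stop requesting http:// for that host at all. The host name example.test, the function names and the one-year HSTS lifetime are assumptions for the demo; the two helpers at the end exercise the handlers against synthetic requests so the behaviour can be checked without a certificate or open ports.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HSTS policy sent on every TLS response: one year, covering subdomains.
// (The "preload" token is deliberately left out: it is hard to reverse.)
const hstsValue = "max-age=31536000; includeSubDomains"

// RedirectToHTTPS is the only handler the plaintext listener runs. Every
// request, whatever its path or query string, receives a permanent redirect
// to the same URL on the https scheme; nothing is ever served over HTTP.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// WithHSTS wraps the real application handler, which is mounted only on the
// TLS listener, and adds Strict-Transport-Security so that browsers stop
// issuing http:// requests to this host after the first visit.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// RedirectResult exercises RedirectToHTTPS against a synthetic request
// (constructed here, no network) and returns the status code and Location
// header it produced.
func RedirectResult(host, uri string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+uri, nil)
	rec := httptest.NewRecorder()
	RedirectToHTTPS(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

// HSTSHeader runs a trivial application handler through WithHSTS and returns
// the Strict-Transport-Security value a client would see.
func HSTSHeader() string {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	req := httptest.NewRequest(http.MethodGet, "https://example.test/", nil)
	rec := httptest.NewRecorder()
	WithHSTS(app).ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	code, loc := RedirectResult("example.test", "/login?next=%2Faccount")
	fmt.Println(code, loc)
	fmt.Println(HSTSHeader())
	// In a deployment the two listeners would be started like this (not run
	// here because it needs a certificate and ports 80/443):
	//   go http.ListenAndServe(":80", http.HandlerFunc(RedirectToHTTPS))
	//   http.ListenAndServeTLS(":443", "cert.pem", "key.pem", WithHSTS(app))
}
```

The redirect preserves the original path and query so deep links and bookmarks keep working, which removes the usual excuse for leaving a plaintext version of the site in place.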
We also need to move from one-factor authentication to two-factor (or
greater) authentication. Stronger authentication doesn't prevent all
attacks, but it stops the phishing of credentials, which is very prevalent
right now.
It's also important to authenticate all content to protect its integrity,
although this flies in the face of conventional thinking. Why protect
content anyone can acquire? Mainly because it's easier to encrypt
everything, but also because all content needs integrity protection.
Suppose a government agency offers public documents that anyone can have,
use, and share. It's important that what users download and share is
authentic. You don't want someone changing a public document to say
something else and disseminate it as if it were the genuine article.
You might argue that many documents, where the original author or
distributor doesn't mind any modification, shouldn't be
integrity-protected. Again I'll argue that it's easier, more accurate, and
cheaper to protect everything than singling out winners and losers.
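The public-document scenario above, as an added Go example (not code from the article or its author): the publisher signs each document with an Ed25519 key and distributes the detached signature next to it; anyone who downloads the document verifies it against the publisher's public key, and a copy that has been altered in any way fails verification. The fixed demo seed, the sample notice text and the function names are constructed for this example; a real publisher would generate the key with crypto/rand as NewPublisherKey does and keep it offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewPublisherKey generates a fresh signing key pair for a publisher.
// The private key stays with the publisher; only the public key is shared.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument produces a detached Ed25519 signature over the document bytes.
// Ed25519 hashes the whole message internally, so documents of any size can
// be passed directly without a separate digest step.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument checks a downloaded document against the publisher's public
// key and the detached signature shipped with it. Malformed inputs are
// rejected up front so ed25519.Verify is never handed a wrong-sized key.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

// demoSeed is a constructed, fixed seed so the demonstration is reproducible.
// It is not a real key and must not be reused outside this example.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// DemoKeys derives the reproducible demo key pair from demoSeed.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// TamperCheck signs the original document, then verifies both the original
// and an altered copy against that one signature. It returns
// (originalVerifies, tamperedVerifies); the second should always be false.
func TamperCheck(original, tampered []byte) (bool, bool) {
	pub, priv := DemoKeys()
	sig := SignDocument(priv, original)
	return VerifyDocument(pub, original, sig), VerifyDocument(pub, tampered, sig)
}

func main() {
	// Constructed sample: a public notice and a copy with one digit changed.
	original := []byte("Public notice: the permit fee is $10 per year.")
	tampered := []byte("Public notice: the permit fee is $100 per year.")

	pub, priv := DemoKeys()
	sig := SignDocument(priv, original)
	fmt.Println("public key:", hex.EncodeToString(pub))
	fmt.Println("signature: ", hex.EncodeToString(sig))

	okOrig, okTamp := TamperCheck(original, tampered)
	fmt.Println("original verifies:", okOrig, " tampered verifies:", okTamp)
}
```

The signature only helps if the reader obtained the publisher's public key from somewhere an attacker could not substitute it, which is where the article's other demand comes back in: the key (or the page listing it) has to be served over HTTPS.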
Even availability issues need to be worldwide. You might think it's OK for
your site or service to go down, but in today's world, you never know what
upstream or downstream entity is integrating with your offering. Besides,
almost everything in the cloud is redundant already, and it's cheaper to
protect everything rather than a few bits.
It's inevitable that enabling security universally, such as HTTPS or
default encryption, will break some objects, especially those that were
built before these security options were available or pervasive. So what?
Welcome to the real world. If something breaks, it's time to fix it or
forget it. Pervasive computer security shouldn't be held back by dinosaur
apps and services.
The fallout
All spies dislike the idea of pervasive encryption and other security
protections. Again, so what? The ability to protect our personal privacy
should trump any other societal need.
I and millions of others don't buy that government must be able to
infiltrate every digital transaction to protect society from criminals and
terrorists. Let me be clear: We are willing to put up with the idea that
pervasive security makes it harder for law enforcement to do its job.
That said, I'm not suggesting that default, pervasive security is a
panacea. If a bad group successfully breaks into your computer or into a
website, it can pretty much do anything it wants, including disabling
default security.
But having good security always turned on as default means even those
events are less likely to happen. Requiring seat belts in cars and helmets
on motorcycle riders doesn't stop car or motorcycle deaths. But it
absolutely, significantly reduces the number of deaths and horrible,
disabling injuries.
The internet and every device connected to it will one day have built-in,
pervasive security, turned on by default. It's already happening. I want us
all to recognize it, hop on the bandwagon, and get it done. It's the only
way the internet has a chance to be significantly more secure.