[BreachExchange] The Best Data Breach Tactics to Deploy Now
Destry Winant
destry at riskbasedsecurity.com
Fri Dec 28 08:43:38 EST 2018
https://www.infosecurity-magazine.com/opinions/data-breach-tactics-deploy/
A top-of-mind question for business leaders across all industries is
how to reduce the risk of a data breach. In addition to removing
sensitive data from your business processes wherever it is not needed,
there are two other tactics you should deploy: application-level
encryption and strong authentication.
Though it is generally accepted that encrypting sensitive data will
protect your organization, many people in the security business don't
realize that not all encryption is equal. Even when using
NIST-approved algorithms with the largest key sizes available, data can
still be exposed if it is encrypted in the wrong place or its keys are
poorly protected.
How is that possible? All other things being equal in the
cryptographic sense, two design decisions matter when encrypting data:
1) where the data is cryptographically processed, and 2) how the
cryptographic keys are managed.
First, let’s address processing. If data is encrypted and decrypted in
any part of the system (e.g., the hard disk drive, operating system,
database) other than the business application using that data,
significant residual risks remain despite the encryption.
An attacker only needs to compromise a software layer above the
encrypting layer to see unencrypted (plaintext) data, because the
decrypting layer below will already have decrypted the sensitive data
before handing it to the layer above in the stack. Full-disk encryption,
for example, protects against a stolen drive but not against malware
running on the booted operating system, which reads files in the clear.
Since the application layer is the highest layer in the technology
stack, it is the most logical place to protect sensitive data, and it
presents the attacker with the smallest target: to compromise sensitive
data within the application layer, the attacker must find a
vulnerability in the application itself (or obtain the administrator's
credential) and then read regions of memory accessible only to the
application or that administrator.
This also ensures that, once data leaves the application layer, it is
protected no matter where it goes (and, conversely, must come back to
the application layer to be decrypted).
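The layering argument above, as an added example that is not part of the original article. Two toy designs are modelled: a storage layer that encrypts transparently and decrypts on every read (the way transparent database or disk encryption behaves), and an application that seals each record itself with AES-GCM before anything below it sees the bytes. An attacker who has compromised the query interface one layer above the storage engine recovers plaintext in the first design and only ciphertext in the second. The store, record identifiers and fixed keys are constructed for illustration; in practice the application key would come from a dedicated key manager, which the next paragraphs discuss.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// blobStore stands in for any layer below the application (disk, OS file,
// database column). It hands back whatever it holds to any caller that can
// reach it, including an attacker who has compromised that layer.
type blobStore struct{ rows map[string][]byte }

func newBlobStore() *blobStore { return &blobStore{rows: map[string][]byte{}} }

func (s *blobStore) Put(id string, b []byte) { s.rows[id] = append([]byte(nil), b...) }
func (s *blobStore) Get(id string) []byte   { return s.rows[id] }

// newAEAD wraps a 32-byte key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag with a fresh random nonce per record.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a truncated blob, a tampered tag or a wrong key.
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// transparentStore models encryption below the application: the storage
// layer owns the key and decrypts on every read, so its query interface
// returns plaintext to anything above it.
type transparentStore struct {
	inner *blobStore
	aead  cipher.AEAD
}

func (t *transparentStore) Put(id string, plaintext []byte) error {
	ct, err := seal(t.aead, plaintext)
	if err != nil {
		return err
	}
	t.inner.Put(id, ct)
	return nil
}

func (t *transparentStore) Get(id string) ([]byte, error) { return open(t.aead, t.inner.Get(id)) }

// appEncryptor models application-level encryption: the application seals
// the record itself, so only ciphertext ever reaches the layers below.
type appEncryptor struct{ aead cipher.AEAD }

func (a *appEncryptor) Store(db *blobStore, id string, plaintext []byte) error {
	ct, err := seal(a.aead, plaintext)
	if err != nil {
		return err
	}
	db.Put(id, ct)
	return nil
}

func (a *appEncryptor) Load(db *blobStore, id string) ([]byte, error) { return open(a.aead, db.Get(id)) }

// comparison holds what an attacker at the database query layer recovers
// under each design, plus what the application itself reads back.
type comparison struct {
	AttackerSeesTransparent string // plaintext leaked through the decrypting layer
	AttackerSeesAppLevel    string // hex of the ciphertext the store actually holds
	AppReadsBack            string
}

func compareDesigns(secret string) (comparison, error) {
	var c comparison
	// Constructed fixed keys so the example runs offline (hypothetical values).
	storageKey := []byte("0123456789abcdef0123456789abcdef")
	appKey := []byte("fedcba9876543210fedcba9876543210")

	tAEAD, err := newAEAD(storageKey)
	if err != nil {
		return c, err
	}
	tdb := &transparentStore{inner: newBlobStore(), aead: tAEAD}
	if err := tdb.Put("card:1", []byte(secret)); err != nil {
		return c, err
	}
	pt, err := tdb.Get("card:1") // the attacker's query session sits above the storage engine
	if err != nil {
		return c, err
	}
	c.AttackerSeesTransparent = string(pt)

	aAEAD, err := newAEAD(appKey)
	if err != nil {
		return c, err
	}
	app := &appEncryptor{aead: aAEAD}
	db := newBlobStore()
	if err := app.Store(db, "card:1", []byte(secret)); err != nil {
		return c, err
	}
	c.AttackerSeesAppLevel = fmt.Sprintf("%x", db.Get("card:1")) // same compromised query layer, ciphertext only
	back, err := app.Load(db, "card:1")
	if err != nil {
		return c, err
	}
	c.AppReadsBack = string(back)
	return c, nil
}

func main() {
	c, err := compareDesigns("4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c)
}
```

The point of the comparison is the position of the key, not the cipher: both designs use the same AES-GCM, and only the one whose key never leaves the application denies plaintext to a compromised lower layer.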
In terms of how cryptographic keys are managed and protected, if you
use a general-purpose file, keystore, database or device to store your
keys, this would be the equivalent of leaving company cash in a
general-purpose desk or drawer. In the same way that you need a safe
to store cash in a company, you need a purpose-built key management
solution designed with hardened security requirements to protect
cryptographic keys.
These solutions have controls to ensure that, even if someone gains
physical access to the device, gaining access to the keys will range
from very hard to nearly impossible. If the key management system
cannot present sufficiently high barriers, even billion-dollar
companies will fail to protect sensitive data – as many recently have
and continue to do.
Though the details and complexity of cryptography can seem taxing, it
is important to recognize that an encryption solution provides the
last bastion of defense against determined attackers. It is well worth
a company’s time to give both application-level encryption and key
management the proper attention.
While encryption is a best practice, so is strong authentication. In
fact, it should be the first line of defense. Strong authentication uses
per-user cryptographic keys held in secure hardware (in the possession
of the user) to confirm that the user is who they claim to be, rather
than a shared secret such as a password.
While digital certificates on smartcards have provided such capability
for over two decades, they are expensive and difficult to use and
support, even in highly technical environments. The FIDO Alliance is
attempting to simplify this problem by eliminating passwords entirely;
some early solutions have already made it to market this year (2018),
with successful deployments under way.
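The hardware-backed challenge-response that the paragraph describes, as an added example that is not part of the original article and not the FIDO/WebAuthn wire format itself. An authenticator holds an ECDSA private key that never leaves it and signs a server-issued challenge bound to the relying party identifier; the server keeps only public keys, issues a fresh random challenge per login and accepts each challenge once. The scenario then shows a genuine login succeeding while a replayed signature, an unregistered token and a signature made for a phishing site's identifier all fail. The relying party names and user name are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// authenticator models the user's hardware token: the private key is
// generated inside it and never leaves; it only ever returns signatures.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

func (a *authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign binds the signature to the relying party the client claims to be
// talking to, so a token tricked into signing for a phishing site produces
// a signature the genuine site will reject.
func (a *authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, challenge))
}

// digest hashes the length-prefixed rpID and the challenge together.
func digest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(rpID), rpID)
	h.Write(challenge)
	return h.Sum(nil)
}

// relyingParty is the server side: it stores public keys only, issues a
// random challenge per login and accepts each challenge at most once.
type relyingParty struct {
	id      string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *relyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

func (rp *relyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge whether or not the signature
// checks out, so a captured signature cannot be replayed later.
func (rp *relyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(rp.keys[user], digest(rp.id, c), sig)
}

type outcome struct {
	Genuine     bool // registered token, fresh challenge, correct origin
	Replay      bool // same signature presented a second time
	WrongKey    bool // token that was never registered for this user
	WrongOrigin bool // token signed for a phishing site's identifier
}

func runScenario() (outcome, error) {
	var o outcome
	rp := newRelyingParty("bank.example")
	tok, err := newAuthenticator()
	if err != nil { return o, err }
	rp.Register("alice", tok.Public())

	c, err := rp.Challenge("alice")
	if err != nil { return o, err }
	sig, err := tok.Sign(rp.id, c)
	if err != nil { return o, err }
	o.Genuine = rp.Verify("alice", sig)

	// Replay: the attacker recorded sig and presents it against a new challenge.
	if _, err = rp.Challenge("alice"); err != nil { return o, err }
	o.Replay = rp.Verify("alice", sig)

	// Wrong key: the attacker's own token was never registered for alice.
	rogue, err := newAuthenticator()
	if err != nil { return o, err }
	if c, err = rp.Challenge("alice"); err != nil { return o, err }
	if sig, err = rogue.Sign(rp.id, c); err != nil { return o, err }
	o.WrongKey = rp.Verify("alice", sig)

	// Wrong origin: a phishing site relays the real challenge, but the client
	// binds the signature to the site the user actually visited.
	if c, err = rp.Challenge("alice"); err != nil { return o, err }
	if sig, err = tok.Sign("bank-login.example", c); err != nil { return o, err }
	o.WrongOrigin = rp.Verify("alice", sig)
	return o, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The two properties that make this stronger than a password are visible in the code: the server never holds anything a breach could turn into a credential (public keys only), and the signature is over a one-time challenge plus the site identifier, so neither capture nor phishing yields a reusable secret.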
With strong authentication as the first line of defense and
application-level encryption backing it up, even if an attacker
managed to slip past network defenses – as they always seem to do –
there will be little opportunity to compromise sensitive data.
While no security technology is absolutely fool-proof, when
implemented correctly, these two security technologies raise the bar
high enough to "encourage" the vast majority of attackers to
move on to easier targets.