[BreachExchange] Encryption – The good and the bad

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 18:46:30 EST 2018


Encryption exists to protect data from unauthorised access by translating
it into a format that is unreadable without a decryption or secret key.
However, the very method used to keep data safe is also being used to
compromise it.

Ransomware is becoming increasingly prevalent, with stories about such
attacks flooding newsfeeds on almost a daily basis. Once it has infiltrated
a system or network, Ransomware leverages encryption to hold data hostage,
demanding payment for the decryption key before the data is released back
to the owner.

*The need to protect data*

Data is valuable, and there is an increasing need to protect it. Looming
regulations such as the Protection of Personal Information (PoPI) Act, and
the EU’s General Data Protection Regulation (GDPR) are driving forces
behind having proper mechanisms in place to protect personal information.

It’s also good common sense to ensure that data, particularly sensitive
data such as company information, proprietary data and personal data, is
protected. Perimeter security and firewalls are no longer sufficient in a
connected world where closing all the doors to your information is becoming
harder to do.

Many cyber-attacks are unwittingly initiated from within organisations
through users accidentally opening an infected webpage or link, heightening
the need for proper controls to be in place – controls such as encryption.

*How encryption works*

Encryption essentially converts plaintext data into something called
ciphertext using algorithms and an encryption key. There are two main types
of encryption: symmetric and asymmetric. Symmetric encryption uses the same
key to encrypt and decrypt data, meaning the key used to encrypt the data
must be shared with the recipient before they can decrypt the file – similar
to password-protecting a Word document.

Asymmetric encryption makes use of two different encryption keys, a private
key and a public key. The keys are usually large numbers that have been
paired together but are not identical. Either key can be used to encrypt a
message; the other key of the pair is then the one needed to decrypt it.
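The two properties described above, as an added pure-Python illustration that is not part of the original post: the symmetric part is a hash-derived keystream (same key both ways) and the asymmetric part is textbook RSA on small, well-known primes, so one key of the pair undoes what the other did. Both constructions are for demonstration only, not for protecting real data.

```python
"""Symmetric vs asymmetric encryption, demonstration only (added example)."""
import hashlib
from math import gcd


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Same key encrypts and decrypts: the keystream depends only on the key,
    so XOR-ing twice with the same key returns the original bytes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: public key (n, e) and private key (n, d) are a matched
    pair of numbers; the primes here are tiny compared with real RSA."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, m: int) -> int:
    """Apply one key of the pair; only the other key reverses the result."""
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def demo():
    # Constructed sample values for the demonstration.
    shared_key = b"shared-secret-both-parties-know"
    plaintext = b"quarterly figures"
    sym_ok = symmetric_xor(shared_key, symmetric_xor(shared_key, plaintext)) == plaintext

    public, private = rsa_keypair(p=1000000007, q=998244353)
    m = 123456789
    dec_with_private = rsa_apply(private, rsa_apply(public, m))  # encrypt/decrypt
    dec_with_public = rsa_apply(public, rsa_apply(private, m))   # sign/verify shape
    return sym_ok, dec_with_private == m, dec_with_public == m


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```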

*Best practice for better control*

Encryption is one of the tools that is used to protect data, but should
form part of a data security strategy which defines various controls to
keep data safe.

For organisations to protect data, it is important that they understand
their data, knowing what data they are protecting and where that data
resides. After all, you can’t effectively protect something if you don’t
know where it is, and it wastes resources and time to protect data that
doesn’t need protection.

There are two main types of data: data at rest and data in transit. From a
data in transit point of view, data is encrypted as it traverses various
networks. Data at rest, however, requires different levels of protection
for maximum effectiveness.

Data at rest – which is data residing in a business’s data centre, backup
storage, network and various machines such as computers or mobile devices –
needs to be classified in order to define the level of protection required.
This includes basic rights management and access control regarding who may
access what data, and under what conditions.

More often, organisations are employing controls such as multi-factor
authentication, which combines two or all three of the following elements:
a password, a physical card or token, and biometrics. Regardless of the
controls in place, encryption is still required at every data access point
to protect against unauthorised access, use or dissemination. In this way,
even if an individual gains access to data, they are unable to read it or,
in any way, use or abuse the data.

*Beating Ransomware*

Ransomware is predicted to escalate in the upcoming years, especially with
services such as Ransomware-as-a-Service (RaaS) being offered on the Dark
Web. The rise of Ransomware means that organisations need to make plans to
protect themselves against attack, while also considering a plan of action
for if they are successfully targeted.

Most IT security companies and professionals strongly advise against paying
to restore data. Not only does this drive the success of Ransomware,
fuelling the rise of cybercrime, but paying the ransom does not guarantee
that a business will recover its data. With this in mind, companies need to
be prepared in other ways.

Preparation includes introducing a strict and well-communicated IT security
policy, with aligned security mechanisms, which educates and informs all
stakeholders of the dangers of Ransomware and how to prevent infiltration.
It also means having a solid backup solution in place which enables
multiple data copies to be created and kept, and which is itself protected
by strong security and encryption.

If Ransomware breaches an organisation’s security measures, organisations
can fall back on a backup. It is important, however, that the business
chooses a backup solution which offers quick data restoration time, as well
as the safety net of an offline backup, too. No organisation which uses the
Internet (basically every business) is completely immune to Ransomware, and
if a business’s backup is also compromised, having an offline backup could
be the difference between continuing with business as usual, or shutting up