The ‘Secrets’ of Robust Encryption

Data breaches, such as those resulting from the release of the WannaCry ransomware, are hitting the headlines on an increasingly regular basis and encryption is often part of the debate around why the breach occurred and what has been compromised. While several years ago it was simply the question of whether the data had been encrypted, we’ve now moved on to a conversation around what was encrypted and how.

For example, there was much debate on the TalkTalk breach regarding the fact that customer financial information was not encrypted because the company was not legally required to do so. Also in the more recent Yahoo cyber-attack, while passwords were only breached in a hashed form, the security questions and answers were not encrypted and could have been used on many other sites. So, what is the ‘secret’ of robust encryption?

Encryption: Not All Created Equal
At a basic level, encryption means that something is unreadable without a secret key or password that enables you to decrypt the content. This could be anything from an encrypted database to encrypted data itself; the latter of which is far more granular and secure. What’s more, keys can be secured to different levels. For example, a key exchange could require someone to prove their identity, it may also require the user to be in a certain location, and in some cases may even need the permission of other users. Encryption has essentially become a web of secrets to protect yet more secrets.

Access to a key and the data it decrypts must also be related to time. Just because a user is granted access to a file once, does not mean that this should be an ‘access at all times pass’ or indeed an ‘access all areas pass’. Circumstances may change; an employee could leave or the data contained in the file could become more sensitive – in both cases, the security protecting it should change. 

Protecting data at this sophisticated level, however, is not always easy. For example, operations teams often include a number of people, on different shifts, in different countries that all need access to a file or system to maintain business continuity. It is essential that these users still have to conform to security checks, or else attackers could hijack their credentials and wreak havoc within a network.

An example of this is in the Sally Beauty Supply breach where hackers were able to gain access to public drives, network administrator credentials and, through this, every single point of sale (POS) system that Sally Beauty Supply ran. The two key takeaways in this breach are that one set of admin credentials had access to every POS system and, secondly, these credentials were accessible to everyone inside the network on a public drive. In this situation, the only real defense the company had was a firewall. Once breached, the hacker had access to the ‘keys of the kingdom’. 

The rise of connected devices and machine-to-machine communication makes encryption even more complex. More data is being collected, stored and shared and the number of encryption key exchanges taking place is increasing. For example, there has been an incident where connected lightbulbs contained a key that was used globally to authenticate software sent to it. Once it was figured out how to remove the key from the lightbulb, however, a skeleton key was effectively created that could control any of those lightbulbs anywhere in the world. While this level of control is worrying, there is also the risk that the lightbulbs could be turned into an agent for a distributed denial-of-service (DDoS) attack – similar to what happened in the DynDNS hack. 

Managing a Web of Secrets
Encryption on a data-level should be delivered as standard, as in no case should users be able to access bulk stores of information, but beyond this it is all about how well the web of secrets is managed.

Awareness of security and encryption is of huge importance. To some extent this will be done through the headlines of successive data breaches, but it is also vital for enterprises to understand, put in place and educate employees at all levels on the necessary safe computing policies to ensure users understand these rules and that they apply to everyone, and why access to certain files will require more security checks than others. 

The usability of security solutions should go hand in hand with this, as employees are likely to be inclined to find ways to work around technology which makes them jump through too many hoops. For example, as software develops and companies push for quicker and more frequent deployments, a basic level of security needs to be automated and built-in from the start.

In the longer term, systems are likely to minimize the number of secrets needed. For instance, by moving to reproducible builds that give a set of source code, protection will be more resilient and standardized.  

One way of doing this is to deploy end-to-end security in applications that prevents the company ever seeing the data being transmitted. As in the case of WhatsApp, it only adds data storage and privacy risk if the company can see the content in plain text.

As with any other technology, encryption is more complex than ‘plug-and-play’; it needs to be usable, but also take into consideration the sensitivity of the data held. It is no longer good enough to rely on compliance to ensure a company has deployed enough security defenses. The stakes are much higher than that, with more stringent compliance, financial penalties, reputational damage and loss of business driving companies to focus on the security of data more than ever before. 

What’s Hot on Infosecurity Magazine?