Encryption: The Security of Last Resort
Why Encryption Is the Security of Last Resort
You may have noticed that companies with encrypted data still get hit with embarrassing breaches. In this article, I’ll explain why encryption is the weak link in any security policy, and how to make your data harder to steal.
Encryption Is the Weak Link
I was teaching a security segment to the team at a public utility on the East Coast a few weeks ago. I asked one of the managers (I’ll call him Paul), “Do you take that laptop home at night?” When he said yes, I asked, “Can it be used to access any control systems?” Paul replied, “Yes, but we use a VPN, so it’s safe.” I smiled, because now the demonstration I was about to do would be a lot of fun.
My demo computer was already connected to the projector, and my screen was displayed for everyone to see. This computer has an unpatched vulnerability, and I taught the class how to exploit it. There were about a half dozen people connected to my machine at the same time, and there was no visible clue on the computer’s desktop.
I had the “attackers” go into a specific folder, and let them create, modify, copy, and delete files. Everyone was watching my computer on the big screen. I checked email. Then I opened a web browser. Still no sign of any monkey business.
“Okay,” I said, “let’s think about this. Paul, suppose you visit an infected website and your laptop gets compromised. Now someone has a backdoor into your laptop with full administrative privileges. Now – when you VPN into the company network, are you still sure it’s safe?”
You see, the attacker doesn’t need to know the encryption key for your VPN. The attacker doesn’t even need to know your password. All the attacker needs to do is sit back and let you connect for him/her. Encrypted data on your server? Well, it’s not encrypted when it’s displayed on your screen.
Encryption is the weak link because your credentials will decrypt the data for the attacker.
How to Make Your Data Harder to Steal
Fortunately, the utility company where I was teaching has other security measures in place, which will remain confidential. Trying to access Paul’s laptop will present a few more difficulties to a would-be attacker. So, without giving away this utility’s secrets, how do we make your data safer?
The usual answer – the obvious one – is stronger authentication. Since encryption melts away in the presence of an authenticated user, we need to deploy multi-factor authentication. I recommend authenticating devices, as well as users. For example, Paul wouldn’t be able to connect from his personal computer if the company laptop is the only device in his possession that can authenticate. Now, even if an attacker in another country learns your login credentials, they’re still locked out because they don’t have an approved device.
But multi-factor authentication still doesn’t protect you from the piggy-back attacker who has a back door into an approved device. A compromised machine is still a wide-open entrance point to the data, or to the ability to control remote systems.
Strong Data Policy is Essential
Since strong authentication is still not enough to protect your data, you need a solution that goes even deeper. That solution is a strong data policy. What I’m going to say next is tough. It’s a hard pill to swallow, as they say.
Some data shouldn’t be available via the Internet, or sometimes even via private circuits.
In this exciting age of cloud storage, remote workers, and globally distributed teams, it seems like a step backwards to require someone to come to the office to access certain information, or to control certain systems. Security and convenience have always had an inverse relationship. They still do.
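To make the three layers concrete (user credentials plus a second factor, an approved-device check, and a data policy that keeps some data off the Internet and off VPN circuits entirely), here is an added access-decision model. It is example code written for this article, not the utility’s controls or anything the author described in detail; the device fingerprint, the data classes, and the scenario names are constructed assumptions. Note what it can and cannot do: an attacker who only has stolen credentials is stopped by the device check, but a piggy-back attacker riding an approved, compromised laptop over VPN looks identical to Paul, so the only thing that keeps “restricted” data out of reach is the policy that refuses to serve it over VPN at all.

```python
"""Access decisions combining MFA, device identity and a data policy.

Added example, not the article's or the utility's code. Every fingerprint,
data class and scenario below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed inventory of approved devices, keyed by a made-up certificate
# fingerprint. In practice this comes from a certificate store or MDM system.
APPROVED_DEVICES = {
    "sha256:7c9e1b2d4f6a8c0e2a4b6d8f0a1c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3f5a7c":
        "paul-company-laptop",
}
PAUL_LAPTOP = next(iter(APPROVED_DEVICES))

# Data policy: which network paths may reach each class of data and what the
# session must prove. "restricted" is never served over the Internet or VPN,
# so even a compromised approved device connecting remotely cannot reach it.
DATA_POLICY = {
    "public":     {"mfa": False, "approved_device": False, "paths": {"office", "vpn", "internet"}},
    "internal":   {"mfa": True,  "approved_device": True,  "paths": {"office", "vpn"}},
    "restricted": {"mfa": True,  "approved_device": True,  "paths": {"office"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool               # result of the password check
    second_factor_ok: bool          # result of the second-factor check
    device_fingerprint: Optional[str]  # certificate fingerprint the device presented
    network_path: str               # "office", "vpn" or "internet"
    data_class: str                 # key into DATA_POLICY


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the policy."""
    rule = DATA_POLICY.get(req.data_class)
    if rule is None:
        return False, "unknown data class"
    if not req.password_ok:
        return False, "bad credentials"
    if rule["mfa"] and not req.second_factor_ok:
        return False, "second factor required"
    if rule["approved_device"] and req.device_fingerprint not in APPROVED_DEVICES:
        return False, "device not in approved inventory"
    # The policy cannot tell a clean approved device from a compromised one;
    # this path check is the only layer the piggy-back attacker cannot satisfy.
    if req.network_path not in rule["paths"]:
        return False, f"{req.data_class} data not served via {req.network_path}"
    return True, "allowed"


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios mirroring the article's cases."""
    unknown_device = "sha256:0000000000000000000000000000000000000000000000000000000000000000"
    return {
        # Paul at the office on his laptop: restricted data is reachable.
        "paul_office_restricted": decide(AccessRequest("paul", True, True, PAUL_LAPTOP, "office", "restricted")),
        # Paul over VPN on his laptop: internal data is fine.
        "paul_vpn_internal": decide(AccessRequest("paul", True, True, PAUL_LAPTOP, "vpn", "internal")),
        # Piggy-back attacker on Paul's compromised laptop over VPN: same
        # credentials, same device, but restricted data is office-only.
        "piggyback_vpn_restricted": decide(AccessRequest("paul", True, True, PAUL_LAPTOP, "vpn", "restricted")),
        # Stolen credentials (and even a stolen one-time code) from an unknown device.
        "stolen_creds_unknown_device": decide(AccessRequest("paul", True, True, unknown_device, "internet", "internal")),
        # Password only, no second factor.
        "no_second_factor": decide(AccessRequest("paul", True, False, PAUL_LAPTOP, "vpn", "internal")),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The order of the checks matters only for the reason reported; the decision is the same whichever check fails first. The point the scenarios make is the article’s: the `piggyback_vpn_restricted` case passes every authentication check and is refused purely by data policy.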
Conclusion
Encryption isn’t enough. Authentication isn’t enough. You need to evaluate your data before a breach and determine what risks are acceptable, what you want to protect, and how you’re going to protect it. You need a data policy in place, with the full support of upper management, that incorporates the conflicting values of security and convenience, in a way that best suits the needs and risk tolerance of your company.
--Bob Young
FIFO Networks