Joseph Assaf Turner
QUICK WINS – ENCRYPTION
Prevent Data Leakage
Data breaches happen and will continue to happen. There will always be some vulnerability / backdoor / misconfiguration for an attacker to exploit. No one is impervious, but there are still tools you can use to minimize risk and even make a data breach ineffective for all intents and purposes.
Standard encryption renders stolen information worthless to the perpetrator. They may have files or databases but won't be able to successfully make any sense of the data for years.
Attackers have been using encryption against us for years, causing billions in damages through ransomware. Why not use encryption to protect our data and the privacy of our clients?
Following are a few implementations of encryption that could have saved millions of records and clients from being exposed following data breaches. They can still save your company.
Usernames and passwords are part of the "Users" table. A data breach exposing this table will inevitably expose user accounts and subsequently – passwords. There is double-trouble here:
a. An attacker with a user's credentials could perform activities on the user's behalf without the user's or the company's knowledge.
b. Users usually recycle passwords which means they use the same credentials for multiple accounts on different websites. Revealing a user's credentials exposes that user's accounts on other websites as well.
Solution: Only use hashed passwords and never keep the original password in text form. This prevents anyone with access to the database knowledge of the actual password.
Caveat: Very simple passwords can still be guessed by reverse-hash "rainbow tables" so make sure your users use long passwords.
Attempts to ban use of portable mass storage media such as USB-keys, failed. We still need to store and transfer data between networks and computer systems manually and the ultimate tool is portable media. Moreover, our employees are out and about with laptops filled to the brim with sensitive business and personal client information. Common theft or loss of such devices can be devastating to the company. An average 500GB laptop hard drive or a 64GB USB key can hold enough personal data to ruin millions of lives.
Solution: Mandate full disk encryption on all devices which can potentially leave the company facilities. Encryption will not protect the company form theft / loss of equipment but the data on those missing devices can be considered safe.
Encrypt Data in Rest
Data in rest i.e. data in your databases should be encrypted. When stored data is encrypted, outside users will not be able to use that data. This includes not only outside attackers exfiltrating data but also malicious insiders who try to unlawfully access restricted records. Again, this will not protect your network from being hacked into but will render the data useless to anyone without the proper decryption keys.
Encrypt Data in Transit
This is possibly the most trivial of all but still – too many companies neglect to encrypt communication pipes between sites and to 3rd party entities. As computing power grows, encryption becomes simpler and less burdensome, allowing encryption everywhere including between machines and nodes inside the company LAN.
Encryption is simple, easy to implement and to use over most media. I am encouraged by recent Russian threats and attempts to gain encryption keys from Telegram instant messaging app. If a superpower is having trouble decrypting our personal data, there may be hope for us after all…