encryption
BEWARE THE DOUBLE-EDGED SWORD

ENCRYPTION PLAYS A VITAL ROLE IN PROTECTING VALUABLE INFORMATION FROM BEING STOLEN OR ALTERED. BUT IT CAN BE USED BY YOUR ENEMIES JUST AS READILY

How do you stay one step ahead of the attackers, when it comes to employing the latest encryption technology? What is the right solution for your organisation? How do you make sure your systems aren't breached? In the wake of constant breaches, the time to focus on encryption has never been more urgent.

As Mark Hickman, chief operating officer, WinMagic, points out, encryption is the last line of defence against any data breach, such as an external hacker. "But it is often forgotten that the role of security is to protect against problems on the inside, as much as the outside, whether an accidental breach of data or a rogue employee. Sensitive data, whatever it is, should always be encrypted and be kept in that state. A simple rule is that, if you don't want just anyone to see it, then it should be encrypted. That way, encryption becomes embedded in the organisation from a technology and process perspective."

QUESTION TIME

Starting from that premise, we can then ask the following, he says: "What do I need to encrypt? How will that data be used and shared? Where will it be stored? Who needs access to it? These questions help you identify the scope of your encryption needs - for example, whether you need to be able to encrypt in the cloud."

Any data that you would fear losing, or that is sensitive in any way, should always be encrypted at the endpoint in the organisation, he adds. "This can also be used to ensure that, when data leaves the organisation, it remains encrypted wherever it goes by enforcing a security policy that requires it. The only way to make this work over modern infrastructures, which are diverse and multi-layered, is through centralised key management."
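As an added example of the centralised key management Hickman describes (code written for this page, not WinMagic's software), the hypothetical Go key server below keeps every file key server-side and returns plaintext only when its policy engine allows the requesting user, so revoking a grant cuts off every copy of a file, wherever it has been stored, without re-encrypting anything. The names KeyServer, Grant, Revoke, Encrypt and Decrypt are inventions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// KeyServer is a hypothetical central key server plus policy engine (not any
// vendor's product). File keys never leave it, so revoking a grant changes no
// ciphertext yet instantly stops decryption of every copy, on any device.
type KeyServer struct {
	keys   map[string]cipher.AEAD // fileID -> AES-256-GCM under that file's key
	policy map[grant]bool         // which users may decrypt which files
}
type grant struct{ user, fileID string }

func NewKeyServer() *KeyServer {
	return &KeyServer{keys: map[string]cipher.AEAD{}, policy: map[grant]bool{}}
}

func (ks *KeyServer) Grant(user, fileID string)  { ks.policy[grant{user, fileID}] = true }
func (ks *KeyServer) Revoke(user, fileID string) { delete(ks.policy, grant{user, fileID}) }

// Encrypt draws a fresh key and nonce, keeps the key here and returns nonce||ciphertext.
func (ks *KeyServer) Encrypt(fileID string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)     // AES has GCM's 16-byte block: cannot fail
	ks.keys[fileID] = aead
	return aead.Seal(buf[32:], buf[32:], plaintext, []byte(fileID)), nil
}

// Decrypt checks policy first; fileID is associated data, so a blob cannot be relabelled.
func (ks *KeyServer) Decrypt(user, fileID string, blob []byte) ([]byte, error) {
	if !ks.policy[grant{user, fileID}] {
		return nil, errors.New("policy denies " + user + " access to " + fileID)
	}
	aead, ok := ks.keys[fileID]
	if !ok || len(blob) < 12 {
		return nil, errors.New("unknown file or malformed ciphertext")
	}
	return aead.Open(nil, blob[:12], blob[12:], []byte(fileID))
}
```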
Since you own and control the encryption keys on a centrally controlled key server, access to the files remains completely under your control - wherever it goes, on any device. With centrally controlled encryption, it is also possible to ensure that files are only readable by certain individuals, thus helping a company enforce both regulatory and governance requirements.

But there are other examples where it is helpful, Hickman points out. "If an employee leaves the company, or you stop working with a specific partner organisation, access can be instantly terminated. Without encryption, users would retain access to those files and the practice would have no way of removing them from devices. Using centrally managed encryption, access can be removed in the policy engine; the user instantly loses the ability to decrypt and read the files."

If your company wants to use third-party cloud storage services, it is critical to use solutions where encryption keys are always in the control of the organisation, rather than the cloud service, he says. "This adds yet another level of protection, should a breach of usernames/passwords occur at a third-party cloud service provider. A hacker will not be able to read the files they can see." This type of cloud-based approach to encryption does not just protect from hackers, he continues, but equally it protects against anyone, accidentally or otherwise, sharing data with those that should not have access to it.

RANSOMWARE ATTACKS

Although encryption forms one layer of a cyber security policy by providing a mechanism to protect access to data by unauthorised individuals, whether at rest or in transit, that is far from the whole picture. "Unfortunately, we also see encryption used as a tool against us in Ransomware attacks, where our data is encrypted by a third party, preventing our access to it," says Brian Chappell, senior director, Enterprise & Solutions Architecture, BeyondTrust.
"Given that Ransomware will encrypt any data a user has access to write to, it makes it very hard to protect against. The rapid evolution of Ransomware means that signatures, hashes etc are quickly out of date and it's difficult to uniquely identify the activity of Ransomware before it's already too late."

14 computing security May/June 2017 @CSMagAndAwards

It should be clear that the key here is the data that users have access to and how that access is provided. "Administrative access should be limited to accounts that are only used for that purpose; no-one should be using an account with super-user rights for daily work," adds Chappell. "The risk is too high to allow that; clicking on the wrong attachment or file could be catastrophic, as the super-user has access to everything. Make sure that users have limited access to file shares: if they only need to view files, then make the access read-only and Ransomware is rendered impotent. If users do need to update and/or write to files, then ensure it's only the files they absolutely need access to."

Wherever possible, move data into more structured repositories, such as document management systems, databases etc, he further advises. "This may seem like a lot of effort and cost for a small to medium business, but losing access to all your data will make a £5,000 extortion payment seem like a reasonable option. By ensuring that users aren't directly accessing your data stores, even for administrative work, you present Ransomware with the least opportunity to impact your business and keep encryption as a tool that gives you benefits, rather than pain," he says.

LAST LINE OF DEFENCE

In itself, data encryption isn't a silver bullet. However, when properly embedded within a holistic information security plan, it will provide the most effective last line of defence.
"If bad actors manage to break through gateway defences to access internal servers, or data is intercepted whilst being transferred electronically or, for that matter, physically on removable media, as long as the bits and bytes recovered are unintelligible to an unauthorised recipient, the last line of defence has held firm," states Jon Fielding, managing director, EMEA, Apricorn. "Granted, the encryption must be correctly implemented with sufficiently strong encryption keys, ideally protected in hardware, so that the only method of attack is brute force. If you can also manage the number of unsuccessful brute force attempts before determining the device holding the data is being attacked and act, you build in another layer of protection."

Encryption is necessarily complicated, with tales of Bob and Alice, prime numbers, multiple algorithms, symmetric and asymmetric keys and a plethora of three-letter acronyms, he concedes. "However, to the average user, there is no need to understand this. Encryption should be automatic and invisible. The user shouldn't be left with a decision to encrypt or not. The organisation's information security policy should be enforced through technology, where possible, by locking USB ports to only accept corporately approved hardware encrypted USB devices, for example."

Encrypting valuable or sensitive data enables organisations to manage their risk. In a commercial world where mobile working is increasingly becoming the norm against a backdrop of stronger regulatory powers, encryption is a critical piece of the armoury. "For example, let's look at the General Data Protection Regulation (GDPR), which serves to harmonise a common legal framework in support of protecting EU citizen data and comes into effect in May of next year," suggests Fielding.
"There are various articles that cover consent and EU citizen rights amongst others, but there are clear mandates for data encryption: first, for compliance (Article 32); secondly, to mitigate the impact on any organisation that suffers a breach. Article 34 also removes the obligation to individually inform each citizen affected, if the data remains unintelligible. Article 83 suggests that fines (which can be as high as 4% of global turnover or 20 million euros)

Ed Kidson, Wick Hill: many organisations are left clueless as to which of their data is encrypted and which isn't.

Jacob Ginsberg, Echoworx: always monitor your network and follow best practices.
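Fielding's point earlier about managing the number of unsuccessful brute-force attempts, as an added example written for this page rather than Apricorn's firmware: the hypothetical Go Device below holds its data key only wrapped under a PIN-derived key, counts each failed unlock and erases the wrapped key once the limit is reached, so a guessing attack ends with nothing left to recover. The SHA-256 PIN derivation, the fixed salt and the limit of ten are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

const maxFailures = 10 // wrong PINs tolerated before the wrapped key is erased
// Device models the unlock path of a hypothetical PIN-protected encrypted drive
// (not Apricorn's firmware): the data key exists only wrapped under a PIN-derived key.
type Device struct {
	wrapped  []byte // nonce||AES-256-GCM(wrapping key, data key); nil once wiped
	failures int    // consecutive wrong PINs since the last successful unlock
}

// unwrapper builds AES-256-GCM under a PIN-derived key; SHA-256 with a fixed salt
// stands in for the slow, salted KDF a real device would use (an assumption here).
func unwrapper(pin string) cipher.AEAD {
	key := sha256.Sum256([]byte("example-device-salt:" + pin))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)   // AES has GCM's 16-byte block: cannot fail
	return aead
}

// Provision wraps a freshly generated data key under the user's PIN.
func Provision(pin string, dataKey []byte) (*Device, error) {
	nonce := make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Device{wrapped: unwrapper(pin).Seal(nonce, nonce, dataKey, nil)}, nil
}

// Unlock returns the data key for the right PIN. A wrong PIN fails the GCM tag
// check and counts; at maxFailures the wrapped key is erased, ending the attack.
func (d *Device) Unlock(pin string) ([]byte, error) {
	if d.wrapped == nil {
		return nil, errors.New("device wiped after too many failed attempts")
	}
	key, err := unwrapper(pin).Open(nil, d.wrapped[:12], d.wrapped[12:], nil)
	if err != nil {
		d.failures++
		if d.failures >= maxFailures {
			d.wrapped = nil // the only copy of the wrapped data key is gone
		}
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0 // a correct PIN resets the counter
	return key, nil
}
```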