Encryption is not a new invention. In fact, evidence of encrypted messages dates back to 1900 BC when the Egyptians wrote alternative symbols on pyramid walls to relay secret messages to one another. In modern times, though, encryption takes on a new meaning. Encryption is an essential part of securing data that sits on or moves through networks, devices, and other information systems.
Without encryption, “you are quite literally casting your thoughts, plans, projections, and concepts into the public realm, without regard for where they go, or by whom they may be consumed,” says Nick Selby, CEO of StreetCred Software, a provider of data analysis products for law enforcement.
Businesses exist entirely because of the individual products and services they offer. Business operations depend largely on the information systems on which they are run. What this means is that all of the data about intellectual property (IP), strategic and tactical plans, customer information, employee information, revenues, forward orders, partners, providers, new products or services, and even inter-office personal communications is available somewhere in your office network. If the information is sitting on or moving through the system unencrypted, anyone with access into the system—legitimate or not—can see it. There are scant few CEOs, I have to imagine, who would say, “Oh, don’t worry about protecting our business secrets,” yet many businesses still don’t encrypt (think: OPM, Healthworks, or the more recent SC Medicaid breach). As potentially devastating as it is to have data stolen or leaked, the real damage is only truly accomplished when that data is taken in cleartext.
If security professionals know the importance of encryption, and even the media is starting to catch on, thus consumers are adding it to their nomenclature, why is so much data still transmitted and stored unencrypted?
What you Want, Baby I got It
To begin, a lot of people don’t believe the emails they’re typing or the spreadsheets they’re creating for a meeting contain that much important stuff. Very few of us sit back and really ponder the value of the data in our work. We just do it to get it done and make sure we’re constantly moving forward, aiding the business. This habit of providing information when it’s needed or requested makes us a little careless at times. It’s not intentional. Even when certain parts of the information, like a finance spreadsheet for instance, are encrypted, if Leslie from legal sends an (unencrypted) email to Fred from finance asking about numbers on a merger the organization is considering, that communication is separate from the protected data. The really important information is protected in a spreadsheet, right, so what’s the harm in the email? In a word: Lots.
The same sensitive information is being communicated unencrypted even though it was stored encrypted. Even “the purveyors of the boring (‘I have nothing interesting to read’),” warns Selby, “would be quite stunned at the amount of information they give away” through unencrypted Internet communications.
Quite a lot of information can be pieced together with a little persistence, and once an adversary knows whom to target, it’s much easier to track down enough information to take what they need and make it “their own.”
Obviously things grow much worse when someone doesn’t have to piece together information. When entire databases are stored unencrypted, for instance, anyone with access can simply pluck sensitive data and use it to affect further damage. When we’re talking about password databases, employee databases with social security numbers, customer databases with credit card information, and the like, failure to encrypt—or failure to encrypt correctly—is massive systemic failure. According to Darrin Reynolds, founder of Reynolds Privacy, “the benefits of encryption can evaporate quickly due to common limitations such as human error, sloppy implementation, weak keys, or poor judgement.”
Ain’t Gonna do you Wrong
“A common mistake of businesses is to conflate legal protection (for example, marking a document as ‘Confidential’ or ‘Attorney-Client Privileged’) with information security,” says Selby. In fact, there’s an argument to be made that marking documents or files as such makes them more attractive to malfeasants. I know more than one pentester who writes, “year-end bonuses” on USBs then drops them in parking lots or break rooms. Another favorite trickster move is to create a file, name it, “layoffs,” then post it to the organization’s Intranet. It works every time, they report. Every single time in every type of organization, at least one employee takes the bait and opens the files.
Now replace your end user with an adversary and the phony file with real, sensitive documents that have been misplaced or surreptitiously proffered, and the problem is clear. Unless those same documents are encrypted, your nice note asking unauthorized individuals to stay away is the equivalent of putting one piece of Scotch Tape on your door to keep it secure. “Your foreign competitors or criminal gangs are unconcerned with legal niceties and think nothing of intercepting unencrypted communications," says Selby.
I'm about to give you all of my money
Encryption is not easy, though. Even when security teams are as diligent as can be, some information can slip through the cracks; the head of HR wants to work on a project over the weekend so she emails herself at her Yahoo! email address the information she needs. A sales rep is communicating with a hot prospect while he’s out of town, and he’s doing so from his personal mobile device that isn’t encrypted because it’s a pain to type in a passcode every time he needs to check messages.
Despite the best of intentions, mistakes can be made and systems can be circumvented. What about, though, security teams that have just not taken the necessary steps? What’s their excuse?
Encryption is hard, especially when so many priorities are on security teams’ lists. Every day the amount of information and number of systems security teams are responsible for grows larger. Each week there’s a new threat. Each month there is a board meeting for which security has to demonstrate effectiveness. And if there hasn’t been a breach? We’re all human and, as Selby points out, “if the threat of interception feels obscure and remote, most people will choose to roll the dice rather than protect their data.”
In addition, the process of configuring encryption and managing the keys that encrypt/decrypt documents and messages is challenging, says, Selby. It’s a time consuming, often tedious task that’s less pressing if a return on investment isn’t realized. The problem, as with much of a security, is that the absence of an occurrence equals success. Just because unencrypted data hasn’t be stolen (or if you don’t know it has been stolen) yet, doesn’t mean it won’t be. An organization doesn’t need to have its product plans posted on Pastebin for a problem to exist.
Reynolds agrees: “Encryption is easy to recommend. It’s a single-word answer for improving the security posture of just about any architecture, has a proven track record, and makes any conversation sound a bit sexier (which is a rare treat in the world of infosec).” The problem with actually implementing it, he furthers, is scale and complexity. “By design, [encryption is] intended to make data ‘unusable.’ That is antithetical to the needs of an enterprise.”
All I’m askin’ in return, honey
Turn your tables on the attackers and make it harder for them to see your product plans in the first place. Encrypt. A recent report by Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar listed 865 encryption products currently on the market. With so many options available—some free, some for a fee—organizations need to take a good, hard look at how they are protecting the data inside their systems. Further, security teams should question the encryption practices of vendors who might have any control of or access to their data.
In both the court of law and public perception, it doesn’t matter who stole your data or how; it only matters if best efforts to adequately protect that data were not made. Without a doubt, leaving your data unencrypted does not count as the “best of” anything. Reynolds concurs: “(at least for today) Encryption may function as a ‘get-out-of-jail-free’ card for nearly every breach scenario.” While this may not hold true in the future, for now, the ability to prove your data was encrypted “is akin to uttering a mystic incantation of protection,” he says. Or in other words, without encryption, you’re runnin’ out of fools, and I ain’t lying!