No, Encryption Is Not Enough to Protect Your Data

    If you don't think your data is vulnerable, just search Google for “data breach,” and limit the search to news in the last month. You'll get more than 2,000 results. And while most may be redundant, there are enough unique stories to demonstrate that if your company network is accessible via the Internet, it is potentially under attack.

    In 2011, the top 10 reported data breaches netted hackers more than 170 million data records, including personally identifiable information (PII) such as names, addresses, and email addresses. More serious information including login credentials, credit card information, and medical treatment information was also exposed.

    While there is no data on the security employed on the systems from which this data was taken, the variety of companies and the volume of data compromised are significant enough to point out that no system should be considered safe.

    Even if you encrypt your data, you are only part of the way there. In its "2012 Data Protection & Breach Readiness Guide," the Online Trust Alliance (OTA) notes that data and disk encryption is just one of 12 security best-practices. But why isn't encryption by itself enough?

    Unfortunately, encryption is not enough because of the number and variety of attack vectors that are launched against your network every day. According to Verizon's "2012 Data Breach Investigations Report," the vast majority of all breaches in 2011 were engineered through online attacks in the form of hacking, malware, or social engineering, an approach where human interaction, rather than software, is used as the attack vector.

    Let's look at the list of “Security Best-Practices” provided by the OTA (first column of the table below) with my added comments and thoughts as to the purpose behind the recommendation (second column). Please note, I am in no way affiliated with the Online Trust Alliance, and I had no input into the report cited.

    Table 1: Security Best-Practices & Commentary

    1. Recommendation: Use of Secure Sockets Layer (SSL) for all data forms
       Purpose / Comments: Limits network snooping. CAUTION: Because of known hacks to SSL, only TLS v1.1 and 1.2 should be used.

    2. Recommendation: Extended Validation of SSL certificates for all commerce and banking applications
       Purpose / Comments: This is a consumer protection recommendation. It does nothing for securing data.

    3. Recommendation: Data and Disk Encryption
       Purpose / Comments: Limits data access. Disk encryption, depending on its implementation, uses either a software key or a hardware key and can encrypt the volume and/or the Master Boot Record (MBR). Data encryption, depending on implementation, can encrypt fields within a table or entire tables. The encryption can be symmetric or asymmetric. It prevents access to the information in the tables.

    4. Recommendation: Multilayered firewall protection
       Purpose / Comments: Limits cross-tier network access.

    5. Recommendation: Encryption of wireless routers
       Purpose / Comments: Limits network entry points by blocking unauthorized wireless access.

    6. Recommendation: Default disabling of shared folders
       Purpose / Comments: Limits network entry points by removing common shares and their associated, known passwords.

    7. Recommendation: Security risks of password reset and identity verification security questions
       Purpose / Comments: Limits unauthorized password resets or unintentional leaks of password information.

    8. Recommendation: Upgrading browsers with integrated phishing and malware protection
       Purpose / Comments: Limits an attack vector.

    9. Recommendation: Email authentication to help detect malicious and deceptive email
       Purpose / Comments: Limits an attack vector.

    10. Recommendation: Automatic patch management for operating systems, applications and add-ons
        Purpose / Comments: Reduces zero-day exploits or malware delivered as a software patch.

    11. Recommendation: Inventory system access credentials
        Purpose / Comments: Limits loss of network access.

    12. Recommendation: Remote wiping of mobile devices
        Purpose / Comments: Limits loss of data from stolen, lost, or known-compromised mobile devices.

    Source: Online Trust Alliance and Hendry Betts III
    In the Purpose/Comments column above, I used the verb “limits” intentionally because nothing completely prevents users from responding to social engineering, phishing attacks via email or Web sites, or malicious downloads. User education is, in my opinion, the best tool to limit the impact of these types of attacks.
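    Row 3 of the table describes field-level data encryption with a symmetric cipher, and the paragraph above explains why it only "limits" access. The following is an added example, not code from the article or from the OTA guide: it encrypts a single PII column value with AES-GCM from Go's standard library, so a stolen table dump exposes only ciphertext, while the application tier that holds the key still reads the plaintext, which is where the remaining attack vectors in the article land. The key and the sample email address are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from the table key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one column value as nonce || ciphertext (fresh nonce per field).
func SealField(key []byte, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// OpenField decrypts a stored value; GCM rejects a wrong key or a modified value.
func OpenField(key, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", fmt.Errorf("stored value is not a sealed field")
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
	return string(pt), err
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // demo key; production keys belong in a KMS/HSM
	sealed, _ := SealField(key, "alice@example.com")   // all a stolen table dump exposes
	email, _ := OpenField(key, sealed)                 // what the key-holding application tier reads
	fmt.Printf("%x\n%s\n", sealed, email)
}
```

    The Name column in such a table stays readable and the encrypted columns still reveal that a row exists, so the encryption narrows what a breach yields rather than preventing it, which is the author's point.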

    Both my personal experience and the best-practices outlined in the OTA report show that there is no single silver bullet for data protection. The best-practices to protect your company's data engage the network, the data, and the users themselves. And, ultimately, I think the absolute best-practice is to expect a breach, actively monitor your networks, and educate the users.

    Article published on: The Internet Evolution Website.
