How to Properly Wield the Weapon of Encryption

Among the everyday news of security breaches, one recent incident brought to light a weakness in something we often take for granted because it is considered “standard”: encrypted data.

Earlier this year in South Carolina, the state’s Department of Revenue was responsible for a debilitating fissure in its security that led to an enormous leak of personal data. South Carolina’s governor, Nikki Haley, commented, “When you combine 1970 equipment and the fact we were IRS compliant, that was a cocktail for an attack. The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers. Should we have done more? Yes, we should have done above and beyond what we did.”

Because sensitive data was not entirely encrypted, millions of personal tax returns including Social Security numbers were stolen, and the tax returns of 700,000 businesses were exposed as well. Furthermore, of all the credit card numbers stored by the Department of Revenue, all but 371,000 were unencrypted. Clearly PCI compliance was not met in this scenario, an issue (and article) in and of itself. For now, let’s look at why encryption matters so much, and what you can do to avoid a similar disaster.

Tokenization, the other encryption

I hear you saying it now: “Tokenization is not encryption.” Sure it is! It’s just a little different. Where your normal encryption is algorithm-based, tokenization is essentially architecture-based. By replacing the sensitive data with a seemingly meaningless substitute value (the token), tokenization insulates the sensitive data by denying your application direct access to it. A compromise of your immediate data source then equates to a much less severe breach, while the items of real value remain intact. It’s an easy add-on and a perfect complement to encryption, so make sure you don’t leave it off the table. Tokenization can be managed internally without much trouble. If you don’t have internal resources, though, tokenization can be outsourced to a vendor and deployed successfully that way as well. Whichever route you take, just be sure you’re entrusting this process to capable, experienced hands.
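The separation the paragraph describes, as an added example in Python (not code from the original column): a hypothetical TokenVault is the only component that stores the real card number and hands the application a random token; the application’s own order store only ever holds the token, so a dump of that store yields nothing of value. The class and function names and the sample card number (the common 4111… test pattern) are constructed for this example.

```python
import secrets

# Constructed sample value: a card number in the well-known 4111... test pattern,
# standing in for any sensitive field (PAN, SSN) the application must not store.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical vault: the only component that ever stores the real value.

    Tokens are random bytes, not an encoding or encryption of the value, so a
    token on its own says nothing about the data it stands for. The only way
    back is a lookup in this vault, which is why the vault is deployed and
    access-controlled separately from the application that uses the tokens.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # same PAN -> same token, so the app can still match records

    def tokenize(self, value: str) -> str:
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        token = secrets.token_hex(16)  # 128 random bits
        while token in self._token_to_value:  # collision guard (practically never loops)
            token = secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Return the real value; in practice this is the call you restrict and audit."""
        return self._token_to_value[token]


class OrderStore:
    """The application's own database. It receives tokens, never the PAN."""

    def __init__(self):
        self.rows = []

    def save(self, order_id: str, card_token: str, card_last4: str) -> None:
        self.rows.append({"order_id": order_id, "card_token": card_token, "card_last4": card_last4})

    def contains(self, value: str) -> bool:
        """Simulates someone reading every field of a dumped table."""
        return any(value == field for row in self.rows for field in row.values())


def place_order(vault: TokenVault, store: OrderStore, order_id: str, pan: str) -> str:
    """The application path: swap the PAN for a token before anything is written."""
    token = vault.tokenize(pan)
    store.save(order_id, token, pan[-4:])  # last four digits kept for receipts/display
    return token


def run_demo() -> dict:
    """Two orders on the same card; reports what each side can and cannot see."""
    vault, store = TokenVault(), OrderStore()
    first = place_order(vault, store, "order-1", SAMPLE_PAN)
    second = place_order(vault, store, "order-2", SAMPLE_PAN)
    return {
        "token_length": len(first),
        "same_card_same_token": first == second,
        "pan_in_app_store": store.contains(SAMPLE_PAN),  # what a dump of the app DB yields
        "vault_recovers_pan": vault.detokenize(first) == SAMPLE_PAN,
        "token_is_not_pan": first != SAMPLE_PAN,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the token is drawn from `secrets`, not derived from the card number: a format-preserving or hash-based token would give an attacker who steals the application database something to work with, while a random one does not. The vault’s `detokenize` path is where access control, rate limiting and logging belong, since it is the only route back to the real data.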

Be smart about your cipher

You know that weak ciphers can compromise the protection of your data, but maybe you don’t think that’s a significant enough reason to put some effort into strengthening yours. Oftentimes even savvy security managers overlook weak key algorithms, or intentionally accept an inadequate cipher in exchange for meeting performance needs. Despite some common misinformation, it is quite possible to choose a strong cipher and key length while still meeting performance requirements. For example, you can employ AES-256 and still experience relatively fast performance. Symmetric key ciphers come as either block or stream ciphers, each of which serves a particular purpose, so do your research to find out what best suits your unique security needs. Look into your options, and don’t skimp on something as important as your cipher.

On the flip side, hashing is also a viable option depending on the data. Quite a few organizations hash passwords, but keep in mind a word of caution: hash cracking has become an increasingly popular “sport.” Be mindful that passwords protected with certain hashing algorithms can be recovered without much effort. MD5 and other weak hashing methods are essentially worthless for data with any value.
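To make the caution concrete, here is an added Python example (not from the column) that puts the pattern it warns against next to a sound one, using only the standard library: an unsalted MD5 digest, which is identical for every user who picked the same password and therefore falls to one precomputed table, versus PBKDF2-HMAC-SHA256 with a per-user random salt and a deliberately slow work factor. The function names, the sample password and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import secrets

# Constructed credential for the demo; not from any real system.
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for PBKDF2-HMAC-SHA256. Tune it so one verification costs a
# noticeable fraction of a second on your hardware, and raise it over time.
PBKDF2_ITERATIONS = 600_000


def weak_md5(password: str) -> str:
    """The pattern the column warns against: a fast, unsalted hash.

    Identical passwords give identical digests in every database in the world,
    so a single precomputed table of common passwords reveals every matching user.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash.

    A fresh random salt per user defeats shared lookup tables; the iteration
    count makes every guess expensive for whoever obtains the stored values.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store everything needed to verify later, so the work factor can be raised
    # without invalidating existing records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_values_collide(hasher, password: str) -> bool:
    """Would two users who chose the same password end up with identical stored
    values? True for unsalted MD5, False for the salted scheme."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    print("unsalted MD5 collides across users:", stored_values_collide(weak_md5, SAMPLE_PASSWORD))
    print("salted PBKDF2 collides across users:", stored_values_collide(hash_password, SAMPLE_PASSWORD))
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_password("wrong", record))
```

The self-describing record format (`algorithm$iterations$salt$digest`) is what lets you raise the work factor later: on a successful login you can re-hash with the new count and overwrite the old record. For new systems, bcrypt, scrypt or Argon2 are the usual choices; PBKDF2 is shown here because it ships with the standard library and illustrates the same two properties, salt and cost.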

Consider your choices

You know you need encryption, so then the question becomes how to start. What needs to be encrypted? The answer is anything of value. Sensitive data that is being accessed from a mobile device, cloud infrastructure, or through public networks must be encrypted in addition to anything housed locally as these mediums are sometimes more vulnerable by nature. It’s always worth repeating that things like credit card numbers, social security numbers and other personally identifying pieces of information should be handled with ultimate protection. Learn from the South Carolina Department of Revenue disaster, and don’t allow even a slim chance for sensitive information to be unearthed. Cover the bases by being sure passwords are never stored in plaintext, and continue to use other security measures to provide a layered defense. Also look into more basic measures such as SSL/TLS, which will put in place an encrypted link between a browser and your Web server.
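One place where the cipher advice from “Be smart about your cipher” and the SSL/TLS advice above meet in code is the TLS configuration of a service or client. The Python below is an added example, not from the column: it builds a context with the standard library’s `ssl` module, pins the minimum protocol version at TLS 1.2, and flags any enabled suite whose name carries a marker of a weak cipher (RC4, 3DES), a weak hash (MD5), or no real protection at all (NULL, anonymous, export grade). The `WEAK_MARKERS` list and the function names are this example’s own.

```python
import ssl

# Substrings in OpenSSL suite names that the column's advice rules out:
# RC4 and (3)DES as weak ciphers, MD5 as a weak hash, NULL/ADH/AECDH/EXPORT
# as no encryption, no authentication, or export-grade key sizes.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-", "ADH", "AECDH")


def weak_cipher_names(names):
    """Return the suite names that match any weak marker (case-insensitive)."""
    return [name for name in names if any(marker in name.upper() for marker in WEAK_MARKERS)]


def hardened_tls_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Start from the library's secure defaults and refuse anything below TLS 1.2.

    create_default_context() already enables certificate verification and
    hostname checking for SERVER_AUTH; the explicit minimum_version keeps the
    floor from depending on the OpenSSL build's own default.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Suite names the context would offer, in OpenSSL's preference order."""
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will negotiate, for review or a CI check."""
    names = enabled_cipher_names(ctx)
    return {
        "minimum_version": ctx.minimum_version.name,
        "enabled_suites": len(names),
        "weak_suites": weak_cipher_names(names),
    }


if __name__ == "__main__":
    report = audit_context(hardened_tls_context())
    print(f"minimum protocol: {report['minimum_version']}")
    print(f"enabled suites:   {report['enabled_suites']}")
    print(f"weak suites:      {report['weak_suites'] or 'none'}")
```

Running the audit in a test suite turns “be smart about your cipher” into something that fails a build when a dependency or an OS upgrade quietly re-enables an old suite. The same `weak_cipher_names` filter can be run over the output of a server-side scan of your web tier, since it only looks at suite names.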

With something like encryption, it’s easy to become complacent and not take proper steps because of a perceived lack of time or resources, or a misconception that you have other safety nets in place. Know that you can’t expect encryption alone to act as a be-all, end-all solution to the full suite of your security needs. When it comes to security, every layer matters. This major breach in South Carolina should serve as a stark example of why you can’t look past the powerful mainstay of encryption.
