
SecurityWeek

Cloud Security

How to Properly Wield the Weapon of Encryption

Among the everyday news of security breaches, one recent incident brought to light a vulnerability we often take for granted because it is considered “standard”: encrypted data.


Earlier this year in South Carolina, the state’s Department of Revenue was responsible for a debilitating fissure in its security that led to an enormous leak of personal data. South Carolina’s governor, Nikki Haley, commented, “When you combine 1970 equipment and the fact we were IRS compliant, that was a cocktail for an attack. The IRS, which we were compliant with, does not believe that you have to encrypt Social Security numbers. Should we have done more? Yes, we should have done above and beyond what we did.”

Because sensitive data was not entirely encrypted, millions of personal tax returns including Social Security numbers were stolen, and 700,000 businesses also had tax return data exposed. Furthermore, of all the credit card numbers stored by the Department of Revenue, all but 371,000 were unencrypted. Clearly PCI compliance was not met in this scenario, an issue (and article) in and of itself. For now, let’s look at why encryption matters so much, and what you can do to avoid a similar disaster.

Tokenization, the other encryption

I hear you saying it now: “Tokenization is not encryption.” Sure it is! It’s just a little different. Where your normal encryption is algorithm-based, tokenization is essentially architecture-based. By replacing the sensitive data with an opaque, seemingly meaningless key, tokenization insulates the sensitive data by denying your application direct access to it. A compromise of your immediate data source then equates to a much less severe breach, because the items of real value remain out of reach. It’s an easy add-on and a perfect complement to encryption, so make sure you don’t leave it off the table. Tokenization can be managed internally without much trouble. If you don’t have internal resources, though, it can be outsourced to a vendor and deployed successfully that way as well. Whichever route you take, just be sure you’re entrusting this process to capable, experienced hands.
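To make the architecture point concrete, here is an added example (not code from the article or from any vendor) of the pattern described above: a hypothetical token vault is the only component that holds real values, the application database stores only random tokens, and a dump of that database yields nothing of value. The card number and customer name are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenVault stands in for the isolated token store: it is the only component
// that holds real values, and it must sit behind its own access controls,
// separate from the application database. (Hypothetical illustration.)
type TokenVault struct {
	mu      sync.Mutex
	byToken map[string]string // token -> sensitive value
	byValue map[string]string // sensitive value -> token, so repeats get a stable token
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns an opaque token for value. The token is 128 random bits
// from crypto/rand, so nothing about the value can be derived from it; the
// only way back is the vault's own table.
func (v *TokenVault) Tokenize(value string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(buf)
	v.byToken[t] = value
	v.byValue[value] = t
	return t, nil
}

// Detokenize is the privileged path back to the real value. Only the vault
// can do this; the application tier never needs the value for most of its work.
func (v *TokenVault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	val, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return val, nil
}

// CustomerRecord is what the application database actually stores.
type CustomerRecord struct {
	Name      string
	CardToken string
}

// Leaks models an attacker who dumps the application database: it reports
// whether any of the given sensitive values appear in that dump.
func Leaks(records []CustomerRecord, secrets []string) bool {
	var dump strings.Builder
	for _, r := range records {
		dump.WriteString(r.Name + "," + r.CardToken + "\n")
	}
	for _, s := range secrets {
		if strings.Contains(dump.String(), s) {
			return true
		}
	}
	return false
}

func main() {
	vault := NewTokenVault()
	pan := "4111111111111111" // constructed test card number
	tok, err := vault.Tokenize(pan)
	if err != nil {
		panic(err)
	}
	records := []CustomerRecord{{Name: "A. Customer", CardToken: tok}}
	fmt.Println("stored token:", tok)
	fmt.Println("app DB exposes card number:", Leaks(records, []string{pan}))
}
```

The value-to-token map gives repeat submissions a stable token so the application can still match records; it also means the vault itself is the crown jewel, which is exactly why the article insists it be run by capable hands and kept apart from the application's own data store.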

Be smart about your cipher

You know that weak ciphers can compromise the integrity of your data, but maybe you don’t think that’s a significant enough reason to put some effort into strengthening yours. Oftentimes even savvy security managers overlook weak key algorithms, or intentionally accept an inadequate cipher in exchange for meeting performance needs. Despite some common misinformation, it is quite possible to choose a strong cipher and still meet performance requirements, even with a strong key. For example, you can employ AES-256 and still experience relatively fast performance. Symmetric-key ciphers come in two forms, block ciphers and stream ciphers, each of which serves a particular purpose, so do your research to find out what best suits your unique security needs. Look into your options, and don’t skimp on something as important as your cipher.
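As an added example (not from the article), the following Go program shows what "employ AES-256" looks like in practice: a 256-bit key with AES in GCM mode, a fresh random nonce per message, authenticated associated data binding the ciphertext to its record, and a quick throughput measurement so you can check the performance claim on your own hardware. The record contents and row identifier are constructed sample data, and in production the key would come from a key-management system rather than being generated in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeySize is 32 bytes: a 256-bit key selects AES-256.
const KeySize = 32

// NewKey draws a fresh AES-256 key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, KeySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// newGCM rejects anything that is not a 256-bit key, then builds AES-GCM,
// an authenticated mode: output is confidential and tamper-evident.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext as nonce || ciphertext || tag. aad is authenticated
// but not encrypted; binding a record identifier there stops a ciphertext
// from being silently moved to another record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per message; a nonce must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails closed on any change to nonce,
// ciphertext, tag or aad.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// MegabytesPerSecond encrypts n zero bytes once and reports throughput.
func MegabytesPerSecond(key []byte, n int) (float64, error) {
	buf := make([]byte, n)
	start := time.Now()
	if _, err := Encrypt(key, buf, nil); err != nil {
		return 0, err
	}
	return float64(n) / 1e6 / time.Since(start).Seconds(), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record, aad := []byte("SSN=123-45-6789"), []byte("taxpayer-row-42") // constructed sample
	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, sealed, aad)
	fmt.Printf("round trip ok: %v (%d bytes stored)\n", err == nil && string(plain) == string(record), len(sealed))
	sealed[len(sealed)-1] ^= 0x01 // simulate one flipped byte in storage
	_, err = Decrypt(key, sealed, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)
	mbps, _ := MegabytesPerSecond(key, 64<<20)
	fmt.Printf("AES-256-GCM throughput here: %.0f MB/s\n", mbps)
}
```

On any CPU with AES instructions the throughput figure will be in the hundreds of megabytes per second or more, which is the practical point of the paragraph above: key strength is not what makes encryption slow. The random-nonce design is fine for the message volumes a single key typically sees; if one key must seal billions of records, rotate keys or use a nonce-misuse-resistant mode.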

On the flip side, hashing is also a viable option depending on the data. Quite a few organizations hash passwords, but keep in mind a word of caution: hash cracking has become an increasingly popular “sport.” Be mindful that certain hashing algorithms can be cracked without much effort. MD5 and other weak hashing methods are essentially worthless for data with any value.
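Here is an added example (my code, not the article's) of how a password store should be built so that the caution above holds: a per-user random salt, PBKDF2-HMAC-SHA256 written out from RFC 8018 so the stretching step is visible, constant-time comparison on verify, and a check that flags legacy entries (a bare MD5 digest, or a record below the current work factor) for re-hashing at the user's next login. The iteration count follows the current OWASP recommendation for this function; the passwords and the legacy MD5 entry are constructed sample data, and a vetted library should replace the hand-written PBKDF2 in production.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DefaultIterations follows OWASP guidance for PBKDF2-HMAC-SHA256.
const DefaultIterations = 600000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out here so the
// key-stretching loop is visible.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	hashLen := sha256.Size
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		mac.Write(idx)
		u := mac.Sum(nil)             // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword returns a self-describing record: scheme$iterations$salt$hash.
// A 16-byte random salt per user defeats precomputed tables; the iteration
// count makes every guess expensive.
func HashPassword(password string, iter int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iter, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

func parseRecord(stored string) (int, []byte, []byte, error) {
	p := strings.Split(stored, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return 0, nil, nil, errors.New("unsupported hash format")
	}
	iter, err := strconv.Atoi(p[1])
	salt, err2 := hex.DecodeString(p[2])
	dk, err3 := hex.DecodeString(p[3])
	if err != nil || err2 != nil || err3 != nil || iter < 1 {
		return 0, nil, nil, errors.New("malformed record")
	}
	return iter, salt, dk, nil
}

// VerifyPassword recomputes the hash and compares in constant time.
func VerifyPassword(password, stored string) bool {
	iter, salt, dk, err := parseRecord(stored)
	if err != nil {
		return false
	}
	return hmac.Equal(dk, pbkdf2SHA256([]byte(password), salt, iter, len(dk)))
}

// NeedsRehash flags anything not in the current scheme (for example a bare
// 32-hex MD5 digest left over from an old system) or below the current work
// factor, so the entry can be upgraded at the next successful login.
func NeedsRehash(stored string) bool {
	iter, _, _, err := parseRecord(stored)
	return err != nil || iter < DefaultIterations
}

func main() {
	rec, err := HashPassword("correct horse battery staple", DefaultIterations)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec)
	fmt.Println("verify ok:", VerifyPassword("correct horse battery staple", rec))
	fmt.Println("legacy md5 needs rehash:", NeedsRehash("5f4dcc3b5aa765d61d8327deb882cf99")) // constructed legacy entry
}
```

The migration check is the part most shops skip: an unsalted MD5 column does not become safe because new signups use a better scheme, so every legacy row should be re-hashed the moment its owner next proves the password.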

Consider your choices


You know you need encryption, so the question becomes how to start. What needs to be encrypted? The answer is anything of value. Sensitive data that is accessed from a mobile device, cloud infrastructure, or public networks must be encrypted in addition to anything housed locally, as these mediums are sometimes more vulnerable by nature. It’s always worth repeating that things like credit card numbers, Social Security numbers and other personally identifying pieces of information should be handled with the utmost protection. Learn from the South Carolina Department of Revenue disaster, and don’t allow even a slim chance for sensitive information to be unearthed. Cover the bases by making sure passwords are never stored in plaintext, and continue to use other security measures to provide a layered defense. Also look into more basic measures such as SSL/TLS, which puts an encrypted link in place between a browser and your web server.

With something like encryption, it’s easy to become complacent and skip proper steps because of a perceived lack of time or resources, or a misconception that you have other safety nets in place. Know that you can’t expect encryption alone to act as a be-all, end-all solution to the full suite of your security needs. When it comes to security, every layer matters. This major breach in South Carolina should serve as a stark example of why you can’t look past the powerful mainstay of encryption.
