Encryption. The good…and the bad.
With the increase in Cyber Attacks over the last decade, security vendors and organizations have focused a lot of their efforts on encrypting company data.
The Good:
Point to Point, VPN and TLS to protect data in transit.
Application encryption and HSM’s to protect sensitive data at rest.
SHA encryption to provide integrity and assurance data/applications have not changed.
The Bad:
While there has been tremendous progress made, these advances provide operational challenges for IT teams.
Key Management is more complex than it sounds. Rotating Keys, particularly in traditionally disconnected technologies like Payment Terminals, can be expensive and time consuming.
All encryption carries with it overhead, development teams are hesitant to implement strong encryption for fear of performance issues.
Depending on how encryption is implemented, data may need to be decrypted in order to be searched. This introduces challenges managing Business Intelligence systems.
Bad Actors are also leveraging encryption to protect their activities and avoid detection.
Nearly all websites use TLS, even the bad ones. This enables bad actors to circumvent perimeter controls.
Destructive Ransomware renders data useless.
Encrypted Emails and Attachments are used to bypass traditional email security.
How can security practitioners overcome some of these challenges?
Leverage a Key Vault and/or HSM that can manage keys on your behalf. There are plenty of options available for on prem hosting. The top 3 cloud providers (AWS, Azure, Google) also offer solutions that may fit nicely if you have existing cloud infrastructure.
If equipment needs to be upgraded in order to support centralized configuration management, build a business case that demonstrates both the security and operation benefits. Often times the savings realized by not sending technicians to remote locations pays for the solution outright.
Encrypt databases at rest to prevent leakage in the event of lost back up media or disks.
To address Development Team concerns, target only the sensitive information in your environment for field level encryption and manage Data Reporting access through constrained views that require user authorization.
If you are not performing SSL inspection for your web traffic, you should start. Most firewall and internet proxies can be configured as a man in the middle to inspect encrypted traffic for malicious content. A few tips: consider excluding web categories like Banking and Health Care to avoid accidental disclosure of sensitive info. Also, be aware that cert pinned apps may need to be excluded. Keep up with certificate expiration dates as most of these solutions are work by substituting certs. Lastly, make sure your Acceptable Use Policy covers monitoring employee internet usage. While your Security Team’s motives are honorable the fact is security software leverages the “ability” to eavesdrop on communications and this should be known.
To detect Ransomware, here are a few options. By the nature of how ransomware works, it must access and write to the local file system. With file auditing enabled you may be able to detect anomalies. Ransomware is typically noisy and will read and write files at a very high rate, use caution however as your logs will grow considerably. A better option may be using AV and EDR platforms, speak with your vendors about how they detect ransomware. They should have multiple ways of monitoring (heuristic, signature, file system). Another option to consider is using commercial E-Discovery or DLP tools, many can be leveraged for the purpose of detecting Ransomware and satisfy both your Data Classification and Data Protection needs.