Encryption: The good and the bad
Encryption exists to protect data from unauthorised access by translating it into a format that is unreadable without a decryption or secret key. However, the very method used to keep data safe is also being used to compromise it.
The likes of Ransomware is becoming increasingly prevalent, with stories about such attacks flooding newsfeeds on almost a daily basis. Once it has infiltrated a system or network, Ransomware leverages encryption to hold data hostage, demanding payment for the decryption key to release the data back to the owner.
The need to protect data
Data is valuable, and there is an increasing need to protect it. Looming regulations such as the Protection of Personal Information (PoPI) Act, and the EU’s General Data Protection Regulation (GDPR) are driving forces behind having proper mechanisms in place to protect personal information.
It’s also good common sense to ensure that data, particularly sensitive data such as company information, proprietary data and personal data, is protected. Perimeter security and firewalls are no longer sufficient in a connected world where closing all the doors to your information is becoming harder to do.
Many cyber-attacks are unwittingly initiated from within organisations through users accidentally opening an infected webpage or link, heightening the need for proper controls to be in place - controls such as encryption.
How encryption works
Encryption essentially converts plaintext data into something called ciphertext using algorithms and an encryption key. There are two main types of encryption: symmetrical and asymmetrical. Symmetrical encryption uses the same key to encrypt and decrypt data, meaning the key used to encrypt the data must be shared with the recipient to decrypt the file - similar to when your password lock a word document.
Asymmetric encryption makes use of two different encryption keys, a private and public key. The keys are usually large numbers that have been paired together but are not identical. Either of the keys can be used to encrypt a message, however the opposite key from the one used to encrypt the message is used for decryption.
Best practice for better control
Encryption is one of the tools that is used to protect data, but should form part of a data security strategy which defines various controls to keep data safe.
For organisations to protect data, it is important that they understand their data, knowing what data they are protecting and where that data resides. After all, you can’t effectively protect something if you don’t know where it is, and it wastes resources and time to protect data that doesn’t need protection.
There are two main types of data: data at rest and data in transit. From a data in transit point of view, data is encrypted as it traverses various networks. Data at rest, however, requires different levels of protection for maximum effectiveness.
Data at rest - which is data residing in a business’s data centre, backup storage, network and various machines such as computers or mobile devices - needs to be classified in order to define the level of protection required. This includes basic rights management and access control regarding who may access what data, an under what conditions.
More often, organisations are employing controls such as multi factor authentication, which combines two or three of three elements: password, physical card or token and biometrics. Regardless of the controls in place, encryption is still required at every data access point to protect against unauthorised access, use or dissemination. In this way, even if an individual gains access to data, they are unable to read it or, in any way, use or abuse the data.
Ransomware is predicted to escalate in the upcoming years, especially with services such as Ransomware-as-a-Service (RaaS) being offered on the Dark Web. The rise of Ransomware means that organisations need to make plans to protect themselves against attack, while also considering a plan of action for if they are successfully targeted.
Most IT security companies and professionals strongly advise against paying to restore data. Not only does this drive the success of Ransomware, fuelling the rise of cybercrime, but paying the ransom does not guarantee that a business will recover its data. With this in mind, companies need to be prepared in other ways.
Preparation includes introducing a strict and well communicated IT security policy, with aligned security mechanisms, which educates and informs all stakeholders of the dangers of Ransomware and how to prevent infiltration. It also means having a solid backup solution in place which enables multiple data copies to be created and kept, and which shows evidence of strong security and encryption in place as well.
If Ransomware breaches an organisation’s security measures, organisations can fall back on a backup. It is important, however, that the business chooses a backup solution which offers quick data restoration time, as well as the safety net of an offline backup, too. No organisation which uses the Internet (basically every business) is completely immune to Ransomware, and if a business’s backup is also compromised, having an offline backup could be the difference between continuing with business as usual, or shutting up shop.
Simeon Tassev, Managing Director and QSA, Galix Networking