Archive for the 'Enterprise Security' Category

21 Feb 08

Encryption 101

Unfortunately, many businesses fail to take advantage of encryption technology, fearing that it’s too complex and difficult to use on a routine basis. In reality, encrypting vital data isn’t much more difficult than running a virus scanner or a data-backup program. Here’s how to get started.

The Basics

There are two basic ways to encrypt data. One approach is asymmetric, or public-key, cryptography, which is based on a pair of mathematically linked keys: one is private and known only to its owner, while the other is public and can be handed to anyone the owner exchanges data with. A PKI (public-key infrastructure) is the set of certificates, certificate authorities and revocation services that binds those public keys to identities; the term is often used loosely, as it is here, for public-key encryption in general.

Public-key cryptography provides confidentiality (only the private-key holder can read data encrypted to the public key), authentication and integrity (a digital signature made with the private key can be checked by anyone holding the public key) and non-repudiation (proof that a particular party sent a particular document). While most security vendors incorporate some type of PKI support into their software, differences in certificate formats, trust models and implementation details still hinder interoperability between products.

The other method is symmetric-key, or “secret-key”, encryption, which uses the same key to both encrypt and decrypt. Symmetric ciphers such as AES are far faster than public-key operations and, with a properly generated key, are not weaker; the difficulty is that every party who needs to read the data must hold the same secret, so the key has to be distributed and stored securely. In practice the two approaches are combined: the bulk data is encrypted with a random symmetric key, and that key is then protected with the recipient’s public key or with a key derived from a password. Symmetric-only schemes work best when the key need only be shared among a small number of trusted individuals, or held by a single user, as with disk encryption.

Applying Encryption

The easiest way to use encryption is to purchase a business application or a hardware product that incorporates some form of encryption technology. Microsoft’s Outlook Express email client, for example, provides built-in S/MIME signing and encryption. Meanwhile, drive makers such as Seagate Technology LLC and Hitachi Ltd. have started shipping hard drives that encrypt their contents in hardware.

Since most software applications and hardware products don’t include any type of internal encryption technology, business owners and managers need to look for stand-alone encryption products. This can be a confusing process, one that’s best approached by first determining the business’s precise security requirements, then finding an encryption product that fits each need.

Windows Vista Enterprise and Ultimate users can take advantage of BitLocker Drive Encryption, a full-volume tool that encrypts the system drive with AES (128-bit keys by default, 256-bit optionally) and can seal the volume key to a TPM (Trusted Platform Module) chip or a USB startup key. Another Windows offering is EFS (Encrypting File System), which encrypts individual files with a random symmetric file-encryption key and then protects that key with the user’s public-key certificate.

Beyond Microsoft, leading encryption vendors and products include PGP, open-source TrueCrypt, DESlock+, Namo FileLock and T3 Basic Security.

What to Encrypt

So how do you know what to encrypt? Here are some places to start:

  • Hard Drives: A business may choose to encrypt entire hard drives so that data on a drive that is stolen, lost or discarded without being wiped stays unreadable.
  • Individual Files: In cases where full disk encryption is overkill, file-by-file encryption provides added security on an “as-needed” basis. Many leading encryption products offer drag-and-drop encryption capabilities.
  • Laptops: Unlike office systems, laptops are easy to lose and are prone to casual theft. By ensuring that the system’s data content is unreadable, a business can limit its loss to the cost of the laptop. A growing number of government regulators and insurance companies are demanding that businesses encrypt any data that leaves their premises.
  • Removable Media: Memory sticks, thumb drives and similar portable storage technologies provide portability, convenience, and an opportunity for data loss and theft. As with laptops, encryption limits a business’s loss to the cost of the device itself. A growing number of removable-media devices come with built-in encryption support.
  • File Transfers: Sending files over unsecured wired or wireless links can expose sensitive information to data thieves. Encryption provides an additional layer of security, even when a secured network is used.
  • Email: End-to-end encrypted email (S/MIME or PGP) stays protected both in transit and while it sits in the recipient’s mailbox. Link encryption such as TLS between mail servers protects a message only between hops; it is stored in the clear at each end.
  • IM (Instant Messaging): A growing number of businesses are using IM to swap confidential business information. Encryption helps secure these critical transmissions.

Encryption’s Limitations

Like any technology, encryption software isn’t perfect. Even the best products cost processor time, and some add a little storage overhead. Users can also lose or forget passwords; unless the product provides a recovery key or key escrow, and you have actually tested recovering with it, the data is locked away for good.

Before purchasing any encryption tool, carefully research the product. Make sure that the offering addresses your company’s needs, is compatible with your systems and has a good track record concerning reliability and support. If possible, check with your friends and colleagues for their opinions on various encryption tools.

12 Feb 08

Enterprise security in 2008: Malware trends suggest new twists on old tricks

With the new year upon us, the bad guys continue to improve their computer attacks, refining their outdated techniques and introducing new twists. Let’s look at some of the trends that will likely dominate the information security threat landscape in 2008:

Increasing effectiveness and complexity of large-scale botnet management
Right now, there are multiple active botnets that each contain more than 1 million infected machines. Medium-scale collections (100,000 to a million infected machines) and small-scale ones (less than 100,000) are even more numerous.

Attackers can use annoying but relatively benign schemes — like pop-up ads, spam and search bar installations — to harvest money via such an infrastructure. More insidious attacks include pump-and-dump stock scams, denial-of-service floods, phishing schemes and form-scrapers that gather bank account numbers and passwords from browsers.

With large-scale distribution of a botnet’s infected computers, these bad guys are encountering the same infrastructure problems that large enterprises have — distributed remote management en masse is not easy. However, the attackers are a crafty lot, and they are developing robust peer-to-peer communications and control mechanisms to avoid single points of failure in their botnets. Attackers are also using fast flux techniques to rapidly shift critical servers’ domain name-to-IP address mapping, making it hard for investigators to hunt down phishing Web sites, control servers and other parts of their infrastructure. Look for such peer-to-peer and fast flux techniques to be included in almost all of the big botnets — and quite a few of the small- and medium-sized ones — in the year ahead.
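To make the fast-flux signature concrete, here is an added example (not part of the original article) in Go: a small heuristic run over constructed passive-DNS observations. Flux nodes are compromised machines scattered across many unrelated ISP networks, so a flux name resolves to many addresses in many different /16s with TTLs short enough to rotate them every few minutes. The names, addresses and thresholds are all assumptions for the example; the 10.x.x.x addresses stand in for real public ones.

```go
package main

import (
	"fmt"
	"net"
)

// Observation is one DNS answer for a name, as a resolver log or passive-DNS
// sensor would record it.
type Observation struct {
	Name string
	TTL  int      // seconds the answer may be cached
	IPs  []string // A records returned in this answer
}

// FluxScore records what the heuristic measured for one name.
type FluxScore struct {
	UniqueIPs  int  // distinct addresses seen across all answers
	UniqueNets int  // distinct /16 prefixes those addresses fall in
	MinTTL     int  // shortest TTL observed (-1 if no observations)
	Flux       bool // verdict
}

// Thresholds are assumptions chosen for this example, not values from the
// article. A CDN also uses short TTLs and many addresses, but they cluster in
// the CDN's own ranges, which is why the /16 spread is required as well.
const (
	maxTTL  = 300
	minIPs  = 8
	minNets = 5
)

// Analyze applies the heuristic to every answer collected for one name.
func Analyze(obs []Observation) FluxScore {
	ips := map[string]bool{}
	nets := map[string]bool{}
	minTTL := -1
	for _, o := range obs {
		if minTTL < 0 || o.TTL < minTTL {
			minTTL = o.TTL
		}
		for _, s := range o.IPs {
			ip := net.ParseIP(s).To4()
			if ip == nil {
				continue // skip IPv6 and unparsable entries
			}
			ips[s] = true
			nets[fmt.Sprintf("%d.%d.0.0/16", ip[0], ip[1])] = true
		}
	}
	sc := FluxScore{UniqueIPs: len(ips), UniqueNets: len(nets), MinTTL: minTTL}
	sc.Flux = minTTL >= 0 && minTTL <= maxTTL && sc.UniqueIPs >= minIPs && sc.UniqueNets >= minNets
	return sc
}

// GroupByName buckets a mixed log by queried name.
func GroupByName(obs []Observation) map[string][]Observation {
	out := map[string][]Observation{}
	for _, o := range obs {
		out[o.Name] = append(out[o.Name], o)
	}
	return out
}

// SampleObservations is constructed data: four lookups of a suspected flux
// name returning different addresses each time, a CDN-style name with short
// TTLs clustered in two ranges, and an ordinary corporate host.
var SampleObservations = []Observation{
	{"pharma-deals.example", 120, []string{"10.1.5.20", "10.7.44.3", "10.19.200.77"}},
	{"pharma-deals.example", 120, []string{"10.33.8.9", "10.52.17.61", "10.68.90.2"}},
	{"pharma-deals.example", 120, []string{"10.90.3.140", "10.104.66.5", "10.121.12.12"}},
	{"pharma-deals.example", 120, []string{"10.150.7.200", "10.177.33.1", "10.202.9.9"}},
	{"static.cdn.example", 60, []string{"10.200.1.10", "10.200.1.11", "10.200.1.12", "10.200.1.13"}},
	{"static.cdn.example", 60, []string{"10.201.5.10", "10.201.5.11", "10.201.5.12", "10.201.5.13"}},
	{"www.corp.example", 86400, []string{"10.250.0.80"}},
}

func main() {
	for name, obs := range GroupByName(SampleObservations) {
		sc := Analyze(obs)
		fmt.Printf("%-22s ips=%2d nets=%2d minTTL=%5d flux=%v\n",
			name, sc.UniqueIPs, sc.UniqueNets, sc.MinTTL, sc.Flux)
	}
}
```

Treat a hit as a lead, not a verdict: large legitimate services with round-robin DNS will trip any TTL-and-spread rule from time to time, so corroborate with ASN ownership of the addresses, domain registration age and whether the name servers themselves also rotate (so-called double flux) before blocking. The same sample data run through the heuristic flags only the pharma-deals.example name.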

More event-driven, targeted email containing malware
In early 2007, the Storm Trojan infected hundreds of thousands of machines by simply duping email recipients into opening an attachment that contained the malware. The message’s subject line exploited concerns about a string of floods in Europe. The malware’s authors continued throughout the rest of the year, modulating their headlines with the latest news stories. As a result, more than 1 million systems became part of the Storm botnet.

Look for more of the same in 2008. Numerous email worms will be spread with bogus — and sometimes even real — news stories about the upcoming U.S. primary and general election campaigns, or perhaps other gripping headlines, such as war and unrest in the Middle East.

Information security practitioners should educate users to be extra diligent when reading email and viewing attachments, even from senders they know. When sharing news by email, users should paste the text of the story into the message instead of forwarding links or sending attachments. It’s also important to redouble efforts for effective email antispam and antimalware deployments.

Leaked high-profile stories of executives nailed by spear-phishing attacks
Civilian and military organizations have reported a significant number of targeted phishing incidents. The attacks use specially crafted email messages to trick a target organization’s users into visiting a site that looks friendly, but will actually attack any browser that surfs there. Some targeted attacks also include infectious email attachments.

In these so-called “spear-phishing” attacks, the bad guys trick humans into installing a Trojan horse backdoor in the target environment. With malware planted on a victim machine, the attacker has a software sentinel inside the target organization, which can be used to control that system, take over others and exfiltrate sensitive information.

Some of the attackers look for low-hanging fruit: any user at all whom they can trick into providing access inside a particular organization. Craftier attackers have set their sights on more important targets: corporate officers and higher-ranking military personnel.

In 2008, we may see some leaked information about targeted, high-profile individuals who fell victim to such attacks. Incident handlers working on a case may inadvertently reveal more than they should. Leaks could also be intentional, driven by vendettas or by legal requirements for breach disclosure. Make sure that your internal incident-handling team is bound by a clear set of non-disclosure agreements and has documented plans and policies for dealing with the press.

Increasing cyber-attack activity attributed to nation-states, not organized crime groups
Spear-phishing has occurred against major U.S. and European enterprises, and many allegations have cited China as one of the attacks’ major sources. Chinese officials have countered by saying that similar attacks are waged against their country as well.

In the spring of 2007, a barrage of packet floods hit the highly wired, eastern European country of Estonia, taking down much of its electronic government and banking sites. Some observers claim that the flood was directed by the Russian government for political reasons, but the Russian government denies this and blames Russian nationalists.

This year, look for more suspicions of government involvement in cyberattacks. The continuing packet floods, cyber espionage, and infiltration of military and commercial networks will receive more press scrutiny than ever. We are now in the midst of a shift that will not supplant cybercrime, but augment it, as nation states increasingly use computer attacks to further their interests.

Decrease in disclosure rate of credit card compromise — not because of fewer breaches
If an enterprise suffers a breach that exposes personally identifiable information (PII) to an attacker, state notification laws may require it to alert the citizens whose data was compromised. Under most of those laws, however, notification is triggered only if the data was actually exposed in readable form; data that was properly encrypted is generally exempt. With an increasing number of enterprises using desktop and laptop encryption tools, there is a real chance that attackers cannot read the data they pull from a hacked system or a stolen laptop.

But some desktop and laptop encryption tools aren’t very good. Microsoft’s Encrypting File System, for example, encrypts an existing file in place, so the disk clusters that held the original plaintext can remain recoverable until they happen to be overwritten (Microsoft ships cipher.exe /W precisely to wipe that free space), and applications may write unencrypted temporary copies next to a file that was encrypted on its own rather than as part of an encrypted folder. Some tools (EFS in its default configuration included) protect the file encryption keys with nothing more than the user’s operating system logon password, rather than a separate and carefully guarded passphrase dedicated to the cryptographic function, or an authentication token or smart card. If attackers can crack a user’s operating system password, they can decrypt that user’s files with EFS and similar tools.
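As an added example (not from the original article, and a simplified model rather than how EFS or Windows DPAPI actually store keys), the Go program below wraps a random file-encryption key under a key derived from a password with PBKDF2-HMAC-SHA256, then plays the attacker who has copied the wrapped key off a stolen disk and tries a small wordlist against it offline. The password "Summer2008", the longer passphrase and the wordlist are all constructed inputs; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrappedKey is the file-encryption key as stored on disk: sealed under a
// key-encryption key (KEK) that is derived from nothing but the password.
type WrappedKey struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // 32-byte file key plus 16-byte GCM tag
}

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// written out here so the example needs only the standard library.
func pbkdf2(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// aeadFor builds AES-256-GCM for a 32-byte KEK.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFileKey protects fileKey with a password. The KDF makes each guess cost
// `iterations` HMACs, but it cannot add entropy the password does not have.
func WrapFileKey(fileKey []byte, password string, iterations int) (*WrappedKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(pbkdf2([]byte(password), salt, iterations))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{salt, iterations, nonce, gcm.Seal(nil, nonce, fileKey, nil)}, nil
}

// UnwrapFileKey succeeds only with the right password; the GCM tag tells a
// guesser unambiguously whether a candidate worked.
func UnwrapFileKey(w *WrappedKey, password string) ([]byte, error) {
	gcm, err := aeadFor(pbkdf2([]byte(password), w.Salt, w.Iterations))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// GuessPassword is the attacker's side: with a copy of the wrapped key from a
// stolen disk, every candidate can be tried offline with no lockout.
func GuessPassword(w *WrappedKey, wordlist []string) (string, []byte, bool) {
	for _, cand := range wordlist {
		if fk, err := UnwrapFileKey(w, cand); err == nil {
			return cand, fk, true
		}
	}
	return "", nil, false
}

// Wordlist is a constructed stand-in for a password-cracking dictionary.
var Wordlist = []string{"password", "letmein", "Welcome1", "Summer2008", "qwerty"}

func main() {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		panic(err)
	}
	weak, _ := WrapFileKey(fileKey, "Summer2008", 10000) // a typical logon password
	if guess, fk, ok := GuessPassword(weak, Wordlist); ok {
		fmt.Printf("password %q unwrapped the file key (matches original: %v)\n", guess, bytes.Equal(fk, fileKey))
	}
	strong, _ := WrapFileKey(fileKey, "orbit-velvet-quartz-lantern-7r", 10000) // constructed passphrase
	_, _, ok := GuessPassword(strong, Wordlist)
	fmt.Printf("separate passphrase recovered from the dictionary: %v\n", ok)
}
```

Once the wrapped key is in the attacker's hands there is no lockout and no audit log; the only things standing between them and the files are the iteration count, which multiplies the cost of each guess, and the entropy of the password, which the KDF cannot increase. That is why a key held on a smart card or protected by a separate long passphrase is a materially different proposition from one protected by whatever password the user also types at the logon screen.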

If an organization suffers a breach, management must decide whether there was a reasonable chance that the data was exposed. Even if the data was protected only by a weak encryption product, management will likely conclude that the sensitive information wasn’t compromised.

In 2008, we may see less disclosure, but not fewer breaches. Such a trend will unfortunately hide the magnitude of real security problems. Enterprise security personnel should make sure that they use strong laptop crypto products. They should also verify and review the disclosure decision-making process with management and legal personnel.

This new year will likely spell busy times for information security professionals, as attackers continue to ramp up their abilities. Keeping up with the bad guys won’t be easy, but it is vital that we understand their latest tactics and work diligently to thwart them. Don’t get discouraged. Instead, remind yourself about how exciting these times are, and how we are fighting the good fight.