16 April 2016

It’s 2016 and you aren’t using encryption. Why?

All breaches aren’t created equally. Encryption, not breach prevention, separates damaging hacks from annoying intrusions.
By Jason Hart, CTO Data Protection, Gemalto April 13, 2016

Encryption sounds synonymous with complexity.
It's not. It's very, very simple.
There should be no reason why an organization shouldn't be encrypting its data in 2016. The technology is there. And the rationale for using it is simple: Breach prevention is dead.
Our 2015 Breach Level Index showed over 1,600 disclosed breaches worldwide. That led to more than 700 million records being exposed.
To put it simply, blocking breaches isn’t working.
As we watch hackers home in on data critical to our lives and our businesses, we need to develop a mindset that accepts attackers will find a way in — but that our critical data is protected so it doesn’t make its way out.
Where are hackers headed?

Attackers pursued and achieved more valuable and durable information in 2015, according to the same Breach Level Index. While bad guys pilfered less financial data, the main takeaway from the report was the focus on long-lasting information (think of your health records or massive, comprehensive government databases) that allows them to conduct other attacks.
Hackers, in short, understand that it’s way harder to change your Social Security Number than it is to cancel a credit card — and in some cases, such as with one’s medical history, that information can’t be altered at all.
Bad guys see the enduring value of this data. At a consumer level, if a hacker can capture key information on an individual, they can potentially attack not only that individual but the organization they work for and other organizations that the compromised person accesses online.
Compare that to what happens when a digital attacker steals your credit card information: if the card is compromised, it is comparatively easy for it to be rejected, stopped, and a new card issued.

Turning to corporations, you don’t need to think data science is the sexiest job of the 21st century to see how companies are putting data at the heart of their business decision making like never before.

So where will clever digital attackers go? At the integrity of the most vital business data.
If a key driver of whether a company manufactures more or fewer widgets is its big data analytical approach, a nefarious digital intruder might just tweak the data, altering its integrity in a way that the organization would be unable, at first glance, to notice. Such attacks don’t need to steal a single bit of information to make a dent in a competitor.

The company, unaware of the faulty basis of its decision making, continues to drive its business ahead, making a slew of damaging decisions because the original data was tampered with. Companies could go months on broken assumptions and off-base approaches, making such an attack that much more painful to recover from, costly to the bottom line, and damaging to a company’s reputation.
What can stop these attacks?

To consider how hard it is to prevent an attacker from ever getting into your network, think about the hyper connectivity of the near future. Think about the Internet of Things.

Even one digitally connected gadget has at least five different parties touching the data it generates: the manufacturer, the consumer, the cloud provider hosting that data, the smartphone maker on whose phone the consumer runs the app that controls the gadget, and (usually) at least one other gadget that digitally connects to our first IoT device.

And when our homes or our cars are chock full of connectivity, the number of connections is going to be a lot greater than five.

At any point in that transmission chain, a hacker could breach a faulty defense and start siphoning off our information. If any one part of that sprawling web of connectivity gets compromised, we have a problem.

It’s not hard to see why securing this intricate web of connections is an awe-inspiring task, even for the most sophisticated technologists. Now consider a massive enterprise with thousands of devices, a mobile workforce carrying those devices across the world, and digital attackers using increasingly sophisticated approaches to find even a small crack in our collective digital armor.

Which brings us to a crossroads. We can stick our heads in the sand and believe that a breach isn’t going to happen to us because of our superior prevention or because our data isn’t valuable enough to matter.

Given the more than 1,600 breaches in 2015 worldwide, this seems, shall we say, unwise.

Alternatively, we can focus on protecting the asset that hackers are really after: data.

Which brings us back to not only encryption but a mindset that takes breaches as a given and focuses instead on protecting data.

Security leaders at organizations large and small need to admit that they are going to be breached — and then figure out what to do from there. What data is going to cause them massive reputational impact? What data, in the event its integrity is compromised, is going to kill their business?

By making that shift from considering more extravagant (and expensive) ways to keep bad guys out to protecting core assets once a diligent hacker eventually gets in, information security leaders will begin thinking in a totally different way. They’ll begin to evaluate risk better and apply the core information security controls: encryption, key management, and authentication.

It sounds oxymoronic, but this type of approach leads to what we call a secure breach.

Even when the attacker breaks through, the locked box they find inside is way less useful than the sprawling flows of data they unlocked in the unencrypted past.

And yet while encryption is one of the most obvious strategies for preparing for a breach, only 48 of the data breaches in 2015 – less than 4 percent of all breaches – involved data that was encrypted to any degree.

We’ve got to accept the fact that breaches are going to happen. And to keep the data secure when they do, the answer is encryption.

Jason is vice president and chief technology officer for Gemalto’s data protection solutions. He is a former ethical hacker with 20 years’ experience in the information security industry. Follow him on Twitter at @Hart_Jason and download the full Breach Level Index here.