Dear Encryption, We're Worried About Your Future

December 1, 2017

Encryption, my friend, there’s a lot riding on your shoulders. There have been decades’ worth of debate as to whether you are too strong, or too weak. Entire nations think you are so powerful that they restrict your import, your export and your use. No less than the NSA has been accused of trying to influence your standards, presumably to break you. Indeed, you have been broken, and secrets have been lost. It’s true you always bounce back, but for how long?

Let’s talk about Wi-Fi. Remember WEP? It turned out anybody could crack the code in minutes. Then we got WPA, which failed to withstand a 60-second attack. So, we moved on to WPA2. I don’t need to tell you about the KRACK attack, which affected nearly all Wi-Fi devices. KRACKers were able to read communications and, perhaps even worse, inject malicious packets into traffic. As a separate matter, man-in-the-middle campaigns have successfully used fake digital certificates to impersonate encrypted websites and steal information. I guess you shouldn’t be blamed for that though.

Still old friend, we can’t forget about OpenSSL and the nasty Heartbleed programming vulnerability. That flaw provided access to encryption keys, giving the criminally curious an ability to decrypt SSL traffic. Imagine the delight of those who hoarded stolen encrypted data in hopes of such a flaw. Maybe you can’t be blamed for that either. After all, if somebody gets the key or underlying password, it no longer matters that a brute force attack otherwise would have taken well over a trillion years to succeed. That’s an impressive statistic indeed, if not for workarounds. Speaking of brute force, just imagine the power of quantum computing in years to come. Will NIST succeed in its current search for “quantum-resistant” cryptographic algorithms? Nobody knows.

In your defense, Encryption, there is no perfect security. That said, in addition to applying patches, there are a number of steps companies can take to mitigate the highest risks:

First, to fully protect an organization’s most sensitive data at rest and in-motion, consider full-disk encryption and file-level encryption. The latter will protect files in transit, and ensure that simply powering up and logging onto a system doesn’t expose all files to all users.
Second, remember to encrypt laptops, thumb drives, backups and archives.
Third, set up corporate websites to offer HTTPS, and browsers to default to HTTPS sites.
Fourth, review key management as a lifecycle that includes key selection, generation, distribution, storage, escrow and backup, key rotation, accountability and audit, and key compromise and recovery.
Fifth, anticipate data breaches and encryption failures not only by deploying defenses in depth, but by scaling back altogether on certain highly sensitive electronic communications. Collect and store less, and have an appropriately aggressive destruction schedule.

Well Encryption, it’s hard to know what tomorrow will bring. When it comes to your future, please don’t mind the pun, there’s a lot left to hash out.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

Dear Encryption, We're Worried About Your Future

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Security Magazine

2020 November

Dear Encryption, We're Worried About Your Future

Recent Articles by Steven Chabinsky

Related Articles

Related Products

Related Events

Report Abusive Comment