Category Archives: Encryption

3 Easy Techniques to Protect Your Data

Some of the best firms use very simple techniques to protect their companies’ information. These techniques can be very effective at securing not only company data but also your employees’ personal information. They may take some time and resources to set up initially, but you will thank yourself down the road.

First, you want to implement some sort of yearly or bi-yearly security training program: something interactive that will keep employees involved and teach them the basics of security in the office. Using gamification or animation in this training will ensure that the information sticks with the employees. Not only will you remain compliant with a yearly security training program, but you can also ensure awareness around the main cause of information leaks and breaches: humans.

Once this program is in place, you want to put it to the test. One of the best ways is to create a phishing campaign. This entails sending out a fake email from a fake address with a false, clickable link that records the number of users who click on it. You can set up this campaign to log information such as clicks and email opens, and even to show which users clicked the link and then filled out an informational form about themselves. A phishing campaign is not to be used as a form of punishment but as a teaching point about what “exactly” to look for in a phishing email.

Lastly is a step you should take into your own hands as a security professional. Utilize a tool like BitLocker and/or Digital Guardian to monitor what your employees are doing on the internet and help prepare for the worst situations. Having timely backups of all saved information is a plus in case you need to roll back changes on someone’s machine due to a malicious link that was accidentally clicked.

Overall, the best option, no matter how you do it, is to educate the people who handle sensitive information on best practices and then create assurances around them to protect in case of an accident. Remember, in this industry it is not “if” but “when” a security event will take place.

Rise of the CISO: Why the C suite needs a security chief

The CISO role is growing in popularity, but what does it actually mean for your business? Here’s what the role is responsible for and why CISOs are multiplying in the enterprise.


The latest c-suite executive role to step into the spotlight is the chief information security officer, or CISO. Even more focus was put on the CISO role when, in February, President Obama announced that the US government was planning to hire its first ever Federal CISO.

Obama’s announcement further justified what many organizations were already doing, which was assigning a specialized executive over security issues, instead of leaving them to be handled by the CIO or CTO, whose top priorities are typically a mix of innovation and operations. And, while the CISO is not a new role, it is still gaining popularity in the enterprise.

So, we’re going to break down what it is and why you might need one. Let’s start with defining the role.

What is a CISO?

Simply put, the goal of the CISO is to protect the business at all costs against present and future digital security threats.

Andrew Hay, CISO at DataGravity, said, “The CISO role is a true hybrid role that is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organization to all of its stakeholders.”

And that “all stakeholders” bit is key—the CISO isn’t going to hold court with the executive team only. True CISOs will be working with employees, customers, and other partners as well, Hay said.

Additionally, the CISO role isn’t the typical “vision caster” most people associate with a CXO title. The CISO role is a mixture of strategy/big picture thinking and tactical skills. Most CISOs are coming from an IT security background, so they know how to directly implement and work with the systems they are recommending.

 In terms of who they report to, Entertainment Partners CISO John Tooley said that he believes the majority report to specific executives, and not just the CEO. In his tenure, he said he has reported to the CIO and CTO. Other CISOs may report to the COO or the CFO.

What does a CISO do?

In a broad sense, the CISO’s functions revolve around risk—identifying risk, assessing risk, presenting risk, and implementing programs to combat it. The difficulty in the role, Tooley said, is doing these things in a way that makes sense to the business, but is also effective in driving real change.

Identifying and assessing risk are skills that are typically developed as a combination of the training a CISO has received throughout his or her career and the sense of intuition that develops over a long time spent in the industry. Presenting the risk becomes a bigger challenge in that it requires specific communications and sales skills to get other leaders on board with a solution.

“As opposed to other C-level executives, I think there is more of a communication challenge, taking highly technical language and translating it into business value and need. There is also the balance that needs to be struck between empowering employees and securing the enterprise, since insider threats represent one of the biggest security concerns,” said Ari Lightman, director of the CISO Program at Carnegie Mellon University’s Heinz College.

The CISO must champion the organization’s security in all that he or she does, setting security goals and milestones to help measure the success of that strategy. Lightman said some of the day to day functions that comprise the role may include the following:

  1. Secure the enterprise’s digital assets
  2. Educate and train employees and the extended ecosystem on security best practices and procedures
  3. Define and monitor access and permissions
  4. Hire and train security personnel
  5. Define budgets for security equipment and training
  6. Work with other C-level executives to ensure compliance with security procedures

And, that above list is not exhaustive. Ultimately, a CISO’s role will also be shaped, in part, by the needs of the industry they operate in and the needs of their employer.

The rise of the CISO

So, why are we seeing the CISO rise to prominence now? For starters, security is no longer purely a technological issue, and can no longer be constrained solely to IT.

“So there is awareness among senior management now that information security is really a risk issue, and risk is a business challenge that needs broader solutions,” Tooley said.

Another big issue is growth—there’s just more technology in the workplace than there has ever been before and it’s affecting organizations in new and interesting ways. The addition of DevOps, cloud, IoT, BYOD, and big data mean that the attackable surface is growing as well, and it needs a guardian.

“As a result, industry guidance, regulatory compliance standards, and the realization that security is a key component in business continuity and operational excellence, has led to the realization that the safety, security, and compliance of a company’s IT and information assets require an advocate at the highest level,” Hay said.

The 3 big takeaways for TheDigitalAgeBlog readers

  1. The CISO is an executive role that combines technical expertise with strategic vision to champion a security strategy for an organization.
  2. The CISO is responsible for acknowledging, analysing, and presenting risk. The communication of risk requires specific skills to help “sell” the solutions to mitigate against potential threats.
  3. The role itself is growing because the breadth of technology being implemented in business continues to grow. A CISO must understand how security risks affect the bottom line as well as how they impact IT operations.

Security Concerns That Entrepreneurs Should Address

When it comes to running your own business, there is no end to the number of obstacles and obligations that today’s busy entrepreneurs need to take care of. However, one of the most important things that every entrepreneur needs to remember has to do with security. In today’s market, security has become a major challenge for all types of entrepreneurs, in all different industries and from all different walks of life. Understanding what these security threats are and why they are important is essential information for every entrepreneur to know. After all, the more you understand, the better equipped you will be to ward off these security threats moving forward.

Cyber Security
There is perhaps no more dangerous type of security threat present in our market today than cyber security. There are so many entrepreneurs who simply don’t have enough of a tech background to really understand cyber security, what it is, what it entails and why it is so risky. Hackers from anywhere in the world can easily hack into your computer system and steal important information from you and from your clients and customers, without you ever knowing. This is why it is so important to hire a cyber security professional to make sure your networks and your systems are safe.

Security Personnel
You can never put too much emphasis on security within your business. If you want to make sure that your customers and your employees are always safe, particularly if you live in a busy area, then you need to have security guards on staff. You would be surprised by how many threats and issues can be resolved by simply having security personnel on the grounds. Many business owners underestimate their need for security personnel at their place of business; however, Dave Ngo of AlertSecurityandPatrol.com says, “People have a sense of security when a security officer is present. They are an extra set of eyes for personal, property, and asset protection. Customers would feel more comfortable with security present, which will enhance their work, entertainment, or shopping experience.”

Surveillance Systems
Surveillance systems are some of the most important features to have in your business. Whether you are looking to find out who broke into your business or if an employee is jeopardizing your company or your money, there is no better way to do it than with live video footage. Installing a surveillance system in a building is actually easier and more cost effective than many people think. Make sure to have a sign somewhere in your business letting people know that you have cameras on the premises; many times, the sign alone can do a great deal of good in preventing incidents from happening.

Implement Mobile Security Systems
Today, it seems as though people use their mobile phones more than they use virtually any other piece of technology. Yet very few entrepreneurs take the time to make sure that their mobile devices, and the mobile devices of their entire staff, are safe from mobile apps. A recent study found that most organizations allow their employees to download apps to their work devices without vetting them first; this means that there could be a number of viruses coming through to your work devices. Mobile security is about more than just devices, though. Mobile content, apps and sharing data through mobile devices can all put your company at risk.

While most entrepreneurs likely feel that they already have more than enough on their plates with running their own business, it is important that they also take the time to take additional security measures to keep their business, their money and their employees as safe as possible.

Apple v. FBI: How to Sound Smart about Encryption


Apple v. FBI has started a serious debate about the line between security and privacy. The FBI says this is a case about the contents of one specific iPhone 5c. Apple says this is a case about securing data for everyone.

No one seems to want to have a civil, Socratic discussion about what it means to evolve the governance of a digital democracy. Instead, most people want to voice their opinions about terrorism, the law, and Apple. People also want to know if this particular iPhone 5c (or any iPhone) can be hacked, and if offers to hack it from white hat hackers, such as John McAfee, are real.

The Apple v. FBI subject device, an iPhone 5c, can be hacked. This is true because of iOS 8 (the operating system running on the subject device) and the way all iPhone 5c’s were manufactured. Current vintage iPhones (5s, 6, 6s) could not be hacked the same way, so we should not be talking about this particular phone; we should be talking about encryption writ large, and how it is used in our daily lives.

What Is Encryption?

Encryption is the process of using algorithms to encode information with the specific goal of preventing unauthorized parties from accessing it. For digital communication, there are two popular methods of encryption: symmetric key and public key.

  • Symmetric key encryption requires both the sending and receiving parties to have the same key – hence the term “symmetric.”
  • Public key encryption is far more popular because the encryption key is publicly available, but only the receiving party has access to the decryption key.

How Can There Be Such a Thing as a “Public” Encryption Key?

One of the most popular ways to create public encryption keys is to use a mathematical problem known as prime factorization (aka integer factorization). You start with two relatively large prime numbers. (Quick 6th Grade Math Refresher: A prime number is only divisible by 1 and itself.) Let’s call them P1 and P2. When you multiply them, the product is a composite number we’ll call “C.”

(P1 x P2 = C)

C is a very special number with very special properties. It’s called a semiprime number. Semiprime numbers are only divisible by 1, themselves and the two prime factors that made them. This special property enables the number to be used for public key encryption.

You use C for the public key and you keep P1 and P2 as the private key pair. While it is very easy to generate C, if the number is large enough and thoughtfully generated, it can take thousands, millions or even billions or trillions of tries to factor. (There are mathematical strategies to speed up the process, but in practice, prime factoring must be done by trial and error.)
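To make the asymmetry concrete, here is an added example (not part of the original article) of textbook RSA built on the semiprime C, with a trial-division factoring routine that counts its tries. The names p1, p2, c, e and d, the exponent 65537 and the toy primes are assumptions chosen for illustration; real keys use primes hundreds of digits long plus padding, which this sketch omits.

```python
"""Toy RSA on a semiprime C = P1 x P2 (illustration only, no padding)."""
import math


def make_keypair(p1, p2, e=65537):
    """Build a public key (c, e) and a private key (c, d) from two primes."""
    c = p1 * p2                      # the semiprime: safe to publish
    phi = (p1 - 1) * (p2 - 1)        # computable only if p1 and p2 are known
    if math.gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p1-1)*(p2-1)")
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return (c, e), (c, d)


def encrypt(message, public_key):
    """Anyone holding the public key can encrypt a number smaller than c."""
    c, e = public_key
    if not 0 <= message < c:
        raise ValueError("message must be in the range 0..c-1")
    return pow(message, e, c)


def decrypt(ciphertext, private_key):
    """Only the holder of d (derived from p1 and p2) can reverse encrypt()."""
    c, d = private_key
    return pow(ciphertext, d, c)


def factor_by_trial_division(c):
    """Return (smaller factor, larger factor, tries) for a semiprime c.

    This is the "trial and error" approach from the text: test 2, then every
    odd candidate up to sqrt(c), counting each candidate as one try.
    """
    tries = 1
    if c % 2 == 0:
        return 2, c // 2, tries
    candidate = 3
    while candidate * candidate <= c:
        tries += 1
        if c % candidate == 0:
            return candidate, c // candidate, tries
        candidate += 2
    raise ValueError("c has no non-trivial factor (it is prime)")


def factoring_work(prime_pairs):
    """For each pair, return (bit length of C, tries needed to factor C)."""
    rows = []
    for p1, p2 in prime_pairs:
        c = p1 * p2
        _, _, tries = factor_by_trial_division(c)
        rows.append((c.bit_length(), tries))
    return rows


# Constructed sample primes; far too small for real use.
TOY_PRIME_PAIRS = [(53, 61), (1009, 1013), (10007, 10009), (104729, 104743)]

if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    secret = 65
    sealed = encrypt(secret, public)
    print("public key (c, e):", public)
    print("ciphertext:", sealed, "-> decrypted:", decrypt(sealed, private))
    for bits, tries in factoring_work(TOY_PRIME_PAIRS):
        print(f"C of {bits:2d} bits: {tries} tries to factor")
```

Multiplying the primes is a single operation at every size, while the number of tries grows with the square root of C, so each extra bit in the primes roughly doubles the factoring work.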

Pretty Good Privacy, the Encryption We Mostly Use

The OpenPGP standard is one of the most popular versions of public key encryption, aka Pretty Good Privacy or PGP. There is a very good chance that your corporate IT department uses some version of PGP to encrypt your files – after all, it’s pretty good.

How good? Using current computer technology, a 2048-bit OpenPGP encrypted file cannot be decrypted. Someday it might be possible with a fully functional quantum computer, but these are still, for all practical purposes, theoretical devices.

Now, you’re going to push back with an argument that goes something like this: “Hey Michael, you may think that a file encoded with 2048-bit OpenPGP encryption is unbreakable, but you don’t know that for sure. You have no idea what the NSA can or cannot do! How do you know that quantum computers don’t exist? Nothing is impossible!”

Yeah … no. 2048-bit OpenPGP encryption can’t be decrypted without a key because of the way computers work today. In the future, with new hardware and processor and bus speeds that are currently undreamt of, the computation may be able to be done in reasonable time – but not today. Without your private key, the computational time required to break a 2048-bit key in a secure SSL certificate would take over 6.4 quadrillion years.

How Can the “Now Famous” iPhone 5c Be Hacked?

For the iPhone 5c in question, you don’t need to hack the encryption key; you need to “make” the encryption key. It is generated from a combination of the user-created PIN or password and a unique key that Apple embeds in each iPhone 5c when it is manufactured. The FBI is asking Apple to create a new operating system with the ability to disable certain security protocols – specifically to defeat the limit on failed passcode attempts and to remove the delay caused by failed attempts. With this new weaker security protocol and forensic software written to try every possible PIN or password combination, the FBI hopes to regenerate the unique key required to open the phone.
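The following added example (not from the original article, and not Apple's actual algorithm) models the two controls described above: a key derived from both the passcode and a device-unique secret, and a guard that adds delays and erases key material after repeated failures. The class ToyDevice, the PBKDF2 parameters, the delay schedule and the ten-failure limit are all assumptions made for illustration.

```python
"""Toy model of a passcode-derived key protected by an attempt limiter."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 1000            # toy value so the demo runs quickly
MAX_FAILURES = 10                # assumed limit before key material is erased
# Assumed delay (seconds) imposed after the Nth consecutive failure.
DELAY_SCHEDULE_S = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


def derive_key(passcode, device_uid):
    """Entangle the passcode with a per-device secret.

    Without device_uid the same passcode yields a different key, so guessing
    has to happen on the device, where the limiter below applies.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), device_uid, KDF_ITERATIONS
    )


class ToyDevice:
    def __init__(self, passcode, enforce_limits=True):
        self._uid = os.urandom(32)          # never leaves the device
        # Simplification: keep a verifier instead of decrypting real data.
        self._verifier = derive_key(passcode, self._uid)
        self.enforce_limits = enforce_limits
        self.failures = 0
        self.simulated_delay_s = 0          # delay is tallied, not slept
        self.wiped = False

    def try_unlock(self, guess):
        if self.wiped:
            raise RuntimeError("key material erased")
        candidate = derive_key(guess, self._uid)
        if hmac.compare_digest(candidate, self._verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.enforce_limits:
            self.simulated_delay_s += DELAY_SCHEDULE_S.get(self.failures, 0)
            if self.failures >= MAX_FAILURES:
                # Erasing the secrets makes every later guess useless.
                self._uid = b""
                self._verifier = b""
                self.wiped = True
        return False


def all_pins():
    """Every 4-digit PIN, 0000 through 9999."""
    return (f"{n:04d}" for n in range(10_000))


def run_guesses(device, candidates):
    """Feed guesses to the device; return (unlocked, attempts made)."""
    attempts = 0
    for guess in candidates:
        if device.wiped:
            break
        attempts += 1
        if device.try_unlock(guess):
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    guarded = ToyDevice("0815")
    print("limits on :", run_guesses(guarded, all_pins()),
          "delay", guarded.simulated_delay_s, "s, wiped:", guarded.wiped)
    unguarded = ToyDevice("0815", enforce_limits=False)
    print("limits off:", run_guesses(unguarded, all_pins()))
```

With the limiter on, ten guesses cover 0.1 percent of the 4-digit space before the key material is gone; with it off, the whole space is reachable, which is why the attempt counter and the delay, not the key length, are the controls at issue in this case.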

It is important to note that this whole idea is only possible on iPhones older than the 5c running iOS 8 or earlier. iPhones with fingerprint scanners such as the 5s, 6 and 6s use a second processor called “secure enclave.” Even Apple can’t hack an iPhone that includes a secure enclave processor – not without creating a “backdoor.”

This is what Apple is worried about. You should be too. If the government served Apple with a lawful writ or subpoena to deliver the key to an iPhone 6s, it would not be able to comply. This case asks the question, should the government be allowed to compel any company that creates a digital security product to create a “backdoor” and make it available for any reason (lawful or other)?

The important thing about an iOS 9 “backdoor” in Apple’s case is that it could not be guessed or randomly generated; it would have to be an actual file – a metaphorical “skeleton key.” There’s a problem with skeleton keys, even digital ones: they can be copied. Importantly, they can be copied or stolen without the owner’s knowledge. The idea of creating a “skeleton key” defeats the purpose of encrypting it in the first place. If a key exists, it will be copied by both good and bad actors – that’s just a fact of digital life.

So again, I find myself begging you to engage in a civil, Socratic discussion about what kind of future we want to live in. Encryption enables banking (commercial and consumer) and commerce. Without it, our digital lives would be very, very different. How do you want to evolve the governance of our digital democracy? Where is the line between security and privacy? What do we want to ask our lawmakers to do? Hopefully this short story will inspire you to learn more about encryption so you can draw your own conclusions and join this techno-political debate.

Cyber Hygiene, it’s about the basics


In today’s interconnected world, phishing emails and malware infections caused by attachments and links to hacked web sites are just some of the digital flotsam that have become common occurrences. However, in the disparate enterprise environments found in many small businesses, cities, and industrial networks, these types of attacks can be catastrophic due to the inherent blending of old and new technologies. The repercussions of new malware attacks on these intertwined infrastructures can result in loss of critical services to the business and its customers. To counter these ever-evolving threats, I believe we must focus on doing the basics well. Organizations must lay the equivalent of a digital foundation on which they can then build their networks and provision data and applications to their employees securely. The methodologies that businesses would follow to do the basics are commonly referred to as “cyber hygiene”. There are numerous approaches to implementing cyber hygiene, and there are also numerous ideas about what should be considered cyber hygiene. In this article I will discuss five basic steps that I use to protect my organization: Count, Configure, Control, Patch, and Protect.

  • The first step to implement cyber hygiene, “Count,” you would think should be pretty simple; however, having an accurate inventory can be extremely difficult. It is very hard to protect an organization and understand its technology risk if there is poor visibility into what is connected to its networks. I normally start with collecting information about the standing policies and procedures for how cybersecurity is managed in the business. I then collect information on previous asset inventories for both hardware and software, and any current network documentation. Then, with this information, I use tools such as SolarWinds or NetBrain to map and monitor the networks for better views into their inherent data flows. What you will want to do here is put together an accurate map of the organization’s enterprise networks, an accurate list of its applications and data types that are in use, and an accurate list of what hardware is required by your organization. This collected information will become the technology and application portfolios of the business and will be critical for implementing the following steps.
  • The next step we would use for cyber hygiene, “Configure,” is about understanding what settings all of your connected devices have enabled. To do this properly, it is standard to use recommended industry security settings as a baseline, then adjust them to be “more secure” depending on the criticality of your business operations and its data. Typically, organizations will have a standard operating system image preconfigured with all required security settings and required applications. What is important in this step is flexibility: you will need to change any default security passwords because they can be easily found on the Internet. You will also need to change default security settings to ones that are not easily discoverable and make sure all configurations and operating system images are backed up and maintained. This step ensures you have a level of maturity with how the organization employs technology in its enterprise environment. I would also suggest you use a solution such as Tenable’s Nessus PSV to continually scan your environment for assets that are misconfigured. This will ensure you are only deploying assets for your organization that meet your predefined requirements.
  • The third step in building a cyber hygiene program, “Control,” is about managing who has access to the settings that were implemented in “Configure”. It is also about gaining insight into the employees and vendors within the organization that have administrator privileges. These “admin” privileges can make enterprise changes, access critical data and implement system-wide policies that would affect the business’s ability to operate effectively. In this step, I would recommend you first conduct an audit to see who has administrative privileges. Once you have created this list, I would then recommend you speak with the users to understand their business reasons for why they require elevated privileges. Once you clean up that list to only essential personnel, you then need to make sure those same individuals who have these administrator accounts only use them for specific business reasons and that they conduct all normal work with their standard user accounts. Once you have these admin accounts documented, you will need to periodically audit them to properly manage who has administrative rights to the organization’s enterprise assets. Don’t be surprised that over time the number of personnel with these accounts will grow, which is why you must periodically audit them to reduce the risk exposure to your business.
  • The fourth step in the cyber hygiene process, “Patch,” is critical, and all mature organizations must standardize this process for how updates will be regularly tested and applied to their applications, software, operating systems and hardware. There are many documented cyber breaches to organizations that, when triaged, can trace the vector of attack to a software patch not being properly installed or not installed at all. What is important for an organization to understand is that in cyber hygiene this step impacts all others: you must have a standardized process in place so patches are installed in a timely manner, correctly the first time. There are numerous articles and books on how to create a patch management program; just remember you need this in place for all of your other steps to function correctly.
  • The fifth and final step in creating a cyber hygiene toolbox, “Protect,” is about using basic security applications and controls to set the first layer of protection that a mature cyber-security program can be built upon. It is in “Protect” that a security team will ensure endpoint protection is installed and updated on all desktops, laptops, servers and mobile devices, if possible. You should also ensure desktop firewalls or their equivalent are turned on and configured, hard drives have full disk encryption installed and there is a password management program in place. This password management program should ensure there is some level of complexity to passwords and, if possible, use two-factor authentication for an additional level of authentication. Some of the last services you would find managed in this step are verifying that all devices are generating some type of log to be collected by a SIEM, such as Splunk, to be analyzed for abnormalities, and that all critical data is backed up and the backups are periodically tested.

Remember, once you build these processes you will need to continually monitor and assess their level of maturity. Networks are dynamic; they continually change over time as updates are installed, configurations are enabled or new technologies are implemented. I have found that using these tools together enables organizations to manage the baseline risk of their installed technology portfolios and establish an understanding of what risk is acceptable for business operations. These tools give businesses visibility into how their enterprise environments are built, how data is actually used by their stakeholders and which older technologies may need to be updated or replaced. In the end, these five tools are just that: tools that can be used together to create a basic methodology for protecting an organization’s IT assets. Once you have them in place, you will then want to step to the next level and use a mature cyber-security/risk management framework to create an enterprise-wide security program to protect your organization.
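As an added example (not part of the original article), the five steps can be expressed as one repeatable check over an asset inventory. The record fields, host names, account names, the 30-day patch window and the function hygiene_findings are all constructed for illustration; in practice the inputs would come from your discovery, directory and patch tools.

```python
"""Count, Configure, Control, Patch, Protect as one inventory check."""
from datetime import date

# Constructed sample data: what the inventory says the organization owns.
ASSET_INVENTORY = {
    "ws-001": {"default_password_changed": True, "last_patched": date(2016, 2, 20),
               "disk_encrypted": True, "endpoint_protection": True,
               "sends_logs": True},
    "srv-db1": {"default_password_changed": True, "last_patched": date(2015, 11, 2),
                "disk_encrypted": True, "endpoint_protection": True,
                "sends_logs": True},
    "printer-3f": {"default_password_changed": False, "last_patched": date(2016, 2, 10),
                   "disk_encrypted": False, "endpoint_protection": False,
                   "sends_logs": False},
    "laptop-017": {"default_password_changed": True, "last_patched": date(2016, 2, 25),
                   "disk_encrypted": True, "endpoint_protection": True,
                   "sends_logs": True},
}
# Constructed sample data: what a network scan actually saw.
DISCOVERED_ON_NETWORK = ["ws-001", "srv-db1", "printer-3f", "kiosk-lobby"]
# Constructed sample data: who should be, and who currently is, an admin.
APPROVED_ADMINS = {"alice", "bob"}
CURRENT_ADMINS = {"alice", "bob", "carol", "svc-backup"}

PROTECT_CONTROLS = ("disk_encrypted", "endpoint_protection", "sends_logs")


def hygiene_findings(inventory, discovered, approved_admins, current_admins,
                     today, max_patch_age_days=30):
    """Return a dict mapping each hygiene step to a sorted list of findings."""
    seen = set(discovered)
    findings = {"Count": [], "Configure": [], "Control": [],
                "Patch": [], "Protect": []}

    # Count: the inventory and the network must agree in both directions.
    findings["Count"] += [f"unknown:{h}" for h in seen - set(inventory)]
    findings["Count"] += [f"unseen:{h}" for h in set(inventory) - seen]

    for host, record in inventory.items():
        # Configure: default credentials are published and must be changed.
        if not record["default_password_changed"]:
            findings["Configure"].append(host)
        # Patch: flag assets outside the agreed patch window.
        if (today - record["last_patched"]).days > max_patch_age_days:
            findings["Patch"].append(host)
        # Protect: every baseline control must be present.
        missing = [c for c in PROTECT_CONTROLS if not record[c]]
        if missing:
            findings["Protect"].append(f"{host}: {', '.join(missing)}")

    # Control: admin rights that nobody approved (privilege creep).
    findings["Control"] = list(current_admins - approved_admins)

    return {step: sorted(items) for step, items in findings.items()}


if __name__ == "__main__":
    report = hygiene_findings(ASSET_INVENTORY, DISCOVERED_ON_NETWORK,
                              APPROVED_ADMINS, CURRENT_ADMINS,
                              today=date(2016, 3, 1))
    for step, items in report.items():
        print(f"{step:9s} {items if items else 'ok'}")
```

Running the same check on a schedule and comparing reports over time gives the periodic audit the article calls for, including the growth in admin accounts.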

Some sites that would prove helpful for organizations establishing a security program are as follows:

http://csrc.nist.gov/publications/PubsSPs.html#800-101

  • 800 Series Special Publications, general interest to the computer security community

http://www.digitalgov.gov/digitalgov-university/

  • Federal government’s training program for digital media and citizen engagement

https://www.us-cert.gov/ccubedvp

  • Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program

https://www.us-cert.gov/ccubedvp/getting-started-business

  • Resources available to businesses and aligned to the five NIST Cybersecurity Framework Function Areas (Identify, Protect, Detect, Respond, & Recover)

 https://www.us-cert.gov/security-publications

  • Great documents from General Internet Security to Technical Publications (ICS users, Gov’t Users, Home & Business Users)
    • Site for best practices on providing security assurance within Cloud Computing

About the Author:  Gary Hayslip is Deputy Director, Chief Information Security Officer (CISO) for the City of San Diego, California. As CISO he is responsible for developing and executing citywide cyber security strategy and leading teams focused on Enterprise Risk Management, Security Engineering, Application Security, Cyber Security Operations, & Cyber Security Resiliency. His mission includes creating a “risk aware” culture that places high value on securing city information resources and protecting personal information entrusted to the City of San Diego.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.

 

John McAfee Reveals To FBI, On National TV, How To Crack The iPhone (RT Interview)

Yes, it has gotten this bad. In language simple enough for even a child to understand, John McAfee explains for the world and for the FBI how to hack…

Not as easy as John says, but it can be done !!!

Actually about that encryption. What’s the key? Salt of the key depends on unique device ID. Another part of the key must depend either on the fingerprint ID (which is easy enough, you don’t need the guy alive to get his fingerprints, people even leave fingerprints everywhere), or on a 4-digit PIN. Once you have code injection and can hack out the try counter and have a more direct path to inject the PIN numbers into the key generation algorithm, you can brute force them in a matter of minutes.

Six Strategies for Achieving Connected Security


A Holistic Approach is Critical for Securing Your Network

But a holistic approach is probably most critical when it comes to securing your network. Just when you think you have your network secured, there is always another threat — from outside or from inside. These threats have many names: spear phishing, botnets, zero-day threats, distributed denial-of-service (DDoS) attacks, insider threats and former employees. They are determined to exploit disconnected security — security tools, processes, user profiles and information that are separated in silos, leaving dangerous gaps in between.

The increasing complexity of IT environments only increases these gaps, providing attackers with many new opportunities to exploit. Consider the number of operating systems you are now slated to secure and the number of BYO devices that are a normal part of your organization’s operation, from smartphones and tablets to network-connected devices such as printers, scanners and kiosks. Yet BYOD is still in its infancy — just 24 percent of organizations say that BYOD is widely used and supported. And the Internet of Things (IoT) promises complexity on a scale that’s difficult to fathom, with analysts predicting that 6.4 billion connected things will be in use worldwide in 2016, and that the number will swell to 20.8 billion by 2020.

There’s no turning back. Your users want the mobility and flexibility BYOD provides, and your organization needs to remain agile and attractive to both current and prospective talent. But neither can you ignore the security threats that continue to grow in both number and sophistication.

6 Strategies for Achieving Connected Security

By abolishing technology tunnel vision and adopting a holistic, connected approach to security, you can embrace BYOD and new technologies while also protecting your IT network and systems from attackers. Here are the six key strategies:

  1. Discover and inventory all devices — Establish a complete and accurate inventory of all connected devices and keep it current with IT asset management software. You can’t secure what you don’t know about.
  2. Keep software up to date — Make sure that you are patching your operating systems and applications regularly. Using the latest versions of software is the starting point for eliminating vulnerabilities. Gartner, Inc., reports that nearly a third (30 percent) of system weaknesses can be resolved through patch management.
  3. Maintain antivirus software on all endpoints — Antivirus software was once considered the only line of defense against attackers. Although today you need other strategies as well, it’s still imperative that current antivirus software be in force on all of your managed systems.
  4. Deploy a modern firewall — Next-generation firewalls are no longer just for larger organizations. They offer critical new technologies that provide added protection and peace of mind, and they can be both affordable and easy to manage for organizations of any size.
  5. Conduct regular IT security audits and vulnerability assessments — With OVAL and SCAP scanning, you can get ahead of the curve in finding and remediating security holes in your IT endpoints.
  6. Encrypt your data — Security from the data level to the cloud is today’s mantra. Start with endpoint data encryption, which provides a solid defense against data loss from lost or stolen devices.

Encrypt or not to encrypt?

Overview of and comments on backdoors, frontdoors and the debate about it

To me, privacy means that I can decide to keep my data private, and neither an NSA or government agent, nor a Facebook/Dropbox/Google employee can see what is in there, if I don’t want it. This concept of privacy is not compatible with any kind of ‘doors’ – front, back or other – to user data.

Since UK Prime Minister David Cameron suggested earlier this year banning encryption, policy debates have intensified in the US, EU, UK and elsewhere about back- or frontdoors built into encryption systems. Certain parties argue that they need front- or backdoors to access tech companies’ data, to prevent and fight criminal activity. But both backdoors and frontdoors violate end user privacy, and if that weren’t reason enough against these doors, they also undermine the world’s overall cybersecurity. Let’s see why.

What are frontdoors and backdoors? – definition and examples

First, let’s get two expressions straight: what is a backdoor and what is a frontdoor.

A backdoor is a covert way to provide an entity with a higher level of access to a system than it should normally have. A backdoor is usually disguised as a random security bug, but instead of being an accidental mistake, it is planted intentionally. The key thing is that a backdoor is hidden, even from the system operator, which makes backdoors uncontrollable and hence dangerous: someone who is not supposed to use them can exploit them.

A frontdoor is a way to give higher access to a system, but in a way that is known to the participants, or at least to the system operator. It is also assured that only that entity can use the frontdoor. This is like a master key in a hotel for the maid.

Snowden uncovered several secret operations of the NSA, and that started the current debate on encryption backdoors and frontdoors. NSA director Michael S. Rogers argues for “front doors with a big lock”, meaning that in case of an investigation, the FBI or other authorities should have a legal and technical way to access encrypted content. The Washington Post created a graphic about the proposal: basically, the White House is considering two platforms, one where the authorities can recover encrypted data using a key escrow, and another where the recovery key is split between the platform vendor and the authority. In my view, neither of the proposed options provides a sufficient solution, especially as they do not guarantee non-US citizens that they are not monitored by (for them) a foreign government.

If you are new to the security industry, this debate might sound new, but the NSA has a long track record: Der Spiegel reported in 1996 that Crypto AG, a Swiss national pride, placed backdoors in their renowned crypto machines due to pressure from the NSA. Another, more recent example is the SP 800-90A standard proposal: researchers suspected that the NSA might have included a backdoor in one of the newly standardized pseudorandom generators (namely, Dual_EC_DRBG). This backdoor could have enabled the NSA to monitor anybody, regardless of their citizenship or whether they are using a strong encryption algorithm or not.

Also, we should not forget to mention the Gemalto SIM encryption key database hack: a joint effort by the NSA and the British GCHQ. To understand why this action is controversial, we need to understand how the GSM (and 4G/3G) network works. The SIM card stores a symmetric encryption key, which is used to encrypt the traffic in the air. Due to the nature of symmetric ciphers, the same key needs to be used by the GSM core network to decrypt the content. For that reason, the SIM keys are stored in a secure, central database called the Home Location Register, or HLR. HLRs are under the jurisdiction of the geolocal authority. That means the NSA already had a sort of control over the domestic encryption keys by default. But then why did they need to hack a respected vendor? Because it enabled them to get any user’s data without leaving a single mark. The former was actually admitted by General Keith Alexander in his keynote speech at the Black Hat conference in 2013, while he denied any covert domestic content monitoring.

These things all undermine the credibility of intelligence agencies and, in general, trigger sometimes unfounded suspicion. Not all secret operations are necessarily evil: after DES, which later became the predominant block cipher in the industry, was introduced by IBM in the early 1970s, the NSA tweaked its structure. The NSA lowered the key size and changed its deep structure (the S-boxes) without explanation. Many believed that the NSA had planted some backdoors, but it turned out later that the change actually increased the security of DES: the NSA had already discovered possible attacks and prepared against them.

All in all, backdoors in crypto systems are not recent inventions; we have seen several suspicious activities by government agencies throughout the past decades. Let me explain why backdoors and frontdoors are bad.

Why backdoors and frontdoors are bad? – the objective technical reasons

It’s not only ethical, philosophical and political problems that are involved with backdoors and frontdoors. There are also several technical reasons why it is extremely difficult to accomplish exceptional governmental access without making the whole Internet insecure. A recent MIT report by respected security scientists mentions quite a few challenges that a general governmental “frontdoor” would have to face. They state that introducing any frontdoors to encryption systems in a rush, without proper specification and proper system design, could lead to a disaster.

Our world increasingly relies on trustworthy connections through the Internet: individuals and businesses are banking online, companies transfer crucial business data through this network, governments communicate with their citizens online and so on. Due to this high economic dependence, we need to protect whatever goes through. The Internet could become so widespread because it adapted to the arising security challenges step by step. Frontdoors and backdoors would undermine its security and would undo the work that has been done so far.

There are 4 main technical issues with backdoors and frontdoors:

  1. New protocols: The installation of frontdoors & backdoors requires completely new security protocols, new research and development.
  2. Non-immune governmental agencies: Government agencies are not immune to attacks. Imagine the risk of a terrorist hacking a government agency and gaining access to all data about the US population.
  3. National governments versus global citizens: In our globalized world, who would decide which government has the frontdoor?
  4. High costs and uncertain results: A system that provides governmental frontdoors is complex and expensive. Who will foot the bill for that cost?

  1. New protocols: The installation of frontdoors & backdoors requires completely new security protocols, new research and development. The current security systems have been designed in a way that there is no exceptional access in the system. And more or less, they have been functioning OK so far. Forward secrecy is a good example: without it, if any party is compromised at any time in the future, all traffic could be decrypted. Current security protocols are not the best, but with backdoors, most of the accomplishments, like forward secrecy, would be ruined. Also, a new protocol that includes frontdoors needs to be analyzed thoroughly before implementation, which may take years. We’ve seen that most ad-hoc, non-analyzed protocols were cracked later on; just remember WEP, the Wi-Fi encryption.
  2. Non-immune governmental agencies: The assumption that a governmental agency is unhackable or not vulnerable is naïve, and proven to be wrong. Its employees are humans too: they can quit, gossip, be bribed or worse. Just think about Snowden: he walked away with a bunch of classified information. A few years ago, John Anthony Walker, a US officer, was convicted of spying for the Soviet Union for almost 20 years, between 1968 and 1985. No organization is unhackable: embarrassingly, even Hacking Team, a government supplier of surveillance and tracking software, was hacked in 2015. Damages can be major: in the recent breach of the US Office of Personnel Management, 21.5M social security numbers of government personnel were leaked. If some organization had a frontdoor to all the communication over the Internet, a breach would mean a breach of the entire Internet, a breach like nobody has seen before.
  3. National governments versus global citizens: In our globalized world, who would decide which government has access to users’ data? Or is this only a privilege of the NSA? If the NSA has access to users’ data, wouldn’t China or Russia have the right to claim the same? If you are a US citizen who is working on a project in Europe, should the European government have access to all your personal data? And what if you are working in China or Russia? And what if you are not just in Europe for a short project, but are actually living there as an expat? If you say no to any of those questions, then why should the US government have the right to access any foreign citizen’s data? I know these are provocative questions. But in our globalized world, people are working, buying and living in multiple countries. International trading could be completely killed by introducing frontdoor requirements at the country level: a US company with factories in Pakistan, suppliers in China and retailers in the EU would have to trust all those governments, because if backdoors and frontdoors were implanted, they would all have the right to access its confidential business data.
  4. High costs and uncertain results: Digital Rights Management (DRM) systems are good examples of how key management at a global scale can go wrong. Hollywood and the publishing industry have been trying to introduce a proper Digital Rights Management platform to prevent piracy, without a breakthrough yet. The similarities between DRM and the frontdoors are the following:
     • Both require complex cryptographic key management, as the content in DRM is encrypted or at least scrambled a bit.
     • Key management needs to have a global scale, without any exception: if a title is published without DRM even in a small number, pirates can copy and distribute that exception.
     • The key management is actually implemented by vendors, who have no interest in getting it right; e.g. a DVD player vendor is not incentivized to properly protect the DRM key. At the same time, those vendors are under serious competitive cost pressure.

Despite the billions of dollars and many years of research, all DRM systems have been cracked so far. Just think about DVD: pirates have found the weaknesses and the way around them. In the case of any frontdoor technique the stakes are much, much higher, so it would be really motivating to many criminal hackers. We also have less experience defending these systems than in the case of DRM, so any leak can be disastrous to all industries, not just “some” revenue loss for the publishing industry.
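The forward secrecy point in item 1 can be made concrete. The following is an added example, not code from the original article: it compares a session keyed from the server's long-term key, a session keyed from ephemeral Diffie-Hellman values, and an ephemeral session whose key is also wrapped for an escrow key. The toy 127-bit group, the HMAC used in place of a signature, the escrow wrapping scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: 127-bit prime, illustration only, far too small for real use).
P = 2**127 - 1
G = 3

def kdf(shared: int) -> bytes:
    """Derive a 32-byte key from a DH shared value."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Demo stream cipher: XOR with a SHA-256 counter keystream (encrypts and decrypts)."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def run_session(mode: str, server_priv: int, escrow_pub: int, plaintext: bytes) -> dict:
    """Run one client/server session and return only what a passive recorder sees."""
    c, C = keypair()                         # client ephemeral, discarded on return
    record = {"mode": mode, "C": C}
    if mode == "static":
        # No forward secrecy: the session key depends on the server's long-term key.
        session_key = kdf(pow(pow(G, server_priv, P), c, P))
    else:
        e, E = keypair()                     # server ephemeral, discarded on return
        session_key = kdf(pow(E, c, P))
        record["E"] = E
        # The long-term key only authenticates E (HMAC stands in for a signature).
        record["tag"] = hmac.new(server_priv.to_bytes(16, "big"),
                                 E.to_bytes(16, "big"), "sha256").digest()
        if mode == "escrow":
            # Exceptional access: the session key is wrapped for a long-lived escrow key.
            record["wrapped"] = xor_stream(kdf(pow(escrow_pub, e, P)), session_key)
    record["ct"] = xor_stream(session_key, plaintext)
    return record

def recover_with_stolen_key(record: dict, server_priv=None, escrow_priv=None):
    """Model a later key compromise: what does the stolen key yield for a recorded session?"""
    if escrow_priv is not None and "wrapped" in record:
        key = xor_stream(kdf(pow(record["E"], escrow_priv, P)), record["wrapped"])
    elif server_priv is not None:
        key = kdf(pow(record["C"], server_priv, P))
    else:
        return None
    return xor_stream(key, record["ct"])

if __name__ == "__main__":
    msg = b"constructed sample message"
    (s, _), (k, K) = keypair(), keypair()
    for mode in ("static", "ephemeral", "escrow"):
        rec = run_session(mode, s, K, msg)
        print(mode, "server key:", recover_with_stolen_key(rec, server_priv=s) == msg,
              "escrow key:", recover_with_stolen_key(rec, escrow_priv=k) == msg)
```

Only the ephemeral mode keeps recorded traffic safe after every long-lived key leaks; adding the escrow wrap brings back a single key whose loss exposes all past sessions.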

Conclusion:

So the answer to the question in the title is “yes, let’s encrypt”. I think encryption is crucial from multiple perspectives: security is important for the Internet ecosystem, and weakening that security can completely backfire on our freedom, economy and personal security. Also, any backdoor and frontdoor plans raise political, philosophical and ethical questions which lead to a debate that I think no one wants to take on. Legislative authorities try to address these new issues, but if different countries take different directions on this, it will undermine the potential growth of the global economy and the Internet ecosystem.

The 5 Biggest Cybersecurity Risks for Small and Medium Businesses

Cases of data breaches from major corporations around the world are becoming more and more frequent, much to the dismay of business owners all over the world. Every few weeks, there is a report about a big corporation’s data being leaked on some website, causing the company huge monetary losses as well as irreparable damage to reputation.

Although the alarming frequency of such high-profile data breaches would lead one to believe that the hackers must really have it in for large business owners, the fact still remains that small and medium business owners are just as susceptible to data breaches, if not more. Even if small and medium businesses realize that they are under threat as well, they might wrongly think that they would need to spend a large amount of money to keep the threat at bay.

The reality is anything but this. The major factor that decides whether you fall victim to such attacks is your level of negligence. Therefore, this article aims to make you aware of the 5 biggest threats your business might face.




The 5 biggest threats

1. Stolen laptops and mobiles
It is astonishing how much data is stolen or compromised when the devices used by employees are stolen. Whoever has access to the system can access the company data and use it as he or she wishes. Therefore, it is absolutely essential for businesses to encrypt all data that is carried on an employee’s portable device. This would ensure that the data remains protected in the event that the device is stolen.
2. Unsecured Internet Networks
This is a blatant overlooking of your business’s security. Wireless networks are used by all businesses, and even small businesses today require off-shore and remote employees to access corporate data from elsewhere. Therefore, having a secure network is important to prevent unauthorized personnel from entering your network and causing problems.
3. Spear Phishing
This is another term for email scams. Email scams are one of the oldest tricks of the trade for gaining access to a user’s system. Hackers quite often send such tampered emails to all employees of a company in the hope that one of them falls for it. These attacks spread like fire, so if one employee’s system is affected, the entire network could be compromised soon enough. This is something employees should keep an eye out for as well, for such emails are usually simple to spot.
4. Malware
Malware is any code that has malicious intentions and has the capability to cause serious problems in your system. Malware comes in different types, but it can be warded off by keeping good anti-virus and anti-malware software on hand. It is also important to regularly update your anti-virus.
5. Insider Threats
This is something that is not always the case but is always a possibility. An employee holding a grudge against your company might take things further by mishandling your sensitive corporate data. To prevent such a thing from happening, make sure employees have differing access to corporate data according to their rank in your company. It is also wise to record the activity of all employees, big or small, to know if something is amiss.

Conclusion

We saw in this article how small and medium businesses can be targeted. The amount of money to be spent on security systems is by no means huge. All it takes is a little background knowledge to invest right rather than invest big.

This is What the Public Really Thinks About FBI vs. Apple

DOJ v. Data Encryption – Public Perception and Communications Lessons

The heated dispute between Apple and the U.S. Department of Justice (DOJ) over the iPhone used by Syed Rizwan Farook before the San Bernardino, California, mass shooting has captured attention across America and the world. While this debate now focuses on one company’s decision, the implications go well beyond the mobile sector and even the whole technology industry. Companies and other organizations of all kinds responsible for managing personal data are concerned and need to be prepared to deal with the controversy’s impact.




To help deepen understanding about this complex issue, Burson-Marsteller, with their sister research firm Penn Schoen Berland, conducted a national opinion survey from February 23-24, 2016. The survey polled 500 General Population respondents (including 230 iPhone users) and 100 National Elites (individuals earning more than $100,000 per year who have college degrees and follow the news), and the results reveal critical communications issues around the fundamental conflict between privacy on the one hand and national security and safety on the other. Here are the key takeaways:

  • Overall awareness is high. Eighty-two percent of the General Population and 88 percent of National Elites have heard about the dispute. The news has gone viral, with people tweeting and posting on Facebook about it and commenting extensively online about news articles.
  • The FBI should have access to one phone, not all phones. Respondents say the government should not be given a tool that potentially gives it access to all iPhones. Sixty-three percent of the General Population and 57 percent of National Elites say Apple should only provide the FBI with the data from the phone in question, and the tools to do it should never leave Apple’s premises. It is clear the public wants this decided on a case-by-case basis, and respondents do not trust law enforcement and national security agencies to self-police and protect privacy.
  • The public expects companies to push back if there is the potential to violate privacy. Respondents say they want companies to protect the privacy of their data fully, even when the government is requesting data in the name of law enforcement or national security. A majority (64 percent of the General Population and 59 percent of Elites) says a company’s top obligation is to protect its customers’ data rather than cooperating with law enforcement or national security interests. However, most (69 percent of the General Population and 63 percent of Elites) see the need to compromise on privacy when terrorist threats are involved.
  • How the issue is framed determines public opinion. If the issue is framed as the FBI asking for access to this one phone, 63 percent of the General Population and 57 percent of Elites agree with the FBI position. If the issue is framed as potentially giving the FBI and other government agencies access to all iPhones, Apple’s position prevails overwhelmingly; 83 percent of the General Population and 78 percent of Elites agree Apple should either only grant access to the particular iPhone or refuse the request entirely.
  • Current laws are outdated. This situation reflects a much broader debate about privacy and security that will need to be resolved. About half (46 percent of the General Population and 52 percent of Elites) say current laws are outdated and need to be revised to reflect the changing role of technology in today’s society.

Regardless of the outcome of this current dispute, there is no question it is raising alarms about the state of data privacy. In the aftermath, companies will have to pay increasing attention to the expectations of their customers and consumers. The survey showed people are overwhelmingly concerned with the security and privacy of their digital data, with 90 percent of the General Population and 96 percent of National Elites saying they are very or somewhat concerned about the security and privacy of their personal information online or on their personal electronic devices. The Apple/DOJ dispute appears to be a turning point for all organizations trying to balance the demands of data privacy with national security and law enforcement considerations. The pressures on them are only going to grow.