Many governments seek to reduce access to strong encryption technology for national security reasons. Enter the “crypto wars” -- battles over government attempts to obtain access to encryption keys or to prevent the public or foreign powers from accessing strong encryption. The paradox is that the whole idea of data encryption loses its purpose if backdoors are created to circumvent it.
Kaspersky Labs’ Security Evangelist, David Balcar, believes it’s crucial for businesses to keep their encryption as hard and unbreakable as possible.
“It’s a matter of consumer trust,” says Balcar, who is responsible for supporting Kaspersky’s enterprise Anti-Targeted Attack Platform and Security Intelligence Services. Companies that don’t take threats to encryption technology seriously risk losing customers along with their hard-earned confidence.
“Imagine a bank that has the encryption between itself and customers compromised and does nothing to correct it. Who is going to want to conduct online banking with them?” Balcar asks. “If the bank’s mortgage brokers are in the field and their devices cannot be trusted to safeguard customer data, then the bank can’t conduct business. It’s a huge issue.”
PUBLIC’S SECURITY VS. YOUR PRIVACY
Security is a continuous battle between the “good guys” and the “bad guys”. But the line blurs with the addition of government agencies seeking to access encrypted data for national security purposes or to aid law enforcement.
Brought under the public spotlight during the 2013 Snowden leak, the “crypto wars” rage on. For example, in early 2016, the FBI obtained court orders to have Apple create software to unlock an iPhone recovered from one of the terrorist shooters in an attack in San Bernardino, California. The company refused.
“On one hand, you have the governments saying, ‘We need the ability to see all the data.’ But people have an inherent right to privacy,” he says. “How do you balance the public’s right to privacy with the police force’s ability to keep us safe? It’s a slippery slope.”
Balcar says there are always methods by which law enforcement can run investigations without being given backdoor access to encrypted data. “In the case of San Bernardino, law enforcement eventually paid $1 million to have someone crack the phone. Now Apple is suing them to find out how, so they can prevent it from happening again in the future.” When a backdoor exists, it is only a matter of time before cyber criminals can find and exploit it. And let’s not forget the Clipper chip debacle from a few years ago.
UPPING ENCRYPTION EFFORTS: ENCRYPTION BY DEFAULT
Balcar says companies like Apple and Google are recognizing consumers’ increased desire for security, and continue to ramp up the encryption technology incorporated in their products. Both companies have started to encrypt their mobile devices by default, rather than leaving them for customers to configure.
“And they’ve made the encryption so strong that even governments can’t decrypt it,” Balcar says. “The governments of the world can’t expect to have a backdoor into someone’s encrypted data and communications, because all backdoors eventually get discovered and used for bad things.”
“It’s a question of who’s watching the watchers,” adds Balcar. “I don’t know of a single company that would want the government to have access to all their private data.”
PASSWORD REUSE CONTINUES TO BE A THREAT
According to Balcar, despite the hype around quantum computing’s ability to break state-of-the-art encryption, one of the biggest risks companies face today is the common practice of reusing passwords across different systems.
“If one password is hacked, it doesn’t take a quantum computer to hack the others if they are the same,” he notes. “You’ve made the hacker’s job super-easy.”
Balcar sees quantum computing as a direct threat to current encryption algorithms, but cybercriminals are unlikely to need it right now, since the ongoing password dumps on the Internet make their work even easier. Some of these dumps result from improper use of encryption, or the lack of it, so how can you be sure your password is secure on a third-party site?
“Only time will tell,” he adds. “Quantum computing is a phenomenal next step in encryption and decryption technology. But it isn’t really in the hands of cybercriminals. Only research universities and a few companies around the world are utilizing this. Quantum computing is still in its infancy.” A research paper published in 2012 outlines how quantum cryptography can be attacked with a “man-in-the-middle” attack.
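The two controls that address the password-reuse and password-dump problem described above are screening new passwords against known leaks and storing credentials so that a stolen database is of little use. The script below is an added example, not code from the article or from Kaspersky: it emulates a k-anonymity “range” lookup (only a five-character SHA-1 prefix is sent to the lookup service, so the password itself never leaves the client) against a small leaked-hash set constructed inline, and stores passwords with a per-user random salt and PBKDF2 so that two accounts using the same password produce different digests. The leaked-hash set, the 12-character minimum and the iteration count are assumptions of this example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed stand-in for a leaked password dump: SHA-1 hashes of passwords
# seen in (hypothetical) breaches, with how often each was seen. Real breach
# corpora are distributed in this shape; this one is built inline so the
# example runs offline.
LEAKED_SHA1 = {
    hashlib.sha1(b"password123").hexdigest().upper(): 120_000,
    hashlib.sha1(b"Summer2016!").hexdigest().upper(): 850,
    hashlib.sha1(b"letmein").hexdigest().upper(): 40_000,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> dict[str, int]:
    """Emulate a k-anonymity 'range' query: the client sends only the first
    five hex characters of the SHA-1 and receives every leaked suffix sharing
    that prefix, so the full hash (and the password) never leaves the client."""
    return {h[5:]: n for h, n in LEAKED_SHA1.items() if h[:5] == prefix}


def leaked_count(password: str) -> int:
    full = sha1_upper(password)
    return range_lookup(full[:5]).get(full[5:], 0)


def screen_password(password: str, min_len: int = 12) -> tuple[bool, list[str]]:
    """Reject passwords that are short or already in a leak: a leaked password
    is one an attacker will try first, whichever site it was stolen from."""
    reasons: list[str] = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    n = leaked_count(password)
    if n:
        reasons.append(f"appears {n} times in leaked dumps")
    return (not reasons, reasons)


# Storage side: a dump of properly stored credentials is far less useful.
# Each record gets its own random salt and a slow KDF (PBKDF2-HMAC-SHA256),
# so identical passwords on different accounts produce different digests.
ITERATIONS = 210_000  # assumed work factor for this example


def hash_for_storage(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    for pw in ("letmein", "password123", "correct horse battery staple"):
        print(pw, screen_password(pw))
    salt_a, digest_a = hash_for_storage("Summer2016!")
    salt_b, digest_b = hash_for_storage("Summer2016!")
    print("same password, different stored digests:", digest_a != digest_b)
```

The range lookup is the part worth copying: it lets a password policy consult an external leak corpus without disclosing the password, while the salted, iterated storage means that even if the local database leaks, it does not reveal which users chose the same password.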
COMPANIES ARE ONLY AS VIGILANT AS THEIR SECURITY STRATEGY
“Look closely at the options available and test them for your environment, because there is no silver bullet,” Balcar continues. He provides IT and security managers with a few key tips:
- Check your encryption methods and make sure they are working. If you are using DES (Data Encryption Standard), which is known to be breakable, Balcar suggests upgrading to AES (Advanced Encryption Standard) or higher forms of encryption.
- Stay informed about what’s happening on the security landscape -- not just what is affecting your company, but also your industry as a whole.
- Look at security as “layers of an onion”. Don’t just consider the encryption of your data at rest, but also the encryption needs for data in transmission.
- Clarify what needs to be secured and at what level. “You might not need to encrypt the monthly newsletter,” Balcar says, “but the company’s intellectual property -- a chemical formula or the Colonel’s secret recipe -- is something that needs to be protected. Start with what’s most important.”
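The first and third tips above (check that your encryption methods are current, and consider data at rest separately from data in transit) can be turned into a routine audit. The script below is an added example, not code from the article or from Kaspersky: it scans a small configuration constructed for this example, flags ciphers from obsolete families (DES, 3DES, RC4, RC2, MD5-based suites, NULL and EXPORT grades) and proposes an AES-based replacement appropriate to the layer. The key naming (`storage.`/`backup.` for data at rest, `tls.`/`vpn.` for data in transit) and the configuration format are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample configuration written for this example; the key prefixes
# that map to "at rest" and "in transit" are an assumption of the example.
SAMPLE_CONFIG = """\
# encryption settings (constructed example)
storage.cipher = DES-CBC
backup.cipher  = AES-256-GCM
tls.ciphers    = ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:RC4-SHA
vpn.cipher     = 3DES-CBC
"""

AT_REST_PREFIXES = ("storage.", "backup.")
IN_TRANSIT_PREFIXES = ("tls.", "vpn.")

# Cipher families that should no longer appear in a current configuration.
WEAK_FAMILIES = {
    "DES": "56-bit key, brute-forceable with commodity hardware",
    "3DES": "64-bit block size and poor performance; deprecated",
    "RC4": "biased keystream, broken in TLS",
    "RC2": "legacy 64-bit block cipher",
    "MD5": "collision-prone hash used for the MAC",
    "NULL": "no confidentiality at all",
    "EXPORT": "deliberately weakened export-grade keys",
}

SUGGESTIONS = {
    "at rest": "AES-256-GCM (authenticated) with a managed key",
    "in transit": "TLS 1.2+ with ECDHE and AES-GCM or ChaCha20-Poly1305 suites only",
    "other": "AES-128 or AES-256 in an authenticated mode",
}


@dataclass
class Finding:
    key: str
    cipher: str
    layer: str
    family: str
    reason: str
    suggestion: str


def layer_for(key: str) -> str:
    if key.startswith(AT_REST_PREFIXES):
        return "at rest"
    if key.startswith(IN_TRANSIT_PREFIXES):
        return "in transit"
    return "other"


def weak_family(cipher: str) -> str | None:
    """Return the weak family a cipher name belongs to, or None if it looks
    acceptable. Names are tokenised on '-' and '_' so 'AES' never matches 'DES',
    and 3DES spellings such as DES-CBC3 / DES-EDE3 are folded into '3DES'."""
    tokens = set(re.split(r"[-_]", cipher.upper()))
    if "DES" in tokens and tokens & {"CBC3", "EDE3", "EDE"}:
        return "3DES"
    if "EXP" in tokens:
        return "EXPORT"
    for family in WEAK_FAMILIES:
        if family in tokens:
            return family
    return None


def parse_config(text: str) -> list[tuple[str, str]]:
    """Yield (key, cipher) pairs from 'key = cipher[:cipher...]' lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        for cipher in re.split(r"[:,\s]+", value):
            if cipher:
                pairs.append((key, cipher))
    return pairs


def audit(text: str) -> list[Finding]:
    findings = []
    for key, cipher in parse_config(text):
        family = weak_family(cipher)
        if family:
            layer = layer_for(key)
            findings.append(Finding(key, cipher, layer, family,
                                    WEAK_FAMILIES[family], SUGGESTIONS[layer]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count weak ciphers per layer so both layers of the onion get attention."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.layer] = counts.get(f.layer, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.key}: {f.cipher} [{f.layer}] {f.family}: {f.reason} -> {f.suggestion}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Run against a real configuration export, the same token-based matching works for OpenSSL cipher strings, SSH and VPN settings, and storage-encryption options; the useful output is the per-layer summary, which shows at a glance whether the at-rest and in-transit layers have both been reviewed.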
In addition to maintaining strong encryption algorithms and enforcing good password policies, Balcar suggests that a company’s security strategy must be holistic.
ENCRYPTION IS, OF COURSE, JUST ONE PART OF THE EQUATION.