Written by Richard Henderson, CTO of InfoSec Global, North America.
In the age of ever-decreasing storage costs and ever-increasing compute power, the temptation to retain customer data indefinitely is a powerful one. The voracious appetite of teams inside organizations to collect and consume sensitive information is bigger than it’s ever been. But if recent data breaches like the one that just happened at Marriott teach us anything, it’s that there may be a staggering price to pay for poor data security. Calculating your liability for collecting, processing, and storing data is obviously not being done as well as it could be… and protecting that data appropriately is clearly being given short shrift.
While we still don’t know (and may never know) exactly what happened at Marriott, this isn’t the first time we’ve seen breaches where more effort to adequately protect data may have limited the damage done by attackers. Marriott has publicly stated that information including guest names, home addresses, email info, phone numbers, date of birth, passport numbers, and other data was taken. It appears that the attackers may have been resident inside Starwood’s systems for literally years.
Adobe’s massive password breach in 2013 taught organizations that not using proper password salting was barely better than storing things in plaintext, and led to popular web comic XKCD labelling the breach as “the greatest crossword puzzle in the history of the world”.
Yahoo’s breaches (which still hold the dubious record of being the largest breach ever) had multiple crypto failures: not all passwords were encrypted using modern methods, and backups chock full of personal information were taken. Why weren’t some of the passwords encrypted properly? Encryption of your sensitive backups should be part of every organization’s core security strategy.
More recently, the colossal Equifax breach showed us all that even firms that we would expect to have solid data protection measures in place had little or none. When ex-CEO Richard Smith testified to the House Energy and Commerce Committee, he made it clear that the stolen data wasn’t being encrypted at rest. And the recent T-Mobile data breach, executed through a vulnerable API, included encrypted passwords that may have been hashed using the outdated MD5 hashing algorithm.
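The salting point above (why an unsalted password store is "barely better than plaintext") can be shown directly. The following is an added example, not code from the original article: a constructed five-user table in which three users share a password, stored once as an unsalted digest and once with a per-user random salt and a memory-hard KDF (scrypt). Clustering the stored values shows the difference a defender cares about: unsalted, the shared-password users collapse into one group and their hints combine; salted, every record is unique.

```python
import hashlib
import os

# Constructed sample user table: (username, password, free-text hint).
# Hints stand in for the kind of reminders that leaked alongside Adobe's data.
USERS = [
    ("alice", "123456", "the usual"),
    ("bob", "123456", "one to six"),
    ("carol", "hunter2", "stars"),
    ("dave", "123456", "numbers"),
    ("erin", "correct horse", "xkcd"),
]

def unsalted_digest(password: str) -> str:
    """Hash with no salt: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: bytes = b""):
    """Per-user random salt plus scrypt; returns (salt_hex, key_hex) for storage."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex(), key.hex()

def verify_salted(password: str, salt_hex: str, key_hex: str) -> bool:
    """Recompute with the stored salt and compare against the stored key."""
    return salted_record(password, bytes.fromhex(salt_hex))[1] == key_hex

def cluster_by_stored_value(records):
    """Group (user, hint) pairs by stored value; a large cluster means a shared password."""
    clusters = {}
    for user, stored, hint in records:
        clusters.setdefault(stored, []).append((user, hint))
    return clusters

def largest_cluster_size(records) -> int:
    return max(len(v) for v in cluster_by_stored_value(records).values())

# Build both stores from the same sample table.
unsalted = [(u, unsalted_digest(p), h) for u, p, h in USERS]
salted = [(u, salted_record(p)[1], h) for u, p, h in USERS]

if __name__ == "__main__":
    print("unsalted, largest cluster:", largest_cluster_size(unsalted))  # 3: one shared password, hints pooled
    print("salted,   largest cluster:", largest_cluster_size(salted))    # 1: nothing to group on
```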
But problems with encryption go beyond the storage and transmission of data. A simple scan of the Internet shows that servers susceptible to Heartbleed are still out there chugging along. Many enterprises may not have any visibility into their total exposure to Heartbleed – simply because units inside the organization spin up their own infrastructure without strong security oversight. For other organizations, it took months upon months of work to clean up the mess and deploy updates to their infrastructure… and as recently as a year ago, years after Heartbleed exploded onto the scene, there were hundreds of thousands of unpatched servers still humming along.
Why do organizations struggle with data encryption, and cryptography in general? For many, it’s because data security continues to play second fiddle to business needs. For others, it’s simply a cost calculation: if the cost of protecting the data is higher than what the organization believes their data liability is, then they just cross their fingers and roll the dice. But are they actually quantifying their risk correctly? In the age of GDPR and other global regulations coming into force, it might be time to recalculate things… or pay the price when things go wrong.
So what exactly should organizations do to get a better handle on encryption and cryptography? It’s not something that can be fixed overnight, but it is something that needs to be put on the front burner. First off, do you know where cryptography and cryptographic assets exist in your environment? A complete cryptographic audit of your systems must be done to find old, weak, vulnerable, or hard-coded crypto that lurks in dark corners of your systems. Once you’ve found it all, you should also look at it the other way around: were you expecting to find crypto somewhere and you didn’t? If that’s the case, then you must start asking why. Was the decision made to not protect data because it was too costly to do so? It took too long to implement? Your developers had no crypto experience? Or did someone at the management level not assess the risk to the data correctly?
Beyond that, taking the time to verify that the crypto you are using is being used correctly is also essential. Have you checked configurations? Are you certain that key sizes are appropriate to protect against current attacks? Have you retired out-of-date algorithms wherever possible? Managing your entire cryptographic lifecycle should no longer be a “nice to have” option for organizations that collect, process, and store massive amounts of sensitive data.
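The audit described in the two paragraphs above (find weak, vulnerable, or hard-coded crypto; check key sizes; retire outdated algorithms) can be started with a rule-driven scan of source and configuration. This is an added example, not a tool from the article or from InfoSec Global: the file paths and lines are constructed, the rules cover only a handful of common findings, and the thresholds (RSA below 2048 bits, anything older than TLS 1.2) are assumptions to adjust to your own policy.

```python
import re

# Constructed sample inventory: (hypothetical path, one line of source or config).
SAMPLE = [
    ("auth/passwords.py", 'digest = hashlib.md5(password.encode()).hexdigest()'),
    ("auth/tokens.py", 'mac = hmac.new(key, msg, hashlib.sha256)'),
    ("infra/gen_keys.sh", 'openssl genrsa -out server.key 1024'),
    ("infra/nginx.conf", 'ssl_protocols SSLv3 TLSv1 TLSv1.2;'),
    ("app/crypto.py", 'AES_KEY = b"0123456789abcdef0123456789abcdef"'),
    ("app/crypto.py", 'cipher = Cipher(algorithms.AES(key), modes.GCM(nonce))'),
    ("legacy/transfer.c", 'DES_ecb_encrypt(&in, &out, &ks, DES_ENCRYPT);'),
]

# Each rule: (id, pattern, severity, remediation). Lookarounds instead of \b so that
# identifiers such as DES_ecb_encrypt or EVP_sha1 are still caught.
RULES = [
    ("WEAK_HASH", re.compile(r"(?i)(?<![a-z0-9])(md5|sha1)(?![a-z0-9])"),
     "high", "use SHA-256 or stronger; a password KDF for credentials"),
    ("WEAK_CIPHER", re.compile(r"(?<![A-Za-z0-9])(DES|3DES|RC4|Blowfish)(?![A-Za-z0-9])"),
     "high", "replace with AES-GCM or ChaCha20-Poly1305"),
    ("LEGACY_TLS", re.compile(r"\b(SSLv2|SSLv3|TLSv1(?:\.1)?)(?!\.\d)\b"),
     "high", "allow TLSv1.2 and TLSv1.3 only"),
    ("HARDCODED_KEY", re.compile(r"(?i)\b\w*(key|secret)\w*\s*=\s*b?['\"][0-9a-f]{16,}['\"]"),
     "critical", "move the key to a KMS or secret store and rotate it"),
]
RSA_KEYGEN = re.compile(r"genrsa\b.*?\b(\d{3,5})\b")
MIN_RSA_BITS = 2048  # assumed policy threshold

def scan_line(path, line):
    """Return a list of finding dicts for one line of source or config."""
    findings = []
    for rule_id, pattern, severity, fix in RULES:
        m = pattern.search(line)
        if m:
            findings.append({"path": path, "rule": rule_id, "match": m.group(0),
                             "severity": severity, "fix": fix})
    m = RSA_KEYGEN.search(line)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append({"path": path, "rule": "SHORT_RSA_KEY", "match": m.group(1),
                         "severity": "high", "fix": f"generate keys of at least {MIN_RSA_BITS} bits"})
    return findings

def audit(lines):
    """Scan every (path, line) pair; return all findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = [f for path, line in lines for f in scan_line(path, line)]
    return sorted(found, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:9}{f['rule']:15}{f['path']}: {f['match']!r} -> {f['fix']}")
```

Running it on the sample yields five findings, with the hard-coded key first; the AES-GCM line and the TLS 1.2 entry are correctly left alone.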
Cryptography has long been seen as a magical discipline that few know how to deploy correctly, and even fewer understand how it works. But it is going to be paramount for organizations to pull back the curtain on cryptography and figure out how to get it right. A solid encryption strategy helps keep your data safe, but only if you deploy it correctly. If you apply encryption technologies properly, stolen data is useless to the attacker.
As more and more nations consider bringing in their own strict rules and regulations similar to what the EU did with GDPR, the cost of compliance and the complexity of adhering to this myriad of new laws will be substantial. Cutting corners on strong data protection will surely cost more, though – not only in remediation costs, but also in punitive damages and company value.