- Ken Hawkins, BOHH CTO
However, where I’d like to focus is on the data itself, both at rest and in transit. Both states of data are commonly protected with modern AES-based encryption. These methods are strong but have one weakness that is continually exploited, most easily described as “brute force type attacks”: attacks that amount to repeatedly asking “can I have it?” or “is this item correct?” Cheap hardware, coupled with great improvements in processing speed, has made this guessing-based attack extraordinarily efficient, not only against networks but also against blockchain-based systems such as the one bitcoin is built upon, but that is another discussion altogether. Once we come to terms with this inherent weakness of AES, we can start to address the problem effectively.
Given that a business will easily spend millions to protect access to data, it would only make sense to secure the data itself as well. But wait, you say, we do that, right? Well, if you rely solely on TLS/SSL transport, then you are not protecting data; rather, you are attempting to hold the horde at the castle gate by monitoring access to potentially unencrypted data. Once inside, more often than not the network is wide open to the malicious code or individual, and like a kid in a candy store it can take control of data in some fashion; an unencrypted database is a gold mine of information. In the enterprise IT environment, TLS/SSL-based protections can be circumvented just as easily by an errant upgrade that exposes data, which we have seen too many times. If that update carries malicious code, it could tear open a hole and, at a minimum, siphon off your business’s important documents; worse, it could set up residence within the network. Once there, it can report back anything that happens on the network and/or the machine it is on. Of course, on its face this looks simple: just verify the updates, and smart IT professionals would never, EVER blindly apply an update to a production-facing server, right? Well, it does happen, and the majority of big breaches we hear about today are a product of that scenario. In our collective rush to “live update” hardware and software so we can develop at a faster pace and, in theory, adjust for attacks in real time, we forget that people make mistakes, and one seemingly small mistake can destroy a company’s livelihood, not to mention harm the individuals affected by the data stolen.
Once we wean ourselves off blind reliance on secure TLS/SSL protocols to police network traffic, the problem of securing data in the network becomes more easily addressable, and ultimately your data is safer. I’m not knocking the router companies or the many permutations of lightweight security-based web servers and software-based managers. We have come a long way, and coupled with today’s learning networks, they can be effective when combined with other methodologies involving elaborate routing and reporting systems, making a pretty good gatekeeper against TCP-layer attacks. However, most of those systems still rely on TLS/SSL as the core transport mechanism for verifying the requestor entering and exiting the network and accessing data.
To properly isolate data access and monitor for intrusions, the IT professional today has to take, at a minimum, a three-pronged approach to securing the data.
- Network traffic monitoring – Yes, watch and react quickly to questionable external and internal network traffic.
- Implement up-to-date access methodologies – This can be timed password rotation, hard locks on computers, etc.
- Encrypt the data – Ensure all data on the system or systems is properly encrypted at all times.
Properly addressing these areas is no small challenge for any of us as individuals; for the IT professional, it can seem practically impossible to always stay up to date and ahead of the hackers. Addressing data encryption and access in particular can be an ongoing battle, as users want data to be secure but do not want a complicated means of accessing it. Unfortunately, today’s encryption methods use a password or some form of unique key/passphrase to encrypt data, and we like to use only one password. This is a problem and always will be until we build a better mousetrap in regard to data encryption and access.