The Marriott mega-breach is calling attention to the issues of whether organizations are storing too much data and whether they're adequately protecting it with the proper encryption steps.
In its revised findings about a mega-breach that it now says affected 327 million customers, Marriott notes that 25.6 million passport numbers were exposed in the breach, of which 5.25 million were unencrypted. "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," Marriott says. But that doesn't mean that the attackers couldn't later brute-force decrypt the numbers (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Also exposed in the breach were approximately 8.6 million encrypted payment cards that were being stored by Marriott. By the time the breach was discovered in late 2018, however, Marriott says most of the payment cards had already expired. As with the passport data, "there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott says.
U.S. Sen. Mark Warner, D-Virginia, says the breach highlights a failure by many organizations to minimize the amount of data they routinely store on consumers.
"It's unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it's unconscionable that it kept this data unencrypted," said Warner, who co-chairs the Senate Cybersecurity Caucus, the Wall Street Journal reported.
Meanwhile, security experts around the world are calling attention to the need to take all necessary steps to properly encrypt sensitive data that organizations store.
Although cryptography is being added to more backend applications, it's often being implemented incorrectly, contends Steve Marshall, chief information security officer and head of cyber consulting at Bytes Software Services, a U.K.-based IT company. "This often leaves organizations with a false sense of security, which, unfortunately, becomes evident when they are attacked," he says.
And with governments across the world pushing for encryption backdoors to be used by law enforcement, the hacking risks could get worse.
Jagdeep Singh, head of risk and governance at Instarem, a Singapore-based payments company, says many companies worldwide make common mistakes when implementing encryption. For example, they:
Tarun Pant, CEO at SecurelyShare, a Bangalore-based company, says too many organizations focus on encrypting data while it's transmitted but fail to encrypt it when it's at rest.
"Many organizations don't do end-to-end encryption of data," he says. "Hence, the weakest link is often the source of the breach. Data at rest, if not encrypted with source key, leads to breaches from within the organization."
Too many companies take a "check list" approach to data security, focusing narrowly on regulatory compliance. These firms often don't devote enough time and effort to properly implementing encryption, security experts say.
"Many development teams adding encryption to their code call it a day once they achieve the minimum security needed for a regulatory checkmark. This attitude is dangerous," Singh says (see: Demystifying DevSecOps and Its Role in App Security).
Kevin Bocek, vice president of security strategy and threat intelligence for Salt Lake City, Utah-based Venafi, a cybersecurity company that develops software to secure and protect cryptographic keys, says managing machine identities that are used to establish encryption is challenging for many organizations.
"Investigations have shown that simply not keeping track of machine identities, like TLS certificates, can create encrypted tunnels for hackers to hide in," Bocek says. "In addition, if a simple machine identity, like a key and certificate, is not updated, mobile networks across entire countries can be impacted."
Depending on where encryption occurs - column level vs. application level - what encryption techniques are used and what kind of vulnerability is being exploited, attackers can use many different techniques to cause data breaches, says Sandesh Anand, managing consultant at Synopsys, a Mountain View, Calif.-based technology company.
"Practitioners should not build their own crypto algorithms or libraries," he stresses. "They should instead focus on implementing well-known, peer-reviewed, secure algorithms properly."
Anand says the best algorithms to use are AES (Advanced Encryption Standard) for symmetric encryption, RSA for asymmetric encryption and SHA-256 for hashing.
Mistakes in key management also can lead to trouble, Anand says. "Often firms end up either using short keys or they end up using the same key for months," he says. "Then there is the problem of insecure key management."
Pune-based Rohan Vibhandik, a security researcher with a multinational company, notes: "Storing or transmitting keys insecurely remains a common mistake, especially in case of a symmetric key where a single key is used at both ends - encryption and decryption."
While it's important to secure the storage of machine identities, including keys, it's become even more critical to be able to have the capability to change machine identities fast, Bocek stresses.
"Browsers can distrust Certificate Authorities. This means businesses have to quickly find and change out machine identities, like TLS keys and certificates, used for encryption," he says.
While encryption plays an important role in data security, it's not a cure-all, security experts stress.
"Encryption is just one of the many controls that protect data while in transit or at rest," Singh says. "However, there are numerous ways to circumvent encryption in a client-server model. Also, encryption technologies and the way they get adopted are still evolving."
Anand notes: "Remember: The strength of a chain is the weakest link. So, if crypto keys are lying around in insecure locations or if database admins use weak passwords, data can still be breached. Finally, insecure application controls can also lead to a breach."
An important aspect of encryption is proper key management.
"Key management is a challenge that grows with the size and complexity of your environment," Pant says. "The larger the user base, the more diverse the environment, the more distributed the keys are. Hence the challenges of key management will be greater."
Singh recommends organizations avoid saving keys in the same server as the encrypted data.
"One needs to ensure that private keys, when stored, are non-exportable. Also, one must not use the same keys for both directions," he says. He also recommends adoption of proper standards, including TLS, or Transport Layer Security, while data is in transit. "Avoid using Secure Sockets Layer as it is outdated," he emphasizes.
To help ensure that encrypted data remains untampered, adding a layer of hashing and salting is essential, Vibhandik says.
"When data is encrypted, one must hash it using functions like MD5 and SHA," he says. "To provide further layered security to the hashed data, SALT function must be used; that can prevent tampering of data.
"One must remember that hashing does not add any privacy to data; it only saves against any data alteration or tampering attempts. Encryption provides privacy to your data but does not make it tamper proof. So a combination of both is important for endpoint and end-to-end communication and data security."
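Putting the advice above into code, as an added example that is not from the article or from any company quoted in it: a passport number is sealed with AES-GCM, an authenticated mode that gives confidentiality and tamper detection in one primitive, under a per-record data key that is itself wrapped under a master key kept away from the database, so a stolen table yields neither plaintext nor the master key. The function names, the use of the customer ID as associated data, and the HSM/KMS placement of the master key are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-GCM; a wrong key length is a programming error, so it panics.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail since Go 1.24; it crashes instead
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptPassport returns (wrappedKey, ciphertext) for one row: a fresh data key seals
// the passport number, bound to the customer ID via aad, and that data key is wrapped
// under the master key, which stays in the HSM/KMS (assumed) rather than beside the data.
func EncryptPassport(masterKey []byte, customerID, passport string) ([]byte, []byte) {
	dataKey := make([]byte, 32) // AES-256 data key, unique per record
	rand.Read(dataKey)
	return seal(masterKey, dataKey, []byte(customerID)),
		seal(dataKey, []byte(passport), []byte(customerID))
}

// DecryptPassport unwraps the data key, then opens the row; tampering or a mismatched
// customer ID yields an error rather than silently wrong data.
func DecryptPassport(masterKey []byte, customerID string, wrappedKey, ciphertext []byte) (string, error) {
	dataKey, err := open(masterKey, wrappedKey, []byte(customerID))
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, ciphertext, []byte(customerID))
	return string(pt), err
}
```

A database dump exposes only wrapped keys and ciphertexts; without the master key neither decrypts, and any bit flipped in a row is caught on read.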
Encryption: Avoiding the Pitfalls That Can Lead to Breaches