The Marriott mega-breach is calling attention to the issues of whether organizations are storing too much data and whether they're adequately protecting it with the proper encryption steps.
In its revised findings about a mega-breach that it now says affected 327 million customers, Marriott notes that 25.6 million passport numbers were exposed in the breach, of which 5.25 million were unencrypted. "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," Marriott says. But that doesn't mean that the attackers couldn't later brute-force decrypt the numbers (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Also exposed in the breach were approximately 8.6 million encrypted payment cards that were being stored by Marriott. By the time the breach was discovered in late 2018, however, Marriott says most of the payment cards had already expired. As with the passport data, "there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott says.
U.S. Sen. Mark Warner, D-Virginia, says the breach highlights a failure by many organizations to minimize the amount of data they routinely store on consumers.
"It's unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it's unconscionable that it kept this data unencrypted," said Warner, who co-chairs the Senate Cybersecurity Caucus, the Wall Street Journal reported.
Meanwhile, security experts around the world are calling attention to the need to take all necessary steps to properly encrypt sensitive data that organizations store.
Although cryptography is being added to more backend applications, it's often being implemented incorrectly, contends Steve Marshall, chief information security officer and head of cyber consulting at Bytes Software Services, a U.K.-based IT company. "This often leaves organizations with a false sense of security, which, unfortunately, becomes evident when they are attacked," he says.
And with governments across the world pushing for encryption backdoors to be used by law enforcement, the hacking risks could get worse.
Jagdeep Singh, head of risk and governance at Instarem, a Singapore-based payments company, says many companies worldwide make common mistakes when implementing encryption. For example, they:
Tarun Pant, CEO at SecurelyShare, a Bangalore-based company, says too many organizations focus on encrypting data while it's transmitted but fail to encrypt it when it's at rest.
"Many organizations don't do end-to-end encryption of data," he says. "Hence, the weakest link is often the source of the breach. Data at rest, if not encrypted with source key, leads to breaches from within the organization."
Too many companies take a "check list" approach to data security, focusing narrowly on regulatory compliance. These firms often don't devote enough time and effort to properly implementing encryption, security experts say.
"Many development teams adding encryption to their code call it a day once they achieve the minimum security needed for a regulatory checkmark. This attitude is dangerous," Singh says (see: Demystifying DevSecOps and Its Role in App Security).
Kevin Bocek, vice president of security strategy and threat intelligence for Salt Lake City, Utah-based Venafi, a cybersecurity company that develops software to secure and protect cryptographic keys, says managing machine identities that are used to establish encryption is challenging for many organizations.
"Investigations have shown that simply not keeping track of machine identities, like TLS certificates, can create encrypted tunnels for hackers to hide in," Bocek says. "In addition, if a simple machine identity, like a key and certificate, isn't updated, mobile networks across entire countries can be impacted."
Depending on where encryption occurs - column level vs. application level - what encryption techniques are used and what kind of vulnerability is being exploited, attackers can use many different techniques to cause data breaches, says Sandesh Anand, managing consultant at Synopsys, a Mountain View, Calif.-based technology company.
"Practitioners should not build their own crypto algorithms or libraries," he stresses. "They should instead focus on implementing well-known, peer-reviewed, secure algorithms properly."
Anand says the best choices are AES (Advanced Encryption Standard) for symmetric encryption, RSA for asymmetric encryption and SHA-256 for hashing.
Mistakes in key management also can lead to trouble, Anand says. "Often firms end up either using short keys or they end up using the same key for months," he says. "Then there is the problem of insecure key management."
Pune-based Rohan Vibhandik, a security researcher with a multinational company, notes: "Storing or transmitting keys insecurely remains a common mistake, especially in case of a symmetric key where a single key is used at both ends - encryption and decryption."
While it's important to secure the storage of machine identities, including keys, it's become even more critical to be able to have the capability to change machine identities fast, Bocek stresses.
"Browsers can distrust Certificate Authorities. This means businesses have to quickly find and change out machine identities, like TLS keys and certificates, used for encryption," he says.
While encryption plays an important role in data security, it's not a cure-all, security experts stress.
"Encryption is just one of the many controls that protect data while in transit or at rest," Singh says. "However, there are numerous ways to circumvent encryption in a client-server model. Also, encryption technologies and the way they get adopted are still evolving."
Anand notes: "Remember: The strength of a chain is the weakest link. So, if crypto keys are lying around in insecure locations or if database admins use weak passwords, data can still be breached. Finally, insecure application controls can also lead to a breach."
An important aspect of encryption is proper key management.
"Key management is a challenge that grows with the size and complexity of your environment," Pant says. "The larger the user base, the more diverse the environment, the more distributed the keys are. Hence the challenges of key management will be greater."
Singh recommends organizations avoid saving keys in the same server as the encrypted data.
"One needs to ensure that private keys, when stored, are non-exportable. Also, one must not use the same keys for both directions," he says. He also recommends adoption of proper standards, including TLS, or Transport Layer Security, while data is in transit. "Avoid using secure sockets layer as it is outdated," he emphasizes.
To help ensure that encrypted data remains untampered, adding a layer of hashing and salting is essential, Vibhandik says.
"When data is encrypted, one must hash it using functions like MD5 and SHA," he says. "To provide further layered security to the hashed data, SALT function must be used; that can prevent tampering of data.
"One must remember that hashing does not add any privacy to data; it only saves against any data alteration or tampering attempts. Encryption provides privacy to your data but does not make it tamper proof. So a combination of both is important for endpoint and end-to-end communication and data security."
See the original post here:
Encryption: Avoiding the Pitfalls That Can Lead to Breaches