Cybercrime , Cybersecurity , Data Breach
The Marriott mega-breach is calling attention to the issues of whether organizations are storing too much data and whether they're adequately protecting it with the proper encryption steps.
See Also: The Role of Threat Intelligence in Cyber Resilience
In its revised findings about a mega-breach that it now says affected 327 million customers, Marriott notes that 25.6 million passport numbers were exposed in the breach, of which 5.25 million were unencrypted. "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," Marriott says. But that doesn't mean that the attackers couldn't later brute-force decrypt the numbers (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Also exposed in the breach were approximately 8.6 million encrypted payment cards that were being stored by Marriott. By the time the breach was discovered in late 2018, however, Marriott says most of the payment cards had already expired. As with the passport data, "there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott says.
U.S. Sen. Mark Warner, D-Virginia, says the breach highlights a failure by many organizations to minimize the amount of data they routinely store on consumers.
"It's unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it's unconscionable that it kept this data unencrypted," said Warner, who co-chairs the Senate Cybersecurity Caucus, the Wall Street Journal reported.
Meanwhile, security experts around the world are calling attention to the need to take all necessary steps to properly encrypt sensitive data that organizations store.
Although cryptography is being added to more backend applications, it's often being implemented incorrectly, contends Steve Marshall, chief information security officer and head of cyber consulting at Bytes Software Services, a U.K.-based IT company. "This often leaves organizations with a false sense of security, which, unfortunately becomes evident when they are attacked," he says.
And with governments across the world pushing for encryption backdoors to be used by law enforcement, the hacking risks could get worse.
Jagdeep Singh, head of risk and governance at Instarem, a Singapore-based payments company, says many companies worldwide make common mistakes when implementing encryption. For example, they:
Tarun Pant, CEO at SecurelyShare, a Bangalore-based company, says too many organizations focus on encrypting data while it's transmitted but fail to encrypt it when it's at rest.
"Many organizations don't do end-to-end encryption of data," he says. "Hence, the weakest link is often the source of the breach. Data at rest, if not encrypted with source key, leads to breaches from within the organization."
Too many companies take a "check list" approach to data security, focusing narrowly on regulatory compliance. These firms often don't devote enough time and effort to properly implementing encryption, security experts say.
"Many development teams adding encryption to their code call it a day once they achieve the minimum security needed for a regulatory checkmark. This attitude is dangerous," Singh says (see: Demystifying DevSecOps and Its Role in App Security).
Kevin Bocek, vice president of security strategy and threat intelligence for Salt Lake City, Utah-based Venafi, a cybersecurity company that develops software to secure and protect cryptographic keys, says managing machine identities that are used to establish encryption is challenging for many organizations.
"Investigations have shown that simply not keeping track of machine identities, like TLS certificates, can create encrypted tunnels for hackers to hide in," Bocek says. "In addition, if a simple machine identity, like a key and certificate, not being updated, mobile networks across entire countries can be impacted."
Depending on where encryption occurs - column level vs. application level - what encryption techniques are used and what kind of vulnerability is being exploited, attackers can use many different techniques to cause data breaches, says Sandesh Anand, managing consultant at Synopsys, a Mountain View, Calif.-based technology company.
"Practitioners should not build their own crypto algorithms or libraries," he stresses. "They should instead focus on implementing well-known, peer-reviewed, secure algorithms properly."
Anand says the best algorithms to use are AES or Advanced Encryption Standard for symmetric encryption algorithm, RSA for asymmetric encryption algorithm and SHA-256 for hashing.
Mistakes in key management also can lead to trouble, Anand says. "Often firms end up either using short keys or they end up using the same key for months," he says. "Then there is the problem of insecure key management."
Pune-based Rohan Vibhandik, a security researcher with a multinational company, notes: "Storing or transmitting keys insecurely remains a common mistake, especially in case of a symmetric key where a single key is used at both ends - encryption and decryption."
While it's important to secure the storage of machine identities, including keys, it's become even more critical to be able to have the capability to change machine identities fast, Bocek stresses.
"Browsers can distrust Certificate Authorities. This means businesses have to quickly find and change out machine identities, like TLS keys and certificates, used for encryption," he says.
While encryption plays an important role in data security, it's not a cure-all, security experts stress.
"Encryption is just one of the many controls that protect data while in transit or at rest," Singh says. "However, there are numerous ways to circumvent encryption in a client-server model. "Also, encryption technologies and the way they get adopted are still evolving."
Anand notes: "Remember: The strength of a chain is the weakest link. So, if crypto keys are lying around in insecure locations or if database admins use weak passwords, data can still be breached. Finally, insecure application controls can also lead to a breach."
An important aspect of encryption is proper key management.
"Key management is a challenge that grows with the size and complexity of your environment," Pant says. "The larger the user base, the more diverse the environment, the more distributed the keys are. Hence the challenges of key management will be greater."
Singh recommends organizations avoid saving keys in the same server as the encrypted data.
"One needs to ensure that private keys, when stored, are non-exportable. Also, one must not use the same keys for both directions," he says. He also recommends adoption of proper standards, including TLS, or Transport Layer Security, while data is in transit. "Avoid using secure sockets layer as it is outdated," he emphasizes.
To help ensure that encrypted data remains untampered, adding a layer of hashing and salting is essential, Vibhandik says.
"When data is encrypted, one must hash it using functions like MD5 and SHA," he says. "To provide further layered security to the hashed data, SALT function must be used; that can prevent tampering of data.
"One must remember that hashing does not add any privacy to data; it only saves against any data alteration or tampering attempts. Encryption provides privacy to your data but does not make it tamper proof. So a combination of both is important for endpoint and end-to-end communication and data security."
See the original post here:
Encryption: Avoiding the Pitfalls That Can Lead to Breaches
- Hong Kong is number one in Asia for enterprise encryption, with customer personal information the top data protection priority, reports nCipher... - May 27th, 2020
- Are social giants morally obligated to break encryption? - ACS - May 27th, 2020
- Facebook plot to encrypt ALL chats will help child abusers to hide, former police chief warns - The Sun - May 27th, 2020
- Encryption Software Market To Expand At A Robust 14.27% Cagr Of 2020 | Sophos,McAfee,Check Point Software Technologies,Proofpoint,Trend Micro - 3rd... - May 27th, 2020
- Encryption Software Market Forecast Revised in a New Market Expertz Report as COVID-19 Projected to Hold a Massive Impact on Sales in 2020 | Long-term... - May 27th, 2020
- Global Homomorphic Encryption Market Analysis 2020-2025: by Key Players with Countries, Type, Application and Forecast Till 2025 - Cole of Duty - May 27th, 2020
- COVID-19 Impact ON AES Encryption Software Market: Size, Market Analysis, Application, Growth Drivers, Trends, status and Research Report by 2025 -... - May 27th, 2020
- Cloud Encryption Software Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - May 27th, 2020
- Global Encryption Key Management Market 2020 Insights, Key Player's Competition, Trends, Sales, Revenue, Supply, Demand, Growth Analysis and Forecast... - May 27th, 2020
- Starting to look at email security. Looking for guidance - Encryption Methods and Programs - BleepingComputer - May 25th, 2020
- Global Cloud Encryption Technology Market Projected to Reach USD XX.XX billion by 2025- Gemalto, Sophos, Symantec, SkyHigh Networks, Netskope etc. -... - May 25th, 2020
- Impact of Covid-19 on Cloud Encryption Technology Market is Expected to Grow at an active CAGR by Forecast to 2025 | Top Players Gemalto, Sophos,... - May 25th, 2020
- Zoom will seek public feedback on plan for stronger encryption - The Indian Express - May 16th, 2020
- Encryption Software Market Research Report 2020 By Size, Share, Trends, Analysis and Forecast to 2026 - Cole of Duty - May 16th, 2020
- Almost half of organisations have been reported to the ICO for a potential data breach - ResponseSource - May 16th, 2020
- VPN Tunnels explained: what are they and how can they keep your internet data secure - TechRadar - May 16th, 2020
- The Week in Ransomware - May 15th 2020 - REvil targets Trump - BleepingComputer - May 16th, 2020
- WhatsApp Video Calls Will Soon Support 50: This Is Why 8s The Limit For Your Security - Forbes - May 16th, 2020
- How to Use Encryption for Defense in Depth in Native and Browser Apps - InfoQ.com - May 14th, 2020
- Analyzing Encrypted RDP Connections - Security Boulevard - May 14th, 2020
- Analysis on Impact of COVID-19-Global Cloud Encryption Software Market 2020-2024| Increasing Use of In-built Cloud Encryption Solutions to Boost... - May 14th, 2020
- Vcrypt ransomware brings along a buddy to do the encryption - Naked Security - May 14th, 2020
- Move over Zoom, this encryption company just released the first fully end to end encrypted conferencing solution - Yahoo Finance - May 14th, 2020
- GovCon Expert Chuck Brooks: Three Steps for Protecting Data in the Public and Private Sectors - GovConWire - May 14th, 2020
- What is the difference between Symmetric and Asymmetric Encryption? - TWCN Tech News - May 14th, 2020
- Encryption Key Management Software Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- IoT Security Solution For Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Mobile Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Data Encryption Service Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Congress May Hand Bill Barr the Keys to Your Online Life - The New Republic - May 14th, 2020
- DataLocker Sentry K300 8GB Encrypted Thumb Drive Review - TweakTown - May 14th, 2020
- Hardware Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Global Cloud Encryption Software Market SHARE, SIZE 2020| EMERGING RAPIDLY WITH LATEST TRENDS, GROWTH, REVENUE, DEMAND AND FORECAST TO 2026 -... - May 14th, 2020
- Mobile Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Hardware Based Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Email Encryption Software Market Incredible Possibilities, Growth With Industry Study, Detailed Analysis And Forecast To 2025 - Bulletin Line - May 14th, 2020
- Google Duo is coming to the web via Chrome; features Family mode, end-to-end encryption - Moneycontrol - May 14th, 2020
- Global trade impact of the Coronavirus Commercial Encryption Software Market Applications and Company's Active in the Industry Science Market Reports... - May 2nd, 2020
- Email Encryption Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- U.S. Hardware Encryption Market (2019 to 2026) - by Algorithm & Standard, Architecture and Field-Programmable Gate Array, Product, Application,... - May 2nd, 2020
- Innovative Encryption Algorithm Developed in South Korea - BusinessKorea - May 2nd, 2020
- Online course trains students in the bizarre world of quantum computing - Livescience.com - May 2nd, 2020
- Encryption Software Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- COVID19 impact: Global Cloud Encryption Software Market Trends (Constraints, Drivers, Opportunities, Threats, Challenges, recommendations and... - May 2nd, 2020
- Review of the iStorage datAshur Pro2, an encrypted thumbdrive for home and work - Neowin - May 2nd, 2020
- Kanguru expands encrypted flash drive range with new 256GB options - Geeky Gadgets - May 2nd, 2020
- Global Encryption Management Solutions Market Size |Incredible Possibilities and Growth Analysis and Forecast To 2026 | Check Point Software... - May 2nd, 2020
- The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy - The Conversation AU - May 2nd, 2020
- Data Encryption Service Market Detailed Analysis of Current Industry Figures With Forecasts Growth by 2026| Microsoft, IBM, OneNeck - News Log Book - May 2nd, 2020
- ACLU, EFF still trying to get documents unsealed in Facebook encryption case - CyberScoop - April 29th, 2020
- Advanced Encryption Standard (AES): What It Is and How It Works - Security Boulevard - April 29th, 2020
- How Let's Encrypt changed the web with free, easy encryption - Fast Company - April 29th, 2020
- Group video calls of up to 100 participants, with encryption and noise cancellation - Explica - April 29th, 2020
- Analysis of COVID-19-Encryption Management Solutions Market 2019-2023 | Rising Demand For Digitalization to Boost Growth | Technavio - Yahoo Finance - April 17th, 2020
- Protecting consumers personal data becomes top reason for encryption, global study involving nCipher Security finds - Cambridge Independent - April 17th, 2020
- Signal: Well be eaten alive by EARN IT Acts anti-encryption wolves - Naked Security - April 17th, 2020
- Coronavirus tracing tech policy 'more significant' than the war on encryption - ZDNet - April 17th, 2020
- How a former NSA scientist grasped the Holy Grail of encryption and changed the paradigm for safely sharing data - SiliconANGLE - April 17th, 2020
- Zoom will let paying customers pick which data center their calls are routed from - The Verge - April 17th, 2020
- Encryption will be broken in the next four to five years - - Enterprise Times - April 17th, 2020
- Global Hardware-based Full Disk Encryption Market 2020 Comprehensive Research, SWOT Analysis, Key Players and Forecast by 2025 - Galus Australis - April 17th, 2020
- Signal Threatens to Leave the US If EARN IT Act Passes - WIRED - April 17th, 2020
- What is homomorphic encryption and how can it help in elections? | Microsoft On The Issues - Microsoft - April 17th, 2020
- Encryption Software Market Booming by Size, Trends, Top Key players and Forecast to 2026 - Science In Me - April 17th, 2020
- Hardware Encryption Technology Market SWOT Analysis by Key Outlook to 2026 | Illumina, Thermo Fisher Scientific, Roche Diagnostics - Cole of Duty - April 17th, 2020
- Bill to protect children online ensnared in encryption fight | TheHill - The Hill - March 13th, 2020
- Child exploitation bill earns strong opposition from encryption advocates - Washington Examiner - March 13th, 2020
- Senators Pretend That EARN IT Act Wouldn't Be Used To Undermine Encryption; They're Wrong - Techdirt - March 13th, 2020
- Patent hints that encrypted displays could appear on future Apple devices - TechSpot - March 13th, 2020
- Senators dispute industry claims that a bill targeting tech's legal shield would prohibit encryption - CNBC - March 11th, 2020
- The EARN IT Act Is a Sneak Attack on Encryption - WIRED - March 11th, 2020
- Krk WiFi vulnerability affected WiFi encryption on over a billion devices - Privacy News Online - March 11th, 2020
- The Benefits of Encryption and the Implications of Creating Backdoors - American Action Forum - March 11th, 2020
- Big Boom in Encryption Key Management Software Market that is Significantly Growing with Top Key Players Netlib Security, Fortanix, Avery Oden, AWS -... - March 11th, 2020
- Mobile Encryption Market to Witness Robust Expansion throughout the Forecast 2020-2026: McAfee(Intel Corporation), Blackberry, T-Systems... - March 11th, 2020
- Email Encryption Market Rising Trends, Technology and Business Outlook 2020 to 2026 - Best Research Reports - March 11th, 2020
- Crypto, Encryption, and the Quest for a Secure Messaging App - Bitcoin News - March 8th, 2020
- Encryption Flaws Leave Millions of Toyota, Kia, and Hyundai Cars Vulnerable to Key Cloning - Gizmodo - March 8th, 2020
- IoT Security Solution for Encryption Market to Boom In Near Future by 2026 Industry Key Players: Cisco Systems, Intel Corporation, IBM Corporation -... - March 8th, 2020
- What are the top-rated encrypted texting apps? - Fox Business - March 8th, 2020