“Finally, after years of government officials advocating for encryption backdoors, and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers, the USG has now suffered a breach that seems to involve skilled hackers stealing encryption keys from USG servers,” reads the statement from December 21, 2020, by Senate Finance Committee Member Ron Wyden.
What happened? The Treasury Department got hacked. Hackers got access to email accounts of, and systems used by, a number of the department’s high-ranking officials. The hackers used the SolarWinds network monitoring solution to deploy a malicious update in the system. Once they gained access to the network, they created an encrypted “token” to sign into Microsoft-based email accounts. This allowed the hackers to pose as legitimate users and go unnoticed for months.
So, today let’s discuss the subject of encryption, and what steps your organization should take to ensure its data safety.
The basics of encryption
Encryption is the process of scrambling data into an unreadable format, or a ciphertext. Only those with a decryption key can decipher the information through a process called “decryption.”
Encryption is far from a new concept – think the Enigma Machine and the communication advantage it provided to the German military in World War II.
However, with most communication taking place digitally and information being stored on the cloud, encryption is a vital element of a robust cybersecurity system.
Symmetric vs asymmetric encryption
There are two main ways to encrypt and decrypt data. The difference lies in the encryption and decryption keys. Symmetric encryption uses a single key to both encrypt and decrypt information. Asymmetric encryption uses two keys – a public one that’s used to encrypt information and a private one to decrypt it.
While symmetric encryption is faster and does not require as many resources, it is not a scalable system. Since a single key is used, anyone who gains unauthorized access to that key can not only read the data, but also modify and re-encrypt it. The system requires a rigid key hierarchy and regular key rotation.
Asymmetric encryption systems, on the other hand, are slower but provide stronger security. The public key – the one for data encryption – is shared. The private key – the one for data decryption – is not. The keys are also significantly longer than in symmetric systems.
Symmetric encryption is generally used for large data transfers. Asymmetric encryption is more suitable to establish a secure communication channel prior to data transfer.
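The division of labor described above, where asymmetric encryption sets up the channel and symmetric encryption carries the bulk data, is shown here as an added example that is not part of the original article. It uses Node.js's built-in crypto module; the function names, the pairing of RSA-OAEP with AES-256-GCM, and the sample message are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// RSA-OAEP settings used to wrap and unwrap the symmetric key (assumed choice).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient key pair, generated only for this example (2048-bit RSA).
const newRecipient = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Sender: encrypt the bulk data with a fresh AES-256-GCM key, then wrap
// that key with the recipient's public key so only they can recover it.
function seal(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32); // one-time symmetric key
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, never reused per key
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the AES key with the private key, then decrypt.
// Returns null if the key does not unwrap or the GCM tag does not verify.
function open(privateKey, msg) {
  try {
    const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, msg.iv);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed demo: one intended recipient, one unrelated key holder,
// and one copy of the message with a single ciphertext bit flipped.
function demo() {
  const intended = newRecipient();
  const other = newRecipient();
  const msg = seal(intended.publicKey, Buffer.from('quarterly payroll export'));
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  return {
    recovered: open(intended.privateKey, msg).toString(),
    wrongKey: open(other.privateKey, msg),
    tampered: open(intended.privateKey, tampered),
    wrappedKeyBytes: msg.wrappedKey.length,
  };
}
console.log(demo());
```

The slow RSA operation only ever touches the 32-byte data key, so the cost of the asymmetric step stays constant however large the payload is.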
Examples of encryption in daily activities
To better visualize the role encryption plays in our daily lives, here are just a few examples of the technologies that utilize it.
● HTTPS websites – in the last decade, there has been a significant push to make HTTPS the dominant communication protocol on the Internet. Whenever you visit an HTTPS website, the communication between your browser and the server where the website resides is encrypted. This allows you to log into your online banking, purchase things online using your credit card, and conduct a dozen other activities securely.
● Messaging apps – while not a feature for all applications, those that offer end-to-end encryption allow the communication between you and the other party to remain private. That data can’t be as easily accessed by third parties and used for malicious purposes.
● Cloud storage – whenever you upload data to cloud storage solutions such as Dropbox or Google Drive, it is encrypted. This allows you to keep your data from prying eyes and share it only with the users of your choice.
Types of encryption
These are the most common types of encryption.
Symmetric encryption:
● Triple Data Encryption Standard (Triple DES): the DES block cipher uses a 56-bit key. Triple DES uses the same algorithm to generate three 56-bit keys, meaning data is encrypted three times. It is slow and considered outdated.
● Advanced Encryption Standard (AES): developed by the US National Institute of Standards and Technology in 2001, AES is also known as “Rijndael.” AES uses three block ciphers: 128 bits, 192 bits, and 256 bits. This encryption uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Each round consists of a set of processing steps to create a ciphertext. AES is the most popular type of encryption in the world and is used by the US government to classify information.
● Twofish: designed by Bruce Schneier, Twofish uses pre-computed, key-dependent S-boxes with a block size of 128 bits and a key length of up to 256 bits. While the security of this encryption algorithm is solid, it is slower than AES, which is why it is not nearly as popular.
Asymmetric encryption:
● Rivest–Shamir–Adleman (RSA): this type of encryption functions on 1024-bit key length, which can be further extended to 2048-bit. Due to the length of the key and the asymmetric nature of this encryption, it is considered one of the most secure types of encryption. However, it is also significantly slower than symmetric encryption types and more resource-heavy.
Selecting the right encryption software for your organization
For most organizations – government agencies included – strong encryption protocols are mandatory. There are numerous laws on the subject – e.g. the California Consumer Privacy Act of 2018, the Federal Information Processing Standards, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, etc.
Government agencies almost exclusively use the AES encryption type. As such, there are many solutions on the market that utilize this algorithm. Here are a few points to consider when evaluating your options:
- Integration
Create a list of the technology used within your system and make sure the solution that you pick integrates with your infrastructure, leaving no important software unprotected.
- Certification
The two most important certifications you should look for in your encryption software provider are the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 and the Common Criteria for Information Technology Security Evaluation. The former is a US government computer security standard; the latter is an international one.
- Key management
Keys allow users to safely decipher information. Therefore, the solution that you pick must have a top-of-the-line automated key management system that generates, distributes, and manages keys securely and efficiently. Furthermore, make sure to check if the system has a reliable recovery method in the event that keys are lost.
- Ease of encryption
Your staff will fail to encrypt data if it is not an intuitive, user-friendly process. Encrypting should be complicated on the back-end. On the front-end, the solution that you use should provide a seamless experience.
- Scope
Alright, your system is secure and data is encrypted. However, what happens when someone tries to save data on a USB drive or transfer it to their personal cloud storage? Depending on the sensitivity of the data that you store and communicate, you may want to pick a solution that does not allow encrypted data to be moved outside of the internal system without proper authorization.
- Encrypting data at rest vs data in motion
Do you need your encryption software to keep data encrypted even when it is simply stored, also known as data at rest? Should encryption apply to data that’s being transmitted, also known as data in motion? Does the solution offer multiple levels of encryption, allowing you to select which data should remain encrypted at all times? These questions must be answered before selecting a vendor.
- Failure protocols
Make sure the software you purchase has robust failure protocols – actions that will be taken in the event of a malfunction or breach. This will allow you to mitigate the damage in the event of a software failure.
An effective cybersecurity posture acts as a multi-layered defense system. Encryption is your last line of defense. It further minimizes the risk of damages to your organization resulting from your data being stolen. Even if hackers get into your system, they will have a hard time decrypting the data they access. However, a successful layer of encryption protection requires strict compliance by your staff. A study found that 58% of employees say that their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted. This severely undermines the security of data. In one of our next articles, we will talk about data management strategies that your organization should be adamant about enforcing.