Endpoint
2/2/2016
10:30 AM
Doug Clare
Commentary

Encryption Has Its Place But It Isn't Foolproof

Most encrypted data is unencrypted at some point in its lifecycle -- and the bad guys are pretty good at finding the one window left open.

Last year, an uncovered Snowden document from the US National Intelligence Council warned that the slow deployment of encryption and other technologies is putting government and private computers at risk of cyber attacks. The annual cost of cybercrime to the global economy is estimated at over $400 billion. Encryption is viewed by many experts as the go-to security technology, but data breaches and other attacks continue to rise despite advances in encryption.

Arguing against encryption would be a bit like arguing against locks on doors. Strong encryption is a basic defense against the damage that might flow from a successful attack on information infrastructure. Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it. 

Sticking with the locks-on-doors analogy, rational people may also install an alarm system on their doors and windows. At my house, I have deadbolt locks on my doors. I also have an alarm system that warns me if a door or window is opened -- regardless of the time. The locks on my doors and windows serve to protect me from intrusion but I know these systems fail for a variety of reasons. Perhaps I’ve forgotten to lock a window. Perhaps one of my kids decides to sneak out for a rendezvous with friends. Or perhaps someone has actually broken a lock in an attempt to enter. My alarm system alerts me and provides me an opportunity to respond.  

[COUNTERPOINT: As Good As They're Getting, Analytics Don't Inherently Protect Data, by Scott Petry, Co-Founder and CEO, Authentic8]

A similar analogy can be drawn from home security to national security. Regardless of your political leanings, the features of a strong defense are well understood – secure borders, big guns, and various “walls and moats” strategies. But governments have deployed layered defenses for millennia, which include both physical defenses and intelligence assets that warn them of threats. Spies, intelligence services, and counter-intelligence are all indispensable, integrated components of national security. Their mission is to detect and counteract threats that aren’t necessarily subject to the controls of strong basic defenses. 

Encryption, while not a physical defense, is much like other basic defense mechanisms that serve to block access to items of value. Like other basic defenses, encryption is not foolproof. It can be evaded and undermined, and it can be prone to errors in deployment; encryption keys can be lost, stolen, or inadvertently exposed. Perhaps even more likely is a situation where we believe we’ve encrypted everything, when in fact we’ve encrypted almost everything. Most encrypted data is unencrypted at some point in its usage lifecycle. The bad guys are pretty good at finding the one window left open.  

Analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture. In the past, cybersecurity analytics were focused on gathering data about compromises, developing threat “signatures,” and using those signatures to protect against future threats, all comprising another form of defense that served to block an attacker.  

Identifying threats in real time

Advanced detection analytics, by contrast, identify emerging threats by recognizing anomalous patterns in real time. Many of these techniques have commercial and technical roots in high-volume network assurance applications (e.g., telecommunications) as well as financial fraud detection (e.g., banks and insurance). While many firms label their signature-based detection methods as “analytics,” the analytics are largely static and built to block known threats and therefore fall into the category of basic defenses.

What differentiates the emerging field of detection analytics from these basic defenses (including physical security, firewalls, encryption, and signature-based detection methods) is that advanced detection analytics are focused on finding anything unusual or threatening that gets by your basic defenses. And since we brought Snowden into this already, let’s include those threats that emerge from the inside.  

Big data stores and emerging forensic tools can be a critical aid in unwinding complex attacks and data exfiltration schemes. But at the forefront of cyber threat detection analytics are real-time streaming analytics applied to data flow within the network, and the profiling of entities (e.g., sensors, devices, servers, routers, and human actors) engaged in network communications. With the help of machine learning, organizations can harvest actionable behavioral analytic insights from huge streams of data traffic in two ways:

  • Self-calibrating models constantly recalibrate traffic behavior of monitored entities, and score anomalies for the extent of their deviation from the norm.
  • Self-learning analytics improve with each resolved alert, serving to systematically automate the insights of human security analysts as they work cases.

Building an ever-clearer picture of the typical behavior of individual entities, these two approaches enable streaming analytics to better identify threats. They also help minimize false positives – a huge problem as many large organizations are currently sorting through hundreds of thousands of alerts each day. And most importantly, these technologies work in real time – providing, for the first time, the ability to sense and respond to the most egregious threats as they happen, and before damage is done. 
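The two approaches just listed, as an added illustration that is not code from the article or from FICO: a per-entity self-calibrating baseline (exponentially weighted mean and variance of bytes sent per minute) that scores each new observation by its deviation from that entity's norm, plus an analyst-feedback step that adjusts the entity's alert threshold as cases are resolved. The entity names, flow volumes, the 5% spread floor and the 0.9/1.25 feedback factors are all constructed assumptions.

```python
from collections import defaultdict
from math import sqrt
# Constructed sample input: (entity, bytes sent in a one-minute window).
# "db01" sends a steady ~5 MB/min and then one 80 MB burst; "web01" stays normal.
SAMPLE_FLOWS = [
    ("db01", 5_000_000), ("db01", 5_200_000), ("db01", 4_900_000),
    ("db01", 5_100_000), ("db01", 5_000_000), ("db01", 80_000_000),
    ("web01", 900_000), ("web01", 950_000), ("web01", 910_000), ("web01", 1_000_000),
]

class EntityProfile:
    """Self-calibrating baseline for one entity: exponentially weighted mean and variance."""
    def __init__(self, alpha=0.1, warmup=3):
        self.alpha, self.warmup = alpha, warmup
        self.mean, self.var, self.n = None, 0.0, 0
    def score(self, value):
        """Deviation from the entity's norm in standard deviations; 0 until warmed up.
        The spread is floored at 5% of the mean (assumed) so a near-constant history
        does not flag harmless jitter as an anomaly."""
        if self.n < self.warmup:
            return 0.0
        spread = max(sqrt(self.var), 0.05 * abs(self.mean))
        return abs(value - self.mean) / spread
    def update(self, value):
        """Recalibrate the baseline with a new observation (EWMA of mean and variance)."""
        if self.mean is None:
            self.mean, self.n = float(value), 1
            return
        diff = value - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.n += 1

class StreamingDetector:
    """Scores observations per entity and learns thresholds from resolved alerts."""
    def __init__(self, base_threshold=4.0):
        self.profiles = defaultdict(EntityProfile)
        self.thresholds = defaultdict(lambda: base_threshold)
    def observe(self, entity, value):
        profile = self.profiles[entity]
        score = profile.score(value)
        alert = score > self.thresholds[entity]
        if not alert:  # a flagged outlier must not drag the baseline toward itself
            profile.update(value)
        return score, alert
    def resolve_alert(self, entity, true_positive):
        """Self-learning step: analyst feedback tightens or relaxes this entity's threshold."""
        self.thresholds[entity] *= 0.9 if true_positive else 1.25

def run(detector, flows):
    """Feed a stream of flow records; return (entity, value, score, alert) per record."""
    return [(e, v, *detector.observe(e, v)) for e, v in flows]
```

Only the 80 MB burst from db01 is flagged; web01's small climb stays under the threshold, and the baseline of a flagged entity is left untouched so the outlier cannot become its new normal.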

It’s worth noting that these analytic approaches are tried and tested. Many of the underlying technologies, including the AI/machine learning analytics, have been protecting most of the world’s credit cards for years. The fraud teams at card issuers use these systems not only to detect fraud, but to set the level of risk that triggers investigation or card blocking, in order to balance loss prevention with a positive customer experience. Moreover, these fraud systems do not require issuers to hire armies of analytic techies. By crunching data to prioritize the biggest threats, they simplify the lives of fraud professionals, and the same would hold true in information security.

While encryption and other basic defense approaches will always have their place in security strategies, encryption alone does not prevent hackers from stealing data. Adding advanced analytic techniques to cybersecurity portfolios complements and can close the gaps left by encryption (and signature-based security) by detecting emerging and evolving attack patterns in real time. As a best practice, companies must advance beyond basic defenses, and enhance their security posture with the analytic equivalent of an effective intelligence service. It’s time to bolster our walls and moats with spies and intelligence.

Doug Clare is vice president of product management, leading the FICO(r) Analytic Cloud initiative and FICO's cyber security product team. He has been with FICO for more than 25 years, and has deep expertise in helping banks and other businesses manage fraud, risk, compliance ...

Comments
macker490
User Rank: Ninja
2/3/2016 | 7:55:57 AM
Schneier notes on NSA presentation
system attack process summary:

intrusion phases
  • reconnaissance
  • initial exploitation
  • establish persistence
  • install tools
  • move laterally
  • collect, exfil and exploit

the event was the usenix enigma conference.


reference (schneier)

https://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html


attackers don't care about passwords, authentication, or encryption: they work by attacking the endpoints with root kits and other un-authorized programming. Until the industry addresses this issue there will be no meaningful progress against computer fraud and abuse.
Christian Bryant
User Rank: Ninja
2/2/2016 | 7:17:50 PM
Data That Stays Encrypted, Is Read While Encrypted
The window of opportunity is a very valid point, and the only one that matters in arguing for more advanced protection of data. One imagines technology down the road that can accomplish the (seemingly) impossible. That is, one only ever deals with encrypted data, and that data as a whole is never decrypted. However, via a variety of reading methods, the reader can 1) read the data (if a document) line by line where a reader decrypts a certain number of lines using a different key for each paragraph, encrypting the data again using a new cipher as it moves along the document, or 2) the data is printed out using a printer that similarly decrypts chunks using different keys, dropping a bit of decrypted data into a secure print queue, then moving on to another print queue, all the while the user must authenticate over time to keep the processes available, whether reading at a terminal, or receiving printed items. An option could be to have to destroy data already read before the rest will print; or that it must be locked into a safe box before one could move on to the rest of the material.

These are examples of overkill – perhaps even comedic, but with the right processing power and the right infrastructure, there is no reason extremely sensitive documents can't remain secure and those windows never open, since the windows are actually removed, or mostly removed.  Yes, people are the remaining "window" and always will be, but there are ways to keep that to a dull minimum, too, depending on the information.  As a rule, data should never travel (whether on media or over the Internet) in a decrypted state.  Layering the encryption as described requires time with today's tech, but can be done as computing power increases.  Layering the human factor could work, too, where you require a minimum number of people to be able to translate and use decrypted data, depending on the nature of the information.

I suspect that time and money are a huge reason why so much data that might otherwise be secured is out there, and if we took twice as much effort to lock it down with today's tech and resources, we'd be in much better shape. But in the end, we need to get rid of the windows and doors, over-complicate our security measures and tech so that once we know we are having a hard time already just getting to the data we are supposed to have access to, we'll know we are doing a better job of securing the information other eyes are never supposed to see. If we can get to the ultimate state where data is even read while encrypted (I'm imagining this will be when biotech has reached a certain maturity), we'll be in great shape, indeed!