Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

Encryption is Necessary, Tools and Tips Make It Easier

In the InteropITX conference, a speaker provided tips, tools, and incentives for moving to pervasive encryption in the enterprise.

InteropITX 2018 — Las Vegas — Encryption is critical and encryption can be complicated. Fortunately, there are tips, techniques, and information tools that can help reduce the difficulty and make proper encryption more achievable and affordable for most organizations. That was the message Ali Pabrai was preaching from the platform in an early morning session on Thursday.

Pabrai, CEO of security consulting firm ecfirstm, began the session by running through some of the critical security incidents that have forced companies to the conclusion that encryption is not merely an option for enterprise security — it's a necessity.

October 21, 2016 was one of the dates Pabrai recalled because it was the day on which the Mirai botnet activated and went on the offensive against DNS provider Dyn. At the time the most powerful DDoS attack on record, Pabrai said that Mirai will be the model for more powerful attacks to come. Avoiding having company computers and IoT devices become part of an attacker's weaponized network is just one of the reasons he gave for encrypting as much data (and data traffic) as possible. Many of the other reasons involve regulations.

May 25, 2018 is the day that GDPR begins to be enforced. It has a lot to say about protecting data and notifying customers if unprotected data is breached. It's also not the first regulation with those requirements. "HITECH has been with us since 2010," said Pabrai, noting that the Health Information Technology for Economic and Clinical Health (HITECH) Act defines "unprotected data" and specifies actions to be taken when it is breached.

Beyond the various regulations regarding encryption and data, there are frameworks and tools that help organizations understand how to go about protecting data both at rest and in transit.

"You can't be in cybersecurity without being literate in the NIST framework," Pabrai said, noting that, on April 16, NIST introduced the Cybersecurity Framework 1.1. The framework is quite prescriptive regarding best practices for building encryption into an enterprise process. That makes it and PCI DSS — another highly prescriptive standard — especially valuable resources for enterprise data security professionals.

In addition to the large frameworks and regulations, Pabrai argued in favor of a low-tech tool and basic strategy for dealing with encryption.

The low-tech tool is a spreadsheet listing every possible enterprise attack surface (data base, mobile devices, IoT, etc.) and whether the state of encryption is yes, no, or unknown. He said  that this tool allows him to understand the basic security stance of an organization in a matter of minutes during the initial encounter.

The basic strategy is taking the argument for wide-spread encryption — that it dramatically reduces risk exposure — to the executive committee with questions about why they would want to take this critical step.

There's no doubt that encryption requires investment, Pabrai said, but compared to the financial risk of unprotected data it is an investment that makes sense for practically every organization.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...