Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
FAQ: Understanding The True Price of Encryption
Newest First  |  Oldest First  |  Threaded View
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
4/29/2014 | 8:44:59 AM
Re: Cost effective is not enough to win the war
Thank you. I think that file encryption with proper key management can protect media (os files and backups) but not the data flow (that now increasingly is under attack).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:38:52 AM
Re: Cost effective is not enough to win the war
Thanks for your thoughtful comment, Ulf, and also for raising the issue of data security and big data in the context of encryption, cloud computing and the recently released Verizon DBIR. That's a lot to think about! To  your point:

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory. My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.


If file encryption "won't stop the bad guys," in the era of cloud and big data, what is it's proper role?

Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
4/26/2014 | 10:28:49 AM
Cost effective is not enough to win the war
The good news is that the Verizon's "2014 Data Breach Investigations Report," is now available for download.

The bad news, as Wade Baker, principal author of the Data Breach Investigations Report (DBIR) series, says is that: "After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning."

My view is that that we are now more concerned about attackers that are targeting our data flow, including data in memory since the DBIR reported that "RAM scrapers" went from a low #17 in 2012 and shoot up the charts to a very concerning #4 spot in 2013. 

My view is that that we are now less concerned about attackers that are targeting our stored data since the DBIR reported that "Capture stored data" went from a #4 in 2012 and to a less concerning #9 spot in 2013 and "Privilege abuse" went from a #14 in 2012 and to a less concerning #17 spot in 2013.

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory.

My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

An important development was the addition of coarse-grained volume or file encryption will only solve one problem, protecting data at rest, but considering one of the primary goals is using the data, one might suggest that it provided little in the grand scheme of Data security.  Sensitive data in use for analytics, traveling between nodes, sent to other systems, or even just being viewed is subject to full exposure.

What they're seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and data utility. This balance is critical for Big Data and Cloud platforms.

Emerging Big Data and Cloud platforms are presenting new use cases that are requiring data insight for analytics, high performance and scalability for Big Data platforms cannot be achieved by old security approaches.  New security approaches are required since Big Data is based on a new and different architecture.

Big Data is introducing a new approach to collecting data by allowing unstructured data to be blindly collected. In many cases we do not even know about all sensitive and regulated data fields that are contained in these large data feeds. Analysis of the content is often deferred to a later point in the process, to a stage when we are starting to use the data for analytics. Then it is too late to go back and try to apply data security and compliance to regulations.

My view is that we now need to secure the data flow. The bad guys are no longer attacking stored data in files.

Ulf Mattsson, CTO Protegrity
theb0x
50%
50%
theb0x,
User Rank: Ninja
4/22/2014 | 10:33:00 AM
Encryption
I'm surpsied there are still software companies that actively utilize encryption schemes such as Blowfish cipher. Even with a 448 bit key it is still considered weak.

It's a poor choice of performance over security.

 
macker490
50%
50%
macker490,
User Rank: Ninja
4/22/2014 | 8:10:36 AM
Re: Key management must be part of the picture
this is an excellent post

those who have been following the "hacking" problem for a while will have probably realized that a failure to authenticate is a big part of the problem -- possibly the biggest part.   

the commercial sector keeps trying to provide authentication for us.   the Certificate Authorities provision of the SSL, TLS, and X.509 certificate system being the Prime Example.

still, attackers have broken through, -- Comodo and Digi-Notar being examples.

my take on this problem is that they have allowed the "attack surface" to become large.   Those familiar with Phil Zimmerman's original work will note that participation is required -- to maintain a proper Trust Model for PGP keys and/or x.509 certificates -- which rely on public key encryption

the resolution here may be to assign only marginal trust to the current method; each user should generate a key-pair for his/her system -- and then validate and countersign those certificate which require full trust.

examples of certificates needing full trust: Credit Union, online banking, online shopping, IRS reports,-- where there's money there will be scammers

another thing noted by Phil Zimmerman's original work: you must work from a secure o/s.   think about this. what are you using?    what sort of reputation does it have ?   is anything better available?

security is something you do not something you get.
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Ninja
4/21/2014 | 9:13:31 PM
Key management must be part of the picture
The key point here is, encryption alone is not good protection, even though to many users it is foolproof. On the contrary, encryption key management is what makes the process of encrypting work.
solcates
50%
50%
solcates,
User Rank: Author
4/21/2014 | 4:15:37 PM
Re: Rethinking encryption
Marilyn,

 

I think one of the biggest things to focus on in the advent of Heartbleed, is vendor management...  I had over 20 vendors effected by the Heartbleed bug, and had to focus our efforts on ensuring the vendor was responding quickly with a solution or effective workarounds.  

As with any software/hardware, there will be bugs.  It's the detection, and reaction to them is critical to get right.  
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:09:46 PM
Rethinking encryption
Thanks for a good overview on the ROI of encryption, Sol. In light of Heartbleed, what -- if any -- specific changes in corporate security would you recommend with respect to encryption. 


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11111
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVE-2020-11112
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVE-2020-11113
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-10374
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
CVE-2020-11104
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...