Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/2/2019
10:00 AM
Ramon Peypoch
Ramon Peypoch
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case for Encryption: Fact vs. Fiction

The common belief that encryption enables bad behavior primarily used by thieves, international terrorists, and other villainous characters is simply not true. Here's why.

Encryption engenders passionate opinions and reactions from a variety of government regulators, technologists, and privacy and security advocates. It's become the de facto standard of online commerce and communication, embraced by technocrats and security pros everywhere.

Conversely, some governments routinely seek to destabilize encryption through legislation, regulation, or dictatorial fiat. A common approach is to require device manufacturers and technology providers to implement "backdoors" in an attempt to break end-to-end encryption in order to surveil conversations deemed high risk. Such efforts are generally met with strong objections from privacy rights advocates.

There is also an evolving focus on user privacy, perhaps most prominently triggered by the passage of the European Union's General Data Protection Regulation, but now surging in many other parts of the world. Regulations and user concerns are forcing shifts in technology vendor practices, for example:

  • Apple's announcements at their recent Worldwide Developer Conference declaring data privacy as a fundamental human right that will be central to all Apple products;
  • The pullback by Google to restrict third-party developers' access to Google user data that previously had been accessible; and
  • Facebook amending its corporate privacy stance given numerous recent scandals.

These threads are converging, putting encryption at the center of major business, government, and societal shifts. The fact is that encryption is a highly reliable method of safeguarding devices and information in the digital age. It is, in effect, the foundation of modern computing and collaboration. While it can't serve as a comprehensive security solution for all issues an enterprise may face, it does offer a powerful backstop when intrusions and breaches occur.

For instance, you might think of encryption as relevant for protecting digital assets from being stolen. But cybercriminals are very savvy and continually up the cat-and-mouse security game; in reality, company assets are stolen every day. It's better to acknowledge that every asset, whether it resides on a corporate website, a government database, or elsewhere, is at risk of compromise. When compromise occurs, encryption is the last layer of defense, preventing thieves from utilizing what's been taken.

Just in recent weeks, we've seen several reports of high-profile breaches involving sensitive customer information:

  • A massive American Medical Collections Agency data breach ensnared data from medial testing giants Quest Diagnostics (11.9 million patient records) and Lab Corp (7.7 million patient records).
  • Real estate title insurance giant First American Financial leaked hundreds of millions of digitized customer documents.
  • There was also research published by Digital Shadows reporting 2.3 billion files stolen.
  • Additional research from the vpnMentor research team revealed 11 million photos were exposed due to a misconfigured cloud service.

While these breaches are filling headlines and causing ongoing customer worries, the situation would likely be quite different had these files been encrypted.

Encryption's Mistaken Beliefs & Unintended Consequences
If we consider government backdoor access demands, aside from the privacy concerns, imposing such actions actually could have unintended and contradictory consequences. For example, a government might compel a mobile phone manufacturer to install a backdoor that breaks encryption in high-risk situations such as terrorism incidents. But once such a mechanism exists, it is implausible in this active cyber threat environment that only that government entity would be able to access and utilize it. Realistically, it will be utilized by both good and bad actors, and is ultimately likely to cause more problems than obviating the problem it was originally intended to solve.

There are a few other common but erroneous beliefs about encryption that need to be dispelled. One is that because it's so hard to use, only sophisticated users can take advantage of it. Practically speaking, encryption is no longer just about locking down hard drives. It's now about protecting information at the point of creation and then being able to dynamically update policies around that data wherever it goes. Modern approaches can actually make this fairly simple to apply.

Another mistaken belief is that encryption is easily breakable. While sophisticated nation-states can harness the significant processing power needed to decrypt protected assets, that's not a common situation. Frankly, it's just easier for attackers to move on to other targets with unencrypted data stores.

Finally, there's a common belief that encryption enables a lot of bad behavior — that it's only used by thieves, international terrorists, and other villainous characters. This is simply not true. Encryption is actually central to our digital lives and enables trillions of dollars of secure commerce from banking transactions to the myriad online consumer and enterprise services we all utilize on a daily basis.

Encryption forms the essential underpinning of our virtual world. With the emotion that often gets packed into discussions and decisions about how encryption should be used, it's important to pause, separate fact from fiction, and responsibly apply this powerful tool to advance the security of the systems and data that enable our modern lifestyles.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

A proven leader in the security industry, Ramon leads Vera Security's product strategy, management and market delivery. Prior to Vera, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was vice president, web protection at McAfee. With a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...