Before we jump in, we need to make the following clear: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow down your adversary by making their job difficult and eventually forcing them to move on to a more easily accessible target (or, more colloquially, go for the low-hanging fruit). Although this fact should be relatively obvious, both of us still experience – more often than we would like to admit – “experts” professing they can provide “total security” because they have the latest and greatest technology.
As we indicated in our previous article (making sense of big data), big numbers are, in fact, hard for mere mortals like us to make sense of. In the same fashion, humans are really bad at understanding probabilities (for those who seek greater understanding of the topic, Nassim Nicholas Taleb, author of The Black Swan and Fooled by Randomness, explains the subject well). “Low” probability is in fact quite different from “zero” probability, but we often make the mistake of equating the two (and such a mistake could be perilous). Therefore, the next time somebody says, “this encryption cannot be broken,” ask the following: “Is it unbreakable forever or just unbreakable for the next 15 years because computational power is not strong enough yet?” This distinction matters. Sure, some argue that Moore’s Law is dead in the sense that we are reaching a plateau, yet if we ever figure out this quantum computing thing, many of our existing encryption methods are going to get crushed. Our little preamble comes down to this: if somebody wants it badly enough, chances are they are going to get it. (Remember, low tech like good old-fashioned social engineering can still bite you.)
What that means for you goes as follows: slow them down and make their life so painstakingly frustrating and miserable it is not worth their time to try to steal, manipulate, and exploit your data. Encryption and tokenization are ways to slow the bad guys down.
The World Relies on Encryption
Almost certainly you have used encryption today. In fact, we can guarantee you are using it today. How so? Well, Tripwire uses HTTPS, a protocol which encrypts the connection between you and Tripwire’s server. For the non-tech talkers, what does that mean? It means that you can be quite certain that you are really on Tripwire’s website and not some spoof, as HTTPS authenticates the website and provides the protections of privacy and integrity to the data, all the while doing its best to stop man-in-the-middle (MiM) attacks. So whether you are making a phone call or withdrawing money from the ATM or buying something online, there is a very good chance your data has been encrypted today. All of this is pretty basic stuff, but everyday users are perhaps unaware of how pervasive encryption is in their lives.
We have come to a bit of a conundrum now: encryption is used all over, but encryption is not used widely enough. For example, we explained the benefits HTTPS offers, but a March 2016 Google audit showed that “79 of the web’s top 100 non-Google sites don’t deploy HTTPS by default, while 67 of those use either outdated encryption technology or offer none at all.” In defense of some of the companies named in the article, since the release of the audit, some have upgraded to HTTPS.
Remember the following: encryption can happen in different states. For example, when discussing HTTPS, we were discussing “Data-in-Motion” (DiM) that was being encrypted. We started with plain text then used some sort of key to scramble (encrypt) it into cipher text – in order to send it over some transmission line – and the person at the other end had a key that could unscramble (decrypt) the cipher text back into plain text. And we can do just the same process to encrypt “Data-at-Rest” (DaR) so that if the data is stolen or lost (say, like on a USB key or laptop), all that the unauthorized people should be able to view is a bunch of cipher text.
There are also two basic ways to encrypt information: symmetric (also known as “secret key” encryption) and asymmetric (public key encryption). Microsoft has a very good and easy-to-understand description of them here. The algorithms and their keys are designed to provide not only confidentiality but also authentication (making sure the message is true), integrity (making sure the message has not been tampered with), and nonrepudiation (a way to assure that something cannot be denied). So how can we summarize encryption? Well, it is not only a method to protect your data from people you do not want to see it, but also a way to make sure that data is real and true. For these reasons, encryption is great for everything from sending sensitive information, to securing your email, to keeping your cloud storage safe, and even hiding your entire operating system. And if you really want to make your adversary’s life miserable, yes, you can encrypt encrypted data! All of these applications of encryption help slow down an actor. But before we go full-out-encrypt-everything-mode, it would be disingenuous of us not to reference some of our concerns, which we outline here. Another way to slow down your adversaries is through a technique called tokenization. It is similar to encryption in the sense that plain text gets scrambled up into something that cannot be deciphered, but the process and use are somewhat different.
One More Protective Step: Tokenization
The simplest way to differentiate encryption and tokenization goes like this: encryption transforms a message into some cipher text based on rules and steps, whereas tokenization relies on a codebook to transform the message. Tokenization is not a mathematical system, but it still replaces sensitive data with non-sensitive substitutes (a token) using randomization. For a more in-depth examination of the differences, look here. Therefore, if you do not have the original key, you really have no way to decrypt the message. This is why tokenization is great for credit card transactions: you minimize the exposure of your information sitting on a database you do not control (or are even aware of in some cases). Let us explain: say we do not want your plain text information (your credit card number in this case) stored with a third party (such as a retailer). Tokenization does the following: once your credit card gets swiped, the information is run through a tokenization system (where a token is created), and then the retailer retains and uses the token for transactions. A more illustrative example can be found here. First, let us discuss the main advantages of tokenization. Tokens can only be used in specific places. Say you walk into Bob’s Shop (and Bob uses a tokenization system) to buy a piece of gum. When you pay for the gum using your credit card, the token created will only be good for Bob’s Shop. That means if you walk to Sally’s Store down the street (who also uses a tokenization system) and buy a piece of candy using the exact same credit card, a totally separate token is created, one that is only good for Sally’s Store. That leads us to the next advantage: if all of Bob’s tokens are stolen, you do not need to worry about changing your credit cards, as – in theory – there should be no way to decrypt the randomized tokens.
In other words, a retailer’s database is useless to an adversary precisely because these meaningless tokens cannot be reverse engineered (unlike encrypted data, which – in theory – can be decrypted once the cryptographic system is broken). Chances are you have used tokenization, as many digital transactions have gone this route, and even Visa and MasterCard are teaming up to make the system more robust, especially to prevent fraud. But now you must be asking the obvious question: what are the disadvantages of tokenization? We do not need a separate article for that, as the disadvantages are quite straightforward. First disadvantage: size of data. Again, referring back to the previous article on big data, you would have to create tokens for all your existing data. That is quite an exhaustive, extensive, and expensive process, though emerging technologies are making mass-scale tokenization possible. Second disadvantage: you become tied to a tokenization system. The drawbacks of being tied to any system are fairly straightforward. Next disadvantage, yup, you guessed it: the tokenization system (the codebook) is quite the gem of gems to steal. Like most things in this world, tokenization operates through trust and confidence. If we lose that confidence, the system begins to fall apart. Therefore, when we use tokenization, we trust the third party to take all precautions to protect the codebook (yes, the third party may very well be using encryption to protect the codebook). And this is a good place to tie up these techniques: use them in tandem, because as you do, you make your adversary’s life that much more difficult.
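The Bob’s Shop and Sally’s Store scenario above, as an added Python sketch that is not from the original article: the TokenVault class, the merchant names and the test card number are assumptions made for illustration. It shows that a token is a random entry in a codebook, that it is good for one merchant only, and that only the holder of the codebook can map it back.

```python
import secrets


class TokenVault:
    """The codebook. It lives with the tokenization provider, not the retailer."""

    def __init__(self):
        self._by_token = {}  # token -> (merchant, card number)
        self._by_card = {}   # (merchant, card number) -> token

    def tokenize(self, merchant, pan):
        key = (merchant, pan)
        if key in self._by_card:  # same card, same shop: reuse that shop's token
            return self._by_card[key]
        while True:
            # Random digits with no mathematical relation to the card number.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = key
        self._by_card[key] = token
        return token

    def detokenize(self, merchant, token):
        owner, pan = self._by_token.get(token, (None, None))
        if owner is None or owner != merchant:
            raise PermissionError("token is not valid for this merchant")
        return pan


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    bob = vault.tokenize("bobs-shop", pan)
    sally = vault.tokenize("sallys-store", pan)
    results = {"bob": bob, "sally": sally,
               "bob_pays": vault.detokenize("bobs-shop", bob) == pan}
    try:
        # Tokens stolen from Bob's database are presented at Sally's Store.
        vault.detokenize("sallys-store", bob)
        results["stolen_token_usable"] = True
    except PermissionError:
        results["stolen_token_usable"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The two dictionaries inside the vault are the codebook: anyone who copies them can reverse every token, which is why that system is the part that needs the strongest protection.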
If Your Data Must be Out There, Make it Meaningless
We talked about encryption and tokenization, but we should also know that data masking (or obfuscation) is another technique for making your data meaningless to an unauthorized actor. And therein lies the point of this piece: since you must have data (sitting somewhere, DaR) and since you almost certainly will have to transmit that data at some point (DiM), make it frustrating for the unauthorized actor. Think of it like this: give the adversary a whole bunch of puzzle pieces that are indistinguishable from each other and make sure they do not have an idea of what the final puzzle should look like. The realities of life dictate we need data to operate. Furthermore, defensive measures – such as defense-in-depth strategies and perimeter defenses – are useful and necessary, but they are also becoming both financially untenable and incredibly difficult to monitor in real-time. These approaches were designed to STOP the adversary, but we are finding out – very painfully – that we are not too good at that. So instead of fortifying a road into your compound (that is just getting constantly chipped away at), make the road to your compound so cumbersome to get through that the adversary may just say “this target isn’t worth my time.” And that should be your strategy. Would you invest time and treasure in a “goes nowhere” project? Probably not. You have better things to do. Therefore, take steps – like encryption, tokenization, and data masking – to make your data so meaningless to an adversary that they will consider you a “goes nowhere” project.
About the Authors:
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.
George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.