
The World Relies on Encryption
Almost certainly you have used encryption today. In fact, we can guarantee you are using it today. How so? Well, Tripwire uses HTTPS, a protocol which encrypts the connection between you and Tripwire’s server. For the non-tech talkers, what does that mean? It means that you can be quite certain that you are really on Tripwire’s website and not some spoof, as HTTPS authenticates the website and provides the protections of privacy and integrity to the data, all the while doing its best to stop man-in-the-middle (MiM) attacks. So whether you are making a phone call or withdrawing money from the ATM or buying something online, there is a very good chance your data has been encrypted today. All of this is pretty basic stuff, but everyday users are perhaps unaware of how pervasive encryption is in their lives.

We have come to a bit of a conundrum now: encryption is used all over, but encryption is not used widely enough. For example, we explained the benefits HTTPS offers, but a March 2016 Google audit showed that “79 of the web’s top 100 non-Google sites don’t deploy HTTPS by default, while 67 of those use either outdated encryption technology or offer none at all.” In defense of some of the companies named in the article, some have upgraded to HTTPS since the release of the audit.

Remember the following: encryption can happen in different states. For example, when discussing HTTPS, we were discussing “Data-in-Motion” (DiM) that was being encrypted. We started with plain text, then used some sort of key to scramble (encrypt) it into cipher text – in order to send it over some transmission line – and the person at the other end had a key that could unscramble (decrypt) the cipher text back into plain text. And we can use the same process to encrypt “Data-at-Rest” (DaR) so that if the data is stolen or lost (say, on a USB key or laptop), all that unauthorized people should be able to view is a bunch of cipher text.
There are also two basic ways to encrypt information: symmetric (also known as “secret key” encryption) and asymmetric (public key encryption). Microsoft has a very good and easy-to-understand description of them here. The keys are algorithms designed to provide not only confidentiality but authentication (making sure the message is true), integrity (making sure the message has not been tampered with), and nonrepudiation (a way to assure that something cannot be denied).

So how can we summarize encryption? Well, it is a method that not only protects your data from people you do not want to see it, but is also a way to make sure that data is real and true. For these reasons, encryption is great for everything from sending sensitive information, to securing your email, to keeping your cloud storage safe, and even hiding your entire operating system. And if you really want to make your adversary’s life miserable, yes, you can encrypt encrypted data! All of these applications of encryption help slow down an actor. But before we go full-out-encrypt-everything-mode, it would be disingenuous of us not to reference some of our concerns, which we outline here.

Another way to slow down your adversaries is through a technique called tokenization. It is similar to encryption in the sense that plain text gets scrambled up into something that cannot be deciphered, but the process and use are somewhat different.

One More Protective Step: Tokenization
The simplest way to differentiate encryption and tokenization goes like this: encryption transforms a message into some cipher text based on rules and steps, whereas tokenization relies on a codebook to transform the message. It is not a mathematical system, but it still replaces sensitive data with non-sensitive substitutes (a token) using randomization. For a more in-depth examination of the differences, look here. Therefore, if you do not have the original key, you really have no way to decrypt the message.

This is why tokenization is great for credit card transactions: you minimize the exposure of your information sitting on a database you do not control (or are not even aware of in some cases). Let us explain: say we do not want your plain text information (your credit card number in this case) stored with a third party (such as a retailer). Tokenization does the following: once your credit card gets swiped, the information is run through a tokenization system (where a token is created), and then the retailer retains and uses the token for transactions. A more illustrative example can be found here.

First, let us discuss the main advantages of tokenization. Tokens can only be used in specific places. Say you walk into Bob’s Shop (and Bob uses a tokenization system) to buy a piece of gum. When you pay for the gum using your credit card, the token created will only be good for Bob’s Shop. That means if you walk to Sally’s Store down the street (which also uses a tokenization system) and buy a piece of candy using the exact same credit card, a totally separate token is created, one that is only good for Sally’s Store. That leads us to the next advantage: if all of Bob’s tokens are stolen, you do not need to worry about changing your credit cards, as – in theory – there should be no way to decrypt the randomized tokens.
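The Bob’s Shop and Sally’s Store scenario as runnable code, added here as an illustration and not taken from the article or from any real payment system. `TokenVault`, its methods and the `tok_` prefix are hypothetical names, and the card number is a constructed test value.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Check-digit test so the vault rejects mistyped card numbers."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """Hypothetical tokenization service holding the codebook."""
    def __init__(self):
        self._card_for = {}   # (merchant, token) -> card number
        self._token_for = {}  # (merchant, card number) -> token

    def tokenize(self, merchant: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        key = (merchant, pan)
        if key not in self._token_for:
            # Random, not derived from the card: the only link is this table.
            token = "tok_" + secrets.token_hex(8)
            while (merchant, token) in self._card_for:  # re-draw on collision
                token = "tok_" + secrets.token_hex(8)
            self._token_for[key] = token
            self._card_for[(merchant, token)] = pan
        return self._token_for[key]

    def detokenize(self, merchant: str, token: str) -> str:
        # A token is honoured only for the merchant it was issued to.
        try:
            return self._card_for[(merchant, token)]
        except KeyError:
            raise PermissionError("token not valid for this merchant") from None


def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    bob = vault.tokenize("Bob's Shop", card)
    sally = vault.tokenize("Sally's Store", card)
    try:
        vault.detokenize("Sally's Store", bob)  # Bob's token presented elsewhere
    except PermissionError:
        return bob, sally, "rejected"
    return bob, sally, "accepted"
```

All a retailer stores is the `tok_` string; the two dictionaries inside the vault are the codebook, which is why its protection matters so much.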
In other words, a retailer’s database is useless to an adversary precisely because these meaningless tokens cannot be reverse engineered (unlike encrypted data, which – in theory – can be decrypted once the cryptographic system is broken). Chances are you have used tokenization, as many digital transactions have gone this route, and even Visa and MasterCard are teaming up to make the system more robust, especially to prevent fraud.

But now you must be asking the obvious question: what are the disadvantages of tokenization? We do not need a separate article for that, as the disadvantages are quite straightforward. First disadvantage: size of data. Again, referring back to the previous article on big data, you would have to create tokens for all your existing data. That is quite an exhaustive, extensive, and expensive process, though emerging technologies are making mass-scale tokenization possible. Second disadvantage: you become tied to a tokenization system. The drawbacks of being tied to any system are fairly straightforward. Next disadvantage, yup, you guessed it: the tokenization system (the codebook) is quite the gem of gems to steal. Like most things in this world, we operate through trust and confidence. If we lose that confidence in them, this system begins to fall apart. Therefore, when we use tokenization, we trust the third party to take all precautions to protect the codebook (yes, the third party may very well be using encryption to protect the codebook). And this is a good place to tie up these techniques: use them in tandem, because as you do, you make your adversary’s life that much more difficult.

If Your Data Must be Out There, Make it Meaningless
We talked about encryption and tokenization, but we should also know that data masking (or obfuscation) is another technique for making your data meaningless to an unauthorized actor. And therein lies the point of this piece: since you must have data (sitting somewhere, DaR) and since you almost certainly will have to transmit that data at some point (DiM), make it frustrating for the unauthorized actor. Think of it like this: give the adversary a whole bunch of puzzle pieces that are indistinguishable from each other and make sure they do not have an idea of what the final puzzle should look like.

The realities of life dictate we need data to operate. Furthermore, defensive measures – such as defense-in-depth strategies and perimeter defenses – are useful and necessary, but they are also becoming both financially untenable and incredibly difficult to monitor in real-time. These approaches were designed to STOP the adversary, but we are finding out – very painfully – that we are not too good at that. So instead of fortifying a road into your compound (that is just getting constantly chipped away at), make the road to your compound so cumbersome to get through that the adversary may just say “this target isn’t worth my time.” And that should be your strategy. Would you invest time and treasure in a “goes nowhere” project? Probably not. You have better things to do. Therefore, take steps – like encryption, tokenization, and data masking – to make your data so meaningless to an adversary that they will consider you a “goes nowhere” project.

