BreachExchange mailing list archives

Encryption Won't Protect What's Not Secure


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Feb 2015 18:37:14 -0700

http://www.forensicmag.com/news/2015/02/encryption-wont-protect-whats-not-secure

Another day, another data breach, and another round of calls for companies
to encrypt their databases. Cryptography is a powerful tool, but in cases
like this one it's not going to help. If your OS is secure, you don't need
the crypto; if it's not, the crypto won't protect your data.

In a case like the Anthem breach, the really sensitive databases are always
in use. This means that they're effectively decrypted: the database
management systems (DBMS) are operating on cleartext, which means that the
decryption key is present in RAM somewhere. It may be in the OS, it may be
in the DBMS, or it may even be in the application itself (though that's
less likely if a large relational database is in use, which it probably
is). What's to stop an attacker from obtaining that key, or perhaps from
just making database queries?

The answer, in theory, is other forms of access control. Perhaps the DBMS
requires authentication, or operating system permissions will prevent the
attacker from getting at the keys. Unfortunately — and as these many
data breaches show — these defenses are not configured properly or aren't
doing the job. If that's the case, though, adding encryption isn't going to
help; the attacker will just go around the crypto. There's a very simple
rule of thumb here: Encryption is most useful when OS protections cannot
work.
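The two preceding paragraphs make an architectural claim that is easy to show in code: a database that encrypts rows at rest must hold the key in process memory while it runs, so anyone who can reach the normal query path gets cleartext, while only someone who gets the stored bytes without the running process (stolen or discarded media) is stopped. The following toy store is an added illustration written for this archive page, not code from the article or its author; the HMAC-SHA256 keystream cipher and the `ToyEncryptedStore`, `media_theft_exposes` and `query_access_exposes` names are assumptions chosen so the demo runs with only the Python standard library, and the SSN value is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Added illustration (not from the article): a toy "DBMS" that encrypts rows
# at rest but, like any running database, keeps the decryption key in RAM.
# The cipher (HMAC-SHA256 in counter mode XORed into the data) is a stand-in
# so the demo runs without third-party packages; it is not a production design.

NONCE_LEN = 16


class ToyEncryptedStore:
    """Rows reach `disk` only as nonce||ciphertext; the key lives in the process."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # loaded into memory at startup
        self.disk = {}                      # what a thief of the media gets: row_id -> bytes

    def _keystream(self, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def insert(self, row_id, ssn):
        nonce = secrets.token_bytes(NONCE_LEN)
        plaintext = ssn.encode()
        stream = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        self.disk[row_id] = nonce + ciphertext

    def query(self, row_id):
        """The normal DBMS path: any caller permitted to query gets cleartext."""
        blob = self.disk[row_id]
        nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
        stream = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def media_theft_exposes(store, ssn):
    """The case encryption does handle: the drive leaves with no running process.
    Returns True only if the SSN is readable straight from the stored bytes."""
    return ssn.encode() in b"".join(store.disk.values())


def query_access_exposes(store, row_id):
    """The case encryption does not handle: the caller can issue queries
    (the same code path the application uses), so the crypto is bypassed."""
    return store.query(row_id)


def demo():
    store = ToyEncryptedStore()
    store.insert("member-1", "123-45-6789")  # constructed sample value
    return (media_theft_exposes(store, "123-45-6789"),
            query_access_exposes(store, "member-1"))


if __name__ == "__main__":
    on_disk, via_query = demo()
    print("readable from stolen media:", on_disk)
    print("readable via a query:", via_query)
```

The point of the design is that nothing in `query` checks who is asking; that check belongs to the OS and DBMS access controls the article describes, and if those fail the key in `store.key` and the query path are both available to whoever is inside the process boundary.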

What do I mean by that? The most obvious situation is where the attacker
has physical access to the device. Laptop disks should always be encrypted;
ditto flash drives, backup media, etc. Using full disk encryption on your
servers' drives isn't a bad idea, since it protects your data when you
discard the media, but you then have to worry about where the key comes
from if the server crashes and reboots.

Cloud storage is a good place for encryption, since you don't control the
machine room and you don't control the hypervisor. Again, your own
operating system isn't blocking a line of attack. (Note: I'm not saying
that the cloud is a bad idea; if nothing else, most cloud sysadmins are
better at securing their systems than are folks at average small
companies.) Email is another good use for encryption, unless you control
your own mail servers. Why? Because the data is yours, but you're storing
it on someone else's computer.

Encryption is a useful tool (and a fun research area), but like all tools
it's only useful if properly employed. If used in inappropriate situations,
it won't provide protection and will create operational headaches and
perhaps data loss from mismanaged keys.

Protecting large databases like Anthem's is a challenge. We need better
software security, and we need better structural tools to isolate the
really sensitive data from average, poorly protected machines. There may
even be a role for encryption, but simply encrypting the social security
numbers isn't going to do much.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
