Illusion of Safety

Sophos, the renowned security firm, recently reported in its survey of data encryption: “The Sophos survey of IT decision makers in six countries reveals that there are some misconceptions about encryption, and some disconnects between what companies say they are concerned about – and what they’re doing about it.”

The article does not talk about the misconceptions themselves, but it should! Probably the biggest misconception is that your data is safe from hackers once you adopt an encryption technology.

In a further analysis of the Sophos survey for healthcare firms, Sara Heath writes:

Those organizations that do not encrypt their data – and even some that do – are seeing some gaps in data protection. Nearly one-quarter of customer information and customer financial information falls through the encryption cracks, leaving it liable to a data breach.

This is especially alarming when put into the context of the healthcare industry. Because patients are the customers in the healthcare industry, it is important that all of their PHI be fully protected via encryption to keep that valuable information from falling into malicious hands.

While encryption is great and everybody seems to be advocating it, does it really thwart a determined hacker?

Malicious hackers routinely steal information from private databases, and it is a widespread fallacy that encrypting the data in those databases keeps it safe. Regulators, compliance authorities and industry standards insist on encrypting sensitive information such as SSNs, credit card numbers and health records.

However, unless the transformation is one-way (a salted hash, after which the original value can no longer be recovered even by the application), encrypted data used by database-backed websites is usually no safer from an intruder who has compromised the application than unencrypted data would be.

To be usable, the encrypted data is obviously decrypted by some applications and processes within the system or on the network. Those applications need to read the sensitive data, usually quite frequently, so they hold or can obtain the decryption keys. The keys are released to them on the strength of their user-id, their process filename, the computer’s IP address, or a similar ambient factor; none of these is a secret that a well-placed intruder cannot present.

To understand why data encryption might provide a false sense of comfort, let us make some rather formidable assumptions against our adversary, the hacker.

Let us assume that:
(a) the application logs are encrypted
(b) the application is encrypting its “heap” memory
(c) the application is enforcing data privacy in its interfaces to other components
(d) the decryption keys are stored in an ultra-secure (digital) vault

These assumptions are very hard to implement correctly. But let’s assume that they are true.

The fact that a hacker is able to access data in a database at all, even in encrypted form, clearly indicates that the hacker has breached the various security perimeters and gained unauthorized access to an internal system. In the normal course of events, the hacker should not have been able to reach the raw database at all. Once the hacker is inside the network and can reach the database, it is a fair assumption that the hacker can also assume the identity of the application or of the web server itself. In fact, once inside a system, it is not that hard for a hacker to escalate to the superuser of that system and then masquerade as any specific user.

Once that happens, all bets are off. If the hacker’s access to the database cannot be distinguished from the application’s access, encryption does not help at all: the same identity that lets the application fetch the key lets the hacker fetch it. Once a hacker is inside your network and is able to access your encrypted data, it is usually only a matter of time before he figures out how to obtain the required keys and decrypt the data.
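To make this concrete, here is an added example (not code from the original post) of the situation the last few paragraphs describe: a customer table whose card numbers are encrypted at the application layer, with the data-encryption key released by a key vault that trusts a caller's ambient identity. The vault class, the service identity `svc-webapp`, the salt and the sample rows are all constructed for the illustration; the cipher is HMAC-SHA256 used as a PRF in counter mode purely so that the script runs on the Python standard library alone (in production you would use AES-GCM from a real library). The point it demonstrates is that an outsider without the application's identity is refused the key, while an attacker who has become the application's user recovers the plaintext exactly as the application does, and that only the one-way (hashed) SSN column resists that attacker.

```python
"""Encrypted-at-rest column vs. an attacker who can act as the application.
Added example; KeyVault, APP_IDENTITY, SALT and the rows are constructed."""
import hashlib
import hmac
import os
import sqlite3

APP_IDENTITY = "svc-webapp"   # hypothetical service account the vault trusts
SALT = b"constructed-salt"    # constructed; a real system would salt per row


class KeyVault:
    """Hypothetical vault: releases the data-encryption key to any caller whose
    ambient identity (user-id, process name, IP, ...) matches the registered one."""

    def __init__(self, trusted_identity: str):
        self._trusted_identity = trusted_identity
        self._dek = os.urandom(32)

    def get_key(self, caller_identity: str) -> bytes:
        if caller_identity != self._trusted_identity:
            raise PermissionError(f"identity {caller_identity!r} may not fetch the key")
        return self._dek


# Illustrative cipher only: HMAC-SHA256 as a PRF driving a counter-mode keystream.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# One-way column: the stored value cannot be turned back into the SSN, only compared.
def one_way(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


def build_database(vault: KeyVault) -> sqlite3.Connection:
    """Constructed sample data, stored exactly as the application would store it."""
    key = vault.get_key(APP_IDENTITY)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, card_enc BLOB, ssn_hash BLOB)")
    for cid, card, ssn in [(1, "4111111111111111", "123-45-6789"),
                           (2, "5555555555554444", "987-65-4321")]:
        conn.execute("INSERT INTO customer VALUES (?, ?, ?)",
                     (cid, encrypt(key, card.encode()), one_way(ssn, SALT)))
    conn.commit()
    return conn

def read_card(conn, vault, caller_identity: str, customer_id: int) -> str:
    """The legitimate application and an attacker who has assumed its identity
    do exactly the same thing: fetch the key, read the row, decrypt."""
    key = vault.get_key(caller_identity)
    (blob,) = conn.execute("SELECT card_enc FROM customer WHERE id = ?", (customer_id,)).fetchone()
    return decrypt(key, blob).decode()

def ssn_matches(conn, customer_id: int, candidate: str) -> bool:
    (stored,) = conn.execute("SELECT ssn_hash FROM customer WHERE id = ?", (customer_id,)).fetchone()
    return hmac.compare_digest(stored, one_way(candidate, SALT))


def demo() -> dict:
    vault = KeyVault(APP_IDENTITY)
    conn = build_database(vault)
    result = {"app": read_card(conn, vault, APP_IDENTITY, 1)}
    # An outsider presenting a foreign identity is refused by the vault...
    try:
        read_card(conn, vault, "attacker", 1)
        result["outsider"] = "decrypted"
    except PermissionError:
        result["outsider"] = "refused"
    # ...but an attacker who has become the app's user (or root, then su) is not.
    result["attacker_as_app"] = read_card(conn, vault, APP_IDENTITY, 1)
    # Ciphertext alone, without the key, is useless to anyone.
    (blob,) = conn.execute("SELECT card_enc FROM customer WHERE id = 1").fetchone()
    result["ciphertext_only"] = decrypt(os.urandom(32), blob) == b"4111111111111111"
    # The one-way column still answers "is this the SSN?" but never yields the SSN.
    result["ssn_check"] = ssn_matches(conn, 1, "123-45-6789")
    (stored,) = conn.execute("SELECT ssn_hash FROM customer WHERE id = 1").fetchone()
    result["ssn_readable"] = stored == b"123-45-6789"
    return result

if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that the application, and the attacker masquerading as the application, both read back the full card number, while the ciphertext without the key and the hashed SSN column yield nothing. Moving the key into a vault changes where the key lives, not who is entitled to it; that entitlement is precisely what an intruder inherits when he becomes the application.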

Bruce Schneier, the well-known cryptographer, highlighted this in a blog post back in 2010:

Let’s take a concrete example: credit card databases associated with websites. Those databases are not encrypted because it doesn’t make any sense. The whole point of storing credit card numbers on a website is so it’s accessible — so each time I buy something, I don’t have to type it in again. The website needs to dynamically query the database and retrieve the numbers, millions of times a day. If the database were encrypted, the website would need the key. But if the key were on the same network as the data, what would be the point of encrypting it? Access to the website equals access to the database in either case. Security is achieved by good access control on the website and database, not by encrypting the data.

We reiterate the last sentence: Security is achieved by good access control on the website and database, not by encrypting the data.

To be sure, encryption is useful for carrying sensitive information around, and for data whose keys are genuinely out of an attacker’s reach: a lost laptop, a backup tape, a decommissioned disk. But for data “at rest” that a live application must decrypt on every request, mere encryption offers but an illusion of safety.
