Encrypting data at rest is vital, but it's just not happening

Regulators and security strategists recommend encrypting data at rest, but few organisations do it, and most get it wrong. Good thing there are bigger problems to tackle first.
Written by Stilgherrian, Contributor

The Office of the Australian Information Commissioner (OAIC) has been clear about encrypting personal data, both in its guidelines and in recent data breach investigations. But according to Chris Gatford, director of penetration testing firm Hacklabs, very few organisations are living up to expectations.

"Encrypted file systems, especially encrypting data at rest, it just doesn't occur," Gatford told ZDNet. "Ninety nine percent of organisations do not encrypt anything other than the occasional laptop."

The most common scenario Gatford encounters during pentests is where none of the target organisation's desktop workstations run any kind of encryption for end users whatsoever. That seems a long way from what the OAIC expects.

The OAIC doesn't demand encryption outright. But its Guide to securing personal information reminds organisations that they need to take "reasonable steps" to secure that information. Encryption is "important in many circumstances", and organisations need to protect data, whether it's on servers, in databases, in backups, in third-party cloud services, on end-user devices including smartphones and tablets as well as laptops, or in portable storage devices.

"Encryption methods should be reviewed regularly to ensure they continue to be relevant and effective, and are used where necessary. This includes ensuring that the scope of encryption is wide enough so that attackers cannot access another unencrypted copy of your encrypted information," the guide says.

What that can mean in practice is illustrated by the OAIC's recent report on its investigation into Adobe's massive 2013 data breach.

Adobe had apparently encrypted all user passwords with the same key, rather than each being individually salted then hashed. Password hints weren't encrypted at all.

"Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords," the OAIC wrote.

"Given the resources available to Adobe to implement robust security measures consistently across all its systems, and the consequences for individuals if the data on the old servers was compromised, the commissioner found that Adobe [had failed] to take reasonable steps to protect all of the personal information it held from misuse and loss, and from unauthorised access, modification, or disclosure."

While different laws applied at the time of Adobe's data breach -- Australia's privacy laws were updated on March 12, 2014 -- the "reasonable steps" test applied both then and now. The key difference is that now, the Privacy Commissioner can issue fines of up to AU$1.7 million to organisations that fail to take those reasonable steps.

Businesses also need to protect their trade secrets, of course, and Gatford said that more mature enterprises have become used to encrypting laptops because of the obvious risk of theft.

A username and password offer zero protection when a thief can simply remove the hard drive, install it in another computer, and copy the data. Encrypting laptops is essential, and the same goes for tablets and smartphones.

The theft of a mobile device can often be part of an organised operation, according to Sven Radavics, Imation Mobile Security's general manager for the APAC region -- and it's not just about national security and defence information. Any organisation's intellectual property can be a target, from the design for a new car engine to a movie or video game.

"Particularly in China -- but not always in China, it's happened in other countries -- [there have been cases] where it's been clear my hotel safe has been opened, and my laptop has been moved," Radavics told ZDNet last week.

"It's fairly common that if some entity wants access to your data, that hotel safe provides no protection," he said.

Radavics' own travel kit consists of his personal MacBook Air, hardened with a variety of security software, and one of Imation's own IronKey encrypted USB sticks.

Many other companies have a similar process for travellers to higher-risk destinations, he said. Employees are supplied with a laptop with a freshly installed, limited operating system image, with all of the company's data kept on an encrypted device, or running everything off something like IronKey's Windows to Go USB stick-based secure mobile workspace. Upon return, the laptop is completely wiped.

Radavics was keen to boast about IronKey's security features, of course, such as the layers of epoxy that make it difficult to get at the crypto chip without destroying it, or the self-destruct mechanism that trashes the keys if the chip is exposed to air. But he did make some valid points about evaluating the cost of defence against the risk of attack.

"You could theoretically put the chip under the [electron] microscope and extract the keys, and we consider that a $50,000 hack. But we actually shield the chip, so an electron microscope can't actually see what's going on inside the chip," Radavics said.

"If you have a hardware crypto device and the key is stored in flash, having somebody pull apart the device and put a couple of probes between the crypto chip and the flash to extract the keys that way, that's kind of a sub-$1,000 hack," he said.

"A lot of the conversation is around high-tech hacks ... but a lot of data loss can still be very mundane," Radavics said, like thumb drives or portable hard drives lost on trains, planes, and automobiles. "The encrypted device vendors have been talking about this sort of thing for years, and it's not new, and it's a little bit boring."

The need to encrypt mobile devices is obvious, but data on servers can also be vulnerable to theft if it isn't encrypted -- and sometimes it's easy to get to the servers.

One of the more notorious examples took place at the Australian Customs Service's national cargo intelligence centre at Sydney Airport on August 27, 2003. Thieves simply turned up, claimed to be technicians working for outsourced IT provider EDS, and walked out with two of the organisation's four servers -- along with the intelligence data they held.

"The burglars, described as men of Middle Eastern/Pakistani/Indian appearance, gave false EDS credentials and were given access to the mainframe room," the Sydney Morning Herald reported at the time.

"They spent two hours there that night before using trolleys to wheel the two servers past the third-floor security desk, into a lift and out of the building."

Gatford told ZDNet that he "very rarely" sees encryption deployed on servers, and Hacklabs has a "reasonable" client base across "quite a few" industry verticals.

"You hear people talking about it. If you're talking about credit card environments, where you've got a requirement to encrypt the credit card information at rest, I think the most common method people use there is enabling encryption within the database," he said. "That's typically about as good as it gets in terms of host-based encryption."

In fact, any kind of physical access to the organisation is usually enough.

"When you're physically in front of a workstation inside an organisation, it's game over, because it's trivial to boot it up off alternate media to gain access to the raw data, and from that, Bob's your uncle and you're away," Gatford said.

"Just about every pentest that we do, we see that the local admin workstation password is the same password for every local admin in the organisation," he said. That's either because the organisation has copied that password to the workstation as part of its standard operating environment (SOE) rollout, or simply because IT staff members need to be able to move from computer to computer efficiently.

"If you compromise one endpoint, and you get the local admin password, nine times out of 10 it's game over, and you reuse those credentials in the environment to go and find what you're after. You don't need the main admin access. You only need local admin workstation access, and you're good to go."

It gets worse. Even physically penetrating the organisation usually isn't required.

"Most successful compromises of an organisation these days occur from a phishing email compromising an end user, and using the end user's workstation to attack the rest of the network," Gatford said.

"Looking from the outside in, you still see people making fundamentally flawed choices when designing their applications," he said.

One common indicator of poor design is users being able to have their cleartext passwords emailed back to them -- something that Gatford called "an immediate fail".

"The fact that they store unencrypted password values in the database, that occurs still on a regular basis. So immediately, you know that the whole way they're thinking about designing the authentication module, and presumably how that's protected, are immediate flags that they wouldn't have done anything in that space [before], and 95 percent of the time that's correct," Gatford said.
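The Adobe finding earlier in this article and the cleartext-password practice described here both come down to how credentials are stored. The following is an added example, not code from the article or from any organisation it names: it contrasts one site-wide key with per-user salted hashing, and includes a check a defender can run over their own credential table. The user names, passwords and key are constructed, and the single-key function is a deterministic stand-in for single-key encryption rather than a real cipher.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}
SHARED_KEY = b"constructed-demo-key"  # hypothetical single site-wide key


def store_single_key(password: str) -> bytes:
    """Stand-in for any deterministic single-key scheme:
    the same password always produces the same stored value."""
    return hmac.new(SHARED_KEY, password.encode(), hashlib.sha256).digest()


def _scrypt(password: str, salt: bytes) -> bytes:
    # Slow, memory-hard hash; parameters are a common baseline, tune for your hardware.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Individually salted then hashed: a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, salt), digest)


def shared_value_groups(table: dict[str, bytes]) -> list[list[str]]:
    """Audit check: groups of users whose stored values are identical,
    a sign that the storage scheme is unsalted or deterministic."""
    groups = defaultdict(list)
    for user, value in table.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    single = {u: store_single_key(p) for u, p in USERS.items()}
    salted = {u: store_salted(p)[1] for u, p in USERS.items()}
    print("single key :", shared_value_groups(single))  # alice and bob collide
    print("salted hash:", shared_value_groups(salted))  # no collisions
```

With identical stored values, one unencrypted password hint exposes every account in the group, and a salted hash cannot be decrypted and emailed back to the user.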

But according to IBRS security analyst James Turner, all of this is actually an argument against putting too much effort into encrypting the data.

"The question that needs to be asked about full-disc encryption is 'What is the attack that it's actually preventing?' If the computer is on and functioning, and someone's actually using it, then full-disc encryption really isn't protecting against anything. A hacker can just go through a web vulnerability or whatever, and get access to all the plaintext stuff," Turner told ZDNet.

"I think encryption's incredibly important, but I don't think that this is an area that we need to be gnashing our teeth about. [Chris Gatford's] points are very valid. Authentication is where I see a lot of organisations having a lot of challenges."

Turner quoted a chief information security officer (CISO) who he'd approached in the last 12 months, seeking recommendations for an identity management vendor.

"Show me an identity management project that's worked," that CISO replied.

"Therein lies the problem. Identity is actually really hard," Turner told ZDNet.

"Key management, there are solutions for that. Is it done as well as it could be? Probably not. Is it going to be one of the issues that we face as we start moving increasingly into the cloud? Absolutely. Is encryption of your company's data going to be increasingly important? Yes, it's going to be directly proportionate to the value of the data that you're putting there. And the cloud vendors are all desperately scrabbling to address these things."

The recent massive data breach at the US Office of Personnel Management (OPM) would seem to support Turner's view. Encryption would "not have helped in this case", the Department of Homeland Security's assistant secretary for Cybersecurity Dr Andy Ozment reportedly testified to Congress, because the attackers had gained valid user credentials.

Turner doesn't get a lot of enquiries about full-disc encryption.

"Now, that tells me one of two things. Either it's absolutely just not a priority, and not even on the radar of my clients, which I suspect is very unlikely. Or it's an area that they feel that they're handling sufficiently well that they don't need to go out there and find out what everyone else is doing," Turner said.

"So encryption, it's not unimportant, it's not the be-all and end-all, it's just one of the many pieces that we need to use... It's kinda like DLP [data loss prevention technology]. DLP isn't going to save you from the master assassin. DLP is going to stop something from going pear-shaped," he said.

"The real security that full-disc encryption offers is on a laptop that gets left behind at an airport."
