Page 31 - GCN, May 2016

A teenager with a laptop cannot crack multiple layers of encryption — unless that laptop is connected to a supercomputer somewhere and the teenager can afford to wait a few billion years.
Encryption works. It works so well that even the government gets stymied, as demonstrated by the lengths the FBI went to to access an iPhone used by one of the San Bernardino, Calif., shooters.
So in the face of ever more damaging stories about data breaches, why aren’t all government agencies encrypting everything, everywhere, all the time?
Encryption can be costly and time-consuming. It can also be sabotaged by users and difficult to integrate with legacy applications.
Furthermore, according to a recent 451 Research survey of senior security executives, government agencies seem to be fighting the previous war. Instead of protecting data from hackers who’ve already gotten in, they’re still focusing on keeping the bad guys out of their systems.
Among U.S. government respondents, the top category for increased spending in the next 12 months was network defenses — at 53 percent. By comparison, spending for data-at-rest defenses such as encryption ranked dead last, with just 37 percent planning to increase their spending.
Part of the reason for those figures is that government agencies overestimate the benefits of perimeter defenses. Sixty percent said network defenses were “very” effective, a higher percentage than any other category, while government respondents ranked data-at-rest defenses as less effective than respondents in any other category.
There was a time when that attitude made sense. “Organizations used to say that they wouldn’t encrypt data in their data centers because they’re behind solid walls and require a [password] to get in,” said Steve Pate, chief architect at security firm HyTrust.
That attitude, however, runs counter to the modern reality that there is no longer a perimeter to protect. Every organization uses third-party service providers, offers mobile access or connects to the web — or a combination of all three.
A security audit at the Office of Personnel Management, for example, showed that use of multifactor authentication, such as the government’s own personal identity verification card readers, was not required for remote access to OPM applications. That made it easy for an attacker with a stolen login and password to bypass all perimeter defenses and directly log into the OPM systems.
An over-reliance on perimeter defenses also means that government agencies pay less attention to where
• Full-disk encryption. Fully encrypting everything on a particular device, such as a laptop, is useless unless the device is protected with a secure password — which should not be on a Post-it attached to the device. It is also ineffective if the device is compromised while it is being used or if the user turns off the password protection. But when implemented correctly, not even the FBI can breach full-disk encryption. According to the Aberdeen Group, 70 percent of all breaches of endpoint devices involve loss or theft, and full-disk encryption would be useful in blocking them.
• File-level encryption. If hackers get into a particular file on a server, they would not be able to access others because the files are locked with different keys. However, if hackers compromise a privileged user’s account, they might be able to access a large number of files. For maximum effectiveness, agencies should keep the number of privileged accounts to a minimum and use multifactor authentication to reduce the risk of outside access. Aberdeen Group research shows that 93 percent of breaches involving servers are caused by hacking, malware, misuse and error, which file-level encryption would be useful in preventing.