Encryption for Data Protection

A Q&A with Patrick Townsend of Townsend Security
Encryption is one of the best defenses against data loss, giving an organization some assurances that unauthorized interlopers won’t be able to access encrypted information, no matter where it resides. Moreover, in some cases the organization may not have to notify the victims of a breach because encryption provides safe harbor. Yet many organizations still choose to not encrypt their data, at their peril. I spoke with Patrick Townsend, CEO of Townsend Security, about the benefits of encryption and key management.

Can you please explain, for a layperson, the value of encrypting PII data?
From a security perspective, encrypting PII is simply a baseline, fundamental protection that most people would expect of businesses in today’s world. If hackers are trying to steal data that’s stored on servers, it will be unusable so long as it’s encrypted. Nobody is immune from data breaches, but encryption makes sure the information is properly protected. To be able to tell your customers that you’ve protected their sensitive data, that even in the case of a breach they won’t be exposed, is a wonderful thing.

What are some of the main reasons organizations decide to not encrypt their data?
Five or six years ago people had the attitude of ‘I’ll just pay the fine if we have a data loss—it’s not a big deal.’ Well, no one thinks that anymore. We now know that companies suffer hugely with the legal liability of data breaches—there’s a lot of litigation, fines and other associated costs. Today, the problem is the perception that encryption is difficult, complex, time consuming and expensive. The reality is that these days all of the major companies have done important work in this area and encryption is not as expensive or difficult as it used to be.

If an organization encrypts their information, do they still have risk? Is there any foolproof method for encryption?
No one in the security industry will ever tell you that there’s such a thing as perfect protection—and if they do, you probably shouldn’t trust them. Encrypting your data is a substantial improvement in your security posture and an industry-wide best practice, but it’s not perfect. And encryption in and of itself is not enough. You need to manage and protect the key. We see a lot of situations where people store keys on the same server where their data is stored. If you’re not doing it right, you won’t get the real benefit of extra protection. Our analogy is that when you leave your house or apartment and lock the door you don’t leave the key in the lock. That being said, I think key management plays a greater role in data breaches than we realize.

How can a risk manager proactively protect sensitive data and choose an encryption provider?
A good practice that’s reflected in a number of compliance regulations is to start by knowing where sensitive data is stored. It seems obvious but a lot of companies, especially mid-sized companies, have many servers and applications and they don’t know where the sensitive data is. Getting an inventory is the first step before you make any technological decisions. Then you can at least start prioritizing and addressing your issues accordingly. In the areas of encryption and key management there are well-proven standards and certification processes you can rely on when you look at vendor solutions. The last thing I’d say is to look for a vendor that can provide technology you can use out of the box, which is something you couldn’t do ten years ago.
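The inventory step described in this answer can be started with a simple scan of the places data lives. The following Python is an added example, not code from Townsend Security or from the original post; the data stores, file contents, card and SSN values are all constructed, and the patterns (a Luhn-checked digit run for payment cards, the 3-2-4 form for US SSNs) are assumptions a real inventory would extend to the PII types the organization actually handles.

```python
import re
from collections import defaultdict

# Constructed sample "stores" standing in for servers and applications.
# Every record below is made up; the card numbers are standard test values.
SAMPLE_STORES = {
    "crm-db/customers.csv": "id,name,card\n1,Ann,4111 1111 1111 1111\n2,Bob,5500000000000004\n",
    "hr-share/payroll.txt": "Ann Smith SSN 123-45-6789\nBob Jones SSN 987-65-4320\n",
    "web-app/logs/access.log": "GET /index.html 200\nGET /about 200\n",
    "finance/notes.txt": "Invoice 1234567812345678 is not a card number\n",
}

# 14 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# US Social Security Number in its usual written form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs
    such as invoice numbers, which would otherwise be false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII hits by type in one blob of content."""
    hits = defaultdict(int)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card_number"] += 1
    for _ in SSN_RE.finditer(text):
        hits["ssn"] += 1
    return dict(hits)


def inventory(stores: dict) -> dict:
    """Map each location that holds PII to the counts found there.
    Locations with no hits are omitted so the result is a prioritisation list."""
    result = {}
    for location, content in stores.items():
        hits = find_pii(content)
        if hits:
            result[location] = hits
    return result


if __name__ == "__main__":
    for location, hits in inventory(SAMPLE_STORES).items():
        print(f"{location}: {hits}")
```

The output is the prioritised list the answer talks about: the two stores that hold card numbers and SSNs surface, while the web log and the invoice note (whose 16-digit number fails the Luhn check) do not. Counts, not the matched values, are reported so the inventory itself does not become another copy of the sensitive data.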

It’s been reported that NSA can now crack encryption. How might NSA be doing this? Do they have backdoors into the various vendor encryption products, or super computers that simply run trillions of calculations?
I can only speak for our company, and tell you that we don’t implement any of the suspect encryption algorithms that have come to light recently. Our system doesn’t have any backdoors or ways to be compromised; we own all of our source code, which has been independently validated by a security lab, and we have no access to our customers’ encryption keys even when they’re stored in the cloud, so it’s our belief that our product is not subject to this concern. To me, the vulnerability really seems to be around key management, so I’m not personally concerned about this particular issue. With encryption, I don’t think it’s feasible to use a brute force attack—I don’t care how many computers you’re using. All of us who work in the security industry stay closely involved with a worldwide group of academic cryptographers who are evolving the algorithms. We continue to benefit from their work, basing our solutions on it, so there should be a level of confidence that things are being done the right way.

Any other thoughts?
I think a lot of folks are interested in cloud security, especially now with so many cloud providers out there. All of the things we’ve talked about apply in spades to data stored in the cloud. You want to make sure that the encryption is properly vetted to protect you from any added risk.

In summary…
When a client says “we’re encrypting all of our sensitive data” the expectation is—and it needs to be verified—that they’re applying this best practice across the many locations in which organizations may store, transmit and share PII data. This can include mobile devices (laptops, iPhone, thumb drives); email; online transactions; data-at-rest (corporate databases); backup tapes; and online storage solutions (cloud). However, due to cost or complexity some organizations might decide to forgo encryption in certain settings. This places the organization, employees and customers at unnecessary risk.

Data Breach Preparation and Centralized Logging

A Q&A with Branden Williams, of Sysnet Global Solutions
Many insured organizations are not as prepared for cyber breach incidents as they could be. Without a centralized logging and analysis system, known as a SIEM, in place, it can be exceedingly difficult and expensive to investigate and remedy a breach situation. I talked to Branden Williams, executive vice president of Sysnet Global Solutions, about SIEM and its advantages.

Please explain in layperson terms what SIEM is.
SIEM stands for security information and event management. A SIEM tool collects security-related information from all of the devices in your infrastructure and manages it in a centralized place. This allows you to look at multiple logs at the same time and understand correlation, in context, so that if you have 20 or 30 devices that are all having a security issue, you could go back and see that yes, someone tried and failed to log in several times before they were successful. These patterns allow you to understand how and when these incidents occur. The technology, in its current iteration, has been around for a decade or so but in the last three years more people have adopted it beyond the compliance use case. However, many companies still use it as a catchall to make auditors go away—and we know that compliance measures are usually behind the eight ball as solutions to real world threats—and they are not using it in the most effective manner. Proper deployment of a SIEM is costly and so even companies that are using a SIEM correctly are often only using it in specific areas and not across their infrastructure.

How can SIEM help a company with decentralized operations and multiple business units?
It’s difficult to track threats that go through the network if you can’t centralize your logs and this becomes even more complicated in a large company with many operations. Being able to maintain logs in a single place can help you track data across functions and identify issues early, including inefficiencies. Another major reason to use SIEM is to prepare for the case of a natural disaster or major outage—it’s much easier to access log information when it’s all in one place, even if your satellite location is offline.

How can a SIEM help a forensic investigator in a data breach situation?
If a system is a complex one, an investigator could have a difficult time determining where an incident came from. If you have a functioning, wide-scale SIEM in place, an investigator can review the logs and see which machines are impacted. Narrowing down the investigation’s scope saves money, time and effort. For example, in a prominent breach we were involved in, it took about six weeks to figure out the cause due to the lack of logs. Ultimately, it turned out that one of the machines we originally dismissed was the original infiltration point that led to the larger breach. We could have shaved two weeks off of the investigation and saved the company about $50,000.
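The correlation the earlier answer describes (several failed logins followed by a success, seen across 20 or 30 devices at once) and the scoping this answer describes (which machines are impacted, and which one was the entry point) are the same piece of logic run over centralized logs. The Python below is an added example, not code from Sysnet Global Solutions or from the original post; the auth log lines are constructed, the sshd-style message format and the thresholds (three failures within five minutes) are assumptions, and a real SIEM rule would be tuned to the organization’s own log sources.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events from several hosts, already collected into one
# place as a SIEM would hold them: timestamp, host, result, user, source address.
SAMPLE_LOGS = """\
2024-03-01T02:00:01 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:00:03 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:00:05 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:00:09 web01 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T02:01:10 db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T02:01:12 db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T02:01:15 db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T02:01:20 db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T02:01:25 db01 sshd: Accepted password for root from 203.0.113.5
2024-03-01T08:15:00 app02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T08:15:30 app02 sshd: Accepted password for alice from 198.51.100.7
2024-03-01T09:00:00 app03 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:00:02 app03 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:00:04 app03 sshd: Failed password for bob from 198.51.100.9
"""

# Assumed line format; a production parser would cover each log source's own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines: str):
    """Yield structured events; lines that do not match are ignored."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def correlate(logs: str, min_failures: int = 3, window_seconds: int = 300) -> list:
    """Alert on each (host, user, source) where at least min_failures failed
    logins in the window precede a successful one: failures alone are noise,
    a success after a burst of failures is the pattern worth investigating."""
    failures = defaultdict(list)  # (host, user, src) -> timestamps of failures
    alerts = []
    for ev in sorted(parse(logs), key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "success_at": ev["ts"].isoformat()})
        failures[key].clear()  # a success ends the attempt sequence either way
    return alerts


def impacted_hosts(alerts: list) -> list:
    """The investigation scope: hosts with a confirmed suspicious login."""
    return sorted({a["host"] for a in alerts})


def pivot_sources(alerts: list) -> dict:
    """Sources that succeeded on more than one host, in order of first success;
    the earliest host for such a source is the candidate infiltration point."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["success_at"]):
        if a["host"] not in by_src[a["src"]]:
            by_src[a["src"]].append(a["host"])
    return {src: hosts for src, hosts in by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for a in found:
        print(f"{a['success_at']} {a['host']}: {a['user']} from {a['src']} "
              f"after {a['failures']} failures")
    print("impacted hosts:", impacted_hosts(found))
    print("sources active on several hosts:", pivot_sources(found))
```

Run on the sample, the rule fires for web01 and db01 only: alice’s single typo on app02 and bob’s three failures with no success on app03 stay below the bar. Because the logs from all hosts are in one place, the same source address is seen succeeding on web01 first and db01 a minute later, which is exactly the kind of link between a dismissed machine and the larger breach that the answer says took weeks to find without logs.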

In summary…
Recently, an insurance executive whose company offers cyber liability coverage to healthcare entities told me his clients that suffer data breach events rack up immense claims costs for computer forensics, due to the lack of a SIEM. And it’s a problem for sectors beyond healthcare. Investigations may take weeks as opposed to days. Because this type of proactive solution can ultimately help organizations better manage security threats while decreasing the future cost of a breach investigation, companies—especially those with decentralized IT operations—should give it thoughtful consideration.

Protecting IP

A Q&A with James Giszczak of McDonald Hopkins, LLC
The loss of trade secrets through a data breach can have major implications both financially and legally for an organization. I asked attorney James Giszczak to share his insight about the threats today’s companies are facing and how they can better fortify their intellectual property protections.

Can you explain in layperson terms the issues facing organizations when it comes to safeguarding their IP?
Organizations have external threats—hackers that are either trying to steal information or disrupt business. They have a greater threat internally, whether it is an intentional bad act or simply human error. An employee might lose a laptop while traveling, for instance, and the information on it is lost or stolen. Finally, we are starting to see more bad actors from within, rogue employees that are misusing or stealing information and holding it hostage in exchange for something from the organization.

What are some of the blind spots facing businesses that might lead to a loss/theft of their IP?
All companies must manage these issues, irrespective of the resources of the organization. Yet there are still many companies who assume this only happens to the Sonys of the world. However, even a small company has substantial risk and exposure, yet in most cases a smaller budget than a Fortune 500 Company to deal with it. Big or small, we find that far too often companies fail to be proactive—they are only reactive. An extraordinary number of data breaches and losses are preventable. What’s sad is that companies will spend millions of dollars, an extremely large percentage of revenue, to generate more revenue but they do very little to protect their assets. Most organizations will leave security up to the IT folks, assuming that they have it covered with firewalls. That is certainly one piece of the pie, if you will, but I always tell my clients that they have to take a holistic view of the issue. Human resources, risk management, in-house counsel, and IT all have to be stakeholders in the process. The first step in being proactive is to educate employees about safeguarding data and why it’s important. For instance, certain information should not be physically removed from the office unless it’s encrypted.

What are some of the legal ramifications involving the protection of IP?
There are 47 states that have adopted the Uniform Trade Secret Act. The UTSA provides a statutory level of protection. Even if the organization doesn’t have its individual employees sign a confidentiality agreement, they may have recourse against former employees through a UTSA. At a basic level, in order to have recourse through a UTSA, you must show that the information has independent economic value and that you have taken reasonable steps to protect the IP. By the same token, if you haven’t been proactive then the law won’t provide you with the sword to protect your assets. Depending on the facts of a theft, an organization may also be able to rely on the Computer Fraud and Abuse Act.

What might a risk manager do to proactively mitigate exposure here?
When we counsel organizations we talk about assets and the importance of creating an asset protection program. Assets that typically need to be protected usually fall into three buckets: trade secrets, customer relationships and the knowledge base of personnel. All three need to be protected. One of the things we do first is conduct a review, providing clients with a questionnaire to determine what assets they have, what safeguards they already have and what particular risks and exposure they face. Often organizations don’t even realize what trade secrets they have. We look at what protections are already in place and what things they might not be implementing appropriately, and do a gap analysis to see where there’s exposure. Then we help them determine what policies and procedures can help protect them, making sure they’re robust from both an IT and an HR perspective. Finally, we make sure they have an incident response plan. A fairly basic thing is how people react when there’s an incident—they should not be sending around emails before they retain counsel because those emails are usually discoverable in litigation. I think the most critical thing on the front end is to talk with a data breach expert who understands the issues and the law, which can be dramatically different state to state, and can really explain the nuances of protection, specific to your company’s needs.

In summary…
Counselor Giszczak does an excellent job describing the problems facing the many organizations whose lifeblood is their IP. Given the recent problems highlighted in the press such as the report by Mandiant (see Junto post: Fighting Against IP Espionage), and the APT threats outlined by security vendors such as McAfee (see Junto post: Fighting Advanced Malware), this exposure should be the top priority for risk managers charged with protecting the company’s bottom line from e-perils such as cyber espionage.