Let’s talk about Wi-Fi. Remember WEP? It turned out anybody could crack the code in minutes. Then we got WPA, which failed to withstand a 60-second attack. So, we moved on to WPA2. I don’t need to tell you about the KRACK attack, which affected nearly all Wi-Fi devices. KRACKers were able to read communications and, perhaps even worse, inject malicious packets into traffic. As a separate matter, man-in-the-middle campaigns have successfully used fake digital certificates to impersonate encrypted websites and steal information. I guess you shouldn’t be blamed for that though.
We can’t forget about OpenSSL and the nasty Heartbleed programming vulnerability. That flaw provided access to encryption keys, giving the criminally curious an ability to decrypt SSL traffic. Imagine the delight of those who hoarded stolen encrypted data in hopes of such a flaw. After all, if somebody gets the key or underlying password, it no longer matters that a brute force attack otherwise would have taken well over a trillion years to succeed. That’s an impressive statistic indeed, if not for workarounds. Speaking of brute force, just imagine the power of quantum computing in years to come. Will NIST succeed in its current search for “quantum-resistant” cryptographic algorithms? Nobody knows.
Encryption, there is no perfect security. That said, in addition to applying patches, there are a number of steps companies can take to mitigate the highest risks:
- First, to fully protect an organisation’s most sensitive data at rest and in-motion, consider full-disk encryption and file-level encryption. The latter will protect files in transit, and ensure that simply powering up and logging onto a system doesn’t expose all files to all users.
- Second, remember to encrypt laptops, thumb drives, backups and archives.
- Third, set up corporate websites to offer HTTPS, and browsers to default to HTTPS sites.
- Fourth, review key management as a lifecycle that includes key selection, generation, distribution, storage and backup, key rotation, accountability and audit, and key compromise and recovery.
- Fifth, anticipate data breaches and encryption failures not only by deploying defences in depth, but by scaling back altogether on certain highly sensitive electronic communications. Collect and store less, and have an appropriately aggressive destruction schedule.
Well Encryption, it’s hard to know what tomorrow will bring, you can only take steps to minimise your chances of being attacked. After all there are many businesses out there who are not taking the right steps to protect themselves, but at least following the steps listed above will go some way to making you that little bit safer.