By Paul Ferrillo & George Platsis
Originally published on Tripwire, April 10, 2017
In an article we wrote for Tripwire, we discuss the advantages of encryption and tokenization. The premise of our argument is as follows: slow down your adversary by making your data meaningless to them. In other words, make yourself a “goes nowhere” project, forcing your adversary to seek out a target that does not cause them the grief you do.
Encryption works precisely because it slows down an actor, but it comes with some bad news as well. Therefore, we wrote this add-on article to explain some of the drawbacks of encryption.
The first is that encryption is not widely employed (especially at the everyday user level) because it can be frustratingly difficult to employ. For example, Pretty Good Privacy (PGP) is a great tool for email encryption, but it can reach levels of head-bashing frustration given that you have to exchange keys with all your contacts to enjoy secure email (reason #14,352,785 why the words “secure” and “efficient” should never be used in the same sentence).
Here is another reason why encryption gets a bad reputation, though (apart from some noted frustrations of implementing it): you need to do it right. We know this sounds obvious, but encryption implemented in the wrong manner will do the following: give you a false sense of security (as in reality you have none) and make you a big fat juicy target if anybody finds out that you have implemented your encryption incorrectly.
Unfortunately, correct implementation can be quite difficult because of the platforms we use, meaning that there is a series of challenges that must be addressed. Cryptographic systems that are secure and robust require good math (and let’s be honest, most of us are not math geniuses). Therefore, we are often left to the “trust us” word of vendors, IT staff, and the niece or nephew who has to fix your computer every time you click the wrong thing.
So, how do you get around this problem? Do some homework and make sure whatever you are being sold meets NIST Cryptographic Standards. If you cannot do this on your own, find somebody who can do it for you. Taking this step may cost you more up front in both time and money, but this effort could very well be the life-saving step you take to protect your data.
Therefore, a word of caution: if you do not know what cryptographic system is being employed, you run the risk of possibly implementing an insecure system. Why do we say possibly?