By Paul Ferrillo & George Platsis
Originally published on Tripwire, April 10, 2017
Before we jump in, we need to make clear the following: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow down your adversary by making their job difficult and eventually forcing them to move on to a more easily accessible target (or, more colloquially, go for the low-hanging fruit).
Although this fact should be relatively obvious, both of us still experience – more often than we would like to admit – “experts” professing they can provide “total security” because they have the latest and greatest technology. As we indicated in our previous article (making sense of big data), big numbers are, in fact, hard to make sense of by mere mortals like us. In the same fashion, humans are really bad at understanding probabilities (for those who seek greater understanding of the topic, Nassim Nicholas Taleb, author of The Black Swan and Fooled by Randomness, explains the subject well). “Low” probability is in fact quite different from “zero” probability, but we often make the mistake of equating the two (and such a mistake could be perilous).
Therefore, the next time somebody says, “this encryption cannot be broken,” ask the following: “Is it unbreakable forever or just unbreakable for the next 15 years because computational power is not strong enough yet?” This distinction matters. Sure, some argue that Moore’s Law is dead in the sense we are reaching a plateau, yet if we ever figure out this quantum computing thing, many of our existing encryption methods are going to get crushed.
Our little preamble comes down to this: if somebody wants it badly enough, chances are they are going to get it. (Remember, low tech like good old-fashioned social engineering can still bite you.) What that means for you goes as follows: slow them down and make their life so painstakingly frustrating and miserable that it is not worth their time to try to steal, manipulate, and exploit your data. Encryption and tokenization are ways to slow the bad guys down.
The World Relies on Encryption
Almost certainly you have used encryption today. In fact, we can guarantee you are using it right now. How so? Well, Tripwire uses HTTPS, a protocol which encrypts the connection between you and Tripwire’s server. For the non-tech talkers, what does that mean? It means that you can be quite certain that you are really on Tripwire’s website and not some spoof, as HTTPS authenticates the website and provides the protections of privacy and integrity to the data, all the while doing its best to stop man-in-the-middle (MiM) attacks.
So whether you are making a phone call, withdrawing money from the ATM, or buying something online, there is a very good chance your data has been encrypted today. All of this is pretty basic stuff, but the everyday user is perhaps unaware of how pervasive encryption is in their life.