
Why hackers will always win, and what you can do so they don’t
The stereotypical image of a hacker (thanks to Getty Images, Shutterstock et al. for this) is that of a lone hooded figure at a computer, attempting to gain access — we presume — to a high-security network, probably belonging to a government department clouded in secrecy.
The truth is more mundane: using readily available tools, or slight variants on them, teams of relatively skilled people run automated routines that comb the internet for easy openings, then steal data for money. It's not difficult work, rarely dangerous, and most targets are unaware either that they're under attack or that data has already begun to be copied from their network.
For every fully hardened, encrypted network, there are thousands that present relatively easy pickings for this new breed of criminals. That's been the case for the last 30 or 40 years, and despite numerous high-profile data losses, cybersecurity teams always seem to be playing catch-up: patching switches and firewalls, installing anti-malware on endpoints, shoring up perimeter protection and trusting that cloud providers' security systems are better than average. And yet IBM reported that the average cost of a data breach now exceeds US$4 million, and that's before penalties are imposed!
Remarkably, despite the eye-watering data breach fines imposed in the past year on Google (US$60 million), British Airways (US$223 million) and Marriott Hotels (US$123 million), the number of breaches of unencrypted data continues to grow. Many of these huge penalties were imposed under Europe's gold-standard data security regulation, the GDPR; had the data been encrypted "...to a strong standard..." (as the GDPR stipulates), no penalties nor breach notifications would have been imposed.
In Australia this year, where cybersecurity and privacy regulations are comparatively soft, there have been dozens of data breaches with enough impact to make international news, and for every one of those there have indubitably been hundreds of similar incidents where organisations suffer a breach but keep the event quiet, or simply don't notice at all. And for every successful, targeted attack, there are hourly discoveries of virtual doors left wide open: public-facing databases, open ports, routers and firewalls with default passwords, and dozens of other vulnerabilities.
The data security adage is to prepare for when a data breach occurs, not if. That’s an acceptance of the reality of cybersecurity, where there will always be a crack in the armour.
In most cases, the defence as a whole is made of parts: perimeter and endpoint defences work in combination with WAFs, east-west traffic monitoring, IPSs, logfile processing, encrypted tunnels between edge installations, and a changing picture of discrete tools and methods. That sounds like a great deal of work and expense for no absolute guarantee of safety, but organisations that take that multifaceted approach will, in all likelihood, prevent most (if not all) hacking attempts. Nevertheless, it still pays to plan and rehearse disaster recovery and business continuity measures. As the saying goes, "hope for the best and plan for the worst". Unfortunately, hope alone doesn't make much of a viable strategy!
If we accept that a data breach is inevitable (given enough time), then the only way to prevent data falling into the wrong hands is to protect it by encryption. And not just any encryption: it needs to be strong and unbreakable, what Australian security specialist Senetas calls "high-assurance encryption."
Ask any IT network professional about data encryption and the chances are they'll come up with the following reasons why protecting an entire organisation's data via real-time encryption is problematic:
- There's a significant cost to be paid, over and above the monetary one, in network speed. Anyone who's used a remote connection to a workplace via VPN from a domestic wi-fi service will attest to that. IPsec traffic typically consumes 30 percent of a connection's bandwidth, for example, and the resulting slowdown is seen as too onerous.
- It's an additional complication. Because most networks weren't designed with security in mind, encryption has to be added as an afterthought. Similarly, every new deployment, hardware change or cloud service spun up needs its own security consideration, with encryption added "to the mix."
- Further down the line, new hardware, software and services will be used as the business scales or changes direction. There's no guarantee that a chosen encryption platform will remain compatible.
- What happens when security holes are found in encryption technologies, like the one discovered in OpenSSL a few years ago? Quantum computing, whenever that lands, may well render all current encryption methods invalid. What then?
- Providing end-to-end encryption is expensive and especially troublesome in remote or edge settings. The hardware required is costly, complex to set up, and lacks the agility and fluidity that current business strategy demands, which is to respond (and often deploy) rapidly.

Ten years ago some of the above were valid obstacles, but today that's simply not the case. Here's a little myth-busting:

- Encryption costs have never been lower.
- Overheads, both management and data, are near zero.
- The best encryption technologies are vendor agnostic, so compatibility is largely a non-issue.
- Crypto-agility is important (especially with quantum computing on the horizon), so finding a solution that won't become redundant is the way forward. Luckily, such solutions exist.
The Australian encryption products developer and manufacturer Senetas shows in its product range that these issues of costs, compatibility, agility and complexity are myths, and have been for a long time.
There is an increasing amount of legislative and regulatory weight placed on data security and governance, and proving that an organisation is compliant is nearly as complex as the measures required to comply. Strictures like those affecting APAC and Australasian businesses (and US and European companies, too) will only increase in number and severity. Complete data encryption right across the enterprise is one sure-fire way of adhering to legislation and (arguably more important) making sure there are no PR-destroying data breaches, loss of IP (intellectual property) or financial calamities.
Whenever there is news of a major data breach of customers' identity and financial records, or of an organisation's IP, the simple, ever-present question should be, "Why wasn't the data encrypted?" With the disastrous consequences of data breaches becoming more common, it seems likely that question will soon be a regular one at company AGMs.
Australian company Senetas provides high-assurance encryption to governments, US defence agencies, high-security entities like airports and travel hubs, critical national infrastructure, and security-conscious companies all over the world. Its product range can be roughly divided into two: a range of high-assurance hardware encryptors designed for different network sizes and data throughputs (such as those used in core IT infrastructure), and a virtualised software version of the hardware units. The VM runs the same platform as its hardware cousins, but can be hosted where shipping in hardware may not be viable (or thought practical), such as in some remote and edge settings.
You can read more about the Senetas product range in this article on Tech Wire Asia, but for the time-poor, here’s a quick summary.
- A high-assurance encryption solution that secures every data packet on the network, in transit.
- Uses standards-based encryption algorithms that can be replaced or updated if new technology appears to crack the latest encryption methods (the oft-quoted quantum computing, for example).
- Fully encrypts on OSI layers 2, 3 and 4.
- Self-healing, with zero-touch key management.
- Has near-zero latency and uses virtually no bandwidth: users won't notice how safe they are.
- Physically and technologically secure: tamper-proof hardware and client-side-only keys.
If you accept that data breaches will happen, the most effective way to prevent a potential class-action suit, or to stop your information appearing for sale on the dark web (and the not-so-dark web, too), is to encrypt your organisation's data wherever it may be. With a range of hardware options, plus a virtualised option that runs as a discrete VM on x86 commodity hardware, we recommend you read more here.
*Some of the companies featured in this editorial are commercial partners of Tech Wire Asia.