Tag Archives: encryption

HTTPS encryption for all federal websites requires new endpoint protection concepts

13 June 2015

Starting in 2017, all federal websites that are publicly accessible in the US should have HTTPS encryption as the standard secure communication protocol.

This directive, issued by The White House Office of Management and Budget (OMB), is a real game-changer because it makes it harder for attackers to intercept sensitive communications or to steal personal data that is entered on federal websites.

I had just finished preparing for my ISO 27001 Information Security Officer exam when I read the announcement in a LIFARS post. ISO 27001 deals with cryptographic controls in Annex 10.1. In the related chapter A.10.1 of ISO 27002 you learn:

When developing a cryptographic policy the following should be considered:

g. the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).

Encryption means death for all traditional malware protection systems. Traditional malware detection tries to match patterns in a data stream with patterns stored in the pattern database of the anti-malware system. Since the patterns in the data stream are encrypted, matches are no longer found. Game-Over!

This has only a minor impact on enterprises: they can use already available technology that breaks the SSL encryption for inspection, but that approach is too expensive for end-users.

Vendors of endpoint protection systems have to develop new concepts to protect consumers from unknown malware hidden in the encrypted data stream. And federal agencies have to step up their efforts to make sure that data exchanged through their websites does not contain malware.
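The following Python script is an added illustration of the placement problem described above; it is not code from the original post or from any vendor. It runs a small signature scanner over a constructed HTTP response carrying the EICAR test string, once on the wire (ciphertext) and once after decryption. The session key, the body and the second signature are constructed for the demo, and SHA-256 in counter mode stands in for the TLS record layer; it is not real TLS.

```python
import hashlib
import re

# Constructed sample traffic: an HTTP response body carrying the EICAR test
# string, the harmless industry-standard sample that every signature scanner flags.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
HTTP_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>" + EICAR.encode() + b"</body></html>")

# Pattern database as a traditional engine holds it. The second entry is a
# hypothetical signature added only to show that unrelated patterns stay silent.
SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR.encode())),
    "Hypothetical-Script-Dropper": re.compile(rb"eval\(unescape\("),
}


def scan(data):
    """Return the sorted names of all signatures found in the byte stream."""
    return sorted(name for name, sig in SIGNATURES.items() if sig.search(data))


def keystream(key, length):
    """SHA-256 in counter mode: a stand-in for TLS record encryption, NOT real TLS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key, data):
    """Encrypt or decrypt (the operation is symmetric) with the demo keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed session key; in reality it is negotiated by the TLS handshake.
SESSION_KEY = hashlib.sha256(b"constructed demo session key").digest()


def scan_on_the_wire(key=SESSION_KEY):
    """What a network-level scanner sees after 'HTTPS everywhere': ciphertext only."""
    return scan(xor_with_keystream(key, HTTP_BODY))


def scan_after_decryption(key=SESSION_KEY):
    """Inspection placed where the plaintext exists again: either an enterprise
    interception proxy that terminates TLS and therefore holds the session key,
    or endpoint protection hooking in after the client's TLS stack has decrypted."""
    wire = xor_with_keystream(key, HTTP_BODY)
    return scan(xor_with_keystream(key, wire))


if __name__ == "__main__":
    print("plaintext scan      :", scan(HTTP_BODY))
    print("scan on the wire    :", scan_on_the_wire())
    print("scan after decrypt  :", scan_after_decryption())
```

The same pattern database finds the test file in plaintext and after decryption but sees nothing on the wire, which is exactly why consumer endpoint protection has to move its inspection point onto the device, after the browser's TLS layer, rather than relying on network-side matching.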

‘HTTPS everywhere’ is indeed a real game-changer. Hopefully someone in the OMB has thought of the impact on endpoint protection.

Don’t panic… and have a good weekend.

Anthem Hacked – The call for ‘More of Everything’ grows louder

19 February 2015

Just some thoughts about the call for more technology, encryption, pen testing, etc.

The big question is: Would database encryption have slowed down or stopped the attackers? From my experience with Transparent Data Encryption (TDE) in the Oracle universe I can only answer: Definitely Not!

If it is properly set up, TDE works very well at preventing unauthorized access to data at rest: administrators and users cannot read or copy the database files, e.g. while the database is shut down.

But as long as the database is running, TDE works transparently for all users and administrators: they can access the data with applications or SQL tools without any restriction.

If you want to keep the administrators away from the data you must set up Oracle Database Vault on top of TDE. Database Vault acts as a firewall between the users and the administrators. Administrators can run their administrative tasks, but they can no longer access the data. In addition, the Separation of Duties principle is enforced for security-critical operations such as the creation of users.

But what about malicious insiders? Malicious insiders are responsible for about two-thirds of all attacks, but neither TDE nor Vault would stop them from accessing all data. With Label Security a fine-grained access control system is available that gives data admins the opportunity to restrict a user to individual data sets in a table.
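To make the three layers tangible, here is an added Python model (not code from the original post, and not the API of any Oracle product) of what Database Vault and Label Security enforce once the database is running and TDE has already decrypted everything for every session: a realm gate that keeps the DBA role away from data statements while still allowing maintenance, and row labels with a level/compartment dominance check that restricts each user to individual rows. The member rows, roles, levels and compartment names are constructed for the example.

```python
from dataclasses import dataclass

# Ordered sensitivity levels. Modelled on the level/compartment labels used by
# mandatory row-level access control (Oracle Label Security is one product built
# this way); this is a stand-alone illustration, not that product's API.
LEVELS = {"PUBLIC": 1000, "CONFIDENTIAL": 2000, "HIGHLY_CONFIDENTIAL": 3000}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, row_label):
        """A reader may see a row when its level is at least the row's level
        and it holds every compartment the row is tagged with."""
        return (LEVELS[self.level] >= LEVELS[row_label.level]
                and row_label.compartments <= self.compartments)


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    read_label: Label


# Constructed sample rows: (member id, row label). Inside the running database
# all of this is plaintext; TDE only protected the files while it was shut down.
MEMBERS = [
    ("M-1001", Label("PUBLIC")),
    ("M-1002", Label("CONFIDENTIAL")),
    ("M-1003", Label("CONFIDENTIAL", frozenset({"CLAIMS"}))),
    ("M-1004", Label("HIGHLY_CONFIDENTIAL", frozenset({"CLAIMS"}))),
]


class ProtectedTable:
    # Vault-style realm: only these roles may issue data statements at all.
    # The DBA role is deliberately absent (separation of duties).
    REALM_PARTICIPANTS = frozenset({"member_app", "claims_analyst", "clerk"})

    def __init__(self, rows):
        self._rows = rows

    def select(self, session):
        """Realm check first, then the per-row label filter."""
        if not (session.roles & self.REALM_PARTICIPANTS):
            raise PermissionError(f"{session.user}: realm violation, no data access")
        return [mid for mid, lbl in self._rows if session.read_label.dominates(lbl)]

    def maintenance_row_count(self, session):
        """An administrative task: allowed for the DBA, returns metadata only."""
        if "dba" not in session.roles:
            raise PermissionError(f"{session.user}: not an administrator")
        return len(self._rows)


def attempt(operation, session):
    """Run an operation for a session; None when the policy denies it."""
    try:
        return operation(session)
    except PermissionError:
        return None


TABLE = ProtectedTable(MEMBERS)
CLERK = Session("clerk1", frozenset({"clerk"}), Label("PUBLIC"))
ANALYST = Session("analyst1", frozenset({"claims_analyst"}),
                  Label("CONFIDENTIAL", frozenset({"CLAIMS"})))
DBA = Session("dba1", frozenset({"dba"}), Label("PUBLIC"))

if __name__ == "__main__":
    for s in (CLERK, ANALYST, DBA):
        print(s.user, "select ->", attempt(TABLE.select, s),
              "| maintenance ->", attempt(TABLE.maintenance_row_count, s))
```

The clerk sees one row, the claims analyst three, and the DBA can count rows for maintenance but cannot select any of them; none of these outcomes depends on whether the files on disk are encrypted, which is the point of the post.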

Sounds like rocket science, doesn't it? Far from it. Most of these products have been on the market for several years, but they are widely unknown, and the effort for implementation is high.

That’s it for today.

For further reading please see

Anthem Cyber Hack: 5 Fast Facts You Need to Know

Anthem Breach Should Convince Healthcare To Double Down On Security

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

Security Think Tank: How to share data securely

21 June 2014

This post of Tim Holman is absolutely worth reading.

Security Think Tank: How to share data securely

Tim presents the elementary basics on the People and Process level for sharing classified data with trusted third parties. From my point of view these basic principles must be applied to the handling of classified data inside a company as well.

In particular for information classified as strictly confidential I would strongly recommend taking further actions:

  • Review of all authorizations and permissions with strict regards to the Need-to-Know and the Separation of Duties principle.
  • Reorganization of all filing structures

Both measures can be implemented rapidly and will raise the overall level of security because we know in detail who is authorized to access the information and where the information is stored.

In addition, technical measures like an integrated Tagging/DLP solution could be applied to support the employees in enforcing the company’s security policy. In my opinion encryption is the last line of defence.

The eBay data breach – Is hashing of passwords the appropriate response?

10 June 2014

The news about the data theft at eBay has almost electrified me. Not due to fears of losing my private data, I am not an eBay customer, but the details under which the theft took place are interesting for me from a professional point of view.

My first thought was: This was an Insider Attack!

The IT departments of large companies are doing a very good job in operating the servers connected to the internet. I would have been very surprised about an attack through servers at the company’s border to the internet.

The information published by eBay on 21 May 2014 [1] saved my day:

‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.’

I am not at all surprised that eBay discovered the loss of customer information with a two-month delay. According to the Ponemon Study 2013 [2] the average time to resolve attacks by ‘malicious insiders’ was 65.5 days in 2012 (57.1 days in 2011). That fits well in this case too.

But I am somewhat puzzled by the discussion in some blogs whether encryption is the adequate method to protect sensitive and private data from unauthorized access. Hashing is praised as a better method for protecting passwords.

In my opinion this discussion does not go nearly far enough. The loss of e-mail address, physical address, and date of birth must be taken at least as seriously as the loss of passwords, since this information enables e.g. professionally made targeted phishing attacks. And, as we all know, an experienced hacker can attack even a hashed password, in particular if he has enough time behind closed doors. See [3] for amazing details about cracking of hashed passwords.
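Since the post contrasts encryption with hashing without showing what a defensible password store looks like, here is an added Python example (not code from the original post or from eBay) using only the standard library. It shows the two properties that decide how much "time behind closed doors" a stolen table buys an attacker: a per-user salt, so that identical passwords no longer produce identical digests, and an iterated KDF (PBKDF2-HMAC-SHA256), so that each guess costs real work. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os


# What NOT to do: a fast, unsalted hash. Every user with the same password gets
# the same digest, and each guess costs one cheap hash operation.
def fast_unsalted_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


# Salted, iterated hashing. Tune the iteration count so that one verification
# costs tens to hundreds of milliseconds on the login servers.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def accounts_sharing_a_password(store):
    """Group accounts whose stored hash is identical. With an unsalted hash a stolen
    table leaks which users share a password (and one crack unlocks all of them);
    with per-user salts every group is a singleton and the result is empty."""
    by_hash = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, set()).add(user)
    return sorted((group for group in by_hash.values() if len(group) > 1), key=min)


# Constructed sample accounts; two of them reuse the same password.
USERS = {"alice": "Summer2014!", "bob": "hunter2", "carol": "Summer2014!"}
UNSALTED_STORE = {u: fast_unsalted_hash(p) for u, p in USERS.items()}
SALTED_STORE = {u: hash_password(p, iterations=10_000) for u, p in USERS.items()}

if __name__ == "__main__":
    print("shared passwords visible in unsalted store:", accounts_sharing_a_password(UNSALTED_STORE))
    print("shared passwords visible in salted store  :", accounts_sharing_a_password(SALTED_STORE))
    print("alice login ok:", verify_password("Summer2014!", SALTED_STORE["alice"]))
```

The iteration count is embedded in each record so it can be raised over time and old records re-hashed on the user's next successful login; the constant-time comparison avoids leaking how many digest bytes matched. This protects the password column only; the addresses and dates of birth the post worries about cannot be hashed and still be useful, so they need access control and encryption rather than a better hash.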

New technology alone will not necessarily increase overall security, because the root causes of this data breach are more likely a lack of security awareness and training. Therefore, only the classic PPT approach, which includes People, Processes and Technology, will lead to an increase in overall security.
PPT - People, Processes, Technology