Register to receive a printed copy(For Lexis Practice Advisor® Subscribers Only)
Lexis Practice Advisor®Free Trial
Learn More AboutLexis Practice Advisor®
By: Geoffrey H. Wold
As cyber criminals become more sophisticated in their efforts to target cyber victims, organizations must also grow their capabilities to successfully combat and defeat them. The evolving nature of Internet crime presents a unique set of challenges, as crimes often overlap jurisdictional boundaries and perpetrators can attack from anywhere on the globe. Because of the increasing threats of cyber attacks, cybersecurity—the defense against cyber attacks—is mandatory.
TO SECURE AGAINST CYBER ATTACKS, ORGANIZATIONS must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised.
Data security is an important cybersecurity protection technique. This article addresses both the confidentiality and integrity of information at rest and protection of the confidentiality and integrity of transmitted information. Information and records (data) should be managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Organizations should implement the following best practices related to data security to improve their cyber resilience posture:
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content.
Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file-share scanning. Integrity protection can be achieved by implementing Write-Once-Read- Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure offline storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.
The information system should protect the confidentiality and integrity of transmitted information. This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines).
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques).
Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services that can be highly specialized to individual customer needs) may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations should determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations should implement appropriate compensating security controls or explicitly accept the additional risk.
Cryptographic or Alternate Physical Protection
The information system should use cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums2, and message authentication codes. Alternative physical security safeguards include protected distribution systems.
Pre- / Post-transmission Handling
The information system should maintain the confidentiality and integrity of information during preparation for transmission and during reception. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
Cryptographic Protection for Message Externals
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by an organization-defined alternative physical safeguard. This control addresses protection against unauthorized disclosure of information. Message externals include message headers / routing information. This control prevents the exploitation of message externals and applies to both internal and external networks or links that may be visible to individuals who are not authorized users.
Header/routing information is sometimes transmitted unencrypted because the information is not properly identified by organizations as having significant value or because encrypting the information can result in lower network performance and/or higher costs. Alternative physical safeguards include protected distribution systems.
The information system should use cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by an organization-defined alternative physical safeguard. This control addresses protection against unauthorized disclosure of information.
Communication patterns include, for example, frequency, periods, amount, and predictability. Changes to communications patterns can reveal information having intelligence value, especially when combined with other available information related to missions / business functions supported by organizational information systems. This control prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed/random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical safeguards include protected distribution systems.
Encryption is an essential instrument for network security. It is the foundation for authentication, confidentiality, and integrity. Data encryption disguises data flowing through a network so that it is unintelligible to anyone monitoring the data. Encryption techniques can also be used to detect any attempt to modify data. Therefore, data encryption can be used to protect the secrecy of a user password or personal identification number (PIN) and to conceal the integrity of data in a financial transaction.
Electronic eavesdropping threatens every aspect of information transfer and storage. No medium is totally secure. Communication networks are vulnerable to crime unless transaction data are protected. Without protection, messages can be intercepted, altered, deleted, or replaced at any time and place in the network. It is not practical to physically protect all communication lines from wiretapping. Therefore, the information must be protected as it flows through the network. A proven method to protect networked information is data encryption that uses an algorithm to scramble data into an unintelligible form.
Encryption should be considered for data that is sensitive, has a high value, or represents a high value if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. Encryption methods provide important functionality to protect against intentional and accidental compromise and alteration of data. These methods support communications security by encrypting the communication prior to transmission and decrypting it at receipt. These methods also provide file/data security by encrypting the data prior to placement on a storage medium and decrypting it after retrieval from the storage medium.
Encryption deals with the transformation of ordinary text (plaintext) into coded form (ciphertext) by encryption and the transformation of ciphertext into plaintext by decryption. Encryption relies on two basic components: an algorithm (or cryptographic methodology) and a key. The algorithm is the mathematical function used for encryption or decryption, and the key is the parameter used in the transformation.
There are two basic types of encryption: secret key systems (also called symmetric systems) and public key systems (also called asymmetric systems). In secret key systems, the same key is used for both encryption and decryption. That is, all parties participating in the communication share a single key. In public key systems, there are two keys: a public key and a private key. The public key used for encryption is different from the private key used for implementing cryptography decryption. The two keys are mathematically related, but the private key cannot be determined from the public key. In general, cryptography is used to meet the following security objectives:
The encryption key is defined as the secret sequence governing the encryption and decryption process. The two basic types of cryptographic systems used today are symmetric (private key) and asymmetric (public key) systems.
A private key encryption system uses the same key for encryption and decryption. It requires that the sending and receiving parties share a common key. This key must be kept secret (private) to ensure the security of the encrypted information.
A public key or public/private cryptographic system involves pairs of keys, one for encrypting messages and another for decrypting messages. The encrypting key is public, so that anyone wishing to send a message to a given user can use that encrypting key. Only the recipient, however, has the (secret) decryption key. A public/ private encryption system works as follows:
In both types of systems, selection and protection of keys (even public keys) are critical to the overall security of the system.
All cryptographic systems require a well-defined process (algorithm) by which information is transformed from clear text3 to ciphertext and back to clear text. It is an accepted principle of cryptology that the strength of a cryptographic system should not depend on the secrecy of the algorithm itself. This enables the exchange of information necessary for the design and manufacture of systems incorporating the algorithm. It also permits critical analysis of the algorithm itself and eliminates the need to provide physical protection for devices and documentation.
Various cryptographic products (both private and public key systems) use proprietary (secret) cryptographic algorithms. Such algorithms are often designed to operate at higher speeds than algorithms that are public information.
Cryptographic algorithms can, in general, be implemented in either hardware or software. The first approach usually results in a much faster operation and better integrity protection. The second approach is often less expensive and more flexible. Hardware implementations of algorithms on a single integrated circuit are available and used in several cryptographic products. Software versions of the cryptographic algorithms are also available.
Public vs. Secret Key Cryptography
The primary advantage of public key cryptography is increased security and convenience. Private keys never need to be transmitted or revealed to anyone. In a secret key system, the secret keys must be transmitted (either manually or through a communication channel). There may be a chance that an unauthorized individual can access the secret keys during their transmission. The primary advantage of secret key cryptography is speed. There are popular secret key encryption methods that are significantly faster than any currently available public key encryption method. Alternatively, public key cryptography can be used with secret key cryptography to get the best of both worlds—the security advantages of public key systems and the speed advantages of secret key systems. The public key system can be used to encrypt a secret key that is used to encrypt the bulk of a file or message. In some situations, public key cryptography is not necessary and secret key cryptography alone is sufficient. This includes environments where secure secret key agreement can take place, environments where a single authority knows and manages all the keys, and a single-user environment. In general, public key cryptography is best suited for an open multiuser environment.
An additional use of public key encryption is the ability to authenticate the user. If a message is sent from an individual where it is encrypted with that individual’s private key, there is only one source from which the message could have come. The message is therefore authenticated to the private key holder and no one else.
The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends on the protection afforded the keys. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Listed below are recommendations for effective key management.
The security of cryptographic keys in an electronic or digital signature system is the foundation of a secure system; therefore, users must maintain control of their keys. Users should be aware of their unique responsibilities, especially regarding the significance of a key compromise or loss.
It is imperative to have a plan for handling the compromise or suspected compromise of central/root keys or key components at a central site. The contingency plan should address what actions should be taken with system software and hardware, central/root keys, user keys, previously generated signatures, and encrypted data. If someone’s private key is lost or compromised, others must be made aware of this so that they will no longer encrypt messages using the invalid public key or accept messages signed with the invalid private key. Users must be able to store their private keys securely so that no intruder can find them, yet the keys must be readily accessible for legitimate use. Keys need to be valid only until a specified expiration date.
Software at the central key-management site should be electronically signed and periodically verified to check the integrity of the code. This provides a means of detecting the unauthorized modification of system software. Within a cryptomodule, this feature of generating and verifying a cryptographic checksum is essential.
Secure Key Management
Key management provides the foundation for the secure generation, storage, distribution, and translation of keys. One of the fundamental principles for protecting keys is the practice of split knowledge and dual control. Split knowledge and dual control may be used to protect the centrally stored user secret keys and root private keys, secure the distribution of user tokens, and initialize all encryption in the system to authorize their use in performing cryptographic functions within a system.
Another role of key management is key maintenance, specifically, the update/replacement of keys at the completion of a cryptoperiod. The cryptoperiod is determined based on the sensitivity of the information and the risk of key compromise. Central sites play an important role in key management. In public key systems, central sites typically include a certification authority (CA), which is an entity that issues and revokes public key certificates and may even generate key pairs. The CA private key should be protected with split knowledge and dual control. Whether in a secret or public key system, the security of the central site is critical to the overall cryptographic security of the system.
The generation of keys is the most sensitive of all cryptographic functions. Any inadequacies in the implementation of the keygeneration function or in the physical security safeguards of that function will seriously undermine the integrity of other cryptographic mechanisms. The physical security measures are necessary to prevent unauthorized disclosure, insertion, and deletion of the system or keys produced by the system. All automated resources that generate keys should be physically protected to prevent:
User keys should be archived for a sufficiently long cryptoperiod. A cryptoperiod is the time during which a key can be used for signature verification or decryption; it should extend well beyond the lifetime of a key (where the lifetime is the time during which a key can be used to generate a signature and/or perform encryption). Keys should be archived for a lengthy cryptoperiod (on the order of decades), so that they can be used to verify signatures and decrypt ciphertext during the cryptoperiod.
Users with different roles in the system should have keys with lifetimes that take into account the users’ roles and responsibilities, the applications for which the keys are used, and the security services provided by the keys (user/data authentication, confidentiality, and data integrity). Reissuing keys should not be done so often that it becomes burdensome; however, it should be performed often enough to minimize the loss caused by a possible key compromise.
One of the primary security controls to ensuring individual accountability (determining the identity of the user) is to authenticate each user. Traditional authentication techniques include passwords and personal identification numbers (PINs). Additional methods for authenticating users are provided by cryptographic methods.
Weak authentication only provides protection against attacks in which an impostor cannot view, insert, or alter the information passed between the user who is trying to prove identity (claimant) and the system checking on the claimant’s identity (verifier) during an authentication exchange and subsequent sessions. In this scenario, an impostor attempts to assume a claimant’s identity by initiating an access control session as a valid user and attempting to guess a legitimate user’s authentication data. Traditional password schemes provide weak authentication because an impostor may be able to view and later use the password to assume the user’s identity. The strength of this authentication process is highly dependent on the difficulty of guessing password values and how well these values are protected.
Use of dynamic authentication relies on dynamic authentication data that changes with each authenticated session between a claimant and verifier. An impostor who can view information passed between a claimant and verifier may attempt to record this information, initiate a separate access control session with the verifier, and replay the recorded authentication data in an attempt to assume the claimant’s identity. This authentication mechanism protects against such attacks, because authentication data recorded during a previous session will not be valid for any subsequent sessions.
Mobile devices have become an integral part of today’s workforce. These devices include smartphones, tablets, and laptops. The widespread usage of these devices allows for a mobile workforce, allowing users to be connected to their e-mail and the Internet. However, the convenience of these devices comes with risk. If a laptop or smartphone that contains customers’ personal information is stolen and the devices are not properly encrypted, the organization would be liable for the breach. The U.S. government mandates that organizations report any breach of security to the public if personal information has been compromised.
In order to protect customer information and avoid potentially damaging publicity, organizations must take the appropriate measures to secure mobile device data. The most prevalent types of mobile device security are:
Laptop Security and Tracking Software
There are many different types of laptop security and tracking software currently in the market. Of the many capabilities of this type of software, two of the most important are its ability to track mobile computer assets and to remotely wipe sensitive data if a laptop is lost or stolen.
Tracking is an important part of protecting sensitive customer information. Generally, tracking software uses the online connectivity of mobile devices to find their locations inside and outside of the organization. There are many different types of tracking software, all with variations on how to track stolen laptops and other mobile devices. Some tracking software will resist a hard drive reformat so that even after theft, the laptop can still be located.
Laptop security software works by remotely deleting sensitive data on mobile devices that have been lost or stolen by using an algorithm that meets the U.S. Department of Defense standard for data removal. Once the data is wiped from the device, data cannot be recovered. When deletion is complete, a log is created and can be viewed, and the organization can keep track of sensitive information that has been deleted to comply with data protection regulations.
Full-disk encryption (FDE) is a type of software or hardware that fully encrypts the entire Hard Disk Drive (HDD). FDE is “transparent” to the users. This means that once it is installed and booted successfully one time, the HDD is unlocked and behaves like any other HDD. The user does not need to decide which files to encrypt because, with FDE, everything is encrypted.
FDE benefits compared to regular file or folder encryption include:
One of the main drawbacks of software-based FDE is the increase in access time. Since the entire disk is encrypted, including the system’s virtual memory, the system’s performance is degraded slightly in normal use. File system intensive operations will see more of an impact, though the system should remain usable.
Trusted Platform Module
Trusted Computing Group (TCG), a not-for-profit organization with international membership and broad industry participation, has been working for years to create trusted hardware and enabling software to be less susceptible to virtual and physical attacks. Members of TCG include Intel®, Microsoft®, and Infinenon®. The outcome of their work is the Trusted Platform Module (TPM).
TPM is a small piece of silicon affixed to a motherboard that securely stores digital keys, certificates, and passwords. Security processes (i.e., digital signature and key exchange) are protected through the Trusted Computer Group subsystem. Access to the platform could be denied if the boot sequence is not as expected. Applications, such as e-mail and web access, are made more secure by using TPM.
Information Rights Management
Information Rights Management (IRM) is an encryption technology that is typically applied to unstructured data elements such as PDF files and spreadsheets. IRM provides for both the encryption of the file contents as well as for control over how the file contents can be used by those granted access to the data. For example, someone who possesses a file can be granted the ability to view the contents but prevented from printing the document. And in the event a holder of the file forwards the file to someone else (whether intentionally or inadvertently), the receiver will be unable to view the contents unless they have been given rights to do so.
IRM technology is increasingly available in commonly used commercial-off-the-shelf (COTS) desktop automation solutions. There are, however, key management infrastructure considerations to address should there be a need to make IRM-protected files available to third parties. Cloud-based solutions may be appealing, but this may mean exposing keys to the cloud service provider.
Whatever encryption solutions an organization deems appropriate to mitigate its risks, the organization will need to consider factors such as algorithm selection and key management. There are multiple encryption algorithms available with varying benefits in terms of security and performance. Furthermore, any encryption solution is subject to correct implementation and appropriate selection of important variables (e.g., key size).
Due to these complexities, it is generally recommended that organizations perform encryption using a well-established COTS or open source solution. The National Institute of Standards and Technology (NIST) maintains a Cryptographic Algorithm Validation Program that may be a useful resource in determining whether a particular algorithm, or implementation thereof, is secure. In any encryption implementation, organizations will also need to address key management considerations such as how to securely distribute keys as well as how and when to rotate keys. The strongest encryption algorithm can fail if keys are not well-controlled.
Data security is an important component of a complete cybersecurity program. Organizations should implement a continuous cycle of refinement and evolution of their cybersecurity programs. The cycle should provide for an assessment of internal and external risks, reasonable and prudent protective measures, constant and consistent monitoring for detection of anomalies (events), the appropriate responses to such anomalies, and a process for recovering from cyber attacks.
Geoffrey H. Wold, CPA, CISA, CGEIT, CRISC, CITP, CMA, CMC, CFSA, specializes in cybersecurity assessments and planning. He is the author of the comprehensive Cybersecurity Resilience Planning Handbook, which will be available through LexisNexis in November 2016. His experience includes assessing cyber threats, vulnerabilities, and risks assessments; auditing cybersecurity and controls; planning cybersecurity protection and detection controls; and testing of cybersecurity and controls. He has performed cybersecurity assessments and developed cybersecurity plans for all sizes and types of industries. Mr. Wold is also the author of Business Continuity for Corporations; Corporate Information Security; and Corporate Technology Planning and Management, all also available from LexisNexis.
RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security> Planning for and Managing a Data Breach > Articles > Preparing a Data Breach Avoidance & Response Plan
> DRAFTING PRIVACY POLICIES
RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Drafting Privacy Policies > Practice Notes > Drafting Privacy Policies
For information on data security and cyber insurance for cloud computing, see
> DRAFTING AND NEGOTIATING EFFECTIVE CLOUD COMPUTING AGREEMENTS
RESEARCH PATH: Intellectual Property & Technology > Software & Information Technology >Cloud Computing > Practice Notes > Cloud Computing
For a comprehensive discussion on preparing for and responding to a data breach, see
> PLANNING FOR & MANAGING A DATA BREACH
RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach
For assistance in preparing a data breach notification letter, see
> PREPARING A BREACH NOTIFICATION LETTER
1. Cryptographic mechanisms are techniques and applications designed to protect private and sensitive communications. 2. A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. 3. Cleartext (also plaintext) is the original form (usually readable) of information or data. When cleartext is encrypted, the result is ciphertext.