Disk Encryption, SSL and TLS on their own fix very little
Introduction
And so there was light ... and DARPA created the Internet.
Those on high said let there be a way to deliver things to a destination ... and lo there was IP ... and then they said we need a way to chop up our data into segments and make sure they are rebuilt back in a reliable and robust way ... and so there was TCP. The world was happy but it couldn't do much.
Then they said we need to do something useful on the Internet .... and so there was SMTP (sending email), POP (reading email), HTTP (Web), FTP (File Transfer), Telnet (Remote Access), and all the rest. The world was happy again and the Internet was a useful place.
Then they said that anyone could see what you are doing ... and there was a long silence ... and a little voice said:
"Let's fix it a little while we work on something else" ... and so the creator made SSL.
And the world was thus happy, and everything was good again with the Internet. It was a time of great joy, and no-one was bad. Bob, Alice and Eve lived in harmony, and they helped each other:
And Eve thus said, "If I stand in the middle I can still hear you", and no-one listened, and then she said, "If I stand in the middle and tell you both to stop securing your communications, I can get the keys to your home", and again no-one listened and she felt like a FREAK.
So she then said, "If I sit on their end of SSL I can still hear you talking", and no-one listened, apart from a Super Fish.
And Eve did thus say that she could see Alice's key under the plant pot, and, again, no-one listened. And so no-one cared, and the world was happy with what it had created. And thus the creator said "my work is done", and left.
How bad is SSL/TLS?
The dilemma that we have is that SSL and TLS are fixes for just one part of the whole complex issue of protecting data: they secure only one of the states that data can be in. One of the greatest challenges that we face at the current time on the Internet is the leakage of data, and no one protocol can fix it. If a disgruntled administrator has the private keys that are used to store data on a server, we have a possible large-scale breach.
At-rest, in-motion and in-use
Data exists in three main states: at-rest (on the disk); in-motion (on the network); and in-use (running on the system). If we just secure one or two of the three states, we risk a data loss. Increasingly, companies need to understand the scope of their protection, especially in the transition between each of the states. The encryption key, for example, is the one thing that can release a great deal of the secured data. So where are the encryption keys stored, and what controls do we have on them? Only with TPM chips and fingerprint recognition do we have a credible way of properly storing encryption keys.
I have lost count of the number of times I've asked companies how secure their encryption is, and they say "we use 256-bit AES", and I find that the domain controller stores the keys, and anyone with administrator access can view and copy them. In this case brute force means trying a single key! On other occasions I've reviewed the usage of digital certificates, and the answer for security is that the keys are protected by a simple password ... pop the certificate off the system, and brute force reveals them.
Ask Lenovo how they felt when Superfish managed to store a digital certificate with the public and private key on the user's computer, where the password was the name of the company that created the spying library [here].
Figure 1: Data states
Sometimes data passes between at-rest and in-use with databases, and with distributed databases we see all three states occurring for a single transaction. Developers often try to minimise the complexity of their programs, and will often select a single encryption key for the whole of the database. A loss of the key reveals the whole of the database.
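As an added example (not code from the original article) of the alternative to the single-key design just described: every row gets its own data key (DEK), and only that DEK is wrapped under a key-encryption key (KEK), using Go's standard library AES-GCM. The KEK is still the one secret that has to be kept out of reach, which is exactly the key-storage question raised above; here it is simply a constructed 32-byte value passed in by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

type box struct{ Nonce, Data []byte } // AES-GCM output: random nonce plus authenticated ciphertext

// Record is one encrypted row: the row sealed under its own 256-bit data key (DEK), and that
// DEK sealed under the key-encryption key (KEK). A leaked DEK exposes one row, not every row.
type Record struct{ WrappedDEK, Row box }

// gcm returns an AES-GCM AEAD; it panics on a key that is not 16, 24 or 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) box {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error since Go 1.24
	return box{nonce, aead.Seal(nil, nonce, plaintext, nil)}
}

// open reverses seal; a wrong key or tampered bytes fails authentication with an error.
func open(key []byte, b box) ([]byte, error) { return gcm(key).Open(nil, b.Nonce, b.Data, nil) }

// EncryptRecord draws a fresh DEK for this row, seals the row under it, and
// wraps the DEK under kek so that only a KEK holder can recover the row.
func EncryptRecord(kek, row []byte) Record {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Record{WrappedDEK: seal(kek, dek), Row: seal(dek, row)}
}

// DecryptRecord unwraps the DEK with the KEK, then opens the row with the DEK.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Row)
}
```

Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting the whole table, and a KEK held in a TPM or HSM never has to touch the database host's disk.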
Data Loss Prevention
Overall DLP is a growing market, especially after Edward Joseph "Ed" Snowden who, in June 2013, leaked classified information from the National Security Agency (NSA) to the mainstream media. As with many large-scale data leaks, he worked from the inside of the company and was a system administrator at the Central Intelligence Agency (CIA). Chelsea (Bradley) Manning also highlighted the problems around the insider threat, when in Feb 2011, he leaked hundreds of thousands of classified documents to WikiLeaks, which was set up by Julian Paul Assange.
The recent Sony hack actually shows a timeline of many years of problems around APT (Advanced Persistent Threat). With Sony, insiders managed to gain access to many of the emails sent within the company. Here's a garbled one from Amy Pascal, Sony Pictures Entertainment co-chairman, which has been leaked to the Internet:
DLP continues to grow as a market, and the sell typically focuses on:
- Audit/Compliance. Companies will often have to comply with an audit/compliance regime, such as PCI-DSS (for Finance) and HIPAA (for Health Care).
- Direct Losses. The Direct Losses can often be clearly defined, such as with investigation costs, customer compensation, litigation, and so on. In the finance industry, the fines can be heavy, such as where the FSA hit Zurich UK with a fine of £2.75 million for the loss of 46,000 customer details.
- Indirect Losses. Indirect Losses are often the major sell in DLP, such as a falling share price, damage to company reputation, and loss of customer faith (Figure 1). The effects on brands can have a long-term effect on a company, especially within areas such as the finance sector, the public sector, and other areas that hold sensitive information. Electronic mail is often one of the most sensitive areas within data loss, where personal information can often be included, and a large-scale loss of emails can lead to a great deal of embarrassment.
Figure 2: Data Leakage Losses
Conclusion
Data is the new battlefield in computer security, especially as its contents are so valuable for intruders. What would be the greatest data breach ever? It wouldn't be from a government department, or from your bank, it would be from your Cloud provider, as they know all your secrets. Did you know that Google holds your complete Internet search history, and all your passwords?
We need to admit that SSL and TLS and the whole concept of secure sockets are only a small part of securing data, and most of it is in the storage and access policies.
End of story
And so Eve, after telling Bob and Alice there was a problem, turned Evil, but Bob and Alice continued with their lives unaware that Eve was listening to everything that they said. Eve decided that she wanted to be Alice, and so it was, and Bob had no idea.
So it was decided that digital forensics was not enough, and so came forth two new dragon slayers ... Live Forensics and Network Forensics ... and so the Internet became the place of the greatest battle in the history of the World!
Who will win?
Sr. EVP & CIO at Fino Payments Bank Ltd
Excellent document, very simple and easy for anyone to understand!