Less than a year ago, Apple and the FBI went head to head over encryption, an issue that, until now, seldom extended beyond the back offices of tech companies. The debate, which includes cybersecurity, surveillance and privacy, has since spread to kitchen tables everywhere. With emails and Twitter playing important roles in the U.S. presidential election, never before have issues of security and personal freedom gone quite so mainstream.
It’s expected that with the new administration will come an even bigger and more public discussion on encryption and privacy. President Donald Trump has made it clear that, for him at least, security trumps privacy, which has notably rattled the cages of civil libertarians.
No matter the result, the discussions will continue to offer both the tech world and consumers insights into the sometimes blurred lines between public and private affairs and the ways in which our data is being protected – or exposed. Are our communications really as confidential as we think? Do we have a right to security?
The biggest issues may not be what happens when the government seeks to intervene with corporate guidelines, but how issues like encryption will change the way we protect and share data on a massive scale.
Making the Web Safer
Encryption, if not properly secured, allows cyber-criminals to hide in encrypted traffic to carry out attacks. Looking ahead, this will only get worse, and it will be difficult to tell what is trusted and what is not.Kevin Bocek, Venafi
Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity firm Venafi, sees both positives and negatives to encryption.
“While the increased deployment and use of encryption is generally good to ensure authenticity and privacy, it also exposes enterprises to significant gaps if not properly implemented,” he said.
For example, more encrypted traffic may mean that more attackers will be using HTTPS protocols and forging certificates to mount more common cyber-attacks. He added that organizations must beware of over-reliance on encryption and understand the positive and negative effects.
Protecting the Tools That Protect Us
For IT professionals, knowing how and when to use encryption is becoming a key issue of cybersecurity.
“More encryption means more use of cryptographic keys and digital certificates,” Bocek said. “[They] are the foundation of cybersecurity and establish trust for secure computing, communications and commerce.” But unprotected keys and certificates can create blind spots that cybercriminals may use to hide in encrypted traffic, elevate privileges, deploy malware and ultimately steal data.
That could be why so many security companies are finding new avenues to not only explain encryption, but also to reach IT professionals with valuable tools that can be used across the board. For example, Symantec’s Encryption Everywhere allows web hosts to easily integrate encryption into every site created.
“There are almost a billion websites today, yet only about 3 percent are encrypted,” explained Roxane Divol, senior vice president and general manager of website security for Symantec.
That statement shouldn’t be surprising given the increase in attacks, and it has the U.S. government’s attention. To protect its own data, the government has mandated the use of HTTPS for all publicly accessible web services to ensure the authenticity and privacy of federal websites.
Depending on how effectively data security is handled in an age of terrorism (cyber and otherwise), it will ultimately impact everything from airline services, banking sites, software and government certificate authorities (CAs) to apps in cars and small appliances. The issue is as big as the web and as complex as the smartphone in your pocket.
“Most enterprises can’t detect advanced persistent threat-like attacks,” Bocek said. “Those that can will often not remediate fully by replacing and revoking compromised keys and certificates, leaving them exposed to ongoing or future attacks.”
Organizations use, on average, more than 23,000 keys and certificates —an increase of 34 percent since 2013, according to a Ponemon study. But every organization surveyed admitted to having been attacked using compromised keys and certificates. Bocek predicts that, in response, we may see companies like Amazon Web Services (AWS) and Let’s Encrypt launch free digital certificates.
“While AWS and other free certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000,” he explained. “Along with the rise of free certificates being used, CAs will start to lose credibility because of the ease in spoofing certificates and receiving authentic certification for fake websites.”
What’s the Solution?
IT professionals can consider using the Advanced Encryption Standard (AES), perhaps the best-known existing symmetric encryption algorithm, to get ahead of threats. But any approach should be widely vetted and strong enough to provide security for increasingly at-risk data. Because every IT professional will at some point deal with encryption in one form or another in the next year, being able to weigh the best possible options is integral to building effective security plans for corporate and government entities.
Certifications including CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+), which launches February 15, and CompTIA Advanced Security Practitioner (CASP) can provide building blocks for the future.
“Encryption, if not properly secured, allows cyber-criminals to hide in encrypted traffic to carry out attacks,” Bocek said. “Looking ahead, this will only get worse, and it will be difficult to tell what is trusted and what is not."
Later this month, CompTIA will launch its newest certification, Cybersecurity Analyst (CySA+), which helps IT professionals gain the skills necessary to secure and protect an organization’s applications and systems. Many of the issues addressed in this article relate to the exam objectives of CySA+. Learn more about CySA+ and see if it’s the right next step for your career.
McDonald is a writer and editor based in Philadelphia. She can be reached online at www.nataliehopemcdonald.com.