encryption: who, what, when, where, and why it's not a panacea
DESCRIPTION
Encryption is a crucial and powerful tool in any organization's data protection / privacy arsenal. But to be effective, it must be applied properly. And even then it's not a silver bullet, including from a privacy breach disclosure perspective. This webinar will discuss:
- Encryption vs. hashing: what is it, and when might you want to use one over the other?
- Practical considerations: implementation options and their merits
- Legal considerations: encryption requirements, benefits and restrictions
- Legal limitations: situations in which encryption is not enough
Our featured speakers for this webinar will be:
- Suhna Pierce, Associate, Morrison Foerster
- Gant Redmon, Esq. CIPP/US, General Counsel & VP of Business Development, Co3 Systems
Are you a CIPP holder? (CIPP/US, CIPP/C, CIPP/E, CIPP/G and CIPP/IT) Attend this webinar for CPE credit.
TRANSCRIPT
Agenda
• Introductions
• What is encryption?
• Practical Considerations
• Legal Considerations
• Legal Limitations
Introductions: Today’s Speakers
• Gant Redmon, Esq., CIPP/US, General Counsel, Co3 Systems
• Suhna Pierce, Associate, Morrison & Foerster LLC
About Co3 – Incident Response Management
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Cryptography: Basic Concepts
• Encryption is a component of cryptography
• Cryptography: the science of communicating information secretly
– Algorithm / cipher: The process used to transform information from plaintext to unintelligible ciphertext form
– Encryption: The operation of transforming plaintext information using a cipher / algorithm
– Decryption: The reverse operation, transforming a ciphertext message to plaintext
– Key: The secret “password” or “code” that facilitates encryption and decryption
Goals of Cryptography: PAIN
• PAIN: Privacy, Authentication, Integrity, Non-repudiation
• Privacy: keep private information from being read by unauthorized readers
• Authentication: verifying the identities of the individual or machine participating in the communications
• Integrity: ensure that unauthorized changes have not been made to information
• Non-repudiation: prevent the sender of a message from denying its origin
Three Basic Types of Algorithms
• Symmetric (aka shared key / secret key)
– Sender and receiver share a secret key
– A single key is used to encrypt and decrypt messages
– Challenges:
• How to share the secret key; no non-repudiation (either holder of the key could have produced a message); scalability (a separate key for every pair of parties)
• Asymmetric (public key)
– Key pair: private key and public key
– What one key encrypts, only the other can decrypt
– Challenges: far more computational effort required to encrypt / decrypt than symmetric
• Reduces speed and performance, so in practice asymmetric cryptography is used to exchange or protect a symmetric key, and the symmetric key protects the bulk data
• Hashing (a one-way function; often called “one-way encryption,” but there is no key and nothing to decrypt)
– Produces a “hash” or “message digest”
– The original message cannot be recovered from the digest
– Typically used for integrity
Encryption versus Hashing 1
• Hashing produces a fixed-length message digest for each message input
– Any change to the input results in completely different output
– Not reversible
– Collision-resistant: it is infeasible to find two inputs with the same digest
– For password storage, the hash function is iterated many times (key stretching) so that each guess is expensive
• Encryption produces ciphertext whose length is related to the plaintext input
– Reversible, given the key
• If each secret message is a three-dimensional object, e.g., a snowflake:
– Encryption: putting a snowflake inside a box and locking it
– Hashing: tracing the snowflake on a piece of paper
Encryption versus Hashing 2
• When to use encryption, and when to use hashing?
• Hashing: use when you only need to check that a value matches one you already hold (i.e. that two values are the same)
– Do not need the original input data back
– Passwords: store a salted, slow (iterated) hash of the password and compare hashes at login; a plain fast hash such as unsalted SHA-256 is cheap to brute-force and is not an adequate password store
• Encryption: use when you need to get the original input data back
– Health data
– Other sensitive data that needs to be read at a future point
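The two slides above put hashing and encryption side by side in words; the following script, added here as an editor's example and not part of the webinar, puts them side by side in code using only the Python standard library. It shows the fixed-length, avalanche and one-way properties of a SHA-256 digest, a salted and iterated password hash (PBKDF2-HMAC-SHA256, the "input iterated many times" case) with constant-time verification, and a reversible, authenticated encryption whose ciphertext is exactly as long as the plaintext. The cipher itself is an assumption made for portability: HMAC-SHA256 run in counter mode as a keystream with an encrypt-then-MAC tag, which is not a standard construction and stands in for AES-GCM or ChaCha20-Poly1305 from a vetted library. The iteration count, labels and sample inputs are constructed for the example.

```python
"""Hashing next to encryption, using only the Python standard library (added example)."""
import hashlib
import hmac
import secrets

# ---- Hashing: fixed-length, one-way, avalanche -------------------------------
def digest(data: bytes) -> bytes:
    """SHA-256 message digest: always 32 bytes, whatever the input length."""
    return hashlib.sha256(data).digest()

def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# ---- Password storage: salted, iterated hash (key stretching) ----------------
PBKDF2_ITERATIONS = 600_000  # assumed default; tune so one hash costs ~100 ms on your hardware

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store salt + iteration count + derived key; the password itself is never kept."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

# ---- Encryption: reversible, ciphertext length tracks plaintext ---------------
# Demonstration cipher (an assumption, not a standard): HMAC-SHA256 in counter
# mode as a keystream, plus an HMAC tag (encrypt-then-MAC) under a separate subkey.
# Real systems should use AES-GCM or ChaCha20-Poly1305 from a vetted library.
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the ciphertext part is as long as the plaintext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first; an altered blob or a wrong key is rejected, not decrypted."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

if __name__ == "__main__":
    secret = b"employee SSN 123-45-6789"          # constructed sample input
    print(len(digest(secret)), len(digest(secret * 100)))   # both 32 bytes
    print(bit_difference(digest(secret), digest(secret[:-1] + b"0")))
    key = secrets.token_bytes(32)
    blob = encrypt(key, secret)
    print(len(blob) - NONCE_LEN - TAG_LEN == len(secret), decrypt(key, blob) == secret)
    record = hash_password("correct horse battery staple", iterations=10_000)
    print(verify_password("correct horse battery staple", record), verify_password("Tr0ub4dor&3", record))
```

Two things the slides' snowflake analogy cannot show: the digest of a one-character change differs in roughly half of its 256 bits, and the decrypt path refuses a tampered box rather than handing back garbage, which is the integrity half of "PAIN" that plain encryption modes do not give you.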
Practical Considerations
• Key length
• Stream and block ciphers
• Types of algorithms: symmetric, asymmetric, and hashing
• Symmetric versus asymmetric: how do they work
• Encryption modes
• Encrypting in transit and encrypting in storage
• Full disk versus partial disk
Key Length
• Encryption / decryption keys are binary strings.
– Each binary digit is a bit, and the total number of bits is the key length
– For a given algorithm, the longer the key, the more work a brute-force attack needs: each additional bit doubles the number of keys to try
– Key lengths are only comparable within the same family of algorithms: a 128-bit symmetric (AES) key gives roughly the same strength as a 3072-bit RSA key or a 256-bit elliptic-curve key (NIST SP 800-57), so a bit count on its own does not say how strong a system is
Transmissions versus Storage
• Data can be encrypted “at rest” and “in transit”
• Encrypting data at rest (in storage)
– Sensitive data should be encrypted
– Can be encrypted in storage at various levels: individual files or folders, entire disk
– Databases: individual cells or columns, entire table, or the whole database
– Removable media, mobile devices, other portable devices (e.g. printers)
• Encrypting data in transit
– Secure Sockets Layer (SSL): asymmetric cryptography authenticates the server and agrees a session key, then symmetric cryptography protects the data; every SSL version is now deprecated and should be disabled
– Transport Layer Security (TLS): the newer protocol that replaced SSL; TLS 1.2 or later is the current baseline
• HTTPS: application of SSL / TLS to HTTP
– Secure Shell (SSH): asymmetric keys for host and user authentication and key exchange, symmetric encryption for the session
– Internet Protocol Security (IPsec): secures IP-based messages
• Used to create VPNs
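The protocol list above says what TLS is for but not what "applied properly" looks like from the client side. The following Python snippet is an added example, not from the webinar, contrasting a deliberately weak TLS client configuration (the kind written to silence a certificate error) with a hardened one, and an `audit_context` check that reports the findings a reviewer would raise. The function names are the example's own; the `ssl` calls are the standard library's.

```python
"""A weak TLS client configuration beside a hardened one, with a review check (added example)."""
import ssl

def insecure_client_context():
    """What 'just make the certificate error go away' code looks like. For contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # accept a certificate issued to any name
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all: trivially interceptable
    return ctx

def hardened_client_context(cafile=None):
    """Verified chain, hostname check, and a TLS 1.2 floor (SSL 2/3 and TLS 1.0/1.1 refused)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname, trusted CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the findings a reviewer would raise for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor too low: " + ctx.minimum_version.name)
    return findings

if __name__ == "__main__":
    print("weak:    ", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Note the order in the weak context: `check_hostname` must be switched off before `verify_mode` is lowered, which is exactly the two-step a developer has to take deliberately to disable verification. A context that passes `audit_context` still transmits in the clear up to the handshake, so it belongs with the at-rest controls above, not instead of them.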
Full Disk versus Partial Disk
• Encryption can be implemented on storage media (e.g., laptops, USB drives) on full disk or partial disk
• Full disk encryption on laptops: encrypt entire drive with an encryption utility that modifies boot process
– Uses symmetric encryption
– Prompts user to enter password / passphrase / USB drive (the passphrase unlocks the disk key; it is not itself the disk key)
– Encryption / decryption key is loaded into memory
– Laptop resumes booting as normal
– Decrypts OS and data files as-needed, transparent to user
– While the machine is running or asleep the key stays in memory, so full disk encryption protects a laptop that is powered off, not one that is unlocked
• Partial disk: encrypts only designated parts of the disk (e.g. file, folder, partition)
– Uses symmetric and asymmetric encryption
– User enters password / key to decrypt and access the encrypted portion
– When the decrypted data is no longer in use it should be cleared from memory, and the key cleared with it
Laws that Require Encryption 1
• Many data protection laws and regulations require encryption of sensitive types of personal data
• United States
– Massachusetts: “Personal information” stored on laptops and other portable devices or transmitted across public networks or wirelessly
– Nevada: “Personal information” stored on data storage devices moved beyond the control of the responsible entity or transmitted outside its secure systems
– HIPAA: e-PHI, if, after a risk assessment, the entity has determined that use of encryption is a reasonable and appropriate safeguard
• Argentina: sensitive data stored on removable media or portable storage devices or transmitted through communication networks
• Japan: biometric information stored on servers, portable devices and portable storage media
• Poland: all personal data transmitted across public networks or wirelessly and on laptops transported outside secured facilities
Laws that Require Encryption 2
• Portugal: sensitive and criminal data transmitted over a network
• Norway: personal data for which confidentiality is necessary, when transferred electronically by means of a transfer medium that is beyond the physical control of the entity
• South Korea: complex encryption requirements for “peculiar identification data” and “bio data” and one-way encryption (hashing) required for passwords
• United Kingdom: personal data, the loss of which could cause damage or distress to individuals, on portable and mobile devices including magnetic media
• And others
Safe Harbor for Encryption
• Breach notification laws in 48 U.S. states
– Encryption tied to the definition of a breach
– All contain a safe harbor for encrypted personal information
– Lose that safe harbor in many of them if the encryption key is also accessed or acquired
– In MA: a 128-bit algorithmic process must be used, unless regulations further define encryption.
• Over 15 other countries with mandatory laws, many others with voluntary guidelines
Restrictions on Encryption
• US export restrictions
– Encryption is a “dual use” item governed for export by the Bureau of Industry and Security (BIS) within the Dept. of Commerce
– Must classify your product with the BIS or self-classify and include that classification on your Shipper’s Export Declaration
• Import, Export and Use Restrictions
– See http://www.cryptolaw.org/cls-sum.htm
– The US controls only export; Russia controls all three
• License requirements
– Description of the product
– List of algorithms used
– Description of how they are used and whether they may be modified
Encryption Is Not a Panacea
• Encryption is only part of a comprehensive security program.
• Also need to have:
– Suitable solution
– Trustworthy implementation
– Key management
– Other appropriate security processes
– Adequate training in technology and processes
• Encryption does not provide availability - need adequate backups.
Hypothetical: Lost USB Drive
• Lost USB drive belonging to HR manager contains several spreadsheets containing employee personal information, including SSNs, and utilizes file encryption
• Does the company know which files on the drive contained SSNs?
• Can the company prove that those files were encrypted?
– File-level encryption protects only the files someone chose to encrypt; without an inventory of what was on the drive and evidence that those files were encrypted, the company has to treat the SSNs as exposed
Hypothetical: Stolen laptop
• Stolen laptop belonging to HR manager contains several spreadsheets containing employee personal information, including SSNs, and utilizes full disk encryption
• Was the laptop running when stolen?
• Was the laptop running shortly before it was stolen?
– If it was running or asleep, the disk key was in memory (and on a machine only just powered off it may still be recoverable from memory), so the thief may read the data despite full disk encryption; this is why these questions decide whether the breach-notification safe harbor applies
Secure Implementation
• Use an encryption algorithm that has not been demonstrated to be insecure
– National Institute of Standards and Technology (NIST) publishes the list of algorithms approved for federal government use in Federal Information Processing Standards (FIPS) and Special Publications
• NIST Cryptographic Algorithm Validation Program (CAVP)
– Validation testing of implementations of NIST-approved algorithms
– The validation list contains some information about the implementations tested and found to have correctly implemented the algorithm
– An approved algorithm can still be undone by a poor implementation (reused nonces, weak random numbers, non-constant-time comparisons), so the implementation matters as much as the algorithm
Key Management
• Keys should be at least 192 bits for organizational data (this is a symmetric-key figure; NIST SP 800-57 treats 128-bit AES as adequate, and asymmetric keys need many more bits for the same strength)
• Keys should be securely and randomly generated (from a cryptographic random source, never from a password or a predictable seed)
• Restrict access to keys to the fewest number of custodians needed
• Store keys securely in the fewest number of places needed, and never alongside the data they protect
• Distribute keys securely
• Key rotation process: a data key that is wrapped by a key-encrypting key can be re-wrapped on rotation without re-encrypting the data
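The full-disk-encryption slide and the key-management slide describe the same mechanism from two sides: a passphrase unlocks a key that lives in memory while the volume is open, and rotation means changing the passphrase without touching the encrypted data. The following Python model, added here as an editor's example and not from the webinar, puts both in one place: a random data-encryption key (DEK) is wrapped under a key-encrypting key (KEK) derived from the passphrase with PBKDF2; `unlock` loads the DEK into memory and `lock` drops it, which is the state difference behind the stolen-laptop questions; `change_passphrase` re-wraps the same DEK so no sector has to be rewritten. The cipher is an assumption for portability: HMAC-SHA256 in counter mode, with the sector number as nonce, standing in for the AES-XTS that real disk encryption uses. Header layout, labels, iteration count and sample data are all constructed for the example.

```python
"""Key hierarchy behind full disk encryption: passphrase -> KEK -> wrapped DEK (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KDF_ITERATIONS = 600_000   # assumed default; lower it only for tests

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for AES (assumption, demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class VolumeHeader:
    """What sits unencrypted on the disk. It holds no secret: the DEK is only here wrapped."""
    salt: bytes
    iterations: int
    wrapped_dek: bytes   # DEK XOR keystream(KEK, "wrap")
    check: bytes         # HMAC(DEK, "check"): lets unlock tell a wrong passphrase from a right one

def _kek(passphrase: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

def wrap_dek(dek: bytes, passphrase: str, iterations: int) -> VolumeHeader:
    salt = secrets.token_bytes(16)
    wrapped = _xor(dek, _keystream(_kek(passphrase, salt, iterations), b"wrap", len(dek)))
    return VolumeHeader(salt, iterations, wrapped, hmac.new(dek, b"check", hashlib.sha256).digest())

def unwrap_dek(header: VolumeHeader, passphrase: str) -> bytes:
    kek = _kek(passphrase, header.salt, header.iterations)
    dek = _xor(header.wrapped_dek, _keystream(kek, b"wrap", len(header.wrapped_dek)))
    if not hmac.compare_digest(hmac.new(dek, b"check", hashlib.sha256).digest(), header.check):
        raise ValueError("wrong passphrase")
    return dek

class Volume:
    def __init__(self, passphrase: str, iterations: int = KDF_ITERATIONS):
        # The DEK is random and never derived from the passphrase, which is what lets the
        # passphrase change without re-encrypting a single sector.
        self.header = wrap_dek(secrets.token_bytes(32), passphrase, iterations)
        self._dek = None   # present in RAM only while unlocked

    @property
    def unlocked(self) -> bool:
        return self._dek is not None

    def unlock(self, passphrase: str) -> None:
        self._dek = unwrap_dek(self.header, passphrase)   # from here on the key is in memory

    def lock(self) -> None:
        self._dek = None   # key gone; to whoever holds the disk the sectors are ciphertext again

    def _crypt(self, sector: int, data: bytes) -> bytes:
        if self._dek is None:
            raise PermissionError("volume is locked")
        # Sector number as nonce, as disk encryption does with its tweak. Real FDE uses AES-XTS
        # so that rewriting a sector does not reuse keystream; this demo cipher would.
        return _xor(data, _keystream(self._dek, sector.to_bytes(8, "big"), len(data)))

    def encrypt_sector(self, sector: int, plaintext: bytes) -> bytes:
        return self._crypt(sector, plaintext)

    def decrypt_sector(self, sector: int, ciphertext: bytes) -> bytes:
        return self._crypt(sector, ciphertext)

    def change_passphrase(self, old: str, new: str) -> None:
        """Rotation at the passphrase level: re-wrap the same DEK; data on disk is untouched."""
        dek = unwrap_dek(self.header, old)
        self.header = wrap_dek(dek, new, self.header.iterations)
```

Reading the model against the slides: a powered-off laptop hands a thief only `header`, which is worth nothing without the passphrase; a running or sleeping one hands over `_dek`. Rotating the DEK itself, as opposed to the passphrase, is the expensive case the model does not cover, because every sector has to be re-encrypted under the new key.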
Upcoming Co3 Systems Events
• Cyber IP Expo, London, UK: October 8-9
• FS-ISAC EU Summit, London, UK: November 3-5
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
Suhna Pierce,
Associate
Morrison & Foerster LLC