Data from the NCSC released in early October reported that Covid-19 related cybercrime has driven attacks on the UK to a record number. Cybercriminals have been having a field day during the pandemic because, alongside being able to exploit people’s fears, the fact that more people than ever are working from home has left many firms incredibly vulnerable.
In the midst of a second national lockdown and confusion around an end date, cyber teams defending their organizations and trainee cyber-pros alike should consider honing a skill which is arguably more important now than ever: cryptography. Failing to properly encrypt (and securely decrypt) data that is in transit, in use, or stored in a non-persistent state in memory on employees’ devices at home opens up huge vulnerabilities for the organization. In addition, cryptography that is applied poorly can itself become a threat vector, opening organizations up to the likes of brute force, DDoS and man-in-the-middle attacks.
In this article I’ll give an introduction to what cryptography is, why it is so important and how it can be applied to the organization to ensure data is secured as we enter a second lockdown.
The discipline of cryptography is always evolving in line with regulations and the cybercrime landscape, so this is a skill that requires regular reskilling. So, whether you are a cyber-pro looking to hone your skills or an individual retraining to enter the world of cybersecurity, this is a critical cyber-skill to focus on in lockdown 2.0.
What is cryptography?
Cryptography is the practice of protecting data (whether being used, static or moving from one place to another) through the use of codes and keys. A handy way of remembering the term is that it comes from the Ancient Greek “crypt” meaning “hidden” or “vault” and “graphy” meaning “to write” or “writing”, so “hidden writing”! A fun fact for you: the term cryptograph wasn’t invented by World War codebreakers or mathematicians as you may expect, but by the novelist Edgar Allan Poe in his novel The Gold-Bug.
While cryptography used to be completed manually, today it relies heavily on the use of computers which can encrypt (transform) data from plaintext (readable data) into ciphertext (a human and/or system unreadable format) and vice versa.
There are several cryptographic methods, each with numerous algorithms, which encrypt data in different ways. For example, symmetric encryption uses one “secret key” to both encrypt and decrypt data, with Blowfish, AES and RC4 all being examples of symmetric encryption. Asymmetric encryption (a.k.a. public key cryptography), on the other hand, uses two keys, a public key and a private (secret) key, to encrypt plaintext. Depending on the nature of the activity taking place, the public key is accessible to anyone who wants to send or receive a message, while the private key is accessible only to the relevant parties and performs the opposite operation to the public key. Examples of asymmetric key encryption algorithms include RSA and ECC.
In any given cybersecurity solution it is advisable to use a mixture of cryptography methods in order to ensure data is as heavily protected as possible, making it nigh on impossible for people to crack into.
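As an added illustration (not code from this article or from any product it mentions), the Python sketch below combines the two methods described above: a fresh symmetric key encrypts the data, the recipient's public key wraps that symmetric key so that only the private key can recover it, and the private key can also sign a message for the public key to verify. Textbook RSA on two known Mersenne primes and a SHA-256 keystream are stand-ins chosen so the example runs on the standard library alone; all names are hypothetical, and production code would use a vetted library with AES and padded RSA or ECC.

```python
import hashlib
import secrets

# Constructed demo key pair built from two known Mersenne primes. Far too small
# and too structured for real use: real RSA needs random primes, a modulus of
# 2048 bits or more, and a padding scheme.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: the same secret key both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(plaintext: bytes, public_key):
    """Encrypt bulk data symmetrically, then wrap the key asymmetrically."""
    n, e = public_key
    session_key = secrets.token_bytes(16)            # fresh key for every message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, plaintext)

def hybrid_decrypt(wrapped: int, ciphertext: bytes, private_key) -> bytes:
    """Only the private-key holder can unwrap the session key."""
    n, d = private_key
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

def sign(message: bytes, private_key) -> int:
    """The private key signs a digest of the message."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest
```

The keystream here provides confidentiality only; the signature is what gives the receiver integrity and authentication of the sender.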
Why is it important?
Cryptography addresses concerns regarding confidentiality, integrity, authentication and non-repudiation. In simpler terms, it keeps people who shouldn’t have access to your data, such as cybercriminals, away from it and ensures a degree of confidence in online connections and downloads.
Data is vulnerable at all times but for different reasons, depending on whether it is being used, being stored or in transit. It is therefore key that the data is encrypted in the on-prem or cloud database, hardware device or network that it is in at any time. The coronavirus pandemic has thrown up an issue even for cybersecurity professionals who may have had the best systems in place with the most in-depth cryptography in their offices. Users are at home moving and storing data from secured work networks and devices to their personal networks and PCs, laptops and phones. This has created a huge opportunity for cybercriminals who are able to take advantage of a newly opened web of vulnerabilities.
A final point to bear in mind here is that cryptography can actually create vulnerabilities as well as fixing them. Poorly applied cryptography and associated technologies can become a threat vector because of weak keys, pre-shared keys/symmetric systems not being properly protected, hash collisions, key management problems and many more issues.
For these reasons, learning cryptography is an important part of various cybersecurity certifications such as CompTIA Security+(4)/Network+(5)/CASP(6); EC Council CND(7)/CEH(8); MTA Security Fundamentals(9); and CISSP(10).
How can it be applied to the organization (which may be largely WFH)?
Developing an encryption program should be part of your organization’s overall enterprise risk management and data governance planning process - and this should have shifted recently to cope with the different demands of a workforce that is likely largely WFH. Having an in-depth understanding of cryptography as well as which kinds of methods work best for which kinds of data can be applied to a comprehensive approach that considers which data should be encrypted, how it should be encrypted, as well as what kind of key management process you will use.
If you haven’t already done so, ensuring your staff at home are fully encrypted should be an urgent task. Secure any devices they have that could be holding your organization’s data using the likes of Full Disk Encryption for endpoint protection. Then, to ensure they are using safe networks for transiting data you can set them up with a VPN for remote access or WPA2 for wireless access. Tech company Sirius has written a fantastic step-by-step guide(11) on how to ensure your encryption strategy is tip-top which I’d recommend you check out.
A final issue to bear in mind is jurisdiction. Cryptography is used widely by governments, businesses and private individuals but it is also used by criminals, terrorists and nefarious organizations to hide illegal activities from law enforcement and government agencies. Everyone involved in cryptographic processes in your organization must be aware of the latest in law and regulations around it in your jurisdiction, such as GDPR and PCI-DSS. As well, legal advice should be sought when transferring encrypted information or tools from one legal jurisdiction to another.
An essential skill to keep up-to-date
To summarize, cryptography - the process of encrypting and decrypting information - is an essential part of any cybersecurity strategy. Like many cybersecurity processes, the shift to WFH during the pandemic has made things a lot more complicated for cyber-pros. With that in mind, I recommend urgently checking that your cryptography strategy is up to scratch and upskilling to ensure you’re up-to-date with the latest methods and regulations. Every tech professional knows that constant education is key because our field moves at a truly unprecedented pace - at least things are never boring!
Phil Chapman, Senior Cybersecurity Instructor, Firebrand Training