Security

Is the Data on your Network Encrypted?


In today's workplace, stealing information doesn't require a covert Special Forces team: It is often done by an employee armed with a 5 GB USB flash drive. And your unsecured, unencrypted network invites a hacker to compromise a server or workstation holding sensitive data.

But you don't have to be vulnerable. There are plenty of options available today for securing/encrypting your data and many of these options are just overlooked.

Consider in recent news the security breach where hackers obtained access to more than 40 million credit card accounts. Could this have been avoided?

Yes! If the data had been encrypted, we wouldn't have 40 million people losing sleep.

In other news, Citigroup announced that 4 million consumer records, stored on magnetic computer tapes, were mysteriously lost during a shipment by UPS to a credit reporting agency.

Guess what? Those tapes were not encrypted. And the list of examples goes on.

With this string of incidents, it is very clear what has to happen. We must start encrypting our data. It is essential.

Encrypting your data does not have to be an expensive rollout like moving from NT 4.0 to Active Directory. There are many types of encryption, from complete encryption at the enterprise level down to the often overlooked encryption of an individual’s workstation. With so many options, your perfect solution is surely available.

For example, MCI is now evaluating stronger security measures following the theft of a laptop containing Social Security numbers and names of 16,500 current and former MCI employees. The laptop was stolen from the employee's car. The computer was password protected but there has been no comment on whether the data was encrypted.

I believe encryption is as important as a firewall. You wouldn't leave your network unprotected by a firewall — we all know that's as foolish as just giving a hacker your enterprise or domain admin password. Nor should you leave your sensitive data unencrypted; encryption ensures that your data is secure.

But how, specifically, might encryption be useful to you?

When you send an email of sensitive information, encryption provides security that no unauthorized parties have access to your data. If your password is encrypted, it cannot be duplicated by anyone else so it ultimately proves your identity when you sign on to a computer or use a smart card or an RSA device.

When you sign an email with an encrypted signature, the email cannot be changed or modified without changing the digital signature. Using digital signatures provides you with proof that a document has not been compromised.

Encryption can be used for email exchange as well as to encrypt documents on your hard drive. Encryption is used when logging onto a system, SSL connections on the web, and on anything that is sensitive within your business model.

Just as you have a disaster recovery plan, you should also create an encryption plan for your organization. Make it corporate policy to digitally sign every email. Configure encryption over your remote connections. Use encryption technology to encrypt the entire contents of your hard drive.

With the amount of data being too frequently compromised, not having an encryption plan for your company is security suicide. September 11 was the disaster recovery wake-up call for many companies who lost everything because they didn’t have a plan in place; many companies quickly got their acts in gear after the fact to have disaster recovery sites configured.

Not having an encryption plan may not quite stop you dead in your tracks as failure to have disaster recovery did for some, but it could cause your stock to fall, profits to decline, and peace of mind to be shattered. Do yourself a favor and configure an encryption plan for your company today.

3 comments
greg.rublev
greg.rublev

What are the biggest challenges when deploying encryption for data in an Oracle DB?

x military
x military

OK. I can understand the examples for physical media. But what real world examples do you have for email not being encrypted?

stress junkie
stress junkie

... you are asking for examples of what could possibly go wrong if email is not encrypted. First, the article talked about putting a checksum on the email so that the recipient could tell if the email had been changed. The checksum has to be encrypted with the sender's private key in a public/private key encryption system. In this case the contents of the email are visible to everyone. This scheme only ensures that the email was sent from a certain person and that it hasn't been altered. Now if you want to encrypt the contents of the email so that unauthorized people cannot even read the message then you add privacy to your emails. This, I believe, addresses your question. Here the email is encrypted with the recipient's public key and is decrypted with the recipient's private key. This prevents eavesdropping on communications. As ex-military you can certainly appreciate the value of keeping communications private. If a general wants to communicate a battle plan to the troops via email it would be a good idea if the enemy couldn't read the email. The same thing happens in business and in private life. You have communications that have confidential data. If that is transmitted over the Internet then numerous people can eavesdrop and read your email. If the contents of the email are encrypted then people cannot read it. Eavesdropping on network communications is very easy. If those network communications are not encrypted then confidential data can easily fall into the wrong hands. The communication of a server to a client could contain confidential information. You don't want every bored employee in the company able to see other employees' SSN and pay rate. This type of encryption was briefly mentioned in the article. If you don't have this type of encryption then data that is protected on disk with a password is available to everyone when it is transmitted over the network. That makes the password access to the disk unnecessary. Just listen to the network traffic and you will eventually collect a lot of information that is password protected on the server. So using a checksum on email ensures that the email came from whomever it says it came from and that it hasn't changed since it was sent. Encrypting email keeps communications private. Encrypting network packets keeps sensitive client/server information private. If you want to see this for yourself just download and run a packet sniffer like Wire Shark (formerly Ethereal). It's amazing what you can see. www.wireshark.org

Editor's Picks