This document provides an overview of encryption and incident response management. It begins with an agenda for a presentation on encryption, practical considerations, and legal limitations. It then discusses cryptography concepts like encryption, decryption, and hashing. It covers the goals of cryptography including privacy, authentication, integrity and non-repudiation. Next, it discusses symmetric, asymmetric and hashing algorithms as well as encryption versus hashing. The document then covers practical considerations like key length, encryption in transit versus storage. It also discusses legal requirements for encryption in various jurisdictions and restrictions on encryption. Finally, it discusses secure implementation, key management, and incident response management.
3. 3
Introductions: Today’s Speakers
•Gant Redmon, Esq., CIPP/US, General Counsel, Co3 Systems
•Suhna Pierce, Associate, Morrison & Foerster LLC
4. 4
About Co3 – Incident Response Management
MITIGATE
Document Results & Improve Performance
•Generate reports for management, auditors, and authorities
•Conduct post-mortem
•Update SOPs
•Track evidence
•Evaluate historical performance
•Educate the organization
ASSESS
Identify and Evaluate Incidents
•Assign appropriate team members
•Evaluate precursors and indicators
•Correlate threat intelligence
•Track incidents, maintain logbook
•Prioritize activities based on criticality
•Generate assessment summaries
PREPARE
Improve Organizational Readiness
•Appoint team members
•Fine-tune response SOPs
•Escalate from existing systems
•Run simulations (fire drills / table tops)
MANAGE
Contain, Eradicate, and Recover
•Generate real-time IR plan
•Coordinate team response
•Choose appropriate containment strategy
•Isolate and remediate cause
•Instruct evidence gathering and handling
•Log evidence
5. 5
Cryptography: Basic Concepts
•Encryption is a component of cryptography
•Cryptography: the science of communicating information secretly
–Algorithm / cipher: The process used to transform information from plaintext into unintelligible ciphertext form
–Encryption: The operation of transforming plaintext information using a cipher / algorithm
–Decryption: The reverse operation, transforming a ciphertext message back to plaintext
–Key: The secret “password” or “code” that facilitates encryption and decryption
6. 6
Goals of Cryptography: PAIN
•PAIN: Privacy, Authentication, Integrity, Non-repudiation
•Privacy: keep private information from being read by unauthorized readers
•Authentication: verifying the identities of the individual or machine participating in the communications
•Integrity: ensure that unauthorized changes have not been made to information
•Non-repudiation: prevent the sender of a message from denying its origin
7. 7
Three Basic Types of Algorithms
•Symmetric (aka shared key / secret key)
–Sender and receiver share a secret key
–A single key is used to encrypt and decrypt messages
–Challenges:
•How to share the secret key; non-repudiation; scalability
•Asymmetric (public key)
–Key pair: a private key and a public key
–One is used to encrypt and the other to decrypt
–Challenges: more computational effort is required to encrypt / decrypt than with symmetric algorithms
•Reduces speed and performance
•Hashing (one-way encryption)
–Produces a “hash” or “message digest”
–The original messages cannot be deciphered
–Typically used for integrity
8. 8
Encryption versus Hashing 1
•Hashing produces a fixed length message digest for each message input
–Any change to input results in completely different output
–Not reversible
–Collision-resistant
–Input is iterated many times
•Encryption produces ciphertext whose length is related to the length of the plaintext input
–Reversible
•If each secret message is a three-dimensional object, e.g., a snowflake:
–Encryption: putting a snowflake inside a box and locking it
–Hashing: tracing the snowflake on a piece of paper
9. 9
Encryption versus Hashing 2
•When to use encryption, and when to use hashing?
•Hashing: use when you want to check the validity of the secret message (i.e. that two values are the same)
–Do not need the original input data back
–Passwords
•Encryption: use when you need to get the original input data back
–Health data
–Other sensitive data that needs to be read at a future point
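The hashing properties the two slides above describe (fixed-length digest, any input change gives a completely different output, not reversible, input iterated many times, used for passwords), shown in Python with the standard library. This is an added example, not code from the deck; the sample messages and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample inputs: the second differs from the first by one character.
MSG_A = b"Employee SSN file: payroll_2013.xlsx"
MSG_B = b"Employee SSN file: payroll_2014.xlsx"


def digest_hex(data: bytes) -> str:
    """SHA-256 digest: always 32 bytes (64 hex chars) regardless of input length."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions where two equal-length hex digests differ.

    For unrelated outputs this is about half of 256, which is the 'completely
    different output' property even when the inputs differ by a single character.
    """
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Password storage: the input is iterated many times (PBKDF2-HMAC-SHA256) with a
# per-user random salt. The stored record can be used to check a password but
# cannot be turned back into it. Iteration count is an assumed illustrative value.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) to store; generates a fresh 16-byte salt if none given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time (no plaintext needed)."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)
```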
10. 10
Practical Considerations
•Key length
•Stream and block ciphers
•Types of algorithms: symmetric, asymmetric, and hashing
•Symmetric versus asymmetric: how do they work
•Encryption modes
•Encrypting in transit and encrypting in storage
•Full disk versus partial disk
11. 11
Key Length
•Encryption / decryption keys are binary strings.
–Each binary digit is a bit, and the total number of bits is the key length
–The longer the encryption key, the more secure the encryption, all else being equal
12. 18
Transmissions versus Storage
•Data can be encrypted “at rest” and “in transit”
•Encrypting data at rest (in storage)
–Sensitive data should be encrypted
–Can be encrypted in storage at various levels: individual files or folders, entire disk
–Databases: individual cells, entire table
–Removable media, mobile devices, other portable devices (e.g. printers)
•Encrypting data in transit
–Secure Sockets Layer (SSL): uses both symmetric and asymmetric cryptography
–Transport Layer Security (TLS): the newer protocol that succeeds SSL
•HTTPS: application of SSL / TLS to HTTP
–Secure Shell (SSH): asymmetric
–Internet Protocol Security (IPsec): secures IP-based messages
•Used to create VPNs
13. 19
Full Disk versus Partial Disk
•Encryption can be implemented on storage media (e.g., laptops, USB drives) on full disk or partial disk
•Full disk encryption on laptops: encrypt entire drive with an encryption utility that modifies boot process
–Uses symmetric encryption
–Prompts user to enter password / passphrase / USB drive
–Encryption / decryption key is loaded into memory
–Laptop resumes booting as normal
–Decrypts OS and data files as-needed, transparent to user
•Partial disk: encrypts only designated parts of the disk (e.g. file, folder, partition)
–Uses symmetric and asymmetric encryption
–User enters password / key to decrypt and access the encrypted portion
–When decrypted data is cleared from memory, the key is also cleared from memory
15. 21
Laws that Require Encryption 1
•Many data protection laws and regulations require encryption of sensitive types of personal data
•United States
–Massachusetts: “Personal information” stored on laptops and other portable devices or transmitted across public networks or wirelessly
–Nevada: “Personal information” stored on data storage devices moved beyond the control of the responsible entity or transmitted outside its secure systems
–HIPAA: e-PHI, if, after a risk assessment, the entity has determined that use of encryption is a reasonable and appropriate safeguard
•Argentina: sensitive data stored on removable media or portable storage devices or transmitted through communication networks
•Japan: biometric information stored on servers, portable devices and portable storage media
•Poland: all personal data transmitted across public networks or wirelessly and on laptops transported outside secured facilities
16. 22
Laws that Require Encryption 2
•Portugal: sensitive and criminal data transmitted over a network
•Norway: personal data for which confidentiality is necessary, when transferred electronically by means of a transfer medium that is beyond the physical control of the entity
•South Korea: complex encryption requirements for “peculiar identification data” and “bio data” and one-way encryption (hashing) required for passwords
•United Kingdom: personal data, the loss of which could cause damage or distress to individuals, on portable and mobile devices including magnetic media
•And others
17. 23
Safe Harbor for Encryption
•Breach notification laws in 48 U.S. states
–Encryption tied to the definition of a breach
–All contain a safe harbor for encrypted personal information
–Lose that safe harbor in many of them if the encryption key is also accessed or acquired
–In MA: a 128-bit algorithmic process must be used, unless regulations further define encryption.
•Over 15 other countries with mandatory laws, many others with voluntary guidelines
19. 25
Restrictions on Encryption
•US export restrictions
–Encryption is a “dual use” item governed for export by the Bureau of Industry and Security (BIS) within the Dept. of Commerce
–Must classify your product with the BIS or self-classify and include that classification on your shipper's export declaration
•Import, Export and Use Restrictions
–See http://www.cryptolaw.org/cls-sum.htm
–The US controls only export; Russia controls all three
•License requirements
–Description of the product
–List of algorithms used
–Description of how they are used and if they may be modified
20. 26
Encryption Is Not a Panacea
•Encryption is only part of a comprehensive security program.
•Also need to have:
–Suitable solution
–Trustworthy implementation
–Key management
–Other appropriate security processes
–Adequate training in technology and processes
•Encryption does not provide availability; adequate backups are still needed.
21. 27
Hypothetical: Lost USB Drive
•A lost USB drive belonging to an HR manager contains several spreadsheets of employee personal information, including SSNs; the drive uses file encryption
•Does the company know which files on the drive contained SSNs?
•Can the company prove that those files were encrypted?
22. 28
Hypothetical: Stolen laptop
•A stolen laptop belonging to an HR manager contains several spreadsheets of employee personal information, including SSNs; the laptop uses full disk encryption
•Was the laptop running when stolen?
•Was the laptop running shortly before it was stolen?
23. 29
Secure Implementation
•Use an encryption algorithm that has not been demonstrated to be insecure
–The National Institute of Standards and Technology (NIST) publishes the list of algorithms approved for federal government use in Federal Information Processing Standards (FIPS)
•NIST Cryptographic Algorithm Validation Program (CAVP)
–Validation testing of implementations of NIST-approved algorithms
–Validation list contains some information about the implementations tested and found to have correctly implemented the algorithm
24. 30
Key Management
•Keys should be at least 192 bits for organizational data
•Keys should be securely and randomly generated
•Restrict access to keys to fewest number of custodians needed
•Store keys securely in the fewest number of places needed
•Distribute keys securely
•Key rotation process
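The key-management points above (at least 192-bit keys, securely and randomly generated, a rotation process) as a small working model in Python. This is an added example, not the deck's or any vendor's code; the KeyRing structure, version numbering and the retire step are assumptions about how one might implement rotation.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN_KEY_BITS = 192  # policy floor for organizational data, taken from the slide


def generate_key(bits: int = MIN_KEY_BITS) -> bytes:
    """Generate a key from the OS CSPRNG (secrets), refusing lengths below policy.

    secrets.token_bytes is suitable for keys; the random module is not.
    """
    if bits < MIN_KEY_BITS or bits % 8:
        raise ValueError(f"key length must be a multiple of 8 and >= {MIN_KEY_BITS} bits")
    return secrets.token_bytes(bits // 8)


@dataclass
class KeyRing:
    """Versioned keys for a rotation process.

    Only the newest version is used to encrypt new data; superseded versions are
    kept solely so data already written under them can still be decrypted, and
    are retired once that data has been re-encrypted under the current key.
    """
    keys: Dict[int, bytes] = field(default_factory=dict)
    current: int = 0

    def rotate(self, bits: int = MIN_KEY_BITS) -> int:
        """Create a new key version and make it the active encryption key."""
        self.current += 1
        self.keys[self.current] = generate_key(bits)
        return self.current

    def encryption_key(self) -> bytes:
        """The key new data must be encrypted under (always the latest version)."""
        return self.keys[self.current]

    def decryption_key(self, version: int) -> Optional[bytes]:
        """Look up the key a record was written under; None if it has been retired."""
        return self.keys.get(version)

    def retire(self, version: int) -> None:
        """Remove a superseded version; the active key can never be retired."""
        if version == self.current:
            raise ValueError("cannot retire the active key version")
        self.keys.pop(version, None)
```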
26. 32
Upcoming Co3 Systems Events
•Cyber IP Expo, London, UK: October 8-9
•FS-ISAC EU Summit, London, UK: November 3-5
27. One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Suhna Pierce,
Associate
Morrison & Foerster LLC