Data security has traditionally been seen as a matter of locking down data in a physical location, such as a data center. But as data migrates across networks, borders, mobile devices, and into the cloud and Internet of Things (IoT), focusing solely on the physical location of data is no longer relevant.

To prevent disclosure of sensitive corporate data to unauthorized people in this new corporate environment, data needs to be secured. Encryption and data masking are two primary ways for securing sensitive data, either at rest or in motion, in the enterprise. It is an important part of endpoint security.

Encryption is the process of encoding data in such a way that only authorized parties can access it. Using homomorphic encryption, sensitive data in plaintext is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.

In data masking, fake data replaces real data for users who should not have access to the real data, whether because of their role in the company or because they are attackers. Masking ensures sensitive data is obscured or otherwise de-identified.

Dynamic data masking can transform the data based on the user roles and privileges. It is used to secure real-time transactional systems and improve data privacy, compliance implementation, and maintenance.

With data masking, data is retained in its native form, and no decryption key is necessary. The resulting data set does not contain any references to the original information, making it useless for attackers.

Encryption scrambles data using nonreadable mathematical calculations and algorithms. An encryption system employs an encryption key generated by an algorithm. While it is possible to decrypt the data without possessing the key, significant computational resources and skills would be required if the encryption system is designed properly. An authorized recipient can easily decrypt the message with the key provided by the originator.

If the encryption key is lost or damaged, it may not be possible to recover the encrypted data from the computer. Therefore, enterprises need to set up rigorous key management processes, procedures, and technologies before implementing data encryption technologies.

Organizations should consider how key management practices can support the recovery of encrypted data if a key is lost or destroyed. Those planning on encrypting removable media need to consider how changing keys will impact access to encrypted storage on removable media, such as USB drives, and develop solutions, such as retaining the previous keys in case they are needed.

Encryption can be applied to endpoint drives, servers, email, databases, and files. The appropriate encryption depends upon the type of storage, the amount of data that needs to be protected, environments where the storage will be located, and the threats that need to be stopped.

Public key encryption is one use of public key cryptography, also known as asymmetric cryptography. Digital signature, in which a message is signed with the senders private key and can be verified by anyone who has access to the senders public key, is another well-known use of public key cryptography.

There are three primary types of encryption solutions: full disk encryption, volume/virtual disk encryption, and file/folder encryption. When selecting encryption types, enterprises should consider the range of solutions that meet their security requirements, not just the type that is most commonly used.

The top features that enterprises should consider when choosing an encryption system include centralized policy management, application and database transparency, low latency, key management interoperability, support for hardware-based cryptographic acceleration, support for compliance regulations, and monitoring capabilities.

There are many factors to consider when selecting storage encryption solutions, such as the platforms they support, the data they protect, and the threats they block. Some involve installing servers and software on the devices to be protected, while others can use existing servers, as well as software built into devices operating systems.

Unfortunately, encryption can result in loss of functionality or other issues, depending on how extensive the changes are to the infrastructure and devices. When evaluating solutions, enterprises should compare the loss of functionality with the gain in security capabilities and decide if the tradeoff is worth it. Solutions that require extensive changes to the infrastructure and end user devices should generally be used only when other options cannot meet the enterprises security needs.

An encryption protocol is a series of steps and message exchanges designed to achieve a specific security objective.

To ensure compatibility and functionality, enterprises should use standard-conforming encryption protocols such as Internet Protocol Security (IPSec), Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Kerberos. Each has advantages and disadvantages. Some overlap in functionality, but each tends to be used in different areas.

IPSec provides encryption at the IP packet level and requires low-level support from the operating system and a configured server. Since IPSec can be used as a tunnel to secure packets belonging to multiple users and hosts, it is useful for building virtual private networks and connecting remote machines. The next-generation Internet Protocol, IPv6, comes with IPSec built in, but IPSec also works with IPv4.

SSL and TLS work over the Transmission Control Protocol (TCP) and link up with other protocols using TCP, adding encryption, server authentication, and authentication of the client. TLS is an upgrade to SSL that strengthens security and improves flexibility. SSL and TLS are the primary method for securing Web transactions, such as the use of https instead of http in URLs. A widely used open-source implementation of SSL is OpenSSL.

S/MIME is a standard for public key encryption and signing MIME data. With S/MIME, administrators have an e-mail option that is more secure than the previously used Simple Mail Transfer Protocol (SMTP). S/MIME brings SMTP to the next level, allowing widespread e-mail connectivity without compromising security.

SSH is the primary method of securing remote terminals over the internet and for tunneling Windows sessions. SSH has been extended to support single sign-on and general secure tunneling for TCP streams, so it is often used for securing other data streams. The most popular implementation of SSH is the open-source OpenSSH. Typical uses of SSH allows the client to authenticate the server, and then the user enters a password to authenticate the user. The password is encrypted and sent to the other system for verification. To prevent man-in-the-middle attacks, in which communication between two users is monitored and modified by an unauthorized third party, SSH records keying information about servers with which it communicates.

Kerberos is a protocol for single sign-on and user authentication against a central authentication and key distribution server. Kerberos works by giving authenticated users tickets, granting them access to various services on the network. When clients then contact servers, the servers can verify the tickets. Kerberos is a primary method for securing and supporting authentication on a local area network. To use Kerberos, both the client and server have to include code since not everyone has a Kerberos setup, complicating the use of Kerberos in some programs.

Most of the major security firms provide data encryption software for the enterprise. Here is a sampling of available enterprise data encryption software, which includes full disk encryption (for more in-depth discussions of vendors who provide full disk encryption, see eSecurity Planets articles 7 Full Disk Encryption Solutions to Check out and Full Disk Encryption Buyers Guide):

Check Point Full Disk Encryption Software Blade provides automatic security for data on endpoint hard drives, including user data, operating system files, and temporary and erased files. Multifactor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.

Dell Data Protection Encryption Enterprise enables IT to enforce encryption policies, whether the data resides on the system drive or external media. Designed for mixed vendor environments, it also will not interfere with existing IT processes for patch management and authentication.

HPE SecureData Enterprise uses both encryption and data masking to secure corporate data. HPE SecureData de-identifies data, rendering it useless to attackers, while maintaining usability and referential integrity for data processes, applications, and services. It uses Hyper Format-Preserving Encryption, a high-performance format-preserving encryption.

IBM Guardium Data Encryption provides encryption capabilities to help enterprises safeguard on-premises structured and unstructured data and comply with industry and regulatory requirements. This software performs encryption and decryption operations with minimal performance impact and requires no changes to databases, applications, or networks.

McAfee (Intel Security) Complete Data Protection provides its own encryption tools and supports Apple OS X and Microsoft Windows-native encryption, system encryption drives, removable media, file shares, and cloud data. It also integrates with McAfees other enterprise security tools, such as data loss prevention.

Microsoft BitLocker Drive Encryption provides encryption for Windows operating systems only and is intended to increase the security surrounding computer drives. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

Sophos SafeGuard Encryption is always on, allowing for secure collaboration. Synchronized encryption protects data by continuously validating the user, application, and security integrity of a device before allowing access to encrypted data.

Symantec Endpoint Encryption provides endpoint encryption and removable media encryption with centralized management, as well as email, file share, and command-line tools. It also integrates with the companys data loss prevention technology.

Trend Micro Endpoint Encryption provides full disk encryption, folder and file encryption, and removable media encryption. It can also manage Microsoft BitLocker and Apple FileVault.

WinMagic SecureDoc Enterprise Server (SES) offers enterprises control over their data security environment, ensuring security and transparency in regular workflow. With full disk encryption and PBConnex technology, SES enables customers to streamline their IT processes.

In addition to these data encryption software solutions, enterprises could benefit from employing other encryption tools. An eSecurity Planet slideshow advises IT pros to build a portfolio of encryption tools to leverage each ones strengths. And for the DIY crowd, VeraCrypt offers an open source encryption option.

eSecurity Planet offers six tips for stronger encryption:

do not use old encryption ciphers

use longer encryption keys

encrypt in layers

store encryption keys securely

ensure that encryption implementation is done properly

consider external factors, such as digital signature compromise.

Increasingly, enterprises are adopting cloud computing and deploying Internet of Things (IoT) devices to improve efficiencies and reduce costs. However, these technologies can pose additional risks to corporate data.

Encryption could help secure the data, but not many enterprises are opting for that solution. For example, only one-third of sensitive corporate data stored in cloud apps is encrypted, according to a survey of more than 3,400 IT and IT security pros by the Ponemon Institute and Gemalto.

At the same time, close to three-quarters of respondents believe that cloud-based apps and services are important to their companys operations, and an overwhelming 81 percent expect the cloud to become more important in the near future.

Data encryption can be more challenging in the cloud because data may be spread over different geographic locations, and data is not on storage devices dedicated solely to an individual enterprise. One option is to require the cloud service provider to offer data encryption as part of a service level agreement.

Also, enterprises are increasingly using IoT devices, but few of them have security built in. One option to improve security is to encrypt the data that is transferred by IoT devices, particularly those that connect wirelessly to the network.

In sum, data encryption can be used to secure data at rest and in motion in the traditional enterprise environment, as well as the emerging environments of cloud computing and IoT deployments.

See the original post here:
Encryption: Securing Sensitive Data in Changing Corporate ...

e.tv had challenged the government, saying an unencrypted system would hurt its ability to compete as encryption would allow government to offer better services to the public.

The Constitutional Court. Picture: Gia Nicolaides/EWN.

JOHANNESBURG The Constitutional Court has ruled that government did not behave unconstitutionally when it decided that it would implement a policy of unencrypted digital terrestrial television.

e.tv had challenged the decision, saying that an unencrypted system would hurt its ability to compete and that encryption would allow government to offer better services to the public.government to offer better services to the public.

The court ruled by five judges to four that government can continue to use an unencrypted system for digital terrestrial television and that e.tv's legal bid to stop the system must fail.

But judges have also criticised former communications minister Faith Muthambi for her conduct in refusing to name who she spoke to when she changed her mind from using an encrypted system to using an unencrypted system.

e.tv had said that using the unencrypted system would make it impossible for it to compete against other players over the longer term.

Writing for the majority, Chief Justice Mogoeng Mogoeng opened his ruling with the statement: Ours is a constitutional democracy - not a judiciocracy.

He then said this means that government - as the executive - must have the power to make policy, before saying that government did, in fact, conduct a proper process of consultation before deciding to use the unencrypted system.

But Mogoeng says this is not because of then Communications Minister Faith Muthambi, but because of the actions of the previous Minister Yunus Carrim.

He said that while Muthambi did not properly consult with e.tv when making her decision to use the unencrypted system, previous communications minister Carrim had fulfilled the legal obligations of the department when he had consulted with e.tv in a previous process.

Both Mogoeng's judgment and the dissenting judgement agreed that Muthambi was wrong to not explain who she spoke to when she changed her mind on this issue.

Mogoeng also castigated e.tv, saying it first argued strongly for an unencrypted system and then argued against it.

Mogoeng also said the effect of Muthambi's decision was to virtually maintain the status quo in terms of the relationships and obligations the various broadcasters have.

In their judgment, four other judges said they would have come to a different decision and that Muthambi had not explained why her conduct did not open the door to secret lobbying and influenced peddling.

(Edited by Zinhle Nkosi)

View original post here:
ConCourt rules against e.tv in digital encryption case - Eyewitness News

TechNet wants Congress to grill President Donald Trump's new FBI director nominee on issues like privacy and encryption.

President Trump signaled Wednesdaythat he plans to nominate Christopher Wray, a partner at international law firm King & Spalding, as new FBI director.

That announcement came only a day before his fired FBI director, James Comey, is scheduled to testify before the Senate Intelligence Committee, which some Democrats were seeing as an attempt to distract attention from the run-up to Comey's testimony.

Reacting to the news, TechNet, representing tech CEOs and top execs, signaled because of the increasing interaction of the FBI and their industry, Congress needed to get his input on those issues.

Comey and the tech industry crossed paths, and to some degree swords, over the issue of government access to encrypted information, notably in the case of an Apple phone the FBI wanted to access in its investigation of the San Bernardino shooting.

With the nomination of Christopher Wray as Director of the FBI, the responsibility now falls on the United States Senate to ensure the nominee will do everything in his power to protect the American people and uphold the rule of law, said TechNet president Linda Moore. Because of the FBI's increasing engagement with the technology industry, this confirmation process must explore Mr. Wrays views on digital privacy rights, encryption technologies, and needed reforms to the Electronic Communications Privacy Act that account for modern advances in cloud computing"

TechNet executive council members include Microsoft President Brad Smith and Apple general Counsel Bruce Sewell.

More here:
TechNet to Hill: Query FBI Nominee on Encryption - Broadcasting & Cable

Supporters of the terrorist group Islamic State (Isis) are shunning sophisticated security and encryption software, including the Tails operating system and the Tor network, which could be used to cover their tracks when viewingterrorist propaganda online, communications between jihadi sympathisers have revealed.

Find out what are the most appropriate threat intelligence systems and services for your organisation

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

The disclosures come as the UK government prepares to introduce new restrictions on encryption following the terrorist attacks that killed more than 20 people, including children, at a concert in Manchester, and killed eight andinjured 47 at London Bridge.

Isis has claimed responsibility for the Manchester and London attacks and has also been linked to atrocities in Paris, Germany and Brussels.

Confidential messages show that Isis supporters had little interest in encryption techniques to hide their web browsing activities, or to createa secureversion of propaganda websites that would be difficult for law enforcement to censor or take down.

The messages between supporters recovered by police and the FBI investigating an internet terrorist reveal that Isis supporters preferred method of communication is mobile phone apps Telegram Threema, ChatSecure and Signal, which are designed for people with little or no technical knowledge.

Internet terrorist Samata Ullah communicated with Isis supporters on a Telegram discussion group known as the Khayr group. Police also retrieved a guide to ChatSecure, another mobile phone chat app, from Ullahs computer.

Ullah, who was jailed for eight years in May 2017 after posting encryption training videos on an Islamist blogsite, sent messages to an unidentified Isis supporter raising concerns that the terror groups supporters were not using more secure communications tools.

I dont know Akhi [brother], he wrote. It seems they have some bad info. They refuse to use Wikr [a mobile phone messaging system] and tails. They say threema is the best, then signal, and in extreme case chat secure [sic].

Ullahs Isis contact replied: And they say telegram with virtual sim or open vpn is enough protection.

Another message reads: Dawla [Isis] security groups seem to be very stubborn and not very flexible.

It was only when one of Ullahscontacts inKenya was arrested on 29 April 2016 that attempts were made to persuade fellow Isis supporters to adopt stronger forms of encryption.

The Kenyan said in a letter smuggled out of prison: Tell all KN [Khalifa News] and CCA [Cyber Caliphate Army] teams to be very careful online. It is very much advisable that phones be avoided & instead use PCs with TOR and TAILS.

Many Isis supporters, who often refer to themselves as fanboys, have little technical knowledge and it is difficult to convince them to use encryption software, one counter-terrorism organisation told Computer Weekly.

They have experimented a couple of times with ZeroNet and Onion [Tor] sites on occasions, but those sites are usually very short-lived, a spokesman said, speaking on condition of anonymity. While there are some tech savvy supporters, the majority of their fan base is not very tech savvy and trying to get a newbie to not only understand ZeroNet and Tor but to actually use them consistently is a challenge.

Isiss policy is to saturate the internet with ideas and jihadi content, through social media platforms such as Twitter, according to a report by counter-terrorism think-tank Quilliam.

The terror group distributes daily videos and photographs, which are circulated as widely as possible through self-appointed distributors, often with no official connection to the organisation.

Islamic State has revolutionised jihadist messaging by jettisoning operational security in the pursuit of dynamism, Quilliam reports in a study, The Virtual Caliphate: Understanding Islamic States Propaganda Strategy.

Ullah proposed using ZeroNet which uses BitTorrent peer-to-peer networking and integrates with the Tor secure internet network to create a secure version of a pro-Islamic blogsite, Ansar al Khilafah (Supporters of the Caliphate).

The WordPress propaganda blogsite had attracted interest from the UKs media arm of Isis, according to messages recovered by investigators.

The head of English Islamic State media wants to have the right to proofread all content before it is published on the wordpress in future, one Isis supporter told Ullah. If you would agree to it, they would promote the wordpress.

Ullah replied: Sure. thats good.

But in a series of exchanges, it becomes clear that Isis had no interest in using ZeroNet to create a version of the blog that would be difficult for law enforcement to censor or take down.

An Isis supporter told Ullah: First thing is, the brother almost completely dismissed the idea of zero net. So you will either have to give up the idea or try and convince them.

David Wells, a former GCHQ intelligence officer, told Computer Weekly that mobile phone apps offered a more practical alternative to ZeroNet, Tails and Tor for Isis supporters that may not have technical expertise.

More secure technologies are rarely easy to use, and pragmatically any terrorist group would rather their networks were using something pretty secure than not communicating [at all] when needed or doing something stupid like [sending an] SMS, he said.

A forensic report revealed that Ullahs ZeroNet version of the Answar al Khilafah blog did not work in practice.

ZeroNet would have been cumbersome to use for Isis supporters who were used to exchanging news on social media. It required each user to download the blogs contents, including the Isis magazine Dabiq, onto their own computer, putting them at risk of possession of terrorist materials.

Correspondence recovered from Ullahs computer equipment revealed that he had struggled to find a way to update the ZeroNet version of the site without writing code for each update, and to find ways of displaying videos and other feature-rich content.

Isis favours the mobile app Telegram as a platform for sharing propaganda and for group discussions because it has the ability to create public channels that unlimited numbers of people can view, according to the counter-terrorism specialist.

Isis members begin by creating a private distribution channel on Telegram which is restricted to a few people. These members are responsible forcopying messages from the private channels to publicly advertised open channels, where teams of people then share them through disposable Twitter and social media accounts.

The public channels usually have multiple backups to keep the data flowing if one of them gets suspended by Telegram administrators, said the specialist. Since the private channels have no links to join, they are considered private by Telegram and therefore wont be shut down.

Telegram is said to take down an average of 100 to 200 public Isis channels a day, but Isis creates multiple back-ups of each channel to keep data flowing.

However, the messaging service does not take down private discussion groups between Isis supporters because they are not publicly accessible, said the counter-terrorism specialist.

Encrypted communications is pretty much all they [Isis] do. Id say if theyre not using a walkie-talkie or a cell phone, theyre on one of the encrypted [mobile] apps.

If Isis had taken up ZeroNet, it may have drawn the intelligence services attention to its activities, Wells told Computer Weekly.

If a terrorist group chooses a bespoke or unusual communications provider or service, then this has huge challenges for the intelligence services but it also allows them to focus their efforts, he said.

Experimenting with unproven systems is likely be a low priority for Isis commanders in Syria, who have to deal with the day-to-day realities of civil war with the Assad regime and US drone strikes, said Ross Anderson, professor of computer security at Cambridge University.

If I was running Daeshs technology and some foot soldier says why dont we use ZeroNet, I would say get lost, I have far more interesting and important things to do, said Anderson. Why should I spend weeks investigating this stuff and seeing if it works?

Isis may be avoiding Tor and Tails for similar reasons. The US National Security Agency (NSA) and the UKs GCHQ could narrow down the search for Isis supporters if the terror group started using specialist applications such as Tails and Tor.

Anderson said: They could just harvest all the Tails users in the observable universe and de-dupe them against lists of known users, look for all the new ones and go searching for those.

Isis has used a variety of techniques to avoid detection. During the attack on the Bataclan theatre in Paris in November 2015, terrorist teams used multiple pre-paid burner phones, which they instantly discarded.

Investigators found a crates worth of disposable phones, an investigation by the New York Times has revealed. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims, it said.

Although investigators concluded that the attackers were likely to have used encryption software, no evidence of it was found.

Follow this link:
Islamic State supporters shun Tails and Tor encryption for Telegram - ComputerWeekly.com

James Clapper at a Senate intelligence committee hearing in February. (Image: file photo)

James Clapper, Barack Obama's former director of National Intelligence, has said the issue of criminals and terrorists going dark by using end-to-end encrypted systems is causing issues in the United States.

"The so-called going dark phenomenon -- a situation that was dramatically accelerated by the Snowden revelations -- in our country, I don't think we're in a good place here," Clapper said at the National Press Club on Wednesday.

"I think there needs to be a very serious dialogue about giving criminals, terrorists, rapists, murderers, etcetera, a pass."

Clapper said he hopes technology giants will use the creativity and innovation that made the iPhone and turn it to a form of encryption that simultaneously protects privacy while allowing authorities to access its content, but he had no answers to offer himself.

"One of the approaches that might have promise, I don't know, would be circle back on a system of key escrow where not one party necessarily would have the keys to the kingdom from an encryption standpoint," he said.

"Where there might be three independent, separate, autonomous elements that would have to prove the provision of encryption in order to solve a crime or detect a terrorist attack, for example.

"We had some discussions about that in the waning days of the Obama Administration. I'm not a techie, but that appears to me to have some promise."

The former director of National Intelligence also said there is no single correct answer to the issues of whether intelligence agencies should disclose vulnerabilities in software to vendors, or use them to collect information.

In recent days, political leaders in the United Kingdom and Australia have called on social media companies and tech giants -- labelled by Australian opposition leader Bill Shorten as Big Internet -- to help provide access to encryption. It is an idea that Clapper is backing, particularly after a meeting with executives from Silicon Valley at the White House approximately 18 months ago.

"I was struck by the interest that the companies have in helping," he said. "I do think there is a role to play here in some screening and filtering of what appears in social media.

"I know this is a very sensitive, controversial issue, but in the same way that these companies very adroitly capitalise on the information that we make available to them and exploit it, it seems that that same ingenuity could be applied in a sensitive way to filtering out or at least identifying some of the more egregious material that appears on social media.

"I do think that as part of their social or municipal responsibility that they need to cooperate and if that means under some safeguarded way that they would have confidence in ... that law enforcement particularly, would be allowed access to encryption.

"I hear the argument about if you share once with one person and it's forever compromised -- I'm not sure I really buy into that."

Talking to ABC radio on Wednesday morning, Special Adviser to the Prime Minister on Cybersecurity Alastair MacGibbon stepped away from some of the rhetoric used by Australian politicians this week.

"The Australian government -- in fact, all governments with an interest in the safety of the public -- like encryption. End-to-end encryption helps reduce criminality against individuals, against governments and against business," MacGibbon said.

"But there's no absolutes. Clearly, encryption causes problems if you're investigating criminals or terrorists."

MacGibbon dismissed the issue of intelligence agencies using encryption backdoors to access communication content, and instead said investigations might be interested in a user's metadata and working with industry to solve crimes.

"No one is talking about back doors here," he said. "But as a police officer you'd execute search warrants. From time to time we do expect our privacy to be breached, but most of us don't ever have that privacy breached."

"And we need to take that same logic into the online space. That means, from time to time, you'd expect a law enforcement agency to break in to a private communication or to something that happens online."

MacGibbon said that regardless of whether it is a bus or an internet service, the public expects that service providers do not allow criminals or terrorists to abuse the service.

"There's nothing extreme about that. That's just what we expect offline and we should have that same philosophy online."

Read the original post:
Encryption leaves authorities 'not in a good place': Former US intelligence chief - ZDNet