Even with the latest disclosures that the National Security Agency is regularly subverting the cryptography used to secure large swaths of Internet communications, there is no reason for enterprises to give up on encryption, experts say. Enterprises can still retain control over their sensitive information by implementing encryption correctly, improving key management and auditing software for vulnerabilities.
The National Security Agency has intercepted encryption keys to stealthily decrypt and eavesdrop on secure communications on the Internet, according to a news report from The New York Times and ProPublica, which was based on leaked NSA documents (see: Report: NSA Circumvented Encryption). The NSA used several methods to bypass encryption, including exploiting software vulnerabilities, hacking into servers to steal keys and using brute-force attempts to crack weak implementations, according to the report. These attempts enabled the NSA to unlock the data and access it without the involved parties being aware they were being monitored.
The prospect of the NSA eavesdropping on Internet traffic by exploiting software vulnerabilities and weak encryption keys is, indeed, alarming. But it is important to remember that the same techniques are regularly used by cybercriminals to breach organizations, says Chris Wysopal, a security researcher who is chief technology officer of Veracode, an application security company.
“The NSA news raises awareness among organizations that if the NSA is getting into the network using these methods, it’s likely the criminals are getting in the same way, too,” Wysopal says.
Encryption Still Works
Experts point out, however, that while the NSA has devoted plenty of resources to cracking the underlying mathematical algorithm, the bulk of its effort went toward bypassing the cryptography entirely. This means encryption still works.
“There is no reason to stop using encryption. I still lock my car doors even though a professional thief can still bypass the locks,” says Tom Walsh, an independent healthcare information security consultant.
Many organizations, however, still rely on weak cryptographic algorithms, such as MS-CHAP, that are known to be vulnerable. Many also use weak passwords when generating their keys, which makes it easy for the NSA or cybercriminals to use dictionary attacks to recover the keys. If the key generator is not configured correctly when deployed within the enterprise, the resulting keys may be improperly formed and susceptible to being cracked, security experts say.
Manage Encryption Keys, Certificates
The NSA has a group dedicated to hacking into servers and seizing encryption keys, according to the news report. The agency likely took advantage of poorly designed key management processes to grab the keys without the organizations being aware of the theft, says Dave Anderson, a senior director with Voltage Security, a provider of data security software.
While properly implemented encryption essentially provides unbreakable security, “if the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack [the keys] in a few hours at most,” Anderson says.
Key management systems enable organizations to identify all the keys and certificates used within the enterprise, the users who have access to the keys, and where the keys are all stored. By ensuring the keys are stored securely, organizations can make it more difficult for attackers to waltz off with these important cryptographic pieces of information. Proper key management also alerts the organization if any of the keys are intercepted and used by unknown parties.
The National Institute of Standards and Technology recently issued guidance on cryptographic key management (see Tips for Cryptographic Key Management). The goal of the framework is to guide designers in creating a complete, uniform specification to build, procure and evaluate cryptographic key management systems, NIST says.
Market research firm Forrester recently said every enterprise is a “sitting duck” because attacks against encryption keys and certificates are so powerful, and organizations are generally unprepared to identify and respond to these attacks.
Organizations must be aware of how they use keys and certificates and have the ability to identify risks, and respond and remediate, says Kevin Bocek, vice-president of marketing at Venafi, a key management company. “Otherwise, Forrester’s ‘sitting duck’ warning will be more than a warning,” he stresses.
Audit Software for Vulnerabilities
The NSA also took advantage of software defects to gain access to the endpoint and user data, according to the news report. In some cases, the defects were vulnerabilities the NSA discovered and didn’t disclose to the vendor. In other cases, the vendor intentionally introduced the defect at the request of the NSA or was instructed by the agency to not fix a flaw, the news report said.
So organizations need to ask the companies whose software they use about the secure coding and testing processes they have in place, says Wysopal of Veracode. Instead of relying on the vendor’s promises that the software is secure, organizations should take the extra step of demanding that all software undergo third-party scanning to identify potential defects, Wysopal says.
If a software company refuses to undergo scanning, the organization using the software should consider switching vendors, Wysopal recommends. “Stop trusting that the provider has done it [security] right,” he says.
When it comes to encryption, using public domain encryption, such as PGP and TLS, may be a better option than closed-source, proprietary solutions because it is easier to verify that public domain encryption hasn’t been modified or broken, Bruce Schneier, a leading cryptography expert and author, wrote in the Guardian newspaper when discussing the NSA revelations.
Schneier predicts most encryption products from large U.S. companies have NSA-friendly back doors. So he recommends implementations based off open standards, such as SilentCircle, GPG, Tails, OTR, TrueCrypt and BleachBit.
Via Govinfosecurity