Hush – This Data Is Secret
As a security practitioner, you know that businesses are fuelled not only by people but by data. Years ago, the phrase “Big Data” was a new, innovative way to gain a business advantage. Now, big data is the norm. When we think of all the data that has been gathered, we must stop and wonder what is contained in it. Many important, and often private, details are stored about the clients of a particular business.
Over time, it became clear that this data, if obtained by criminals, could be damaging to an individual. Personally Identifiable Information (PII), Protected Health Information (PHI), private financial records, and a selection of other sensitive data hold all the required elements to perpetrate crimes such as blackmail, impersonation, and identity theft, or a combination of these.
A recent strain of ransomware, known as “Maze”, not only encrypts the victim’s data, but does so after exfiltrating it. Part of the threat issued to the victim is to pay the ransom for the decryption key, or the stolen data will be released to the public. This is a new level of attack: ransomware meets blackmail. A variety of imposter scams are made more convincing when more personal details are known about a person or their family. One alarming method of identity theft has resulted in some folks losing the title to their homes. From these examples, it is easy to see how criminals can benefit from all the data that businesses collect about their customers.
We Need That Data to Conduct Business
There is a fine line between collecting the data that is required and collecting the data that is thought to be necessary. Rather than walk that tightrope, government bodies have worked to promulgate regulations to protect all the data that, if leaked, may jeopardize an individual.
Protecting private data has been a concern since before the idea of big data. Some early regulations include Directive 95/46/EC of the European Parliament and the Australian Privacy Act of 1988. Recent updates to privacy regulations include the General Data Protection Regulation (GDPR) of the European Union, the Health Insurance Portability and Accountability Act (HIPAA), the Cybersecurity Requirements For Financial Services Companies (known as 23 NYCRR 500) enacted in New York State, and the California Consumer Privacy Act (CCPA). These recent updates expand privacy protections, in some cases to an extraordinary degree. For example, in the CCPA, Section 1798.140(o)(1)(H) classifies one aspect of personal information to include “Thermal, olfactory, or similar information.” The inclusion of this information in a regulation suggests that organizations are collecting more data about people than we could ever imagine.
Although these regulations seem to hover in the realm of the legal profession, a security practitioner in an organization must be very familiar with these rules, as they have a direct impact on a firm’s security posture. More importantly, failure to comply with the regulations that pertain to a particular business can result in hefty penalties. An attorney can explain the legality of why compliance is important, but a security practitioner is the person who knows what is technically involved in achieving that compliance.
What About the CIA Triad?
All security practitioners, and especially those on a certification path, are intimately familiar with the “CIA Triad” of Confidentiality, Integrity, and Availability. The CIA Triad forms the keystone of the entire profession. For this discussion, we will focus on the confidentiality portion of the triad. In theory, confidentiality and privacy are two distinct concepts with very specific characteristics. None of the regulations makes a clear distinction between them. This is fitting, because in the world of digital technology there is no simple distinction between the two when protecting data either. To clarify, the only method to ensure privacy or confidentiality of digital information is through the use of encryption. Hashing, tokenization, and other forms of obfuscation are also methods of protecting data; however, those also do not distinguish between privacy and confidentiality. In essence, when working with data, there is no “almost private” or “almost confidential” setting. It is an all-or-nothing proposition.
The Figurative and Literal Keys to the Kingdom
Security practitioners can wax on almost infinitely about different types and methods of encryption. Ask any security practitioner about encryption, and they will start to weave a tale starting as far back as the Spartans, moving briskly through Caesar, glancing pensively at Mary, Queen of Scots, and possibly brushing against the tale of Benedict Arnold and his very clever wife. More recently, folks such as Whitfield Diffie, Ron Rivest, Adi Shamir, Leonard Adleman, Bruce Schneier, and so many others are icons in the profession, along with many more than can be mentioned here. Anyone who is curious to learn the story of cryptography (without the math) would be intrigued by The Code Book, by Simon Singh. For a deeper technical understanding of the various types of cryptography, The Official (ISC)² Guide to the SSCP CBK covers the subject quite thoroughly. If you are mathematically inclined, Joshua Holden’s The Mathematics of Secrets is in a realm reserved for an esoteric few.
Whichever flavor of encryption one speaks about, there is a common theme that runs throughout the narrative: the protection of the keys. A well-known axiom in the cryptography community is Auguste Kerckhoffs’s principle of cryptography. This principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. The protection of the key is therefore paramount to the security of a cryptosystem. A security practitioner is the person who should be in charge of the protection of the encryption keys in an organization. In a more robust security practice, more than one security practitioner would be tasked with protecting the keys in a way that makes it impossible for any one of them to disclose the keys.
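One standard way to realize the shared key custody described above is Shamir’s secret sharing: the key is split into shares held by separate custodians, any threshold number of shares recovers it, and fewer shares are consistent with every possible key. The example below is added here and is not from the original post; the 256-bit key, the 2-of-3 threshold and the field prime 2**521 - 1 are choices made for the demonstration.

```python
import secrets

# Mersenne prime 2**521 - 1: a field large enough to hold a 256-bit key as one element
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients coeffs[0..k-1] at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y) on a random polynomial of degree threshold-1
    whose constant term is the secret. Any `threshold` points recover it; fewer
    points are consistent with every possible secret, so a lone custodian learns nothing."""
    if not 0 <= secret < PRIME or not 1 < threshold <= shares:
        raise ValueError("secret out of range or bad threshold")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the field. Give it at least `threshold`
    distinct shares; with fewer, the result is an unrelated field element, not the key."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; den != 0 because the x values are distinct and PRIME is prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def custody_demo(threshold=2, custodians=3):
    """Split a constructed 256-bit data-encryption key among custodians and confirm
    that `threshold` of them together get the exact key back."""
    key = secrets.token_bytes(32)  # constructed sample key for the demo, not a real one
    shares = split_secret(int.from_bytes(key, "big"), threshold, custodians)
    recovered = recover_secret(shares[:threshold])
    return recovered.to_bytes(32, "big") == key
```

Each custodian keeps only their own (x, y) share, so the key exists in full only when the quorum deliberately reassembles it.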
Bridging the Gap of Regulation, Theory, and Practice
The CIA Triad forms the keystone of the security profession. New regulations memorialize the need to keep secret data secret. Encryption is the practice used to tie these all together. An organization may be required to encrypt sensitive data to comply with one or more regulations; however, that comes with a cost, both in dollars and in time. As with many other security initiatives, there must be buy-in from the highest levels of the organization. While regulatory muscle makes that buy-in practically mandatory, it is up to the security practitioner to work with other teams to determine not only which data needs to be protected, but also which method of encryption is best for a particular data set. Regardless of the size of the organization, interdepartmental cooperation and participation will mean the difference between a successful deployment of encryption and one that can run afoul of regulatory compliance.
To learn more about cryptography and what data you should be protecting, read our white paper, How You Can Become a Cybersecurity Hero.
How SSCP Certification helps
There is no better way to showcase your technical skills and security knowledge than achieving the Systems Security Certified Professional (SSCP) credential. Whether you are an experienced security professional or just starting out in the fascinating world of cybersecurity, (ISC)²’s SSCP certification is the ideal way to enhance your ability to implement, monitor and administer security procedures and controls that ensure the confidentiality, integrity, and availability of any organization.