Pt 2 - Enterprise encryption as a cybersecurity first principle strategy.
Rick Howard: Hey all, Rick here. Over the break between season five and season six, I finished reading "The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution" published by the great biographer Walter Isaacson in 2014.
Rick Howard: One of the many stories he tells is about Alan Turing. My all-time favorite computer science superhero, and the origin story to Bletchley Park the center for the cryptanalysis universe for breaking Nazi encryption codes during World War II. Apparently obtained from the British intelligence service posing as, and I'm using air quotes here, "Captain Ridley's shooting party" so it was not to draw any attention to what they were doing, and by the way, you've got to love the British and their secret code names.
Rick Howard: Captain Ridley discovered that the owner of Bletchley Park wanted to destroy the Manor located on the grounds. He called it and I quote here "the Victorian Gothic monstrosity" unquote. So Captain Ridley discreetly bought it and located the codebreakers and the cottages, stables, and some prefabricated huts that they erected on the grounds.
Rick Howard: Turing was assigned to hut eight that was trying to break the code created by the German Enigma machine. It encrypted military messages by using a cipher that after every keystroke changed the formula for substituting letters. That made it so tough to decipher that the British despaired of ever doing so. They got a break when the Poles captured one of the Enigma machines, but by the time Turing and his team got their hands on it, the Germans had added two more rotors and two more plugged board connections. Hut eight went to work creating a more sophisticated machine, dubbed the Bombe that could decipher the messages created by the improved Enigma. In particular, Naval orders that would reveal the deployment of U-boats that were decimating British supply convoys. The Bombe exploited a variety of subtle weaknesses in the coding including the fact that no letter could be enciphered as itself and that there were certain phrases the Germans used repeatedly.
Rick Howard: The 2014 movie "The Imitation Game" dramatized these efforts. Turing is played by Benedict Cumberbatch and his nickname for the Bombe is Christopher. You'll hear Hugh Alexander played by Matthew Goode and Joan Clark played by Keira Knightley.
Alan Turing: What if Christopher doesn't have to search through all of the settings? What if he only has to search through ones that produce words we already know will be in the message?
Hugh Alexander: Repeated words. Predictable words.
Alan Turing: Exactly. Send out weather reports every day at 6:00 AM. So that's, that's three words we, we know we'll be in every 6:00 AM message obviously and heil Bloody, Hitler.
Hugh Alexander: Heil Bloody, Hitler.
Alan Turing: I need a new message, The latest intercept.
Joan Clark: Ready?
Alan Turing: Yes.
Joan and Alan: M M Y Y M M S S A A I I S S O O A A Y Y R R I I .
Hugh Alexander: Our point is directed to 53 degrees, 24 minutes north, and one degree west. ... Heil Hitler
Alan Turing: Turns out that's the only German you need to know to break Enigma.
Group: Yes, . . .
Rick Howard: According to Isaacson, by August 1940, Turing's team had two operating Bombes, but by the end of the war, they had built close to 200. The Bombe and another machine built at Bletchley Park called the Colossus made it possible for the Allies to know what the Germans planned to do before the German commanders in the field received the messages.
Rick Howard: With this decryption breakthrough, some scholars say that the hut eight activities probably saved 20 million lives and shortened the war by at least two years. The point to all of this is that we should never underestimate our adversaries' desire and ability to read our sensitive information, and we should keep that thought close as we roll out our own internal resilience strategy.
Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
Rick Howard: Last week, I talked about reinforcing the resilience side of our first principal infosec wall, our backyard barbecue pit for cybersecurity. I put forth a resilience definition that I liked coined by two Stockholm University researchers, Janis Stirna and Jelena Zdravkovic. They defined it as the ability to continuously deliver the intended outcome despite adverse cyber events.
Rick Howard: One adverse cyber event that seems to be having a moment this year in 2021 is ransomware. And one way to reduce the probability of some adversaries successfully stealing your material data and extorting you to pay a ransom to prevent a public release of it, is by encrypting it.
Rick Howard: I made the case though that because we have material data potentially stored in multiple data islands, like mobile devices, data centers, SaaS applications, and hybrid cloud deployments, deploying an enterprise encryption program is, shall we say, complex? According to the Gartner Hype Cycle, we are at least five years away from having encryption platforms that can easily centrally manage encryption tasks across all of these data islands.
Rick Howard: The question is then, "What are security executives doing today to build robust encryption programs for their enterprise?" I brought two practitioners to the CyberWire Hash Table to ask them. Wayne Moore is the CISO for a company called Simply Business, one of the UKs largest insurance providers for micro business and landlords, and they have recently expanded their business to the U.S. This is Wayne's first appearance at the CyberWire Hash Table so be gentle. Don Welch is Penn State University's interim VP for IT, their CIO, and as regular listeners will know, an old Army buddy of mine and a regular guest here at the CyberWire Hash Table. I started out by asking Don and Wayne what exactly does encryption mean to their enterprises? Don's first.
Don Welch: I think of encryption as a family of tools. And so, you know, you have used the, metaphor of the foundation in building the barbecue and, so forth. And I look at it more a s a tool that we use to build that foundation. And so encryption is found in many different, programs. And where we employ them, once again, you know, risk-based approach, how we employ them, that's the way I look at encryption.
Wayne Moore: It's fundamental to how we protect the information that we've been entrusted with. The way in which we deploy that encryption and how we deploy that encryption some of it is very complex. So even that complexity has some vulnerability in it, but it's something that you have to get right if you're going to provide adequate protection for the data that you've been entrusted with.
Rick Howard: Both Don and Wayne agree that we will use encryption systems to protect their material data. One thing to consider though, is if that is true, then those protection systems become material too, in a sort of a recursive law of materiality that I just invented. In other words, security executives will have to protect the encryption systems with the same first principle strategies that we are using for all of our other material data and processes.
Rick Howard: If you look back on the now infamous SolarWinds attack, the supply chain backdoor was not how the adversaries caused their damage. It was just them establishing the beachhead on their intrusion kill chain attack sequence. Where they caused the damage was when they acquired the keys that authorized access to cloud resources. Here's Wayne.
Wayne Moore: I'm trying to think if I've seen that on their motto tech framework, I obviously don't know all the tactics that are behind the techniques and things, but, um, I wonder if in attacking the encryption system is part of that.
Rick Howard: Well, I looked at the, the framework last week and they have some generic tactics that bad guys go after. They say they're going to weaken the, the key management system. They don't give a lot of detail about that. But in my mind, if we're using encryption to as a major plank in our infosec program, then we need to protect it from the bad guys too.
Wayne Moore: Yeah, absolutely. Yeah. It does need to be in it's in itself. Yeah. It starts to, it starts to feel a bit like it's turtles all the way down.
Rick Howard: That's what I say. It's kind of recursive. Right? We got it. We already have encryption and then we got to protect it too. So, um, yeah.
Don Welch: Oh, absolutely. If you trace the chain all the way back, the importance of privileged access management. So when you're protecting, you know, those keys, those encryption systems, and then, you know, who can get in there and manage those? Who can create the keys? Who can interact with the cloud providers? Making sure that those accounts are well-protected that we're you know, we're executing least privilege, that we've got a privileged access management system.
Don Welch: I was speaking to a vendor /investor conference a few years ago, and I said, if I could only have one protection, one control, it would be a privileged access management system because those administrator accounts could get to anything. So, that principle definitely follows with encryption too. If, if you give up those accounts, you know, and don't have those protected appropriately, heck your entire system is, you know, just a, a paper castle.
Rick Howard: Since both Wayne and Don agree that the encryption system is itself a material system to the business, is the care and feeding of that system a CISO responsibility as a key and essential enterprise first principle security capability, or is the care and feeding of the system better if it is delegated to the organizations running the systems that create the material data? Here's Wayne.
Wayne Moore: I think a lot of these types of questions depend on the organizational structure. I personally would believe that the CISOs responsibility to run this or the CSO in that case. They are the ones equipped with the best knowledge to make best use of these things. There would be delegating implementation and running of these systems, but setting policy that the organization needs to follow, I would say it does sit with the CISO.
Don Welch: Universities are highly decentralized as you may, may be aware. Your listeners be aware.
Rick Howard: Yeah.
Don Welch: And, and, and very, very diverse things. So, you know, Penn State has an airport, a nuclear reactor, you know, police department, health care as well as very, very different, you know, disciplines in the various colleges and campuses and, and so forth. So what, the way we do it is our office of information security sets the standards and the policies, giving people the tools that they can choose to use, and help guidance using those tools. Sometimes they'll do a central purchase of those tools. So we just changed our VPN out. And so we, we offer some of those tools centrally and some of those on a distributed basis. But it really depends on the, that implementation and that, that specific circumstance. So in most cases, the administrators are going to handle the encryption. Our, our key management is distributed to the different organizations, who, you know, manage websites and, other, other types of things we happen to use, I don't want to mention a, a brand name, but, for our suite of productivity tools, we have settings on those that are handled through that cloud application that, that provides some ransomware protection and encryption. So it's a combination of things where it makes sense to have it centrally, managed , we do that. But generally speaking, it is the IT units who actually handle the management, the provisioning, the deployment, and the office of information security who sets the standards. And sometimes there's a little train the trainer between that office of information security when it's a new tool and the IT units.
Rick Howard: So a distributed model, especially for a university because it's, it's kinda like a little city, right. They have their own little departments and they don't really, they're all kind of independent fiefdoms. Right. That's how I've described it in the past. Is that right?
Don Welch: Yeah, I, well, it is, you know, the budget is decentralized. They have IT departments. We all try and, pull together, be aligned, to move the university strategy forward, but still they're making their individual decisions based on their individual circumstances. And they be very different from their neighbor and make different decisions based on the mission of that organization. And I think that, you know, the idea of a city, yup. We're there to provide education, but we also provide housing, food, service, public safety, et cetera, that have different types of people using different types of information in a different way. And therefore that decentralized nature, I think you see an important part of how you can work effectively and turning the dial between centralization decentralization is always important to tune that as technology changes and the environment changes and so forth.
Rick Howard: Well, it definitely takes the burden off of, the centralized leadership team. If project X gets hit by ransomware or by some bad guy, and it's embarrassing to the university, but the finger pointing goes to that, through that fiefdom. That's how it works?
Don Welch: I want to join your world.
Rick Howard: I was trying to be generous.
Don Welch: Yeah, no. Yeah, that, that would be great. Uh, but yeah, generally, not the case so, you know, and I think it's right too. So I'm accountable for all IT, at Penn State, even though I don't have budget or reporting responsibility to those IT units. And as you know, with leadership, you don't really need authority to be a good leader. In fact, I think you're a failed leader when you have to rely on authority. So, you know, we try to work together. We support each other. The university leadership looks to me regardless of where the problems are. Don Welch: Where the successes are, generally look to the units, but, you know, I think that's a good way to operate. So, yeah, that distributed is not really so much about the blame as understanding the exact environment that you're implementing because of that complexity.
Rick Howard: We've been talking about encryption as a data loss protection strategy on our first principle wall that supports our resilience strategy. The use case that most practitioners cite when talking about the need for encryption is ransomware. But when we think of ransomware, most of us imagine how criminal groups encrypt our material data and demand payment to encrypt it. How does the enterprise encrypting their own data first prevent that extortion? Won't the ransomware group just encrypt the encrypted files again so that we can't get access? Here's Wayne to explain.
Wayne Moore: That's a great, it's a great point. It's a great point. What we're finding nowadays is this largely, a, double extortion tactic that they're taking nowadays. Isn't it? So what you're seeing is, ransomware of the old was largely lock it up, demand ransom, and the way you mitigated against that was to have good recovery procedures that you've tested, and know work, and that's how you would avoid having to be extorted for money. But nowadays they also exfiltrated the data. So nowadays with the double extortion, your recovery procedures are only part of the solution. You've now also got to deal with the reputational damage of lost data and potentially fines associated with regulated data. So that data needs to be encrypted so if it is stolen, you've kind of covered off as much of that risk as possible, but you still need to rely on good recovery procedures to get your operations back online.
Rick Howard: When we talk about double extortion, you're talking about a bad guy comes in, encrypts all your data, and he extorts you to unencrypt it. That's extortion number one.
Wayne Moore: Yes.
Rick Howard: And then, but extortion number two is if you haven't encrypted your own data, now they have it, or they could have it and they can sell it. And they will say, if you don't want us to sell it, okay, you should pay us more money. So, uh, I think we're in the wrong business, Wayne. Okay, I think.
Wayne Moore: Is that a, is that a proposal, Rick?
Rick Howard: A new business proposal. Uh, um, yeah.
Wayne Moore: And you know what, interestingly on that, Rick is, uh, I heard another angle, I think it was on the CyberWire recently, is that I think probably going to be a less successful angle because it requires a lack of integrity on the competitor's part. But I believe that we're seeing some ransomware operators now also not only extorting for a promise that they will delete the data, which we know is a hard one to really prove, but also the, the fact that they are now approaching competitors of the entity that they've attacked and saying, you know, we've got this information about your competitor, potentially sensitive, could give you a competitive advantage. Do you want to buy it and seeing if they can also make money off the data that way.
Wayne Moore: I see it as being less successful long run because it requires a lack of integrity on the people that they are approaching, but still that's an interesting angle.
Rick Howard: So extortion revenue opportunity number three, right? Which is even if the victim pays to unencrypt the data, and pays the criminal not to send it out, they still might send it out and try to sell it on their own. So three ways they can make money off your data.
Don Welch: Oh, I think that is absolutely right. You know, the office of civil rights had come out a number of years ago when ransomware first came out, saying if you were attacked and had a ransomware attack, you had to assume that all that information was exposed. So Yeah, I think that is correct, but I also think you should be protecting it for other reasons. So if you didn't have your good data,
Rick Howard: I agree.
Don Welch: Yeah. If you didn't have it encrypted to protect it from just normal somebody you know, coming in and, breaking into your systems. Ransomware maybe it will help you get the momentum to do it because that's so much in the news nowadays, but, you know, a good program is going to have that covered from other attack vectors too. But yeah, that's a good point that anything you can use to get support.
Rick Howard: After this discussion with Don and Wayne and other Hash Table guests in the background, it turns out that there are actually four different revenue streams that ransomware groups can pursue. Number one, extortion, to unlock your data. Number two extortion to make the data public. Number three extortion to not sell the data to competitors. And finally, number four, do extortions one through three, but sell the data anyway, regardless of payment.
Rick Howard: The reason I'm adding encryption to our infosec first principle backyard barbecue is that it can greatly reduce the probability of material impact to three of them and that's a good thing.
Rick Howard: And that's a wrap. Next week, we're going to continue improving the resiliency section of our infosec wall by talking about backups. You don't want to miss that. But as always, if you agree or disagree with anything I've said or anything our guests have said, hit me up on LinkedIn or Twitter and we can continue the conversation there.
Rick Howard: The CyberWire's CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And, I am Rick Howard. Thanks for listening.