Zero Days vs. Standard Ways

A few days ago, a new vulnerability was found that affects the security of encrypted data, specifically on full-disk encrypted drives that use hardware encryption. For some time now, it has been considered best practice in Infosec, regardless of vertical, to rely on full-disk encryption to protect sensitive data from theft. The premise of this practice is that if a hard drive encrypted with Microsoft’s BitLocker or a commercial alternative, or the device in which it resides, is lost or stolen, the system’s owners can claim that no data was lost, since unauthorized users cannot read the drive without the key.

Alarmingly, this new vulnerability allows attackers to decrypt and read information on the affected encrypted drives. While this revelation probably won’t change Infosec’s approach to encrypted drives, it does raise some very important questions. To fully understand the issue, it is important to know that the primary use of encrypted drives is to allow organizations to assume the data on lost or stolen drives has not been compromised. Unfortunately, this assumption is now being challenged, as all assumptions should be, especially those based on technological controls.

What’s That Saying About Assumptions?

We are living in a time when significant and concerning vulnerabilities in the systems we rely on every day are discovered frequently. In just the last few weeks we have seen the major vulnerability that affects full-disk encryption, as well as a VM-busting (virtual machine) zero-day that was released outside of the “typical” reporting process. These are just two of the latest issues in a concerning trend that anyone paying attention to the news can see almost every day.

It is time for a change in how we think about security; the time to begin challenging our assumptions is upon us. After more than 10 years working in security, it has become increasingly apparent to me that our blind reliance on technical controls and tools is the most likely cause of our downfall (or at least of all the breaches). As a whole, Infosec has spent a long time and a lot of effort developing and implementing every conceivable technological solution to our security woes. I have been just as guilty as anyone else of expecting more from these technologies, but a few years ago it hit me like a load of bricks that we were missing half the picture.

People Pleasers

Tech is great and makes up half the picture, but what is the half we seem to be missing, or at best barely understanding? It is the non-technical side of security. It’s almost as if we have been reading the cover of a book, safeguarding the book, but have never actually read it. People use these systems, software, and the like to do things daily, and their behavior and habits have significantly more impact on the security of our networks and systems than most of the tools we are using today.

A good example is how we have chosen to deal with the forgetfulness that leads people to physically lose devices. As an industry, we have decided that if we can ensure the storage and data on a lost or stolen device is encrypted, then it is inaccessible to any unauthorized party and the data is secure. But the vulnerability discussed above challenges this, and we should at least accept that we are not dealing in absolutes, however much we would like to be.

So, what can you do?

Strive to understand your users, and ensure your users understand the responsibility that rests on their shoulders. Our best and most effective defense is the front line, which is populated with users who are not Infosec professionals. Work with them, teach them, be a people pleaser, and maybe, just maybe, it won’t matter whether the data can be decrypted, because your users never lost any.

January 10th, 2019

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).