A tool is a tool. In the right hands, it can do good. In the wrong hands, it can be used maliciously. ‘Twas ever thus.
In the modern world, the bad guys can access the same digital weapons as the good guys. Encryption, and data security more generally, is an important tool in the Information Age. But just like the spades and hammers of old, it can be wielded to a range of ends, both benevolent and malicious.
Constant brouhaha about encryption being a dangerous technology – about a “dark side” to cryptography – is simply misplaced. The truth is that technology knows no morality.
Is Encryption a Force for Evil?
We’ve heard a lot about encrypted communications providing hiding places for bad guys. However more recently, encryption has once again made its way to the forefront as a strategic tool for criminals with the WannaCry ransomware attack.
For anyone who’s been living under a rock the past few weeks, on Friday, May 12, 2017, WannaCry began to spread on an unprecedented scale, affecting organizations and enterprises across the globe extremely quickly. According to Europol, 200,000 victims in 150 countries have been identified. Ransomware attacks are relatively common, but the scale and speed of the WannaCry attack are unprecedented.
But I must stress that while encryption was an element of WannaCry, it’s not how the attackers got in. Instead, one could say that encryption was the safety mechanism by which affected individuals could get their data back! If the cybercriminals just wanted to mess with people, they could have gained access in the same way, spread the same way and then deleted the data altogether.
Encryption arguably made these attacks safer for those affected, while also making the attacks more lucrative for the cybercriminals. In any case, WannaCry (and any ransomware for that matter) is already illegal. As such, it’s unlikely to have mattered to the attackers if use of encryption were restricted by law.
Encryption as a Force for Good
Criminals love to get inside people’s lives and steal stuff. And if encryption is a hiding place for criminals, it has just as much potential to be a hiding place for the good guys. (Keep the criminals out!)
For security-minded organizations in today’s digital world, encryption is used as a crucial part of a company’s overall strategy to protect sensitive data. In fact, enterprises have accelerated adoption of encryption strategies. According to our recent 2017 Global Encryption Trends Study, 41 percent of organizations have an encryption strategy applied consistently across the enterprise. As for consumers, many privacy-aware individuals are also increasing their use of encryption in the form of secure messaging applications to encrypt texts and phone calls.
Encryption is the backbone of online security – allowing the safe transfer of passwords, credit card numbers, healthcare data, in fact almost anything of value over the internet. Without encryption, there would be no e-commerce, no online banking, no app stores (or the phones that use them), no debit cards, no internet of things and certainly no Bitcoin; the internet as we know it (think: shopping, banking, living) simply wouldn’t work.
I’ve Been Hit by Ransomware – What Now?
We’ve established that encryption isn’t the bad guy. However, that doesn’t mean that cybercriminals aren’t going to use the technology for nefarious purposes. Ransomware such as WannaCry will be a fact of life for the foreseeable future. So, what can be done to counter ransomware attacks?
Here are five important measures that organizations can put in place:
- Your Business Data Is an Important Business Asset – Treat it like one. Look after it ahead of time and put in place professional data management. Business data and machines should not be treated like home computers with valuable files stacking up on personal hard drives. Make backup copies of important data and spread it around, make sure important data is stored in known places under conscious management. If you properly manage and backup your data in its own right then ransomware is powerless: Simply wipe the affected machine and start again – your data is safe. Don’t forget though: If you’re spreading your data around, storing in remote or cloud services and so on, make sure it’s encrypted…with keys you control.
- Training and Awareness – It is often forgotten that users themselves, including company employees, enable attacks to spread. They therefore need to be aware of simple “safe computing” measures, such as never opening unexpected attachments and never clicking on a link from an unknown sender. Passwords also should be changed frequently.
- Anticipation – Security maintenance and vulnerability analysis, for example via supervision solutions such as the CERT-IST operated by Thales, make it possible to identify possible flaws in computer systems and take remedial action. Building security into computer systems from the earliest design phase is also crucial. Other ways to anticipate an attack include migrating obsolete systems to the software manufacturer’s latest versions, regularly keeping software updated and ensuring that systems are backed up so that data can be accessed even if an attack takes place.
- Surveillance and Attack Detection – Computer systems must be kept under constant surveillance. Thales operates five Cyber Security Operation Centers (CSOC) around the world (in France, the Netherlands, the United Kingdom, Canada and the recently opened center in Hong Kong) and develops probes specifically designed to detect attacks.
- Security and Response – If an attack happens, specific security and response measures can be taken. In the case of WannaCry, possible measures include blocking the files to stop them running, isolating infected computers or servers, or disabling the SMBv1 network file sharing protocol to stop the attack from spreading. Thales also has a Rapid Reaction Team that can be deployed to put remedial measures in place.
Wake Up and Smell the (Data Protection) Coffee
The WannaCry ransomware attack is a wakeup call, but not against encryption. It’s a wakeup call to consciously protect your data, as virtual cyberattacks can have very real consequences for both businesses and consumers. As our societies continue to pursue their digital transformation, system cybersecurity and data protection have become crucially important in enabling interactions between governments, businesses and citizens. Technology knows no morality, so use the technologies in your arsenal to shore up your cybersecurity defenses and get a leg up on the bad guys.
Do you have questions about ransomware and your organization’s data security posture? More to add to the conversation? If so, feel free leave a comment below, or tweet me @JonGeater.