Why Encryption Is Not A Silver Bullet
October 2, 2017 Alex Woodie
While there is a temptation to view database encryption as the ultimate form of security, there are a variety of reasons why the technology should not be relied upon as the main means to protect your valuable DB2 for i data. We talk with former IBMer Bruce Bading, who wrote the book on IBM i security assessments, to get the dirty details.
In the wake of the Equifax hack, several important questions have gone unanswered: Did the credit giant encrypt its data, and if so, how did hackers end up with 143 million records? With multiple government investigations – and many more civil lawsuits – underway, it could be months or years before we find out. In the meantime, organizations should take stock of their security controls, and ask themselves whether they’re doing enough to keep themselves from ending up in the news for all the wrong reasons, as Equifax did.
This conversation leads to Bading, who recently left IBM’s Lab Services team in Rochester, Minnesota, to launch a private practice around security assessments, audits, and compliance. During his 20 years at IBM, Bading was instrumental in shaping IBM’s security controls for IBM i. In 1995, at the urging of then-AS/400 security architect Carol Woodbury (now a vice president at HelpSystems), Bading wrote a paper on how to conduct a security assessment for AS/400. That paper went on to become the official IBM handbook for conducting security assessments, and continues to be relied upon by IBM Lab Services personnel and many other security professionals to this day.
Bading popped more than a few holes in the idea that database encryption, on its own, is the critical component of a good security posture. His argument essentially boils down to this: If the rest of your server (IBM i, Linux, Windows, or otherwise) is configured so poorly that intruders can waltz right in, then encryption won’t do you much good at all.
“You should view encryption as your third or fourth line of defense,” Bading tells IT Jungle. “But trust me, you don’t want to look at that encrypted data as either the first or second line of defense.”
Layered Defense
The first line of defense is application white listing, Bading says. “It’s making sure you know what is running on your system, and taking away all the abilities to elevate your privileges, removing all eight of the special user authorities, taking care of your public/private authored profiles, encrypting Telnet so nobody can steal your passwords, encrypting DDM, encrypting FTP, making sure you know where adopted authority programs are running.”
“The second line is access controls, putting tight access controls on everything,” he continues. “Putting access controls on encryption and decryption programs and encrypted databases. The best thing to do is to actually make your encrypted database owned by an adopted authority user and give nobody access to it. The third line of defense is encrypted data.”
Bading doesn’t tell clients that encrypting data is a bad idea. “I will never say that,” he says. “Where it really does bring a lot of benefit is if the disk is ever going bad on you and you remove the disk, so you don’t have to overwrite it six times. Or while sending data over a network… Or for backups, the data goes onto the tape as encrypted data, so that if the tape falls off the back of the UPS truck and somebody restores the data, they’ll find it’s encrypted. In each one of these cases, encrypting it is very beneficial.”
Where encryption is least useful is, in fact, where people tend to assume it protects them most: during day-to-day business activities, when bad actors of both the internal and external variety are most likely to sneak onto the network and quietly lift data that the business itself must be able to read.
Weakest Link
One of the things Bading likes to point out is how easy it is for users to read encrypted data from 5250 screens or from any other application that connects to a DB2 for i database, because the application decrypts it for them.
“I tell them, ‘You’re on the system, you’re viewing the data decrypted right?’ Yes, I am,” he says. “Doesn’t that protect me? No, because you’re already viewing it decrypted. Anybody who gets on the system with administrative rights has the ability with the keys and the programs to decrypt the data.”
And therein lies encryption’s biggest bugaboo: Companies need access to unencrypted data to function. You could encrypt all your data and throw away the decryption key (essentially what a hashing algorithm does), and the bad guys would never be able to use it. But the data would also be useless to your company. It’s the ultimate paradox in security, and provides built-in job security for cybercriminals.
That’s why Bading views encryption as a useful tool only when everything else is correctly configured. “Encrypted data on the system, I view, as a good method only if all other access methods on the system are being secured,” Bading says. “Those on the system already have the ability to decrypt, and if your system is not secure, neither is your encryption.”
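The distinction Bading draws, that ciphertext on a stolen tape is unreadable while anyone running as a profile authorized to the decryption program gets plaintext, is easy to model in code. The following is an added example, not code from the article or from Bading’s practice. It builds a small authenticated cipher from the Python standard library only (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, standing in for AES-GCM so the example runs without third-party packages; use a real AEAD in production) and wraps the key in a decrypt service that enforces an allowlist and keeps an audit trail, which is the software equivalent of putting access controls on the decryption program and the encrypted database. The profile names, the sample column value and the tape scenario are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Demonstration cipher (standard library only). Two subkeys are derived from
# one master key so the keystream PRF and the tag PRF never share inputs.
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || body || tag, with the tag computed over nonce || body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob is rejected."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class DecryptService:
    """Models the 'decryption program' that must itself be access controlled:
    the key never leaves this object, every call is checked against an
    allowlist of profiles, and every call (allowed or denied) is audited."""

    def __init__(self, key: bytes, authorized_profiles):
        self._key = key
        self._authorized = set(authorized_profiles)
        self.audit = []  # (caller, decision) pairs

    def decrypt_for(self, caller: str, blob: bytes) -> bytes:
        allowed = caller in self._authorized
        self.audit.append((caller, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{caller} is not authorized to decrypt")
        return decrypt(self._key, blob)


def scenarios() -> dict:
    """Three situations from the article, with constructed data."""
    key = secrets.token_bytes(KEY_LEN)
    record = b"SSN=123-45-6789"  # constructed sample column value
    blob = encrypt(key, record)
    svc = DecryptService(key, authorized_profiles={"PAYROLLAPP"})  # assumed profile name
    results = {}
    # 1. Tape off the back of the truck: ciphertext only, no key. Encryption wins.
    try:
        decrypt(secrets.token_bytes(KEY_LEN), blob)
        results["tape_without_key"] = "plaintext recovered"
    except ValueError:
        results["tape_without_key"] = "unreadable"
    # 2. Intruder already runs as the authorized application profile: encryption is moot.
    results["authorized_session"] = svc.decrypt_for("PAYROLLAPP", blob)
    # 3. Profile with no authority to the decryption program: access control wins.
    try:
        svc.decrypt_for("INTRUDER", blob)
        results["unauthorized_profile"] = "plaintext recovered"
    except PermissionError:
        results["unauthorized_profile"] = "denied"
    results["audit"] = list(svc.audit)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the whole point of the article: nothing in the cipher can distinguish the real payroll job from an intruder who has obtained the payroll profile, so the controls that matter are the ones that keep the intruder from getting that profile (the first and second lines of defense) and the audit trail that shows who decrypted what.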
When you consider how bad the average IBM i shop is at security – really, how poor the average IT shop is at security, period, if Equifax is our sample – then you understand how little actual protection encryption can provide. Even the strongest encryption in the world won’t protect you when a vulnerability-ridden PC or smartphone has the capability to access plain-text data through decryption programs and encryption keys.
In all manners of defense – whether you’re talking computers, chess, or football – your opponent will inevitably attack your weakest link. You may have the computer security equivalent of JJ Watt protecting one egress point into the data, but the other team will probably test your rookie cornerback, instead.
‘Kill Chain’
The picture gets even worse when you consider how eager and willing companies are to open up their networks to laptops, mobile phones, and sundry smart devices to partake of new Web-based collaboration capabilities made possible by the big data boom. Sophisticated cybercriminals are only too happy to take advantage of the networking ports companies are opening by installing advanced persistent threats (APTs) into them.
Bading says the new internal threat is the cyber-criminal equipped with APTs and a six-step “kill chain.”
“In both the Target and Sony breaches, they went through a six-step kill chain,” he says. “They came in, delivered the payload, started doing reconnaissance, mapped out the network, found the vulnerable spots, took a bigger payload into it, planted that payload in it, and the last step is they took command and control and uploaded the data.”
In Target’s massive 2013 data breach, the intruders got in through the retailer’s HVAC vendor. “The HVAC vendor said, we can come in and lower your environmental costs, lighting and HVAC, by installing these smart thermostats,” Bading says. “Target said, this is cool stuff, we can save tons of money.” Instead, Target’s expenses related to that breach are close to $300 million.
“That’s your new insider threat,” Bading warns. “Nobody walked through the door. Nobody was carded through a secure computer room. They hacked you from North Korea, China, Russia – I don’t care where – and got this advanced persistent threat on your system that started monitoring and doing reconnaissance on your network.”
Today, Bading specializes in providing white-hat hacking services through his company, BFB Consulting. Bading brings an array of his own reconnaissance tools used for penetration testing, such as Nmap, Wireshark, and the Open Vulnerability Assessment System (OpenVAS). Cybercriminals have access to the same tools – as well as an underground network of thieves who have experience hacking Big Iron systems like IBM i and System z servers.
“As I watch those things run, I see people’s eyes pop out of their heads,” Bading says. “They’re sitting there saying, ‘We don’t even detect this running on our network.’ Their endpoints don’t even detect the fact that I have just scanned them and found unpatched vulnerabilities. You didn’t take care of this CVE. You didn’t take care of Apache Struts. You didn’t do things that could have protected you from the breach.”
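A scan of the kind Bading describes is loud on the network even when endpoints say nothing: one source touches many ports on one host in a few seconds. The following is an added example, not code from the article or from BFB Consulting, showing the minimal detection logic a shop could run over its firewall or flow logs. The log format is assumed (one line per connection attempt: timestamp, action, source, destination, destination port, protocol), and the sample lines are constructed, with the scanner probing the ports an IBM i exposes (Telnet on 23, DDM/DRDA on 446 and 449, the host servers on 8470 to 8476) alongside a legitimate 5250 user and a slow scanner that a short window misses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed, not from any real firewall):
# "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: a fast scanner (10.8.3.17), a normal 5250/host-server
# client (10.8.7.2), and a slow scanner spacing probes three minutes apart (10.8.9.9).
SAMPLE_LOG = """\
2017-09-30T02:00:00 DENY src=10.8.9.9 dst=10.1.0.5 dport=21 proto=tcp
2017-09-30T02:03:00 DENY src=10.8.9.9 dst=10.1.0.5 dport=22 proto=tcp
2017-09-30T02:06:00 ALLOW src=10.8.9.9 dst=10.1.0.5 dport=23 proto=tcp
2017-09-30T02:09:00 DENY src=10.8.9.9 dst=10.1.0.5 dport=80 proto=tcp
2017-09-30T02:10:00 ALLOW src=10.8.7.2 dst=10.1.0.5 dport=23 proto=tcp
2017-09-30T02:11:30 ALLOW src=10.8.7.2 dst=10.1.0.5 dport=8470 proto=tcp
2017-09-30T02:12:00 DENY src=10.8.9.9 dst=10.1.0.5 dport=443 proto=tcp
2017-09-30T02:14:01 DENY src=10.8.3.17 dst=10.1.0.5 dport=21 proto=tcp
2017-09-30T02:14:01 DENY src=10.8.3.17 dst=10.1.0.5 dport=22 proto=tcp
2017-09-30T02:14:01 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=23 proto=tcp
2017-09-30T02:14:02 DENY src=10.8.3.17 dst=10.1.0.5 dport=80 proto=tcp
2017-09-30T02:14:02 DENY src=10.8.3.17 dst=10.1.0.5 dport=443 proto=tcp
2017-09-30T02:14:03 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=446 proto=tcp
2017-09-30T02:14:03 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=449 proto=tcp
2017-09-30T02:14:04 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=8470 proto=tcp
2017-09-30T02:14:04 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=8471 proto=tcp
2017-09-30T02:14:05 ALLOW src=10.8.3.17 dst=10.1.0.5 dport=8476 proto=tcp
2017-09-30T02:15:45 ALLOW src=10.8.7.2 dst=10.1.0.5 dport=8476 proto=tcp
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so junk is skipped, not crashed on."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, threshold=8, window=timedelta(seconds=60)) -> dict:
    """Return {src: max distinct (dst, dport) pairs seen in any sliding window}
    for every source that reaches `threshold`. Both ALLOW and DENY lines count:
    a scanner that finds open ports is still a scanner."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent, best = deque(), 0
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            best = max(best, len({(e["dst"], e["dport"]) for e in recent}))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG.splitlines()))
```

With the default one-minute window only 10.8.3.17 is flagged (ten distinct ports in five seconds); the slow scanner at 10.8.9.9 never has more than one probe per window. Widening the window to fifteen minutes and lowering the threshold to five catches it too, while the legitimate client, which touches three ports, still stays under the line. Choosing those two numbers against your own baseline traffic is the actual tuning work.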
Hackers today have a target-rich environment, with so many vulnerabilities and attack vectors to choose from. The chief information officer should be focusing on the highest priority items. If she’s doing her job right, the hackers will have given up long before they ever find out that the IBM i’s database was encrypted.
“I don’t want a soft chewy center with a hard candy shell. I want a jawbreaker,” Bading says. “I want layered defenses, so that by the time I got through your first, second, and third lines of defense, I’m frustrated, out of resources, out of time, and I haven’t gotten to the data.”