Information Security Blog

Dropbox Debacle: Don’t Worry It’s Encrypted (Maybe)

Encryption is one of the most fundamental of all information security controls. So why is it so widely credited as being “bulletproof” when it isn’t?

Data encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The primary objective of encryption is to ensure the confidentiality of data. When used in concert with other controls it can also be used to authenticate the sender/receiver and/or validate the integrity of the message.

During many information security assessments when we are discussing the information security risks associated with particularly sensitive data someone will eventually sigh and with a confident smile declare “you don’t need to worry about that data its encrypted!” (often accompanied with well flourished hand waiving). One of our consultants sometimes refers to this as the “then the magic happens” moment. The key to encryption (pun very much intended) is the key. What type of key, where its stored, and how its managed/used are issues that are not asked often enough. Locking the front door of your house is great and likely to keep your new Patek Philippe Calatrava watch secure – unless your leave the key under the front mat, for the maid, who shares the information with the pool boy, who has a copy made by his friend at the Home Depot.

Recently, the wildly popular service Dropbox illustrated this risk. The first when they did a lot of “hand-waiving” to obscure the fact that the key to your encrypted data is stored (and usable by) Dropbox. The second, when a mistake made EVERY FILE for EVERY USER stored on Dropbox available WITHOUT a password.

So the next time any one tells you not to worry because the data is encrypted (with an overly confident smile) – worry at least a little bit – and ask the “key” questions. If you’re not sure what the key questions are … a good start is the controls detailed in ISO 27002 Clause 12 Security Category 3 (12.3).

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

Simplify compliance monitoring/reporting
Vastly improve Incident Detection & Incident Response
Contextualize event information with other business relevant information

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

Substantiate the net effectiveness of a mature control environment
Prove to a third party that an environment is secure/trustworthy
Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.