[SCADASEC] Encryption could make you more vulnerable, warn experts
Bob Radvanovsky
rsradvan at unixworks.net
Mon Feb 11 09:33:17 CST 2008
> http://www.techworld.com/security/news/index.cfm?newsID=11371
>
> By Bryan Betts
> Techworld
> 08 February 2008
>
> The use of data encryption could make organisations vulnerable to new
> risks and threats, a panel of security experts warned today.
>
> Many organisations are encrypting their stored data to relieve concerns
> over data theft or loss - for example, US mandatory disclosure laws on
> data breaches do not apply to encrypted data.
>
> However, experts from IBM Internet Security Systems, Juniper, nCipher
> and elsewhere said that data encryption also brings new risks, in
> particular via attacks - deliberate or accidental - on the key
> management infrastructure.
>
> The change comes particularly with the shift from encrypting data in
> transit to encrypting stored data - often in response to regulatory
> demands - said Richard Moulds, nCipher's product strategy EVP.
>
> "Lot of organisations are new to encryption," he added. "Their only
> exposure to it has been with SSL, but that's just a session. When you
> shift to data at rest and encrypt your laptop, if you lose the key you
> trash your data - it's a self-inflicted denial-of-service attack.
>
> "Organisations experienced with encryption are standing back and saying
> this is potentially a nightmare. It is potentially bringing your
> business to a grinding halt."
>
> Encryption is also as big an interest for the bad guys as the good guys,
> warned Anton Grashion, European security strategist for Juniper. "As
> soon as you let the cat out of the bag, they'll be using it too," he
> said. "For example, it looks like a great opportunity to start attacking
> key infrastructures."
>
> "It's a new class of DoS attack," agreed Moulds. "If you can go in and
> revoke a key and then demand a ransom, it's a fantastic way of attacking
> a business."
>
> Another risk is that over-zealous use of encryption will damage an
> organisation's ability to legitimately share and use critical business
> data, noted Joshua Corman, principal security strategist for IBM ISS.
>
> "One fear I have is that we're all going to hide all our information,
> but companies are information-driven, so we take tactical decision and
> stifle ability to collaborate," he said.
>
> "Sometimes, the result of implementing security technology is actually a
> net increase in risk," added Richard Reiner, chief security and
> technology officer at Telus Security Solutions.
>