New cybersecurity threats seem to pop up on a daily basis. All the encryption in the world doesn’t seem to stop people from hacking into systems and leaking data that should have been zealously guarded. Is encryption just not all it’s cracked up to be? If encryption isn’t enough, what does it take to safeguard your data, your personal information, and your workplace from digital threats?
Think about what all these thick-walled vaults, some of the most secure places in the entire world, have in common.
That’s easy, you’d say. They all hold literal metric tons of gold.
Right you are. But what else do they have in common?
What all these vaults have in common is that their thick walls and heavy vault doors alone aren’t enough. Those heavy vaults aren’t the first line of defense. They’re the last, in fact, so let’s zoom out a bit and see what the designers of these places put in front of them.
Fort Knox has electric fences and armed guards. Say you, a would-be Arsene Lupin, are lucky enough to make it past them to the vault (you aren’t). You’d still be at a loss to find a way in. Every staff member only knows part of the vault’s combination. Will you have the time to round up all of them before you’re caught and eliminated? (You won’t.)
The Federal Reserve Bank of New York rests 80 feet underground. Make your way to the vault—somehow—and you’ll meet the same fate you did in Fort Knox: taken out by crack marksmen.
The Bank of England’s vault is guarded by a sophisticated voice recognition system. If you’re supernaturally silver-tongued enough to fool that (you aren’t), then you’ll also have to be able to lug around all the keys it takes to unlock the vault (you can’t).
Oh, and did I mention the eighty-year-old keys to the Bank of England’s vault are three feet long?
Encryption is very good at what it does. We’ve talked about how strong encryption is here on Gillware’s blog already. To break 256-bit encryption you would need to make at most 2256 guesses (that’s a one followed by 78 zeroes, or, in other words, a lot). It would take 1038 supercomputers running until the end of time itself to break 256-bit AES encryption, according to our back-of-the-napkin math (not so super now, are they?). Today, encryption is the law of the land, and overall, that’s a pretty good thing.
So why do all these hacks and data breaches keep happening? It seems you can always find a new hack in the news, or a new bug for hackers to exploit. Equifax’s name was on everybody’s lips just a few months ago, and now Apple users—and Apple itself—are gnashing their teeth over an extremely embarrassing bug involving root administrator accounts in macOS High Sierra.
Let’s put it this way.
Fort Knox simply wouldn’t be Fort Knox if all it had were its vault. You can have the thickest vault in the world with the heaviest doors to keep your gold safe. But that doesn’t make a world of difference to a sufficiently-determined thief dreaming of a Scrooge McDuck style pool of gold they can swim in (maybe it works like this). What does make a difference? The electric fences, the armed guards, and the other security measures in place that make it so impregnable.
To tell the truth, for years the computing world has been over-hyping encryption. The fact is, even the most robust encryption won’t protect you if your authentication is lacking (like, for example, if you keep all your passwords written on post-it notes stuck to your monitor). Think of encryption the same way you think of a bank vault: as the last in a long line of defenses. A would-be hacker shouldn’t even be able to make it that far.
Thick walls stop criminals from tunneling in and absconding with your gold bullion. Likewise, encryption prevents hackers from simply peeping at your data. But encryption without a good password behind it (at the very least) and other layers of authentication on top of that is like a vault with a combination of 1-2-3-4-5.
Every data breach and every hack you see when you pull up today’s news on your computer or phone is a failure of authentication. Encryption has no holes. It has no weakest link to pull at. But the password you use, whether you have two-factor or multi-factor authentication, whether the code accidentally allows for just anybody to log in as root without a password, and other factors are your weakest link.
In other words, encryption can’t do its job if your authentication is lacking.
There are three things you need to do to protect your data in addition to encrypting your data:
In Mel Brooks’ classic Star Wars spoof Spaceballs, the titular villains seek to steal the atmosphere from the peaceful planet of Druidia. Druidia’s atmosphere, fortunately, lies behind a planet-wide barrier. Unfortunately, that barrier relies on one of the lamest passwords you can set: “That’s the kind of thing an idiot would have on his luggage,” Rick Moranis‘ dweebishly villainous character snarls.
If you have a password that a hacker can easily brute-force or suss out using social engineering and phishing, all the encryption in the world won’t protect you. While making strong, random passwords is more necessary now than ever before, fortunately, it’s also easier now than ever before.
But a password is only your first line of defense. On its own, it still doesn’t do enough to protect your data.
When you set up two-factor authentication or 2FA for an account, whether it’s for a business-critical service or even just your personal Facebook, Twitter, or Amazon account, you force them to require more from you than just a password to log in. The extra piece of authentication typically takes the form of:
Other authentication forms can include eye or face scanning, thumbprint scans, or swipe patterns. Multi-factor authentication goes farther and requires you to have two or more of these items in addition to your password.
Think of it as the retinal scanner protecting your vault in addition to the keypad.
Many security holes exist simply because people neglect to update their apps and operating systems. For example, the WannaCry virus that took the world by storm earlier in 2017 exploited a security hole in Windows operating systems that had been fixed by the latest Windows 10 updates. Being prudent about updating your computers is one of the best ways to prevent hackers from finding their way through the back door.
After all, if there’s one thing we know from our years offering data recovery services, it’s that your data is a treasure. And just like gold or state secrets or other treasures, it deserves protection.