Lost in Encryption
Welcome to the final installment of EMPIST’s Spooky Cyber Stories in honor of National Cybersecurity Awareness Month. This week, we are introducing the Crypto Creeper. Stopping at nothing to encrypt all the data you hold dear; we will go through this cyber villain’s best hacks to help prevent you from falling victim to the same fate.
Did You Know…
Cybersecurity nowadays should never be a one-and-done process. Technology is evolving constantly, and your security efforts need regular updates and maintenance. In fact, encryption is estimated to be used by over 50% of hackers during a network attack.
So, the question is, are your systems prepared? Here are some of the ways the Crypto Creeper can gain access to your information through seemingly secure data encryption.
Lurking Deep in the IPsec Tunnels…
Internet Protocol Security or IPsec creates a VPN for a secure internet connection across an IP network. Thus, making this the perfect target for a hacker to infiltrate. IPsec tunnels are commonly used for remote access purposes, so it’s a simple task for a hacker to gain access to your IP network through their own IPsec tunnel. Once a hacker connects their tunnel to your IPsec, they can start laying the groundwork for a larger scale cyber-attack.
Encryption & Phishing
When a hacker gets in through an IPsec tunnel to your organization, they may start building out phishing websites within your intranets. When the victims connect to the phishing site, encrypted sessions ensue and soon the hacker will have access to the user’s sensitive data. These interactions often go off without a hitch because the hacker is using an HTTPS trusted site within your layered security network. Creepy, huh?
Are you worried you could be in danger of an encrypted cyber-attack? There are proactive things you could be doing to better prepare your organization. Learning what not to do when you’re setting up encryption security measures is step one. The most common encryption mistakes a company can make include:
- Misconfiguring the implementation
- Deploying vulnerable versions of crypto
- Using the same key for multiple communications
- Failing to understand their weakest control points
- Creating their own crypto algorithms
It’s time to stop assuming your developers are security experts or that the basic compliance regulations are enough to keep your data safe from an attack. Sure, sensitive information must be secure/encrypted, but “how” that information is secured is not always specified through basic compliance rules.
Furthermore, the rules developers must follow for encrypting information on a site only require a minimum amount to get the “check” they need for a bill of good site health. In other words, always be checking in and doing more.
Don’t rely on bare-bones encryption solutions to protect your network. Time and time again, we see businesses have one baseline file encryption service in place and fall susceptible to hackers. Like all good security plans, your structure should have layers of preventive tools in place. You never know when the Crypto Creeper might strike…