Recent decades have seen researchers looking for ever-stronger methods of public-private key encryption, even as law-enforcement authorities enlist the federal government in a war on the technology’s wrongful use.
But with so much focus on the current encryption debate, it’s easy to forget that some of the best encryption ideas were invented decades ago – long before the advent of the modern computer. One-time pad (OTP) methods, for example, were first described in the 1880s, relied on paper-based key tapes, and were considered unbreakable throughout the military conflicts of the 20th century.
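To make the one-time pad concrete, here is an added example (not code from the article or from Brant) of the paper key tape idea in Python: a pad of truly random bytes at least as long as the message, combined with the message by XOR, and consumed on first use. It also shows the failure mode that gives the method its name: if one pad is used for two messages, the pad cancels out and an interceptor recovers the XOR of the two plaintexts without ever learning the key. The message texts and the `OneTimePadSession` helper are constructed for the example.

```python
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings; the whole cipher is this one operation."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length):
    """Digital stand-in for a paper key tape: random bytes from the OS CSPRNG,
    at least as long as the message, and never reused."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad. Refuses a pad shorter than the message:
    stretching or cycling the key turns a one-time pad into a breakable stream cipher."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext, pad):
    """XOR is its own inverse, so decryption is the same operation with the same pad."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1, c2):
    """What an interceptor learns when one pad encrypts two messages:
    c1 XOR c2 == (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2.
    The pad cancels out and the plaintexts' relationship is exposed with no knowledge of k."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


class OneTimePadSession:
    """Constructed helper enforcing the 'one-time' rule: each pad page is consumed on
    first use, the way a used section of key tape was torn off and destroyed.
    Sender and receiver hold identical page lists and consume them in the same order."""

    def __init__(self, pad_pages):
        self._pages = list(pad_pages)  # private copy so two sessions do not share state

    def pages_left(self):
        return len(self._pages)

    def _next_page(self):
        if not self._pages:
            raise RuntimeError("pad exhausted: more key material must be exchanged first")
        return self._pages.pop(0)

    def encrypt(self, plaintext):
        return otp_encrypt(plaintext, self._next_page())

    def decrypt(self, ciphertext):
        return otp_decrypt(ciphertext, self._next_page())


if __name__ == "__main__":
    # Constructed sample traffic.
    m1, m2 = b"MEET AT DAWN", b"HOLD THE HILL"
    pad = generate_pad(16)
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)  # the same pad used twice
    print("leaked m1 XOR m2:", pad_reuse_leak(c1, c2).hex())
    print("matches direct XOR:", pad_reuse_leak(c1, c2) == xor_bytes(m1, m2[: len(m1)]))
```

The `pad_reuse_leak` check is the practitioner's takeaway: the security of the scheme rests entirely on the pad being random, as long as the traffic, and used once, which is why the session object destroys each page as it is consumed.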
Such methods may now seem antiquated to many, but a renewal of thinking around interception-proof encryption means “some of the stuff we had in the manual world is making a comeback,” says Nick Brant, Chief Information Officer with Brisbane-based accounting and business advisory firm BDO.
“Some ideas are good ones, but they just move from the manual and analogue world into the digital world.”
Brant completed a BSc in computer science at the University of NSW, and subsequently completed a graduate diploma of information systems at the University of Canberra.
But it was during his military service, in the Royal Australian Corps of Signals (RASigs), that he learned the ins and outs of OTP and other encryption methods used to fulfil the fundamental mission of securing the communication of information.
He has subsequently been able to leverage the mindset he developed at RASigs in a range of information-management positions at the likes of Virgin Blue, GHD Group, Brisbane City Council and now BDO Australia.
And as the government rails against encryption that’s too strong for it to circumvent, Brant says, the high profile of encryption is feeding renewed considerations about the best way to protect data in a climate of constant attack.
The endpoint problem
In an enterprise context, growth in the number of endpoints in use has become a significant problem for any company.
Brant learned this first-hand at airline Virgin Blue (now Virgin Australia), where the need for extremely strong authentication capabilities was balanced with customers’ demand for convenience through features like online check-in and self-service kiosks.
“That’s where you understand that some of that security is a bit of a trade-off,” he says. “It’s a bell curve between flexibility, convenience, and security. You can make it very easy for people to walk up, check in and jump on a plane – but how do you know it was the right person, and that you’ve asked enough questions to prove who they are?”
That consideration is a real issue in conventional enterprise deployments, as well.
As businesses wrestle with reining in bring your own device (BYOD) policies that have seen them flooded with employee smartphones and tablets, enterprise security managers must balance the need to securely authenticate users with the need to not make that process unduly burdensome.
That’s why two-factor authentication (2FA) has grown in popularity, since it combines conventional password-based authentication with a layer of security based on a message delivered to a hardware device.
Those authentication codes aren’t generally used for encryption, but they could be – and that’s why Brant sees importance in remembering where we’ve come from when planning contemporary endpoint-security policies.
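As an added example (not code from the article or from Brant), the following Python sketch shows the server side of the 2FA flow described above: the password is checked first, and only then is a short-lived, single-use code issued for delivery to the user's device. The `TwoFactorAuth` class, its parameters and the user records are constructed for the example; returning the code from `begin_login` stands in for the out-of-band delivery step.

```python
import hashlib
import hmac
import secrets
import time


class TwoFactorAuth:
    """Constructed toy verifier for password + delivered one-time code."""

    CODE_TTL_SECONDS = 300    # a delivered code is only valid for a short window
    MAX_CODE_ATTEMPTS = 5     # six digits are guessable without an attempt cap
    PBKDF2_ROUNDS = 100_000   # kept low for the demo; raise it (or use scrypt/argon2) in production

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested deterministically
        self._users = {}       # username -> (salt, password hash)
        self._pending = {}     # username -> {"code", "expires", "attempts"}

    def _hash_password(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_password(password, salt))

    def check_password(self, username, password):
        """Factor one: something the user knows."""
        if username not in self._users:
            self._hash_password(password, b"\x00" * 16)  # same work for unknown users
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(self._hash_password(password, salt), stored)

    def issue_code(self, username):
        """Factor two: the code that would be sent to the user's device."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = {
            "code": code,
            "expires": self._now() + self.CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def check_code(self, username, code):
        """Single use, time limited, attempt limited, constant-time compared."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= self.MAX_CODE_ATTEMPTS:
            del self._pending[username]  # expired or locked out: force a fresh code
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"].encode(), code.encode()):
            del self._pending[username]  # consumed: a replayed code must not work
            return True
        return False

    def begin_login(self, username, password):
        """Step one: password check. A code is issued (and would be delivered) only on success."""
        if not self.check_password(username, password):
            return None
        return self.issue_code(username)

    def complete_login(self, username, code):
        """Step two: the delivered code proves possession of the device."""
        return self.check_code(username, code)


if __name__ == "__main__":
    auth = TwoFactorAuth()
    auth.register("alice", "correct horse battery staple")  # constructed account
    code = auth.begin_login("alice", "correct horse battery staple")
    print("code delivered to device:", code)
    print("first use:", auth.complete_login("alice", code))
    print("replay:", auth.complete_login("alice", code))
```

The design choices are the ones that matter for the convenience-versus-security trade-off Brant describes: the code is short enough to type from a phone, so it is only safe because it expires quickly, is consumed on first use and cannot be guessed more than a handful of times.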
“Security isn’t anything new in a digital world,” he says. “It’s always been around, but these days it’s probably a bit more front-of-mind. People always had sensitive client records locked in their businesses – but you had to go to the business to take them, whereas now you just have to go to a keyboard.”
The other security problem
Authentication is only one of the problems setting the agenda for today’s information-security managers: the other significant endpoint that must be secured is humans themselves.
That can be even harder than securing devices, since humans have a habit of doing unpredictable or simply habitual things even when they’ve been told not to – like clicking on emails that may well lead them to malware.
“Sometimes technology isn’t always the answer,” Brant says. “People still open spam emails and click on the wrong link, and in the cold hard light of day you show them and they say, ‘I don’t know why I did that’.
“It’s normally when they’re rushing, multitasking, finishing a few emails as they race out the door. The only way to stop them, technically, is to stop all emails and that’s not feasible.”
More workable alternatives include actively testing users’ tendency to click by subscribing to a simulated-phishing (self-spamming) service, as well as encouraging (or forcing) them to undergo online training courses, webinars, and other activities.
Brant also points out the merits of threat-intelligence services – which offer better analytical tools for keeping up with the general threat climate, and correlating user activities to known dangerous sites – as well as the need to keep on top of patching the many applications used in the typical enterprise.
“You’ve still got many businesses out there that are still on unpatched software and doing no maintenance,” he says. “They have never changed their passwords.”
“It’s just a risk waiting to happen, unfortunately, and I don’t know how you get the message across.”
Getting the message across
Ultimately, both past and current experience have reminded Brant that security in enterprises, as in the military, is something that must be lived and breathed every day.
Regular security drills and tests are a significant part of this: “It’s like being a firefighter in that you train for the unfortunate situation,” he explains. “It’s for a situation that you don’t want to happen.”
That includes regular liaisons with board and C-level executives to frame the current threat climate in terms of business risk and compliance with mandates such as privacy protections and the looming threat of sanctions under the notifiable data breaches (NDB) scheme.
“The beauty of NDB is that it raised the issue at the board and executive level, and it became easier to have those non-technical discussions around the data and the risks it poses.
“It has been easy for organisations to get the support of executive committees to put more rigorous processes in place so that things aren’t, for example, just put online.
“They need to be assessed and approved, with consideration of the implications if it does get breached.”
That includes evaluating the need for processes that rely on personal data – for example, the use of driver licences for authentication – and a cold hard look at how long that data must be retained.
“I had good habits drilled into me in the military days,” Brant says. “Security is just an integral part of everything you do, and sometimes the easiest way to get rid of a data risk is to just purge it.”
“Every new project, and every new system, must be considered in the same way we look at availability and maintainability, performance, and redundancy.”
“It’s all about that matrix between flexibility, convenience, and process; to make sure you keep security at the endpoint.”
Nick Brant is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.