Into the Unknown
As I travel around doing security assessments, audits and visits, I am often asked to share or distribute some of the very sensitive information that I collect on my journeys. Recognizing that it is delicate (even dangerous) information that must be communicated, I inquire as to how the recipient would like to receive this “top secret” data. Far too often the response is, “Just email it to me.”
“Okay, what do you use for decrypting the payload?” I ask.
“… um, decrypting what?”
“Well, since this is sensitive information, it needs to be safeguarded with encryption.” I continue, “That means either a secure channel or a secure payload needs to be created. You’ve requested we use email but since email is not a secure-channel communication I assume you are requesting a secure payload. Therefore, I will need to protect it with any one of a number of available alternatives. So, which one do you use?”
“Oh, we don’t have any of that.”
This is the part that surprises me the most. It’s not the unfamiliarity with encryption mechanisms or algorithms or tools. Encryption is complicated. I get that. It’s that I seem to be the first person to ever have this conversation with them. Is this really the first time they’ve ever needed to send or receive sensitive information?
Secure Channel vs. Secure Payload
Sensitive information needs to be protected from unauthorized disclosure.
To do this you can encrypt the channel (e.g. the route of transmission), encrypt the payload (e.g. messages, documents, files) or both (for the “belt and suspenders” types). Electronic channels are normally encrypted with VPN, SSL, TLS or SFTP. Payloads are usually encrypted using tools such as PGP, WinRAR or others.
Pigeons and Plain-text
Think of it this way. You have a file that contains all of your banking information, medical history, payroll data, personnel reviews, PINs and passwords. You place this file on a USB thumb drive and need to deliver it securely to your lawyer on the other side of town. There are a number of ways to “convey” this data across town:
- Put it in your pocket and take it yourself
- Send it in the mail
- Hire that guy in the movie, “The Transporter”
- Train a pigeon
- Lock it in a sealed blast-resistant box and use a bonded, armored courier service with gun-toting guards.
Obviously, some choices are better than others but they all have one thing in common. The file itself is still plain-text that could be read by anyone who intercepts it, finds it when it becomes lost or waits until it has been delivered and steals it once the lawyer leaves his office. In other words, no matter how secure the channel is, the contents can always be read by anyone who gets the file.
If the file on the USB drive is encrypted, however, it doesn’t matter if the mailman loses it or if the pigeon drops it or the office cleaning crew tries to read it during their break. It’s still protected. That is a secure payload.
Crypto for Humans
So, although the world of cryptography can be a mathematically mind-boggling career choice better left to geeky NSA-types, there is no need for us humans to be intimidated into inaction when it comes to protecting our confidential stuff. All we need is a tool and the awareness of when to use it.