Encryption may be a topic you give passing attention to only when a security advisory demands it. Rather than summarising the state of the art in encryption technology, this article covers four practical applications of encryption that might have gone unnoticed recently.
Encrypting mobile endpoints (BitLocker for Windows, FileVault 2 for macOS) is now likely part of your standard operating environment builds. The performance impact and inconvenience to your end users are now negligible, but the security benefit of protecting the data on lost devices is massive. You may wish to confirm that you are using tools to manage the enterprise encryption keys, so that you can recover locally stored data when devices are returned without access to a local user account.
To maximise the data security on your end users’ Windows devices, consider the following security settings for your group policy:
- Enable “Force BitLocker keys to be sync’d to AD Directory Services (AD DS)” in Recovery Options to prevent BitLocker encryption from starting before the recovery keys are stored in AD
- Force Secure Boot and UEFI platform validation
- Require PINs of at least 6-8 alpha-numeric characters
- Enable BitLocker with a unique PIN per device
- Store the PIN in a secure password store
- Share the PIN with the end user when delivering the device
Provided it remains secret, the complex PIN reduces the risk of a brute-force attack. This protects the encryption keys stored in the device’s hardware vault (the Trusted Platform Module, or TPM). In turn, this protects the data from being stolen should the internal drive be installed in a different computer, or should an adversary attempt to use pre-boot or alternate-boot tools to read the drive.
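A way to check a device against the settings listed above, as an added example that is not part of the original article: it reads the BitLocker status of the system drive, confirms Secure Boot and TPM readiness, checks that a TPM+PIN protector and a recovery password exist, and inspects the FVE policy registry values. The function name and the treatment of an absent MinimumPIN value are assumptions made here.

```powershell
#Requires -RunAsAdministrator
# Audit one Windows device against the BitLocker baseline described above.
# Registry value names under the FVE policy key are the documented BitLocker
# group policy values; the function name is a local convention of this example.
function Test-BitLockerBaseline {
    param([string]$MountPoint = $env:SystemDrive)

    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol    = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $tpm   = Get-Tpm
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint          = $MountPoint
        SecureBootEnabled   = $secureBoot
        TpmReady            = [bool]$tpm.TpmReady
        VolumeStatus        = $vol.VolumeStatus
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        HasTpmPinProtector  = ($types -contains 'TpmPin')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        # "Do not enable BitLocker until recovery information is stored to AD DS"
        AdBackupRequired    = ($pol.OSRequireActiveDirectoryBackup -eq 1)
        # Minimum PIN length policy; the article asks for at least 6 characters
        PinLengthPolicyOk   = ([int]$pol.MinimumPIN -ge 6)
        EnhancedPinAllowed  = ($pol.UseEnhancedPin -eq 1)
    }
}

# Escrow an existing recovery password to AD DS for a volume that has one.
function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) { throw "No recovery password protector on $MountPoint" }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId
}

# Run the audit and flag anything that does not meet the baseline.
$result = Test-BitLockerBaseline
$result | Format-List
$result.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { Write-Warning "Baseline check failed: $($_.Name)" }
```

Run it before shipping a device, and again after any image or policy change; a failed AdBackupRequired or HasRecoveryPassword check means a lost device may be unrecoverable.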
Entering a PIN during boot to unlock the encryption keys in the TPM works for end-user workflows but isn’t practical for server deployments. Servers need to perform unattended reboots during maintenance windows and, for hosted or cloud deployments, the server console isn’t accessible anyway. For Windows servers, this can be addressed by using a startup key (a USB device that contains the key to unlock the TPM) or Network Unlock. The latter employs a LAN-connected server that provides the host keys to unlock the TPM during pre-boot. You might consider BitLocker Network Unlock to complement the physical security of your server and to reduce the potential for data loss when decommissioning the server.
We help many of our customers reduce the costs of managing another type of encryption key on many servers – the digital certificates that enable servers to offer HTTPS/TLS (SSL) services. In 2018 browsers started flagging non-encrypted sites as insecure – a great initiative for uplifting general internet security, but one that brings challenges, particularly for internal developers and internal legacy web applications. If you’re still clicking past “insecure website” warnings for your applications, rather than normalising this insecure response, take a look at Let’s Encrypt. They provide free SSL certificates that browsers trust and a wide variety of methods for automating certificate renewals.
Finally, two technologies your security engineers may be evaluating this year are DoH and WireGuard. DNS over HTTPS (DoH) is one technique for encrypting lookups in the Internet phonebook (the Domain Name System), yielding a variety of privacy and security benefits for users. WireGuard is an emerging virtual private network (VPN) technology that addresses performance, scalability and manageability problems with IPsec. It is very user friendly, has broad cross-platform support and was integrated into the Linux kernel in 2020, with Linus Torvalds describing the implementation as a “work of art” compared with OpenVPN and IPsec.
At Brace168 we’re monitoring developments in cryptography and other security tools every day. We’re constantly helping customers uplift their security position while balancing commercial constraints and business needs. Please don’t hesitate to contact us to discuss how our expert cybersecurity consultants and state-of-the-art Security Operations Centre (SOC) with 24/7 monitoring can help secure your business.