Encryption in cyber security refers to data conversion from a readable format to an encoded format. This takes place in data transmission between systems where the data can be read and processed after it has been decrypted. Encryption has become an important factor in organisations because it allows data to be processed in a secure manner while preventing malicious actors from accessing confidential information.
Everyone, every day uses encryption, whether you are messaging on WhatsApp, online shopping, or simply reading this article over a secure HTTPS connection, it is a key component of our lives. As for an individual, using messaging apps such as WhatsApp, end-to-end encryption is built within the applications to encrypt messages, photos, videos, voice notes and messages. By encrypting the data, Meta assures its users that their data is strictly confidential and in case of breach, users’ data cannot be read if accessed by a threat actor.
If we look inside an organisation, encryption forms part of services being used on a daily basis such as VPN connections, card payment services, password protection services, end-to-end encrypted network connections, encrypted access to servers, computers and cloud service and even Microsoft services. Encryption in those cases will run in the background to provide a secure traffic and communication between users and the required service. For example, an email sent from one user uses secure and encrypted transmission before the receiver opens the email. By applying encryption into services, providers reduce the risks of data masking and manipulation by an advance persistent threat.
A threat actor targeting systems will do anything to get inside an organisation’s systems, if successful, they would scour through networks and look for plain text communications between systems and servers. If encryption is applied within the systems, the Advanced Persistent Threat (APT) could only see encrypted traffic, which makes it harder for the APT to inject any malware and cripple the organisation’s data. In the past APT has accessed information and conducted a ransomware attack by encrypting files and systems while denying users from performing their daily activities. To reduce the risks of an APT accessing an organisation’s infrastructure and systems, organisations should:
The UK GDPR requires organisations to process data in a secure manner; with that said, organisations are recommended to have policies that outline how encryption should be implemented and maintained, as well as show that staff are aware of encryption. The Information Commissioner’s office (ICO) recommends that encryption should meet certain standard while transmitting personal data. On the other hand, PCI DSS encourages organisations to take adequate precautions to protect cardholders’ data. Some of the advice provided are: to build secure networks; perform vulnerability management programs; implement strong access controls; monitor and test networks; and maintain an information security policy.
Understand business processes requiring encryption
Understand areas in businesses where encryption is being used and verify if the traffic is secure, for example, card machines, interconnected devices and cloud connections. This cryptographic protocol exercise can help organisations check their level of compliance as they report to regulatory bodies such as GDPR, PCI DSS. This exercise can also help auditors to identify gaps within the infrastructure as well as justifying that encryption is implemented safely.
Encryption between SAP systems
As SAP Security experts, Turnkey can help with verifying the encryption configuration between end-to-end SAP Systems by checking the Remote Function Call (RFC) connection. From this analysis, secure connections between systems can be analysed to check for any misconfiguration. In addition, by conducting red teaming exercises, we help organisations to understand the amount of data that could be exposed to an APT, should there be an attack. By outlining the gaps, we help organisations to narrow down the risks of a data breach.