Security Threats Aren't Mitigated By Details - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
12/18/2008
03:18 PM
Mike Fratto
Mike Fratto
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Threats Aren't Mitigated By Details

Good security programs start with asking the right questions. All too often, security and network engineers sweat the details of some security technology or other and don't examine the most likely sources of attack. I recently overhead the question "How long should I set an IPSec VPN rekey time interval?" Answer the question by asking how worried you are about an attacker breaking into your VPN and how that might be accomplished.

Good security programs start with asking the right questions. All too often, security and network engineers sweat the details of some security technology or other and don't examine the most likely sources of attack. I recently overhead the question "How long should I set an IPSec VPN rekey time interval?" Answer the question by asking how worried you are about an attacker breaking into your VPN and how that might be accomplished.This is one example where the answer depends on a lot of factors, such as: how sensitive is the data that is being protected, who the potential attackers are and their skill and funding levels, what requirements attackers need to achieve to pull off the attack successfully, and for how long the data needs to be protected.

The real question asks whether the data is properly protected from attack at rest and in transit. Let's make the assumption that the IPSec VPN product implements the cryptographic stuff properly and there are no bugs or problems that can be exploited. The only way to break the VPN is to crack the key. For a 112-bit 3DES key, there are 5.19e+33 possible keys. For a 168-bit 3DES key, 3.74e+50 possible keys. Assume 1,000,000 guesses per second and the time to guess the key works out to, um, forever.

Chances are, unless there is a problem with the IPSec VPN gateways cryptographic system, recovering the key would be difficult. Re-keying periodically generates a new key and is used so that if an attacker guesses the key, they can only recover a portion of the data before having to crack a new key. If you use perfect-forward secrecy, a feature where the new key isn't related to the existing key, the attacker has to crack a brand new key to get more of the data. This was important when people still used 56-bit DES and cracking a 56-bit DES key was in reach. With 112- or 168-bit keys, fuggedaboutit.

Unless your company is a target of a well-funded corporation or government, there is probably no practical reduction in risk if you don't rekey the VPN or use perfect-forward secrecy because the costs of even attempting to crack a 112- or 168-bit key are large. There is no harm, or cost, in using those features, either, and turning them on may help you sleep at night knowing that cracking your VPN is that much more difficult.

It's more likely your data will be compromised by a trusted insider, social engineering, a lost USB device, a tape falling off the back of a truck, or by this guy or by that guy. Low-tech attacks are cheap and successful.

Targeted, technical attacks, the kinds of attacks where someone would try to crack your VPN keys, are more costly to pull off and more likely to fail than a low-tech breach. For the cost of a plane ticket and some custom shirts with a logo, you can probably walk into most businesses as a copier-repair technician and be running around the network in 15 minutes.

Information security is more than technology. Information security is a mindset that prioritizes threats and targets so you can spend your time protecting the most valuable and at-risk targets in a way that has practical impact. Using a VPN to encrypt sensitive data on the network is a great idea, but don't get so lost in the details that you lose sight of big picture.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
10 RPA Vendors to Watch
Jessica Davis, Senior Editor, Enterprise Apps,  8/20/2019
Commentary
Enterprise Guide to Digital Transformation
Cathleen Gagne, Managing Editor, InformationWeek,  8/13/2019
Slideshows
IT Careers: How to Get a Job as a Site Reliability Engineer
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/31/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
Slideshows
Flash Poll