CompTIA CySA+ (CS0-003) Certification Guide

You're reading from CompTIA CySA+ (CS0-003) Certification Guide: Pass the CySA+ exam on your first attempt with complete topic coverage, expert tips, and practice resources

Product type: Paperback
Published in: Apr 2025
Publisher: Packt
ISBN-13: 9781835468920
Length: 742 pages
Edition: 1st Edition
Author: Jonathan Isley

Encryption and Data Protection

Hashing and encryption are essential elements in many layers of security. They help protect the confidentiality and integrity of networks, hosts, and data. Their importance is underscored by the fact that most security controls include them as built-in, established features.

As you continue to develop secure system designs, you need to ensure that you understand where and how encryption and hashing are used. Data should, whenever possible, be protected at rest and in transit, typically with encryption and hashing. It is often easy to protect data in one of these states, such as encrypting it while it is stored. However, additional scrutiny may reveal gaps, such as the data being encrypted during storage but lacking protection when transmitted over the internet. An example of this is the use of cloud storage services. A company may store sensitive customer data encrypted at rest on the cloud provider’s server. This ensures security and privacy while it is stored. However, the company does not protect the data while it is being transmitted, such as when it is being uploaded or downloaded. This allows an attacker to intercept and read this sensitive private data in plaintext. This underscores the need for comprehensive security measures that cover all stages of data handling. In this section, you will learn about the CySA+ objectives that are related to these principles, such as public key infrastructure, Secure Sockets Layer, and data loss prevention. A review of two important data types, personally identifiable information and cardholder data, is also included.

Public Key Infrastructure

The public key infrastructure (PKI) encompasses a collection of protocols, rules, and procedures designed to establish secure communication using asymmetric cryptography. It facilitates identity verification and offers confidentiality, integrity, and authentication. Some example uses include digital signatures, encryption, and user or device authentication.

The PKI is made up of several parts, including a certificate authority (CA), a registration authority (RA), public and private keys, a key directory, digital certificates, and certificate revocation lists (CRLs). A CA is a trusted entity that verifies identities and then issues certificates; they also revoke certificates and share CRLs with entities. An RA works with the CA to help facilitate the identity verification process.

Figure 1.40 is a visual depiction of the high-level PKI certification request process, including the four main steps. A key directory is used to store PKI-related elements, such as private keys and digital certificates issued.

Figure 1.40: PKI certificate request process


Digital certificates are issued from the CA and contain public keys. A CRL is published by a CA and shared with subscribed entities, listing which certificates are revoked and no longer valid, so systems will no longer trust them. It is not uncommon to find organizations running their own internal PKIs to establish trust between internal systems.

Note

The CompTIA CySA+ exam may ask more targeted questions about the backend asymmetric process used by PKI, and may also compare it with symmetric encryption options.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a cryptographic protocol used to create secure and encrypted connections over the internet. It is still common to see TLS referred to as SSL, but all versions before 1.3 are considered insecure due to known flaws. SSL 1.0 was never publicly released, as it had significant security issues. SSL 2.0 had flaws such as downgrade attacks, weak cipher suites, no message integrity checks, and no support for modern cryptographic algorithms. SSL 3.0 also has weak cipher suites and no forward secrecy, while also being vulnerable to POODLE attacks. TLS 1.0 supported weak cipher suites and was vulnerable to padding oracle attacks such as the BEAST attack. TLS 1.1 also supported weak cipher suites and still did not fully address the padding oracle vulnerabilities that POODLE and BEAST were based on. TLS 1.2 supported RC4, which has since been found to be insecure, did not require forward secrecy by default, and still has the potential for downgrade attacks.
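As an added example (not from the book), the following Python helper applies this paragraph on the defensive side: a client context that refuses everything below TLS 1.2 and excludes RC4 and non-forward-secret suites, plus an audit over a constructed log of TLS sessions that flags the deprecated versions and weak ciphers listed above. The `client=... proto=... cipher=...` log format and the sample lines are assumptions for the example.

```python
import re
import ssl
from collections import defaultdict

# Protocol names the text describes as insecure (everything below TLS 1.3 has known
# flaws; TLS 1.2 with forward-secret, non-RC4 suites is the usual floor in practice).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and drops RC4/non-PFS suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    # Applies to TLS 1.2 suites only (TLS 1.3 suites are fixed and always forward secret):
    # require ECDHE for forward secrecy and exclude RC4, NULL and MD5-based suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!MD5")
    return ctx


LOG_RE = re.compile(r"client=(\S+) proto=(\S+) cipher=(\S+)")  # assumed log format


def audit_tls_log(lines):
    """Return {client: [findings]} for sessions using a deprecated protocol or weak cipher."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, proto, cipher = m.groups()
        if proto in INSECURE_PROTOCOLS:
            findings[client].append(f"deprecated protocol {proto}")
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings[client].append(f"weak cipher {cipher}")
        elif not cipher.startswith(("ECDHE", "DHE", "TLS_")):
            findings[client].append(f"no forward secrecy {cipher}")  # static RSA key exchange
    return dict(findings)


# Constructed sample sessions, not real traffic.
SAMPLE_LOG = [
    "client=10.0.0.5 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384",
    "client=10.0.0.7 proto=TLSv1 cipher=RC4-SHA",
    "client=10.0.0.9 proto=TLSv1.2 cipher=AES128-SHA",
    "client=10.0.0.7 proto=SSLv3 cipher=DES-CBC3-SHA",
]

if __name__ == "__main__":
    for client, issues in audit_tls_log(SAMPLE_LOG).items():
        print(client, issues)
```

Running the audit before raising the server's protocol floor shows which legacy clients will break, which is the risk decision the text asks for.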

Since SSL/TLS encrypts data in transit, specialized tools and devices are necessary to monitor it and enforce security policies. These solutions use SSL decryption, also called SSL inspection, to do so. This is often done with a proxy that decrypts the channel, performs its own evaluation or monitoring of the traffic, and then re-encrypts it before sending it on to the next hop. It may also send a copy of the decrypted data to other security solutions, such as an IDS, IPS, or data loss prevention system, to further evaluate the data. This can help identify more advanced malicious traffic being sent over encrypted channels. This type of activity should be done based on a risk decision, as it brings its own complexity and administrative burden to the organization. One example of this administrative burden is sharing your organization's full certificate trust web with the SSL inspection device so that it can decrypt TLS connections.

Data Loss Prevention

Data loss prevention (DLP) systems act as guardians to keep sensitive information safe within an organization. They help prevent unauthorized access, sharing, or exposure of data, operating against data at rest and data in transit. To facilitate these functions, they may integrate with other security solutions. One example is integrating with a proxy that intercepts all network traffic, which the DLP analyzes for sensitivity to prevent data leakage or sharing. DLP systems require consistent tuning and maintenance to ensure they are aware of the proper data and data types to protect. They often come with pre-created templates to monitor, such as one for social security numbers, but even these may require tuning.

Personally Identifiable Information

Personally identifiable information (PII) is any information that may be used to identify a specific person, either alone or in conjunction with other data. The types of PII can be quite extensive and can include name, address, phone number, social security number, and date of birth. Aside from general privacy benefits, it is a good idea to protect this data as it can be abused for attacks such as identity theft. Other nefarious uses include guessing security question answers and obtaining additional factors used for authentication. Regulations and rules around the protection of PII vary from state to state and from country to country.

Some examples include the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). Further subsets of PII include protected health information (PHI) and cardholder data (CHD). PHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA). These are just a few examples of regulations that have specific requirements for the handling and protection of data.

CHD

CHD is like the blueprint of your credit card. It typically includes the account number, cardholder name, and expiration date. It also encompasses sensitive authentication data (SAD), which could be magnetic stripe data, card verification value (CVV), or even the PIN. The Payment Card Industry Data Security Standard (PCI DSS) dictates the regulations on how organizations must handle, process, and store cardholder data. It is designed to help secure and protect information about CHD and credit card transactions. Non-compliance with this standard can cause financial penalties, reputational damage, and loss of trust from both customers and financial institutions.
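As an added example (not from the book), here is a small Python DLP-style scanner for the two data types discussed in the Data Loss Prevention and CHD sections: a social security number template and a card number (PAN) template, each with the tuning a practitioner adds so the pattern fires on plausible values rather than any digit run, and reporting findings masked so the DLP alert itself does not leak the data. The function names and the sample ticket text are assumptions constructed for the example.

```python
import re

# Untuned templates are pure patterns; the tuning below adds the validity rules
# (SSN issuance ranges, Luhn check digit) that cut false positives on IDs and tracking numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits with optional space/dash separators


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers; weeds out random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str, tuned: bool = True) -> list:
    """Return (type, masked_value) findings; tuned=False behaves like an untuned pattern-only template."""
    findings = []
    for m in SSN_RE.finditer(text):
        if not tuned or ssn_is_plausible(*m.groups()):
            findings.append(("SSN", f"***-**-{m.group(3)}"))  # never write the full SSN to an alert
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not tuned or luhn_ok(digits):
            findings.append(("PAN", "*" * 12 + digits[-4:]))  # PCI DSS: show at most the last four
    return findings


# Constructed sample ticket text; 4111 1111 1111 1111 is the well-known test card number.
SAMPLE_TEXT = (
    "Employee 123-45-6789 reported order 000-12-3456 failed; "
    "card 4111 1111 1111 1111 declined, tracking 1234 5678 9012 3456."
)

if __name__ == "__main__":
    print(scan(SAMPLE_TEXT))
    print(len(scan(SAMPLE_TEXT, tuned=False)), "hits before tuning")
```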

This section covered key concepts in encryption and data protection essential for securing sensitive information. PKI was discussed as a framework for managing encryption keys and digital certificates to ensure secure communication. The evolution of SSL to its latest version, TLS 1.3, highlighted improvements in security protocols. DLP strategies were explored to protect against data breaches and ensure compliance with regulations. Additionally, the importance of safeguarding PII and CHD was discussed, focusing on the specific regulations that govern these types of sensitive data. Understanding these elements will help you implement robust data protection measures in your security strategy.
