Protecting Data with Transport Encryption
Transport encryption methods encrypt data before it is transmitted, providing protection of data in transit. The primary risk of sending unencrypted data over a network is a sniffing attack. Attackers can use a sniffer or protocol analyzer to capture traffic sent over a network. The sniffer allows attackers to read all the data sent in cleartext. However, attackers are unable to read data encrypted with a strong encryption protocol.
As an example, web browsers use Hypertext Transfer Protocol Secure (HTTPS) to encrypt e-commerce transactions. This prevents attackers from capturing the data and using credit card information to rack up charges. In contrast, Hypertext Transfer Protocol (HTTP) transmits data in cleartext.
Almost all HTTPS transmissions use Transport Layer Security (TLS 1.1) as the underlying encryption protocol. Secure Sockets Layer (SSL) was the precursor to TLS. Netscape created and released SSL in 1995. Later, the Internet Engineering Task Force (IETF) released TLS as a replacement. In 2014, Google discovered that SSL is susceptible to the POODLE attack (Padding Oracle On Downgraded Legacy Encryption). As a result, many organizations have disabled SSL in their applications.
178 Chapter 5 ■ Protecting Security of Assets
Organizations often enable remote access solutions such as virtual private networks (VPNs). VPNs allow employees to access the organization's internal network from their home or while traveling. VPN traffic goes over a public network, such as the internet, so encryption is important. VPNs use encryption protocols such as TLS and Internet Protocol security (IPsec).
IPsec is often combined with Layer 2 Tunneling Protocol (L2TP) for VPNs. L2TP transmits data in cleartext, but L2TP/IPsec encrypts data and sends it over the internet using Tunnel mode to protect it while in transit. IPsec includes an Authentication Header (AH), which provides authentication and integrity, and Encapsulating Security Payload (ESP) to provide confidentiality.
It's also appropriate to encrypt sensitive data before transmitting it on internal networks. IPsec and Secure Shell (SSH) are commonly used to protect data in transit on internal networks. SSH is a strong encryption protocol included with other protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP). Both SCP and SFTP are secure protocols used to transfer encrypted files over a network. Protocols such as File Transfer Protocol (FTP) transmit data in cleartext and so are not appropriate for transmitting sensitive data over a network.
Many administrators use SSH when administering remote servers. The clear benefit is that SSH encrypts all the traffic, including the administrator's credentials. Historically, many administrators used Telnet to manage remote servers. However, Telnet sends traffic over a network in cleartext, which is why administrators understand that it should not be used today. Some people suggest that using Telnet within an encrypted VPN tunnel is acceptable, but it isn't. Yes, the traffic is encrypted from the client to the VPN server. However, it is sent as cleartext from the VPN server to the Telnet server.
Secure Shell (SSH) is the primary protocol used by administrators to connect to remote servers. Although it is possible to use Telnet over an encrypted VPN connection, it is not recommended, and it is simpler to use SSH.
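As an added example (not code from the book), the following Python script audits a few constructed flow records for the cleartext protocols named above (Telnet, FTP, HTTP) and reports the encrypted replacement for each. The record format and the VPN server address 10.0.0.5 are assumptions made for the example; a Telnet flow whose source is the VPN server is still flagged, because the VPN tunnel ends there and that hop is cleartext.

```python
from collections import Counter

# Destination port -> (cleartext service, encrypted replacement recommended above).
CLEARTEXT_SERVICES = {
    23: ("telnet", "SSH"),
    21: ("ftp", "SFTP or SCP over SSH"),
    80: ("http", "HTTPS"),
}

# Assumption for this example: 10.0.0.5 is the VPN server's internal address.
VPN_SERVER_ADDR = "10.0.0.5"

# Constructed sample records, one flow per line: "timestamp src dst dport".
SAMPLE_FLOWS = """\
2024-01-15T09:00:01 10.0.0.5 10.0.1.20 23
2024-01-15T09:00:05 10.0.0.44 10.0.1.20 22
2024-01-15T09:01:10 10.0.0.44 10.0.1.30 21
2024-01-15T09:03:00 10.0.0.12 10.0.1.40 443
2024-01-15T09:03:30 10.0.0.12 10.0.1.40 80
"""

def audit_flows(text, vpn_server=VPN_SERVER_ADDR):
    """Return one finding per cleartext flow. A flow sourced from the VPN
    server is flagged separately: the tunnel ends there, so that hop is
    cleartext even though the client-to-VPN leg was encrypted."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        service = CLEARTEXT_SERVICES.get(int(dport))
        if service is None:
            continue  # SSH (22) and HTTPS (443) are encrypted; nothing to report
        name, replacement = service
        issue = "cleartext beyond VPN server" if src == vpn_server else "cleartext"
        findings.append({"src": src, "dst": dst, "service": name,
                         "issue": issue, "use_instead": replacement})
    return findings

def summarize(findings):
    """Count flagged flows per cleartext service for a short report."""
    return Counter(f["service"] for f in findings)

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']} ({f['service']}): {f['issue']}; use {f['use_instead']}")
```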
Determining Ownership
Many people within an organization manage, handle, and use data, and they have different requirements based on their roles. Different documentation refers to these roles a little differently. Some of the terms you may see match the terminology used in some NIST documents, and other terms match some of the terminology used in the European Union (EU) General Data Protection Regulation (GDPR). When appropriate, we've listed the source so that you can dig into these terms a little deeper if desired.
One of the most important concepts here is ensuring that personnel know who owns information and assets. The owners have primary responsibility for protecting the data and assets.