When sensitive information is transmitted outside of trusted systems, it should be encrypted to preserve confidentiality. Few consumers would want their credit card information transmitted through the Internet as plain text. Even when data is stored on an organization's own devices, it is sometimes encrypted to prevent information theft. Several high-profile laptop thefts have raised awareness about the dangers of storing large quantities of personally identifying information on mobile devices.
Even when encryption is used, threats to confidentiality still exist. Two such threats are cryptographic attacks, or attempts to break the encryption code, and the loss of a private key in a public key cryptography system. The best method for countering cryptographic attacks is to use strong cryptography and properly manage the private key. Strong cryptography is based on sound encryption algorithms and long keys. For example, the Advanced Encryption Standard (AES), adopted as a standard by the U.S. government, can use 256-bit keys. Although in theory, a brute force search of all possible keys could be used to break this encryption, the time required to conduct such a search is so long as to be impractical. Of course, anyone in possession of the private key can decrypt even the most strongly encrypted message. It is imperative that private keys be securely distributed and stored to ensure that security is not compromised.
An important factor in the use of cryptography is that information should be encrypted only as long as that information is useful or not publicly available. Documents detailing a merger negotiation would be kept confidential during the negotiations, but once the deal is finalized and announced, the contents of those documents are far less valuable.
How to Assess and Mitigate Information Security Threats
Malware: The ever-evolving threat
Information theft and cryptographic attacks
Attacks targeted to specific applications
Threats to physical security
Balancing the cost and benefits of countermeasures
This chapter excerpt from the free eBook The Shortcut Guide to Protecting Business Internet Usage, by Dan Sullivan, is printed with permission from Realtimepublishers, Copyright 2006.