Invitation to Cybersecurity

adopt a second factor. For most users the most convenient second factor is a push-based smartphone app. Another option is investing in a security key (see Section 8.1.3.3).

9.2.2 Use Cryptography

Cryptography is the bedrock of cybersecurity. It is how cyberspace information is protected from theft and manipulation. Data needs to be protected in storage (at rest) and during transmission over computer networks (in transit). This section will highlight some best practices in both areas.

9.2.2.1 Protect Data at Rest

Data at rest is data stored on a computer's hard drive and on removable media. This includes all kinds of data such as personal documents, pictures, and videos. If the data is not encrypted, then it can be viewed by anyone who gains physical access to the storage medium. For example, if data is copied onto a thumb drive as a backup or for physical transport, and if that thumb drive is lost, stolen, or "borrowed" for a period of time, then the information on it is not secure by default. Anybody who comes into possession of the drive can plug it into a computer and access all of the information on it. The same holds true for a laptop or smartphone. A person with full physical access to a computing device can bypass operating system-based access controls by directly reading the data stored on the device's hard drive.

A better approach for disk storage is to use full disk encryption. Full disk encryption stores data in encrypted form and decrypts and encrypts data transparently as needed. When full disk encryption is used, if an attacker gains physical access to a device, its data is encrypted and is of no value to the attacker. Because it works transparently in the background, the user experience is not affected: encryption and decryption occur automatically. The data is unlocked with a master key, typically at log-in time.

Windows has a built-in disk encryption utility called BitLocker. BitLocker can be used to encrypt an entire hard drive and removable media devices. For removable media, if data is transported from one computer to another, BitLocker must be installed on the destination computer. In addition to BitLocker, there are a variety of other disk encryption utilities; some cost money and others are free.

Data at rest can also be encrypted in a one-off fashion with encryption software. OpenSSL is a free command line utility that performs a large variety of cryptographic operations. OpenSSL includes several different encryption algorithms. It comes installed by default on Linux and macOS systems and can be added to Windows devices. It can be used for symmetric key and public key cryptography, for creating hashes and message authentication codes, and for many other purposes. If used properly, OpenSSL can encrypt files that no person or government could ever hope to decrypt, the highest standards of cryptography available. Figure 9.9 shows a file named secret being encrypted as secret.crypt with the Advanced Encryption Standard (AES) cipher and a user-supplied password as the key. In this example, the security of the encryption resides in the password,
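
An added example (not from the book, and not the command shown in Figure 9.9): one way to do the password-based AES file encryption described above with `openssl enc`, then confirm that only the right password recovers the file. It assumes OpenSSL 1.1.1 or later; the function names, passwords, iteration count and file contents are constructed for illustration.

```shell
# Added example. Assumes OpenSSL 1.1.1+ (for -pbkdf2/-iter). File names follow
# the text (secret -> secret.crypt); passwords and contents are constructed.
ITER=200000   # PBKDF2 iteration count (assumed value); slows password guessing

# encrypt_file IN OUT PASSWORD
# The password travels in an environment variable so it does not show up in
# the process list, as it would with "-pass pass:...".
encrypt_file() {
    ENC_PW="$3" openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass env:ENC_PW
}

# decrypt_file IN OUT PASSWORD
decrypt_file() {
    ENC_PW="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass env:ENC_PW 2>/dev/null
}

# recovers_plaintext ORIGINAL ENCRYPTED PASSWORD
# Returns 0 only if decrypting with PASSWORD reproduces ORIGINAL byte for byte.
# Comparing matters: CBC is unauthenticated, so a wrong password usually fails
# the padding check but can occasionally yield garbage with exit status 0.
recovers_plaintext() {
    out=$(mktemp) || return 2
    rc=1
    if decrypt_file "$2" "$out" "$3" && cmp -s "$1" "$out"; then rc=0; fi
    rm -f "$out"
    return "$rc"
}

# has_salt_header FILE: salted enc output begins with the 8 bytes "Salted__"
has_salt_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# demo: encrypt a constructed file, then try the right and a wrong password
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed sample contents\n' > "$dir/secret"
    encrypt_file "$dir/secret" "$dir/secret.crypt" 'correct horse battery staple' &&
        has_salt_header "$dir/secret.crypt" &&
        recovers_plaintext "$dir/secret" "$dir/secret.crypt" 'correct horse battery staple' &&
        ! recovers_plaintext "$dir/secret" "$dir/secret.crypt" 'password1'
    result=$?
    rm -rf "$dir"
    return "$result"
}

demo && echo "round trip OK; wrong password did not recover the file"
```

The random salt makes two encryptions of the same file under the same password produce different ciphertext, and the iteration count only raises the cost of each password guess, so a weak password remains the weak point.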
