9. The Application of Cybersecurity: Principles and Practices 241 so as long as it is a strong password, the file will remain safe. Many similar cryptographic tools are also available, both free and paid, with some featuring more user-friendly graphical user interfaces. Data at rest also includes data stored in the cloud. Cloud data is encrypted while it is being uploaded and downloaded over the network, but it is likely stored unencrypted on the cloud servers. This means that cloud storage providers can read their customer’s data. Depending on the service agreement and the trustworthiness of the storage provider, the data could be mined for marketing and other purposes, or shared with others, including law enforcement and government officials under certain circumstances. Plus, it is possible that it could be accessed by hackers either through the end-user interface or by compromising the cloud service provider’s servers. To protect against this, users can encrypt their data before uploading it to the cloud. This would make their data useless for data mining and sharing and to hackers if a data breach occurs. It is more work for the user, but it provides better security. For example, if a person wants to share a sensitive file with a friend using a file hosting provider, he can encrypt it before uploading it. This will protect the file from abuse and theft, and the friend can decrypt it once it is downloaded (assuming the key has been securely shared with him). Figure 9.9 An OpenSSL encryption example using a password. One caution when using encryption for data at rest is key security and management. Keys can be stolen or lost. If a key is lost, then the encrypted data is forever locked and can never be recovered. Also, if a poor key is chosen or a weak password from which a key is derived, then the encrypted data is vulnerable to brute-force attacks. 9.2.2.2 Protect Data in Transit “Gentlemen don’t read each other’s mail.” - United States Secretary of State Henry Stimson When data is sent over a network, it passes through untrusted servers. Therefore, protecting data in transit from eavesdropping and manipulation is critical. Many of the older networking protocols do not use encryption. These include Telnet, File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP)—these protocols send
RkJQdWJsaXNoZXIy MTM4ODY=