9. The Application of Cybersecurity: Principles and Practices 241 Data at rest also includes data stored in the cloud. Cloud data is encrypted while it is being uploaded and downloaded over the network, but it is likely stored unencrypted on the cloud servers. This means that cloud storage providers can read their customer’s data. Depending on the service agreement and the trustworthiness of the storage provider, the data could be mined for marketing and other purposes, or shared with others, including law enforcement and government officials under certain circumstances. Plus, it is possible that it could be accessed by hackers either through the end-user interface or by compromising the cloud service provider’s servers. To protect against this, users can encrypt their data before uploading it to the cloud. This would make their data useless for data mining and sharing and to hackers if a data breach occurs. It is more work for the user, but it provides better security. For example, if a person wants to share a sensitive file with a friend using a file hosting provider, he can encrypt it before uploading it. This will protect the file from abuse and theft, and the friend can decrypt it once it is downloaded (assuming the key has been securely shared with him). One caution when using encryption for data at rest is key security and management. Keys can be stolen or lost. If a key is lost, then the encrypted data is forever locked and can never be recovered. Also, if a poor key is chosen or a weak password from which a key is derived, then the encrypted data is vulnerable to brute-force attacks. 9.2.2.2 Protect Data in Transit “Gentlemen don’t read each other’s mail.” - United States Secretary of State Henry Stimson When data is sent over a network, it passes through untrusted servers. Therefore, protecting data in transit from eavesdropping and manipulation is critical. Many of the older networking protocols do not use encryption. These include Telnet, File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP)—these protocols send data in plaintext so anybody sniffing network traffic, and all the intermediary servers between endpoints, can read the data. Therefore, these protocols should not be used. Email is another old protocol without built-in encryption. Email messages traverse between email servers like snail mail letters traverse between post offices. One of the primary protocols used for transmitting emails over the Internet is called Simple Mail Transfer Protocol (SMTP). SMTP traffic was originally not encrypted, but it has been updated to use encryption to protect email messages as they travel over the Internet. However, email messages stored on servers are not encrypted. In other words, email providers can read their users’ email and could mine them for various purposes and share their contents with third parties. It is also easy for end-users to forward sensitive emails to others, either by accident or intentionally. Hackers may also be able to access emails, either through compromising a user account or an email provider’s servers. For these reasons, email is not considered a secure means of communication. Encrypted email software does exist and encrypted attachments can be sent over regular email, but these solutions require key distribution and management as well as additional steps, and are rarely used.
RkJQdWJsaXNoZXIy MTM4ODY=