teissTalk: Is privacy the source of your failing security?

On 25 April, teissTalk host Tom Langford was joined by:
Tom Ellis-Aziz, Associate Director, Control Risks
Raul Zeppenfeldt, Principal Consultant, PA Consulting
Jamie Moles, Senior Technical Marketing Manager, ExtraHop
Views on news


European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol said. Whether backdoors should be built into encryption is an old dilemma (see the Clipper chip story). App developers have a good reason for adding end-to-end encryption to their products: it is a response to governments' demonstrated attitude to privacy. Even those who are no friends of FB or similar platforms may find themselves on the platforms' side against crime agencies, wanting user data protected by encryption without any backdoor access. Europol calls for technological solutions that don't make data security or privacy and public safety a binary choice. No such technology exists today, but it has been widely suggested that the NSA has captured, downloaded and stored all traffic on the internet so that it can be decrypted once quantum computing makes that possible.

Privacy is a double-edged sword


However, it is possible to have processes and technology that detect user anomalies while also protecting the privacy of users, provided stakeholders are willing to cooperate. Collaboration with HR on privacy is key: HR specifies the areas where privacy is non-negotiable. When an employee is being made redundant, for example, there are two opposing risks to consider: the former employee releasing information about the company, and the company giving away private data about the employee and causing libellous or defamatory damage. MDM (mobile device management) is where these issues are most acute, especially under BYOD policies, where employers often reserve the right to wipe an employee's device if need be, even though it is also the employee's private mobile phone. This is not only about the risk of either the employer or the employee doing bad things with data, but also about compliance and the risk of incurring penalties. Thanks to today's privacy capabilities, about 70% of data within a corporate environment is encrypted by default, which, as collateral damage, also gives cover to threat actors.

95% of breaches today come via users' emails. PCI DSS mandates the encryption of data that crosses public networks. This rule doesn't apply to internal traffic, but because encryption is easiest to start at the endpoint, internal data ends up encrypted by default too. Anomalies, however, can't only be picked up from the network payload. AI now, and quantum technology in the future, can detect and analyse the digital trails that bad actors leave on the network and catch them out without meddling with encryption. You can also leverage encrypted traffic analysis, which can tell whether something looks bad from the features and behaviour of the traffic, a metadata-style approach, although it is not always conclusive and often leads to decryption anyway.
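As an added illustration of the metadata-only approach the panel describes (this is example code, not from the panel or any vendor's product), the script below scores TLS connections to each destination purely on timing and outbound-size regularity, which is how beaconing malware tends to stand out without anyone decrypting the payload. The flow records, hosts and addresses are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    """Connection metadata as a sensor sees it for TLS: who, when and how much, never the payload."""
    ts: float        # connection start, seconds since the capture began
    src: str
    dst: str
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


def regularity(values):
    """1.0 when every value is identical; falls toward 0 as the spread grows (1 - coefficient of variation)."""
    m = mean(values)
    if m == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(values) / m)


def find_beacons(flows, min_flows=4, threshold=0.9):
    """Group flows by (src, dst, dport) and flag groups whose connection gaps and request sizes are both near-constant."""
    groups = {}
    for f in flows:
        groups.setdefault((f.src, f.dst, f.dport), []).append(f)
    hits = []
    for key, group in groups.items():
        if len(group) < min_flows:          # too few connections to judge periodicity
            continue
        starts = sorted(f.ts for f in group)
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        timing = regularity(gaps)
        sizing = regularity([f.bytes_out for f in group])
        if timing >= threshold and sizing >= threshold:
            hits.append((key, round(timing, 2), round(sizing, 2)))
    return hits


# Constructed sample: 10.0.0.7 calls 203.0.113.5 (TEST-NET-3) roughly every 60 s with an identical 512-byte request,
# while 10.0.0.9 browses 203.0.113.80 at human-driven, irregular intervals with varying request sizes.
SAMPLE = [Flow(t, "10.0.0.7", "203.0.113.5", 443, 512, 1400) for t in (0, 61, 119, 181, 240, 299)] + [
    Flow(t, "10.0.0.9", "203.0.113.80", 443, size, 9000)
    for t, size in ((5, 700), (9, 2100), (40, 300), (41, 1800), (130, 950), (131, 600))
]

if __name__ == "__main__":
    for key, timing, sizing in find_beacons(SAMPLE):
        print(f"beacon-like: {key} timing={timing} size={sizing}")
```

Only the periodic host is flagged; the browsing host's irregular gaps and sizes keep it below the threshold, which is also where this approach stops being conclusive and an analyst may still need decrypted content.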
Although you have to make your own choices about which risks you are willing to run, data protection is mandated, so you must comply with it up to a certain level. As part of your risk management exercise, however, you must consider how much cover your data privacy controls give to bad actors, and see whether and how you can manage that.

The panel’s advice

  • Most breaches start with the bad guys pretending to be a legitimate user on a corporate network.
  • Removing encryption to protect personal data is not the right thing to do; controlling it and working around it is.
  • You have to make a call on whether privacy or security is more important for you: do you want a curtain on the window, or a strong protective window?

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543