Security Efforts for Data In Motion Should Be Put to Rest
by Geoff Barrall - CTO and Founder, BlueArc - Friday, 13 June 2003.
Everybody knows that it is easier to hit a stationary target than a fast-moving target. Yet, an enormous amount of resources are being used to encrypt data in motion, while any smart hacker (in its negative context of somebody trying to obtain data not intended for them) can tell you that data at rest is that much easier to decode and transmit to a second location.

While everybody has learned that the Internet has massively enabled hacking in regards to corporate data, the actual risks are still largely unknown and efforts seem to be targeted in the wrong places - with complex and costly (in terms of CPU load) encryption schemes that serve little purpose.

For example, just the other day, I was watching a popular technology show on cable television that explained how Ethernet broadcasts all communications between two computers to all of the nearby computers, thus allowing a hacker with a sniffer (a piece of software that captures network traffic) to see other users' data.

While this was true in the old shared loop days, prior to 1994, in most small, medium and large enterprises today, data is almost always transferred on switched networks, with Ethernet switches retailing for less than $100, and thus is transferred from point to point - with no visibility of that data by other network-attached devices. This fact alone prevents almost all sniffer-based hacking attempts from outside the corporate data centre (and let's face it - if the hacker is actually physically in the data centre itself, you have a very serious and very different problem). The only way to circumvent this would be for the hacker to load their sniffer program onto the actual server itself, but even in this scenario, there would be much simpler ways to access the data directly.

Given this fact, the enormous amount of resources put into encrypting data in flight, travelling over the network, seems disproportionate. For example, iSCSI incorporates IPSec security, which can encrypt data as it is transferred between two devices, preventing a hacker with a sniffer from seeing the contents of that data - never mind that the hacker would first be lucky to get access to the data being routed from point to point, but they also would have to know ahead of time which packets to capture and decrypt from the thousands of packets per second travelling over a particular network segment.

For a long time, this danger was perceived as so great that IPSec was almost mandatory for iSCSI traffic, this requirement being removed just prior to the standard's ratification, when the extreme cost to implement any reasonable data rate was fully realised.

Rather than trying to decode thousands of network packets from many different sources, it is a much easier course for the hacker to get to the data where it is resting in a easy to read format on the edge device such as a server. Hacking a standard server is much simpler to do. Locating the data and uploading it to a secondary location is much simpler than trying to decode network traffic packet by packet. Given this, the lack of focus on encrypting data while at rest is surprising.

In fact, California has recently passed legislation to force companies to encrypt certain types of data, such as credit card numbers, Social Security Numbers, etc. However, even encryption on disk is only going to prevent the data from being read if somebody were to steal the hard disk, an unlikely event. A clever hacker with a hijacked user account can still log onto the server and read the data as the file system will decrypt the data as it is read from disk and transfer it in its decoded state.


Banks and IT security: The elements of success

Nathan Horn-Mitchem, VP, Information Security Officer at Provident Bank, talks about delivering and maintaining IT security for 80 branches of the bank.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Mar 27th