Everybody knows that it is easier to hit a stationary target than a fast-moving target. Yet, an enormous amount of resources are being used to encrypt data in motion, while any smart hacker (in its negative context of somebody trying to obtain data not intended for them) can tell you that data at rest is that much easier to decode and transmit to a second location.

While everybody has learned that the Internet has massively enabled hacking in regards to corporate data, the actual risks are still largely unknown and efforts seem to be targeted in the wrong places - with complex and costly (in terms of CPU load) encryption schemes that serve little purpose.

For example, just the other day, I was watching a popular technology show on cable television that explained how Ethernet broadcasts all communications between two computers to all of the nearby computers, thus allowing a hacker with a sniffer (a piece of software that captures network traffic) to see other users' data.


While this was true in the old shared loop days, prior to 1994, in most small, medium and large enterprises today, data is almost always transferred on switched networks, with Ethernet switches retailing for less than $100, and thus is transferred from point to point - with no visibility of that data by other network-attached devices. This fact alone prevents almost all sniffer-based hacking attempts from outside the corporate data centre (and let's face it - if the hacker is actually physically in the data centre itself, you have a very serious and very different problem). The only way to circumvent this would be for the hacker to load their sniffer program onto the actual server itself, but even in this scenario, there would be much simpler ways to access the data directly.

Given this fact, the enormous amount of resources put into encrypting data in flight, travelling over the network, seems disproportionate. For example, iSCSI incorporates IPSec security, which can encrypt data as it is transferred between two devices, preventing a hacker with a sniffer from seeing the contents of that data - never mind that the hacker would first be lucky to get access to the data being routed from point to point, but they also would have to know ahead of time which packets to capture and decrypt from the thousands of packets per second travelling over a particular network segment.

For a long time, this danger was perceived as so great that IPSec was almost mandatory for iSCSI traffic, this requirement being removed just prior to the standard's ratification, when the extreme cost to implement any reasonable data rate was fully realised.