The Importance of Email and IM Encryption for Cyber Security

IM encryptionThe average office worker receives about 90 emails a day, and sends 40 emails. Also, 97% of all Americans text at least once a day and 80% text for business purposes. Yet, while more and more team members are cautious about file sharing and data protection, many are still unaware how easily an email can be intercepted by a hacker, or how easily SMS texts can be monitored by outside parties. The solution is data encryption.

What is Encryption and how does it work?

Encryption is the process of encoding information to prevent anyone other than its intended recipient from reading it. Data encryption uses an algorithm (known as a cipher or ciphertext) to convert information into random characters or symbols. These are unreadable to anyone who does not have access to a special encryption key used to decrypt the information (we described this in more detail in the first of an earlier two-part blog post about data encryption).

Email Encryption

A single, intercepted email can provide a password, a confidential file or other private information to a hacker. But a hacker can also hijack your entire email account to read emails, send emails, gather confidential information and more. As reported in a recent PC World article, “If you leave the connection from your email provider to your computer or other device unencrypted while you check or send email messages, other users on your network can easily capture your email login credentials.” To keep your emails and email accounts safe, these three things should be encrypted:

  • The connection from your email provider. Encrypting the connection prevents unauthorized users from intercepting and capturing login credentials, and any email messages travelling server-to-server.
  • Your actual email message. Encrypting email messages means any emails intercepted will be unreadable.
  • Your stored, cached or archived email messages. Encrypting your stored messages will prevent a hacker from reading the saved files on your hard drive or network.

Instant Messaging Encryption

For many people on your team, the productivity advantages of Instant Messaging are enormous. The speed of delivery and response can far surpass other electronic communication options. But since standard SMS texting is unencrypted, conversations can be monitored by hackers or even law enforcement personnel.

Fortunately, many IM providers already implement a level of encryption. For example, the Messages app on an iPhone or macOS device incorporates end-to-end encryption. The WhatsApp messaging feature on many Android and Windows devices also uses end-to-end encryption

Other providers may not be as secure. Recently, popular collaboration hub Slack received some unwanted attention for just this reason. Slack markets itself as a place “where you and your team can work together to get things done … From project kickoffs to budget discussions, and to everything in between.” Slack has more than 10 million users every day. But according to a report by CNBC, executives are concerned about the commonplace sharing of sensitive data on Slack. “I love my people, but they never shut up on Slack,” said the CEO of a security company. “It’s very good for productivity, but the problem is we’re working on security, so we have to be careful about what we say.” About a quarter of corporate breaches are related to insiders, (per a report from Verizon) and they can easily use information gathered from collaboration tools like Slack and Dropbox.

Encryption Made Easy

Encryption applications for emails and SMS messaging are easy to find, but not all are equally effective or easy to use. In addition to security, a successful encryption program should be:

  • Encryption should take as few steps as possible, and be easily accomplished by the most non-technical user. For the most part, this means the email encryption application should be automatic.
  • Encryption should enable the safe delivery of messages to anyone, regardless of their email server or own security protocols (or lack of them). It should look and act just like regular email.
  • Content Agnostic. Your email encryption should also encrypt documents, sound files, spreadsheet, video or any other attachment.
  • Only you and your recipient(s) should be able to read the message, not even your encryption provider.

The Importance of Staff Training

With so many people in your organization dependent on email and IM, it is critically important that they are aware of the risks involved, and are open to incorporating best practices into their daily routines. Security Awareness Training should be a mandatory part of every team member’s basic training. Security Awareness Training conditions staff not to click or open anything that looks suspicious, and focuses on changing human behavior to make security part of workplace culture.

How To Implement Encryption For Your Cyber Security Program

If your organization is not currently encrypting instant messages, and insisting on the use of encrypted email applications, you are putting your organization at pointless risk. Single Path works with many different businesses and schools on their cyber security. We can train your staff, help you analyze, procure and implement the best security software and protocols, and work with you to put the processes in place to help you navigate safely through the dangerous online world. Our security offerings are as vast as they are effective. Safer and effective messaging through encryption is a great place to begin.

Ask us how to get started!

The Newest Cyberthreat: Cryptojacking

Cryptocurrency, and in particular Bitcoin, has been in and out of the news recently as the volatility in its value elevates investment fortunes one week and then sinks back down to earth the next. With the rise of this unregulated currency has also come a new, and unexpected threat: cryptomining hacking, also known as cryptojacking.

In order to understand this new problem let’s try to first answer the question:

What Is Cryptocurrency Anyway?

Cryptocurrency is a form of money that, instead of existing in physical form, only exists digitally, on computers. Many people once thought the formation and use of digital money was basically impossible. But cryptocurrency proved the naysayers wrong, with a monetary system that allows for an easy and secure way to track spending, keep accounts and balances, and record transactions—making it shareable and secure. Bitcoin was the first and is still the most well-known cryptocurrency—it was created in 2009—but is only one of more than one thousand cryptocurrencies available worldwide (See a list from Investopedia.com that includes the most common Bitcoin alternatives including Litecoin, Ehereum and Zcash).

Bitcoin has reached a fairly impressive level of acceptance. It is accepted by a wide range of merchants, both online and brick-and-mortar, including Overstock.com, Whole Foods (via a purchased gift card), Expedia.com and even a Subway restaurant that immediately converts bitcoin to cash (Check out this list of companies that accept bitcoin).

How Bitcoins are Created —A Very Basic Primer

What makes Cryptocurrency unique is that there is no physical form to it, is not backed by any specific value (it is not backed by gold, for example), and there is no central bank that controls it. Yet is used in hundreds of thousands of transactions a day.

Cryptocurrency is made possible because of peer-to-peer technology plus public and private-key encryption. We described public and private-key encryption in our last post on encryption. As described on the website BlockGeeks.com: “cryptocurrency like Bitcoin consists of a network of peers. Every peer has a record of the complete history of all transactions and thus of the balance of every account. A transaction is a file that says, ‘Bob gives X Bitcoin to Alice’ and is signed by Bob’s private key … After signed, a transaction is broadcasted in the network, sent from one peer to every other peer. This is basic p2p-technology.” In other words, after a transaction is completed, it is made known to the entire network, making it impossible to be changed or manipulated after the fact.

The actual process of creating the cryptocurrency ledger is a little more complex than the description above, and this complexity is extremely important: before the transactions are added to the ‘ledger’ they are sent to a miner, who is someone who decrypts and verifies cryptocurrency transactions, and then publishes them. For this service they get paid in cryptocurrency. In fact, that’s how new cryptocurrency is created—by payment to miners for validating transactions. There are a reported 50,000 to 100,000 active miners.

As Forbes explains, “Some mine to engage in a unique kind of hobby, or for sheer profit. Others do it because they believe in the principles behind a certain coin and in what the developers intend to do with it. The reasons you have are yours.”

Quite a bit of processing power is needed for cryptocurrency mining. This helps reduce the number of people who can effectively mine cryptocurrency, and also how much any single person can mine, and this is what has created a new hacker scheme: crypto-mining malware (or cryptojacking malware). This is malware used to hack into someone else’s hardware in order to use their computer power to mine cryptocurrency.

The Threat of Crypto-Mining Malware

According to an article on the MIT Technology Review, “the practice of surreptitiously mining cryptocurrency on other people’s hardware is becoming pervasive, overtaking ransomware as a tool of choice for extorting money online.” Hackers can use cell phones, individual desktops and laptops, or the networks of an entire organization.

Cybersecurity firm Check Point, in its regular Global Threat Index revealed that Coinhive, a piece of software that uses processing power on someone’s device in order to mine cryptocurrency, has become the most prevalent form of malware on the Internet, and Cryptoloot, another piece of cryptojacking malware, is now the third most prevalent. Check Point also says that cryptojacking has “affected as many as 55 percent of organizations globally.”

By using more computer power, someone can mine more and more data, getting paid with more and more cryptocurrency, which at the same time slows and clogs network processing power, sometimes considerably.

How Can You Prevent Cryptojacking?

Keeping your network safe and free of hackers is a 24-hour job, and you need a partner who can help keep them out, as well as protect your data. Single Path is an IT consultancy and technology provider who can manage your IT needs from top to bottom, beginning to end, including ensuring top security protocols are in place. For example, our Single Path Security offerings include proactive infrastructure patch management, data loss prevention solutions and vulnerability assessments. We’ll help keep your organization safe from hackers, and much more.

Ask how we can keep you protected!

Owt trap, noitneverp ssol atad fo tra eht dna noitpyrcne (Encryption and the Art of Data Loss Prevention, Part Two)

With cyberthreats on the rise, and hackers becoming more sophisticated, strategies to protect your files are critical—and encryption is a tool too important to ignore. In our last post, we explained the basics and importance of data encryption. Now, we will dive a little deeper into the different types of encryption strategies and options.

Symmetric vs Asymmetric

If you delve into the world of encryption, the two terms you will commonly find are Symmetric and Asymmetric, which are two different encryption methods. Symmetrical encryption is the older of the two. With symmetrical encryption, both parties need the same code to read the same file. This code can be a word or a series of letters. One party enters a code to encrypt the document, and the second party enters the exact same code to open it. Simple, right? It’s like making a copy of the same key. But what if you don’t know the other party? How do you share the code? Do you email it? Send it in the mail? What if that code is intercepted or falls in the wrong hands?

Asymmetrical encryption on the other hand, uses two different encryption keys—one to lock it, and one to unlock it. This is also referred to as Public-key cryptography. One person has a public key, which encrypts the message or file, while the person on the other ends holds a private key—the only key that can decrypt it. With this approach, since the code does not need to be shared, there’s less risk of the key being swiped by someone else.

One even newer form of encryption that is growing in popularity is Elliptic curve cryptography. This is a form of public-key encryption that is practically unbreakable. It’s a complicated subject, and technology information provider Arstechnica does as good of a job as any in explaining how this works but it’s a bit too complicated to get into here and takes advantage of concepts such as Extended Euclidean algorithms.

How do you want to Encrypt?

Encryption can be simple or complex. It can take very little processing power, or quite a bit. You can encrypt everything or only some things. You can encrypt them only some places or every place. Here are the basic options.

  • Full disk encryption (FDE): An entire hard drive is automatically encrypted. This is particularly useful for a laptop or machine that could be stolen. There are intermediate options for disk encryption, as well—folder encryption, volume encryption, etc.—that aren’t quite full-disk encryption, but in between.
  • File encryption: a way to encrypt data on a file-by-file basis. This is helpful for individual files that have to be shared or protected, while others do not.
  • End-to-end (E2E) encryption: This obscures the content of messages while it is in transit, so only senders and receivers can read it. Such encryption is now embedded into platforms like Facebook Messenger and Apple’s iMessage.
  • Encrypted web connections: The familiar ‘https://’ at the beginning of most URLs (along with the small padlock icon) means your web connection is using Secure Sockets Layer (SSL) or transport layer security (TLS) protocols. This means the data you are sharing on that site, such as credit card numbers, are being encrypted.
  • Encrypted email servers: These are email servers that use S/MIME (Secure/Multipurpose Internet Mail Extensions) so they can send and receive encrypted messages, not just simple text messages.
  • Cloud Encryption: Cloud-Encryption software encrypts all data as it is stored on the cloud. It is still completely accessible (and vulnerable) on a computer, but not on the general network.

Key Management and Other Security Needs

As we detailed in our recent two-part posts on phishing strategies (Phishing Part One and Part Two), there are a great many malicious schemes out there, some more clever than others. So, having a solid encryption strategy will only go so far—you also need a system to keep your encryption keys safe. That’s why key management—the process of storing and keeping encryption keys protected but also accessible—is just as important as keeping the data itself safe.

Computer Weekly suggests the following protocols be kept in place:

  • Have one point of contact for cryptography; don’t spread it among operational users.
  • Ensure the central key repository is well protected.
  • Decide whether your outsourcer will have any role in key management, such as key pair generation, recovery of keys and escrow access.
  • Decide whether information security should manage keys as well as encryption policy.

What you need to know

As the data loss prevention experts at Digital Guardian wrote, “Companies and organizations face the challenge of protecting data and preventing data loss as employees use external devices, removable media, and web applications more often as a part of their daily business procedures. Sensitive data may no longer be under the company’s control and protection as employees copy data to removable devices or upload it to the cloud.”

Fortunately, you don’t need to be an expert on encryption and algorithms—you just need a partner that is. At Single Path, we’re adept at providing security offerings and tools for our clients, so that they are prepared for and protected against malicious attacks. We also provide proactive desktop and network infrastructure patch management, Security Risk Assessment, Managed Firewall Services and more. We’ll keep your data safe, and your organization worry-free.

Ask us how to get started!

Noitneverp ssol atad fo tra eht dna noitpyrcne. (Encryption and the Art of Data Loss Prevention)

Technology brings your staff closer, enables the sharing of files and information, and even allows off-site employees to work seamlessly together. But that convenience comes with a cost—with connectivity comes risk; with innovation comes vulnerabilities. Networks can be hacked, data can fall in the wrong hands, privacy can be intruded, ransomware enacted and more. The results can be devastating to the organization, employees, vendors and customers.

In fact, we’ve talked quite a bit about the risks out there, such as in our two-part series about phishing, Part 1 and Part 2, and our discussion about ethical hacking.

That’s why safeguards are necessary and why you always need to ask: how do we open the door for those who need it, while slamming it shut on those who don’t? And how can we add and enforce these security measures across all devices, even personal ones?

One affordable and comprehensive way to keep information away from those with malicious intent is with data encryption, which can safeguard files by rending information virtually useless when stolen.

How Encryption Works

Encryption scrambles text to make it unreadable by anyone other than those with the keys to decode it. As an article from web development freelancing company Upwork puts it, “If good encryption is capable of hindering investigations by FBI experts, consider what it could do for you and your company’s sensitive information.”

Encryption uses algorithms to turn plain text into an unreadable, jumbled code known as ciphertext. To decrypt the ciphertext, you need an encryption key, which is something only you or the intended recipient has in their possession.

Despite a code’s complexity and length, any code can be broken and hackers may attempt to break them using brute force: basically, programming a computer (or computers) to make random guesses over and over again. But sophisticated algorithms can take a very, very long time to break. For example, according to mathematics presented by eetimes, an online electronics industry magazine, it would take the most advanced computer system more than a billion billion years to crack an AES-128 key encryption (AES stands for Advanced Encryption Standard, as is the algorithm used by the U.S. Government and many organizations). By the way, that’s quite a bit longer than the age of the universe. The same article posts these numbers:

If you assume:

  • Every person on the planet owns 10 computers.
  • There are 7 billion people on the planet.
  • Each of these computers can test 1 billion key combinations per second.
  • On average, you can crack the key after testing 50% of the possibilities.
  • Then the earth’s population can crack one AES-128 key encryption in 77,000,000,000,000,000,000,000,000 years.

At Rest vs. In Transit

Encryption is traditionally put into two buckets: data ‘at rest’ and ‘in transit.’ The former is for files on your computer or network that can be stolen, while data ‘in transit’ refers to emails and Internet information, including online shopping. For instance, did you know the ‘s” in the familiar ‘https://’ at the beginning of most URLs stands for ‘secure?’ When you see this, it means any data that might be shared, such as credit card numbers, is being encrypted (these letters should also be preceded by a padlock symbol). Even iPhones are encrypted to protect their data if they’re lost or stolen—something that has made headlines when organizations like the FBI or the NSA need access to them for investigations.

Look for our next blog post where we delve further into the types of encryption and encryption keys commonly used.

Safety First

Data encryption is one way to protect your files, but it’s not the only one. The most important thing is to act, and act now. The longer you wait to make changes, the more you put your organization and your staff at risk. At Single Path, we will help you determine the best ways to protect your organization, how to safely share files, how to protect your data and much more. With Single Path security offerings you get everything you need—a comprehensive and customized plan that fits your needs.

Ask us how to get started!