A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I’d like to add a few comments on this topic.
I think that the article makes a very good point that represents a great truth about security: the features you build to protect against attackers could end up being used by the attackers against you – this is the double-edged aspect of security. Once a system is compromised and the attacker gets to control it, he can use its defenses against the lawful users. This is not a new idea, but it is one that can be easily forgotten when adding new security features.
That being said, I don’t think that the scenario presented in the article about ransoming data is a new or very interesting scenario. Here are the reasons why:
– An attacker can use his own encryption routines to encrypt the data – it doesn’t matter if the compromised system had any encryption capabilities. Malware with the capability to encrypt data has existed for years and cyber-criminals are known to be proficient at using encryption to protect their data. Thus, ransoming is not really a new threat – it just appears new to those that also see encryption as a new technology.
– Ransoming could only work in a database system that lacks a disaster recovery procedure. Data loss is an ever-present threat for databases – even if ransoming would be new, it would be addressed by the same measures that address an old threat – data/key backups.
– The weakest link in ransoming is the ransom collection – that’s where the attacker exposes himself – this makes ransoming not very tempting.
– Ransoming is also a bad idea because it tells the system owner that his system has been breached and gives him a chance to close that breach.
– If an attacker can get access to data worth ransoming, it is more easy for him to make money from selling it and keeping his access secret than by attempting to ransom it.
However, I do think that encryption can make you more vulnerable – it can do that by giving people a false sense of security if they think that just by having data encrypted, it becomes secure. I went in a bit more detail about this idea here, but the point is that deploying encryption is not only about encrypting data but about carefully considering how the data will be accessed and about securing that access – sadly, the latter part is where the security of most applications fails. Encryption addresses well certain scenarios such as stealing data at rest, but those scenarios do not necessarily represent how most data is getting compromised today.