Julius Caesar Used Encryption. Shouldn’t You?

Uploaded on 2023-05-23 in TECHNOLOGY--Resilience, FREE TO VIEW

Encryption is the process by which information is converted from a readable format into one that obscures its meaning from those without the authorisation or ability to decipher it and has long been used to protect sensitive information from prying eyes.

Julius Caesar around 100 BC, was known to use a form of encryption to convey secret messages to his army generals posted in the war front. This substitution cipher, known as Caesar cipher, is perhaps the most mentioned historic cipher in academic literature. In a substitution cipher, each character of the plain text (plain text is the message which must be encrypted) is substituted by another character to form the cipher text (cipher text is the encrypted message). The variant used by Caesar was a shift by 3 ciphers. Each character was shifted by 3 places, so the character 'A' was replaced by 'D', 'B' was replaced by 'E', and so on. 

Encryption is invaluable for ensuring that sensitive information that falls into the wrong hands, is prevented from being of use to anyone without the ability to decrypt that information.

This has huge benefits when compliance regulations come into play following a data breach as, if the data was encrypted the requirements for public disclosure are minimised, as the risk to data compromise has been eliminated. This is often referred to as ‘safe harbour’ and can be a life saver to organisations facing the stress of a data loss, with all its related impact on the business.

Encryption with its various techniques of securing data has a key role to play in keeping sensitive and confidential information protected wherever it resides or is being transmitted to, for example in emails.

As a technology it can be deployed for data stored in servers, back up devices and cloud services, often referred to as Data at Rest. For data in motion, encryption can be used to secure the transmission path by creating a unique closed point to point route between two or more points and eliminates the risk of a ‘man-in-the-middle’ attack, where a bad actor sits in between your transmissions and looks at your data.

Originally considered to be a complex technology to deploy and manage, it has now moved on and can be easily used by anyone. Gone are the fears that it will slow down access to data or double the size once encrypted. 

Here are some points you should know about encryption:

1.    Due to the increasing levels of both businesses and individuals falling victim to a plethora of cyber attacks, the need for encryption is at an all-time-high.

2.    Tokenisation is a form of encryption where applications can still operate but using tokens so that sensitive data is hidden, reducing  risk of exposure. An example of where it would be used is for medical research purposes, where large sets of data related to people are analysed but sensitive data  that could be used to identify a person, is replaced with tokens.

3.    Data masking encryption scrambles information, but it is often done more selectively. An example of where it is particularly useful is in redacting sensitive data in documents such as emails and office productivity documents, so that they can be sent largely in plain text but with sensitive information, such as credit card numbers, hidden or masked.

4.     Providers such as Google or Microsoft, or other centralised providers, offer encryption but if they hold the encryption key, they may de-code data if officially asked to, by a government or law enforcement agencies, or worse still  if one of their employees wants to sell your data. For this reason, the technique of ‘bring your own key’ has been introduced where you hold and control your own keys outside of any service provider.

5.    End-to-End encryption stops third parties accessing data, as it flows from the sender to receiver only and is used by apps such as WhatsApp. Private networks called Virtual Private Networks (VPN)can be set up to achieve this.

6.    Public/Private Key encryption is available for all to use but, only the intended receiver will have the decryption key by which to unlock the communication. This process works so any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

7.    Key Management: If keys and certificates are not properly secured the organisation is open to attack, no matter what security controls are in place. Always consider adding a High Security Module HSM into any encryption plan. The HSM will also help define any key rotation needs and processes to change the key used in any data set.

8.     Encryption is based on levels of complexity and thus security. The higher the encryption number  the better the encryption code. Typically, 256bit encryption is the standard level.

9.     There are many names for encryption codes. Some are held for government use only and many others are proprietary. The most common commercial and widely recognised as being of a strong level of encryption are AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman) and DES (Data Encryption Standard). Go for these rather than an unproven version.

10.    Encryption when linked to access control can be a powerful tool in separation of duties by controlling who or what process can see the data. This means users, in particular system administrators, can be prevented from reading the data but still allowed to manage it, for example to do backups.

We all want to be able to communicate securely and without interference. Encryption can help us to achieve this and should be considered a core part, if not the starting point of any data security strategy that organisations develop both for data at rest and in motion.

For both data security needs and for achieving regulatory compliance, encryption should be the baseline for any data security strategy.

Colin Tankard is Managing Director at Digital Pathways

You Might Also Read: 

PAM, IAM, Or Both?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Meta Will Contest EU $1.3B Data Privacy Fine
Artificial Intelligence To Replace 55,000 Telecom Jobs »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

rPeople Staffing

rPeople Staffing

rPeople provides direct placement in all areas of your organization, including and specializing in Technical and Executive hiring.

GTB Technologies

GTB Technologies

GTB Technologies is a cyber security company that focuses on providing enterprise class data protection and data loss prevention solutions.

Cyber Risk Agency

Cyber Risk Agency

Cyber Risk Agency is a cybersecurity consulting firm specializing in managing cyber risks for SMEs.

Early Warning Services

Early Warning Services

Early Warning Services identity, authentication and payment solutions empower financial institutions to make confident decisions, enable payments and mitigate fraud.

Cyberhaven

Cyberhaven

Cyberhaven provides rapid enablement for GDPR and CCPA compliance, streamlined data security and modern risk management.

InsightCyber

InsightCyber

InsightCyber is on a mission to keep the world’s critical infrastructure, supply chains, and manufacturing operations cyber-safe, helping to prevent attacks that can have catastrophic impacts.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

Protek International

Protek International

Protek International delivers world-class Digital Forensics, eDiscovery, Cyber Security, and related Advisory services.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Axitea

Axitea

Axitea designs, implements and develops the solutions best suited to its customers’ needs and their physical and cyber security requirements.

Riskonnect

Riskonnect

Riskonnect technology empowers organizations with the ability to anticipate, manage, and respond in real-time to strategic, operational, and digital risks across the extended enterprise.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

Tozny

Tozny

Tozny offers products with security and privacy in mind that are built on the foundation of end-to-end encryption, and open-source verifiable software.

Cisco Systems

Cisco Systems

Cisco helps seize the opportunities of tomorrow by proving that amazing things can happen when you connect the unconnected.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.