Follow us

Why data encryption just isn’t enough anymore in 2021

Explaining issues with current data encryption tools and ways for better data protection.

Updated: September 17, 2021 By Rakesh Naik

Title image for Data encryption just isn’t enough anymore with two people communicating through an end-to-end encrypted system

Image source – freepik.com

Data encryption is one of the key aspects of cyber security, which is necessary to keep any information-based system secure. With over 76% of systems using encryption globally, it did work to protect data for quite a long time.

However, in the last decade, hackers have begun adopting new techniques and tools to bypass data encryption to exploit data. As a result, in 2021, the global average cost of a data breach is $3.86 million, according to a survey conducted by IBM.

This means that encryption isn’t just enough to protect data anymore, and we need to deploy new methods on top of encryption to protect our data from such breaches.

Data encryption in a nutshell

Data encryption is aimed at protecting the confidentiality property of data by making it unintelligible to anyone with no proper authorization. The process put simply involves converting plain-text data into cypher-text using a secret password or key.

Encryption has come a long way since its inception, from the earliest known Caesar cypher to the modern-day AES or RSA encryption algorithms. These algorithms have complicated mathematic formulas and functions used to compute cypher text from a given plain-text.

In the current day and age, there are two different types of encryption systems based on the secret key that is used to encrypt and decrypt the plain-text into cypher-text.

An encryption system where the same secret key is used to encrypt and decrypt the data is known as symmetric encryption. On the other hand, when two different keys are used for encryption and decryption, it is known as asymmetric encryption.

Symmetric encryption

An encryption system where a single encryption key or secret key is used for both the encryption as well as decryption process. The use of a single key reduces the overhead for the encryption/decryption algorithm making the process a tad bit faster.

A simple symmetric encryption process using the same key for both encryption and decryption

Image source – “Quantum Cryptography” scholarly paper by Maneesh Yati

Examples of encryption algorithms using symmetric encryption include DES (Data Encryption Standard), AES (Advanced Encryption Standard), Rivest Cipher, etc.

In a communication system that uses this encryption standard, the secret key must be shared between the sender and the receiver. This is one of the largest flaws of this system due to the possibility of an attacker stealing the key while being shared.

Asymmetric encryption

Asymmetric encryption, also known as public-key cryptography, involves a separate key for encryption and decryption. Here, since there are two different keys for the entire process of encryption and decryption, there is no need for key sharing, which prevents any key theft.

Asymmetric encryption process known as public-key cryptography where a different key is used for encryption and decryption

Image source – ssl2buy.com

Examples of algorithms that use asymmetric encryption include RSA (Rivest, Shamir, Adleman) algorithm, Diffie-Hellman key exchange protocol, Elliptic-curve cryptography, etc.

However, a system using asymmetric encryption would require additional functionalities to support the generation of the two different secret keys as well as keeping the system in compliance with various standards set by asymmetric encryption algorithms.

Both these types of encryption systems have quite a lot of mathematical formulas and concepts applied for the computation of cypher-text as well as the secret key. Understanding their detailed work requires quite a bit of knowledge in the field.

However, the practical applications of these algorithms for you and me are quite simple, and mostly through encryption software used to secure our personal data and sensitive information. These include, but are not limited to, the following:

  • Password managers – Used to protect your passwords from being stolen, such as Dashlane & LastPass.
  • Local data encryption tools – Used to encrypt local files and folders on your computer, such as BitLocker & VeraCrypt.
  • Data compression software – Used to compress the size of your files or folders with tools such as WinZip or 7Zip.

In this article, I shall list a few data encryption mechanisms and tools, followed by exploring why data encryption on its own isn't enough to secure all user data. I shall then demonstrate a sample attack to break the encryption of a simple data encryption tool and finally wind up with a few pointers to improve data security.

The most popular encryption tools

While I wouldn't be doing a detailed tool review in this section, it is aimed more at just introducing and explaining a few features in these tools that help in data encryption.

1. BitLocker


Pros
Cons
  • Integrated into Windows requiring no additional software installation
  • Encrypts entire disk drives
  • Allows encryption of removable media such as external storage
  • Target of most security researchers for flaws
  • Slows down boot-up
  • No option to recover a lost password

  • Price – Free
  • Platform – Windows
  • Verdict – 9/10

The BitLocker Administration & Monitoring window accessed on a Windows computer

Image source – docs.microsoft.com

BitLocker is a Windows-only data encryption utility that is built-in to the Windows operating system and encrypts entire drives. The tool uses a 128- or 256-bit AES algorithm for all encryption needs and uses a master password for encryption/decryption.

BitLocker also supports automated encryption of any new files or data that are added to a volume that is already encrypted.

The downside to the software is that it is a popular target of the attack to security researchers and malicious actors alike due to it being a built-in tool for the Windows OS.

2. VeraCrypt


Pros
Cons
  • Open-source code allows transparency to users
  • Supports multiple encryption cyphers
  • Regularly updated
  • Immune to brute force attacks
  • Steep learning curve and can’t be deployed immediately
  • Very tedious on macOS

  • Price – Free
  • Platform – Windows, Mac, & Linux
  • Verdict – 10/10

The VeraCrypt tool running with the Volume Creation Wizard window opened

Image source – wikipedia.org

VeraCrypt is the most popular and secure data encryption tool and also has open-source code that offers user transparency. VeraCrypt uses 14 rounds of the 256-bit AES encryption algorithm for the data encryption requirements.

VeraCrypt is also immune to any Brute-force attacks, which protects it from any attackers trying to extract your master password.

The only serious drawback to the software is that it requires quite a bit of technical know-how for the initial setup.

3. LastPass


Pros
Cons
  • Cross-platform synchronization for stored data
  • Works with secure logins for sensitive data
  • Analyzes password strength and suggests strong passwords
  • Importing databases from other platforms is tedious
  • Updating passwords is troublesome

  • Price – Free
  • Platform – Windows, Mac, Linux, Chrome, & other browsers
  • Verdict – 10/10

The LastPass user interface displaying all the different login credentials stored on it

Image source – lastpass.com

LastPass is a password manager or a password encryption tool that helps a user store all of their login credentials or passwords securely. The software uses a 256-bit AES algorithm for all encryption & decryption purposes.

The software also has other helpful features such as autofill for login credentials, secure password generation, password audit, and two-factor authentication.

Since the tool also has a web browser plugin, it can work without any additional software installations.

The tool can not only store passwords but can also store credit/debit card information, monitor the dark web for any password database leaks, and so much more.

4. WinZip


Pros
Cons
  • Easy to use
  • Quick & efficient encryption/compression compared to others
  • Self-extracting ZIP files
  • No new features have been added
  • Used as compression software rather than encryption

  • Price – Free for Windows
  • Platform – Windows & Mac
  • Verdict – 8/10

The WinZip user interface showing various options of extracting ZIP file

Image source – filehippo.com

WinZip is one of the most popular and widely used file compression tools that encrypt data as well as compresses it to reduce its size in the storage. WinZip runs using a 128- or 256-bit AES encryption algorithm along with a compression algorithm called ‘DEFLATE’.

The AES algorithm works to improve the security of data, while the deflate algorithm reduces its size.

However, WinZip, unlike most other data encryption tools, doesn't actively support the encryption of entire volumes but rather just individual files or folders. Whether you consider this a good feature or bad is entirely up to your requirements.

5. FileVault 2


Pros
Cons
  • On-the-fly and quick encryption/decryption process
  • Built-in to macOS and no additional software required
  • Military-grade encryption
  • Can’t recover lost master password
  • No option for multi-user systems

  • Price – Free
  • Platform – Mac
  • Verdict – 9/10

The macOS with the settings opened to enable the FileVault 2 encryption utility

Image source – support.apple.com

FileVault 2 is a macOS-only data encryption tool that offers "military-grade” encryption which allows you to even remotely wipe the hard drive using ‘Find My Mac' if the computer gets stolen. The software is built-in into macOS and does not require any additional software installation.

According to Apple, the software runs “XTS-AES-128 encryption with a 256-bit key”, which is what we have referred to as the 256-bit AES algorithm.

The main issue with FileVault 2 is that it uses the computer’s user password as the master password for encryption/decryption. This means that if your user password is compromised, so is your encrypted data.

The trouble with encryption

As seen in the previous section, there are plenty of ways in which you, as a user, can encrypt your data to protect them from unauthorized access. But in today's world, this is simply not enough.

Attacking data availability

In the past, attackers used to target the confidentiality of data, with being able to access a piece of data through a network or a computer worthy of a ransom. If you had access to sensitive data, you could extort a ransom from the owner of the data.

The CIA Triad for information/data security showing the three main points – availability, integrity & confidentiality

Image source – ibm.com

However, this came with the added trouble of having to find what data was sensitive and what wasn't for each user. For example, imagine social media credentials. They could be very important to one user, while to others, it wouldn't be.

They also had to sort through data to ensure the authenticity of whether the piece of data they have was real or fake. All this was an unnecessary overhead for an attack demanding a ransom or other benefits.

Not to mention the added requirement of having to break encryption which is very common in most data-based systems today.

So, attackers simply took a detour from this concept and started targeting the availability of the data as such. This means that if the data isn’t accessible to the owner, it can’t be of any use and can even create loss if the data is important enough.

In such an approach, rather than worrying about what data is sensitive and what isn’t, the attacker simply seals off access to all data. This is the basic concept adopted by many of the recent ransomware attacks such as WannaCry, DarkSide, or Sodinokibi (REvil).

The WannaCry infection alert left on a computer informing user of the attack and providing the payment method for the ransom

Image source – wikipedia.org

In almost all such cases, the attackers demand the owners of the data to pay a ransom and/or meet certain demands. The attackers don’t allow the owner access to the data unless they meet the attacker’s demands.

Targeting the software

Sometimes, vendors of encryption software ignore their product after release until they encounter a flaw that could potentially cause a system crash. Otherwise, they don't release enough updates or patch any bugs and issues and almost entirely ignore the software.

While the reason for vendors ignoring the software is none of mine or this article’s business, the impact of it definitely is.

Various computing device systems being updated

Image source – arevtech.com

Imagine a new vulnerability is discovered for one of the protocols or technologies used within this software. If the vendor doesn’t bother patching this flaw or releasing updates for it, attackers will definitely target this vulnerability.

This means that, no matter how strong an encryption algorithm is used for the software, it can be brought down with a vulnerability that hasn’t been patched by the vendor.

Furthermore, if updates aren’t regular to keep such encryption software up to date with the latest trends, users tend to lose interest and not install such important patches. They simply leave the app installed with a very low frequency of usage.

Exploiting the human element

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems

– Bruce Schneier (American cryptographer)

Homer Simpson relaxing & using a tablet, while the factory behind is in flames and being destroyed

Image source – The Simpsons TV show

No matter how well secured the data on your system is, the one flaw that can't be 100% prevented is Human error. While I do agree that it can be minimized through efficient awareness and training programs, it still isn't 100% removed because everyone, including you and I, are careless at times.

Putting this into perspective, in an information-based system, it is enough that the user uses a weak master password to access the encryption software. Such weak passwords can be easily cracked by attackers using readily available tools.

Furthermore, due to similar reasons, such systems are also prone to other attacks such as phishing, malware, or even man-in-the-middle attacks to exploit such human flaws.

Human error could also manifest in the form of unpatched software; here, I refer to a user not installing a patch for a vulnerability that was already released by the vendor. A user not installing all updates released by a vendor for such software is the lack of proper awareness of such vulnerabilities.

Cracking an encrypted file

In this section, I aim to crack an encryption and compression system of the WinRAR file compression software. WinRAR uses a 256-bit AES encryption and an in-house compression algorithm for the compression of all data.

While cracking the AES encryption itself would require a gifted genius with access to unlimited computing resources, cracking the WinRAR password for encryption itself is quite simple.

For this exercise, I would be using the Kali Linux OS along with a password cracking tool known as ‘John the Ripper’.

Disclaimer:The password cracking tools shown in this article are for educational purposes only and are not to be used recklessly for malicious activities. Neither I nor CoolTechZone takes any responsibility for damage caused through improper use of these tools.

Step 1 – Creating a target

First, to mount an attack, we need a target or a victim that is password protected. Since attacking a random stranger's data is against the law, I would be creating my own victim file.

The Secret Phrase.txt file holding some secret information

The My Secret folder holding the Secret Phrase.txt file

Not anything fancy, it is a simple .txt file named 'Secret Phrase.txt’, with some content (will be revealed later). The file is stored within a folder named ‘My Secrets', which is compressed and encrypted using WinRAR in a ZIP format.

The My Secrets folder encrypted with WinRAR in ZIP format with ‘abcde’ as the password

A password is also added to this ZIP file for our purposes. The password is set as 'abcde’ to keep it simple as we do not have the time to crack a more complex password.

Step 2 – Mounting a brute force attack

Next, I download the ‘My Secrets.zip’ to a Kali Linux OS to begin the password cracking process. To begin, I use the ‘zip2john’ command to create a password hash for the zip file and store it in a file named ‘hash.txt’.

The My Secrets.zip file downloaded to a Kali Linux OS

Using the ‘Zip2John’ command to create a password hash for the My Secrets.zip file

The password hash generated for the My Secrets.zip file using John

Now that the password hash is created, it's finally time to run the password cracking tool. This is done using the command 'john’ with the password hash given as input. The tool then brute forces various combinations of characters to find the right password.

The password cracked by John the Ripper tool using the John command

If you have a look at the output, you can see that the password found by the tool is the same as the initial password that I used during the encryption.

Step 3 – A successful attack

Once John the Ripper tool runs successfully, it gives the right password as output which can then be used to extract the ZIP file and access its contents.

Using the cracked password to extract the contents of the My Secrets.zip file

The My Secrets folder extracted from the ZIP file

The Secret Phrase.txt file inside the My Secrets folder

The information stored inside the Secret Phrase.txt file that reads n3v3r_g0nn4_g1v3_y0u_up

This gives me the My Secrets folder, with the text file entitled ‘Secret Phrase.txt’. Opening this file shows the data that the owner(me) was trying to protect.

Implications

As you can see, the contents of the file that I was trying to protect was just a random sentence, but this is not always the case. In some cases, this data could be much more important such as important files, or documents, or even sensitive data of the owner.

In the real world, such password attacks are very common, and even though I only used it against WinRAR with a very simple password, it can be easily scaled up to tackle bigger challenges.

Also, even though I only demonstrated a password attack here, data can be exploited in a variety of ways, even if it is encrypted. Like I said before, various Ransomware attacks run only based on this concept where they don't care about any data encryption but simply block all access to the data.

Improving data security

Encrypted data, at the end of the day, even with all its benefits, is very vulnerable to quite a few different types of attack. In this section, we will be looking at a few different methods of preventing such attacks against data that has already been encrypted.

Malware protection

Antivirus or antimalware is the most basic protection for any system against all sorts of computer viruses or malware. The data in a system infected with malware are vulnerable to all kinds of attacks.

The Bitdefender antivirus interface showing various options to scan the computer

Image source – bitdefender.com

92% of malware is delivered through email into a system as part of a phishing attack, where the user is tricked into downloading a seemingly innocent file or software. Once the user downloads the malware into their computer, it then “activates” and begins to run its operations.

The basic operations of malware include, but are not limited to, the following:

  1. Transmit user data as well as activity to the attacker
  2. Allow the attacker remote access to the system
  3. Allow the attacker to control the computer remotely
  4. Crash the computer or make all data inaccessible to the user

All of the aforementioned can be avoided simply by installing antivirus software on your computer. Some new of most antivirus software even scan for vulnerabilities in the system that an attacker can exploit.

Personally, I would recommend you use Bitdefender or McAfee antivirus, as they store almost all malware signatures and can identify them quickly. Furthermore, they also have vulnerability scans, online payment protection, and internet security.

User awareness

Like I’ve mentioned plenty of times before, the human element of any system is one of the most vulnerable aspects of it. Therefore, to make a system completely safe, it is of paramount importance that human error is kept to a minimum.

A basic user using a computer

Image source – osibeyond.com

Users need to be extra careful while browsing the internet and downloading data from various websites. Attackers also try to exploit the user's computer by sending them malicious links or files that, when opened, infect the computer with malware.

Lack of user awareness also manifests as weak passwords for various important applications and website logins. Such weak passwords can be easily cracked using simple tools, as shown in the earlier section.

A few points to keep in mind could be:

  • Be mindful of the links, websites, and files you access on the internet
  • Don’t give out your personal information or passwords to anyone whom you don’t trust
  • Use long and complex passwords with alphabets, numbers, and special characters
  • Regularly install updates for your computer and every software you installed, when available
  • Always use antivirus or antimalware software while you are using your computer or the internet

Backups

After all the precautions you take, it is still not guaranteed that your data will not be exploited by a malicious attacker. A simple ransomware attack could have you lose all your important data if you can't afford to or don't want to pay the ransom.

Furthermore, it is always good to have a contingency plan or a plan B that you can deploy in the worst-case scenario.

For this reason, always keep a backup of your most valuable data in an offline data storage such as an external hard drive. Even in case of a total compromise of your computer where you end up losing a lot of important data, you wouldn’t have to start from scratch.

A poster for the WD My Passport external hard drive

Image source – amazon.in

You must keep the backup stored offline so that no one besides yourself can access it through means of a wireless or remote connection. Most external hard drives these days also offer their own encryption along with password protection.

The WD My Passport would be a good place to start if you’re looking for a good hard drive that offers good security as well.

Infographics

Infographics for data encryption and security with various statistics about data breaches as well as tips to improve security

Feel free to share the code of infographics

<iframe width="574" height="2597" frameborder="0" scrolling="no" style="overflow-y:hidden;" src="/sites/default/files/pictures/data-protection/data-encryption-isnt-enough/data-encryption-isnt-enough-26.jpg"></iframe>

Conclusion

With the advancements of technology both on the user side as well as that of a malicious hacker, the importance of data security has only increased exponentially. This also means that not one method of data security is enough on its own to protect data.

Even though the method of data protection explored in this article is data encryption, the points also apply to other forms of data security procedures.

So, it is of paramount importance that data is protected using a combination of all different methods of security, as explained in this article.

If you enjoyed reading this article or have any suggestions or experience to share, please let us know by leaving a comment below.

Author
Rakesh Naik
Freelance Cyber Security Analyst and Writer practicing in Infosec Assessment.

Leave a comment

click to select