Everybody knows that it is easier to hit a stationary target than a fast-moving target. Yet an enormous amount of resources are being used to encrypt data in motion, while any smart hacker (in its negative context of somebody trying to obtain data not intended for them) can tell you that data at rest is that much easier to decode and transmit to a second location.
While everybody has learned that the Internet has massively enabled hacking in regards to corporate data, the actual risks are still largely unknown and efforts seem to be targeted in the wrong places -- with complex and costly (in terms of CPU load) encryption schemes that serve little purpose.
For example, just the other day, I was watching a popular technology show on cable television that explained how Ethernet broadcasts all communications between two computers to all of the nearby computers, thus allowing a hacker with a sniffer (a piece of software that captures network traffic) to see other users' data.
While this was true in the old shared loop days, prior to 1994, in most small, medium and large enterprises today, data is almost always transferred on switched networks, with Ethernet switches retailing for less than $100, and thus is transferred from point to point -- with no visibility of that data by other network-attached devices. This fact alone prevents almost all sniffer-based hacking attempts from outside the corporate data center (and let's face it -- if the hacker is actually physically in the data center itself, you have a very serious and very different problem). The only way to circumvent this would be for the hacker to load their sniffer program onto the actual server itself, but even in this scenario, there would be much simpler ways to access the data directly.
Given this fact, the enormous amount of resources put into encrypting data in flight, traveling over the network, seems disproportionate. For example, iSCSI incorporates IPSec security, which can encrypt data as it is transferred between two devices, preventing a hacker with a sniffer from seeing the contents of that data -- nevermind that the hacker would first be lucky to get access to the data being routed from point to point, but they also would have to know ahead of time which packets to capture and decrypt from the thousands of packets per second traveling over a particular network segment.
For a long time, this danger was perceived as so great that IPSec was almost mandatory for iSCSI traffic, this requirement being removed just prior to the standard's ratification, when the extreme cost to implement any reasonable data rate was fully realized.
Rather than trying to decode thousands of network packets from many different sources, it is a much easier course for the hacker to get to the data where it is resting in a easy-to-read format on the edge device such as a server. Hacking a standard server is much simpler to do. Locating the data and uploading it to a secondary location is much simpler than trying to decode network traffic packet by packet. Given this, the lack of focus on encrypting data while at rest is surprising.
In fact, California has recently passed legislation to force companies to encrypt certain types of data, such as credit card numbers, social security numbers, etc. However, even encryption on disk is only going to prevent the data from being read if somebody were to steal the hard disk, an unlikely event. A clever hacker with a hijacked user account can still log onto the server and read the data as the file system will decrypt the data as it is read from disk and transfer it in its decoded state.
With all the attention being paid to encryption of data in motion, we need new software that introduces keys on both workstations and servers to ensure only trusted users can access the data from trusted workstations. This would raise the security bar and foil remote hacking attempts. In the majority of cases, a continued stream of additional encryption schemes are unlikely to help.
Copyright 2003, Blue Arc Corporation.
This was first published in May 2003