Differently vulnerable and not more vulnerable

February 11, 2008

Bryan Betts writes at security.itworld.com that “Encryption could make you more vulnerable, warn experts”. I have to vigorously disagree. Data encryption creates a different kind of attack vector, but that would not make such a good headline, I guess. Sure, denial-of-service (DoS) attacks against the key management infrastructure must be added to the list, but encryption protects against far simpler attacks, such as the “loss” of a storage medium. Since that kind of attack is much easier to carry out, encryption reduces the attack surface rather than increasing it.

In conclusion, this news comes from consulting firms that want to sell something to scared companies. Nonetheless, you should always keep an eye on the processes you implement with regard to DoS attacks. An example of a bad process is remote access via an SSL VPN that, after a few failed logins, disables the user account not only on the VPN gateway but also on the backend (such as Active Directory). An attacker then only needs to guess the user name, which is not that hard most of the time (the part of the e-mail address before the @ is a good start in most cases), to make it impossible for that user to work at all.
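To make the lockout problem concrete, here is a small model of that VPN-plus-directory setup, added for this post and not taken from any real product: the “bad process” variant escalates a few failed VPN logins into a disabled backend account, while the hardened variant throttles at the VPN edge only, with a time-limited soft lock and an alert. All account names, passwords, IP addresses (TEST-NET ranges) and the 900-second window are constructed sample values.

```python
"""Added example: the account-lockout denial of service described in the post.

Models an SSL-VPN front end in front of a directory such as Active Directory
in two configurations: the bad process (failed VPN logins disable the backend
account) and a hardened one (throttling at the VPN edge only, time-limited,
alerted). Names, addresses and passwords are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}  # constructed


def guess_usernames(emails):
    """User-name enumeration as the post describes it: the local part of an
    e-mail address is usually the account name."""
    return [addr.split("@", 1)[0].lower() for addr in emails if "@" in addr]


@dataclass
class Directory:
    """Backend user store. A disabled account fails everywhere: VPN,
    workstation logon, mail."""
    passwords: dict
    disabled: set = field(default_factory=set)

    def authenticate(self, user, password):
        if user in self.disabled:
            return False
        return self.passwords.get(user) == password


@dataclass
class VpnGateway:
    directory: Directory
    threshold: int = 3
    window: float = 900.0           # seconds a failure counts toward a soft lock
    propagate_lockout: bool = True  # True reproduces the bad process
    failures_by_user: dict = field(default_factory=lambda: defaultdict(list))
    failures_by_source: dict = field(default_factory=lambda: defaultdict(list))
    alerts: list = field(default_factory=list)

    def login(self, user, password, source_ip, now):
        if self.propagate_lockout:
            return self._login_bad(user, password, now)
        return self._login_hardened(user, password, source_ip, now)

    def _login_bad(self, user, password, now):
        ok = self.directory.authenticate(user, password)
        if not ok:
            self.failures_by_user[user].append(now)
            if len(self.failures_by_user[user]) >= self.threshold:
                # Weak process: a few failed VPN logins disable the directory
                # account itself. No password was needed, only the user name,
                # and only an administrator can undo it.
                self.directory.disabled.add(user)
        return ok

    def _recent_failures(self, timestamps, now):
        # Drop failures outside the window so a soft lock expires by itself.
        timestamps[:] = [t for t in timestamps if now - t < self.window]
        return len(timestamps)

    def _login_hardened(self, user, password, source_ip, now):
        # Throttle per source and per account at the VPN only. The backend
        # account is never disabled, so the attacker cannot reach the LAN
        # logon, and the VPN-side lock expires with the window.
        if self._recent_failures(self.failures_by_source[source_ip], now) >= self.threshold:
            self.alerts.append(f"{now}: throttled source {source_ip}")
            return False
        if self._recent_failures(self.failures_by_user[user], now) >= self.threshold:
            self.alerts.append(f"{now}: soft lock on {user} (VPN only)")
            return False
        ok = self.directory.authenticate(user, password)
        if not ok:
            self.failures_by_source[source_ip].append(now)
            self.failures_by_user[user].append(now)
        return ok


def simulate(propagate_lockout, attempts=5):
    """Attacker knows only the victim's e-mail address; returns what each
    party can still do afterwards."""
    directory = Directory(dict(SAMPLE_PASSWORDS))
    vpn = VpnGateway(directory, propagate_lockout=propagate_lockout)
    victim = guess_usernames(["Alice@example.com"])[0]
    attacker_ip, victim_ip = "203.0.113.5", "198.51.100.7"  # TEST-NET addresses
    for i in range(attempts):
        vpn.login(victim, f"wrong-{i}", attacker_ip, now=float(i))
    good = SAMPLE_PASSWORDS[victim]
    return {
        "backend_account_disabled": victim in directory.disabled,
        "victim_workstation_login": directory.authenticate(victim, good),
        "victim_vpn_login_soon": vpn.login(victim, good, victim_ip, now=60.0),
        "victim_vpn_login_later": vpn.login(victim, good, victim_ip, now=60.0 + vpn.window),
        "alerts": len(vpn.alerts),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("propagate_lockout =", flag, simulate(flag))
```

With `propagate_lockout=True`, five wrong guesses against a guessed user name leave the backend account disabled, so the victim can neither log in at the workstation nor at the VPN until an administrator intervenes. With the hardened settings the same guesses are throttled at the gateway and raise alerts, the workstation logon keeps working, and the VPN-side soft lock lets go once the window has passed. The remaining exposure is a temporary VPN lockout for the targeted user, which is why per-source throttling and a second factor belong in the same design.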

In summary all things come with inherent risks, and the risks of any particular action must be weighed against the rewards thereof. Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.

