Differently vulnerable and not more vulnerable

February 11, 2008

Bryan Betts writes at security.itworld.com that “Encryption could make you more vulnerable, warn experts”. I’ve to vigorously disagree! Data encryption creates a different kind of attack vector, but that is not such a good headline I guess. Sure DOS attacks against the key infrastructures must be added to the list, but it helps against simpler attacks like the “loss” of a medium. As that kind of attack is much easier to execute, encryption even decreases the target surface.

Conclusive I can say this news is provided by some consulting firms which want sell to scared companies. Nonetheless you should always keep an eye on the processes you implement concerning DOS attacks. An example for a bad process is a remote access via SSL VPN which disables a user account not only on the VPN server after some failed logins but on the backend too (like an Active Directory). An attacker needs only a guess the user name, which is not that hard most of the times (email address part before the @ is a good start in most cases) to make it impossible for a given user to work.

In summary all things come with inherent risks, and the risks of any particular action must be weighed against the rewards thereof. Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 35 queries. 0.070 seconds.