Page 137 - Cyber Defense eMagazine September 2022
Never make your own keys – physical or digital
When it comes to managing access keys in the physical world, the process is straightforward.
Companies give keys to employees, landlords to tenants, car dealers to car buyers. No one thinks they
need to become a locksmith and cut their own keys; keys are simply received and used. The
misconception started when we moved to the digital world and people came to believe they had to make their own
keys. That is both inefficient and unnecessary. Just as you do not need to cut your own keys,
you do not need to create or remember passwords. After all, a password is just a digital key.
The main difference between a physical and a digital key is the absence of physical obstacles to stealing
a digital one. In the physical world, a thief has to be within reach of the key to steal it. In the digital
world, a thief can be anywhere in the world and phish or guess your digital keys, your passwords.
So the question is how to ensure those keys are not stolen. The answer lies in history: keep them
secret.
Solution: encrypt all digital keys!
As narrated in The Code Book: The Secrets Behind Codebreaking by Simon Singh, people throughout
history have used cryptography to keep secrets. For digital keys, the best way to keep passwords secret
from anyone, the user included, is to keep them encrypted from creation through distribution, storage and
use until expiry, because you cannot leak what you do not know. The password still has to be decrypted at the
moment it is presented to the target system, so the protection is that no person ever sees it, not that it
never exists in the clear.
Passwords keep the same properties as keys: they are flexible, changeable, discardable and work
for anything. Encrypting all digital keys takes the human element out of credential handling, and the human
element was involved in 82% of breaches according to Verizon's Data Breach Investigations Report 2022. Not
only would it remove the risks of weak and reused passwords, it would also stop attackers from
stealing or buying the credentials of current and former employees, as was recently the case at
two dozen major natural gas suppliers and exporters.
There are different ways to manage encrypted passwords for different needs. In the business world, a
company can generate an end-to-end encrypted password for every system and distribute it to each employee inside
a vault with multiple layers of security. End-to-end encryption takes the passwords out of the employees'
hands: they can only use them as keys to open doors, without needing to know or see them. An employee who
does not know a password cannot hand it over in a phishing attack, which accounted for 83% of cyber-attacks
according to the Office for National Statistics in 2021. An employee who does not know a password cannot
forget it either, which saves organisations money on password resets and lost productivity.
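The vault model described here, and the "encrypt from creation to expiry" idea of the previous section, as an added example in Go. This is illustrative code written for this page, not code from the article or from any product it discusses. It assumes a single generated 32-byte vault key shared by the administrator and the employee's client (a real product would wrap that key per employee during enrolment), uses AES-256-GCM with the system name as associated data so a sealed record cannot be re-bound to a different system, and the system name vpn.example.internal is a made-up placeholder. Passwords are generated with the OS CSPRNG, stored only in sealed form, and handed to a login callback without ever being returned to the caller, so the employee never sees them and therefore cannot be phished for them or forget them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
)

const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~"

// Credential is all the vault keeps per system: name, GCM nonce, AES-GCM ciphertext and tag.
type Credential struct {
	System string
	Nonce  []byte
	Sealed []byte
}

// Vault seals credentials under a generated 32-byte key (AES-256-GCM). Assumption of
// this example: admin and client share that key; a real product wraps it per employee.
type Vault struct {
	gcm     cipher.AEAD
	Entries map[string]Credential // sealed records only; safe to distribute
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{gcm: gcm, Entries: map[string]Credential{}}, nil
}

// GeneratePassword draws n characters uniformly from passwordAlphabet with the OS CSPRNG.
func GeneratePassword(n int) ([]byte, error) {
	pw := make([]byte, n)
	for i := range pw {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(passwordAlphabet)))) // no modulo bias
		if err != nil {
			return nil, err
		}
		pw[i] = passwordAlphabet[idx.Int64()]
	}
	return pw, nil
}

// zero wipes a plaintext buffer as soon as it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Provision generates a password for system, seals it with the system name as associated data
// (so a record cannot be re-bound to another system), keeps only the sealed record and wipes
// the plaintext: nobody, the employee included, ever sees it.
func (v *Vault) Provision(system string, length int) error {
	pw, err := GeneratePassword(length)
	if err != nil {
		return err
	}
	defer zero(pw)
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.Entries[system] = Credential{System: system, Nonce: nonce, Sealed: v.gcm.Seal(nil, nonce, pw, []byte(system))}
	return nil
}

// Use opens the credential into a temporary buffer, hands it to login (the browser extension or
// SSH agent of a real client) and wipes it. The plaintext is never returned, so there is nothing
// to phish and nothing to forget; a wrong key or a tampered record fails closed.
func (v *Vault) Use(system string, login func(password []byte) error) error {
	c, ok := v.Entries[system]
	if !ok {
		return fmt.Errorf("vault: no credential for %q", system)
	}
	pw, err := v.gcm.Open(nil, c.Nonce, c.Sealed, []byte(c.System))
	if err != nil {
		return fmt.Errorf("vault: record for %q failed authentication: %w", system, err)
	}
	defer zero(pw)
	return login(pw)
}

func main() {
	key := make([]byte, 32) // the vault key is generated too: never chosen, typed or seen by a person
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	_ = v.Provision("vpn.example.internal", 24) // hypothetical system name
	err := v.Use("vpn.example.internal", func(pw []byte) error {
		fmt.Printf("login received a %d-character password nobody saw\n", len(pw))
		return nil
	})
	fmt.Println("use:", err)
}
```

The point to check in practice is the shape of the client API: there is no method that returns a password, only one that uses it. Authenticating the system name as associated data means a stolen record for one system cannot be replayed against another, and because GCM authenticates the ciphertext, any tampering in storage or transit makes Open fail rather than hand a corrupted key to the login routine.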
Not your keys, not your data
Conversely, when companies let employees create and control the keys to company data, the company does not
control those keys. Not controlling the keys to the data means not being able to control or protect the
data. Hackers know this, and they know how easy it is to reach any employee and phish or guess their keys, which
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.