This content is part of the Security School: CISSP Domain 2: Asset security

How to use data encryption tools and techniques effectively

Data protection does not have a one-size-fits-all solution. Understand which encryption tools and methods best fit different scenarios.

The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 2 provides a comprehensive overview of which data encryption tools, techniques and protocols can most effectively protect different types of media.

The protection of stored data is often a key requirement for an organization’s sensitive information. Backup tapes, off-site storage, password files and many other types of sensitive information need to be protected from disclosure or undetected alteration. This is done through the use of cryptographic algorithms that limit access to the data to those who hold the proper encryption (and decryption) keys. (Note: Because password files are hashed instead of encrypted, there are no keys to decrypt them.) Some modern cryptographic tools also permit the condensing or compressing of messages, saving both transmission and storage space.

Malicious users may gain unauthorized physical or logical access to a device, transfer information from the device to an attacker’s system and perform other actions that jeopardize the confidentiality of the information on a device.

Removable media recommendations

Removable media and mobile devices must be properly encrypted following the guidelines below when used to store covered data. Mobile devices include laptops, tablets, wearable tech and smartphones.

1. Develop and test an appropriate data recovery plan.
2. Use compliant data encryption tools and algorithms.

a. Whenever possible, use the Advanced Encryption Standard (AES) as the encryption algorithm because of its strength and speed. For more information, refer to NIST's Guide to Storage Encryption Technologies for End User Devices (NIST SP 800-111).

3. When creating a password, follow strong password requirements. Do not use the same password from other systems. Passwords must:

a. Contain nine characters or more
b. Contain characters from two of the following three character classes:

• Alphabetic (e.g., a-z, A-Z)
• Numeric (i.e., 0-9)
• Punctuation and other characters (e.g., !@#$%^&*()_+-={})

4. Use a secure password management tool to store sensitive information such as passwords and recovery keys.

a. Where passwords need to be shared with other users, ensure that passwords are sent separately from the encrypted file (e.g., call the person to verbally communicate the password).
b. Do not write down the password and store it at the same location as the storage media (e.g., Post-it note with the password next to the encrypted USB drive).

5. After the covered data is copied to removable media:

a. Verify that the copy is usable by reading and decrypting the encrypted covered data from the removable media itself.
b. If applicable, securely delete the unencrypted copy of the covered data following secure deletion guidelines.

6. Removable media (e.g., CDs, hard disks) should be labeled with the following information:

a. Title. For example, Project ABC
b. Data owner. For example, Snoop Dog
c. Encryption date. For example, 12/1/15

7. When unattended, the removable media should be stored in a secured and locked location (e.g., cabinets, lock boxes, etc.) where access is limited to users on a need-to-know basis.

8. Document the physical location of removable media, along with the label information (specified above), for tracking and future reference.
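As an added example (not from the (ISC)2 guide excerpt), the following Go program carries items 2 to 5 through in code for one file destined for removable media: the passphrase is checked against the item 3 rules, an AES-256 key is derived from it with PBKDF2-HMAC-SHA256, the covered data is sealed with AES-GCM, and the container is read back and verified before the plaintext copy would be deleted. The container layout (magic, salt, nonce, ciphertext), the 600,000-iteration count, the passphrases and the sample data are assumptions of this example, not requirements from the text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"unicode"
)

// Container layout (assumed for this example): magic(4) | salt(16) | nonce(12) | AES-256-GCM ciphertext+tag.
// kdfIters follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256.
const magic, hdrLen, kdfIters = "RMV1", 4 + 16 + 12, 600_000

// CheckPassphrase enforces item 3: nine or more characters from at least two of the three classes.
func CheckPassphrase(p string) error {
	var alpha, num, other int
	for _, r := range p {
		switch {
		case unicode.IsLetter(r):
			alpha = 1
		case unicode.IsDigit(r):
			num = 1
		default:
			other = 1
		}
	}
	if len([]rune(p)) < 9 || alpha+num+other < 2 {
		return errors.New("passphrase needs nine or more characters from at least two character classes")
	}
	return nil
}

// pbkdf2SHA256 derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018), standard library only.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // block index 1 covers 32 bytes
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// gcmFor derives the AES-256 key from the passphrase and the salt stored in the header.
func gcmFor(passphrase string, header []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), header[4:20], kdfIters)) // key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt wraps covered data under the passphrase-derived key (item 2a); the header is
// bound to the ciphertext as associated data so salt and nonce cannot be swapped.
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	if err := CheckPassphrase(passphrase); err != nil {
		return nil, err
	}
	header := make([]byte, hdrLen)
	copy(header, magic)
	if _, err := rand.Read(header[4:]); err != nil { // fresh salt and nonce for every container
		return nil, err
	}
	return append(header, gcmFor(passphrase, header).Seal(nil, header[20:], plaintext, header)...), nil
}

// Decrypt reverses Encrypt; a wrong passphrase or any altered byte fails authentication.
func Decrypt(passphrase string, container []byte) ([]byte, error) {
	if len(container) < hdrLen+16 || string(container[:4]) != magic { // 16 = GCM tag length
		return nil, errors.New("not an encrypted container")
	}
	header := container[:hdrLen]
	pt, err := gcmFor(passphrase, header).Open(nil, header[20:], container[hdrLen:], header)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase or altered data")
	}
	return pt, nil
}

// VerifyCopy is item 5a: read the container back from the media and confirm it decrypts
// to exactly what was written, before the plaintext copy is deleted.
func VerifyCopy(passphrase string, container, original []byte) bool {
	pt, err := Decrypt(passphrase, container)
	return err == nil && string(pt) == string(original)
}

func main() {
	covered := []byte("constructed covered data: project ABC ledger") // sample input
	c, err := Encrypt("Pr0ject-ABC!", covered)
	fmt.Println(err, VerifyCopy("Pr0ject-ABC!", c, covered), VerifyCopy("Wr0ng-pass!", c, covered))
}
```

A production deployment would use a vetted file-encryption product or a reviewed library rather than a hand-written PBKDF2 loop; the point of the block is that authenticated encryption makes the item 5a read-back check meaningful, since a wrong passphrase or a flipped bit is refused instead of silently producing garbage.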

Compliant data encryption tools

The various tools to encrypt data can be divided into three broad categories: self-encrypting USB drives, media encryption software and file encryption software.

Self-encrypting USB drives

Portable USB drives with the encryption engine built into the drive's own hardware, so no software-based data encryption tool has to be installed on the host. Their limitation is that files are protected only while they reside on the drive: a file copied off the drive to be sent by email or another file-sharing channel is no longer encrypted.

Media encryption software

Software that is used to encrypt otherwise unprotected storage media such as CDs, DVDs, USB drives or laptop hard drives. The flexibility of this software allows protection to be applied to a greater selection of storage media. However, the same limitation on collaboration applies to media encryption software as it does to self-encrypting USB drives.

File encryption software 

Allows greater flexibility in applying encryption to specific files. When using file encryption software properly, resource owners can share encrypted files over email or other file-sharing mechanisms while maintaining protection. To share encrypted files, ensure that passwords are shared securely following the recommendations in item four above.

The following is a sample list of data encryption tools that comply with removable media encryption requirements:

[Table: Data encryption tools that meet the removable media encryption requirements]

Data in transit

One of the primary purposes of cryptography throughout history has been to protect messages as they move across various types of media: the intent is to prevent the contents of a message from being revealed even if the message itself is intercepted in transit. Whether the message is carried by hand, over a voice network or via the internet, modern cryptography provides secure and confidential methods to transmit data and allows the integrity of the message to be verified so that any change to it can be detected. Quantum key distribution goes a step further: because observing the quantum channel disturbs it, the communicating parties can, in principle, detect whether an eavesdropper has read what was sent.

Link encryption

Data are encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider on a frame relay network. Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit or T1 line). Because link encryption also encrypts the routing data, each communications node must decrypt the data in order to route it onward: the packet is decrypted and re-encrypted at every node along the channel, so an attacker who compromises a node sees the message in the clear there. In return, because the routing information is encrypted on the wire, link encryption provides better traffic confidentiality than end-to-end encryption. Traffic confidentiality hides the addressing information from an observer, preventing an inference attack based on the mere existence of traffic between two parties.

End-to-end encryption

End-to-end encryption is generally performed by the end user within an organization. The data are encrypted at the start of the communications channel, or before, and remain encrypted until they are decrypted at the remote end. Although the data remain encrypted while they pass through the network, the routing information remains visible. It is possible to combine both types of encryption.

[Table: Comparison of link and end-to-end encryption]
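To make the comparison concrete, here is an added simulation in Go (not part of the original text) of one packet sent from endpoint A through relay node B to endpoint C under link encryption, end-to-end encryption, and both. The keys are constructed in memory: a separate link key per hop, held by the equipment at each end of that hop, and an end-to-end key held only by A and C. The header, payload and key labels are assumptions of the example. The code reports whether the routing header and the payload appear in the clear to a tap on the A-B circuit and to node B after it removes the link layer, and whether C recovers the payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed keys: each link key is held by the equipment at both ends of one
// hop (the carrier); the end-to-end key is held only by endpoints A and C.
var (
	linkKeyAB = sha256.Sum256([]byte("link key A-B"))
	linkKeyBC = sha256.Sum256([]byte("link key B-C"))
	e2eKey    = sha256.Sum256([]byte("end-to-end key A-C"))
)

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key [32]byte, pt []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// unseal reverses seal; every key is known in this simulation, so a failure is a bug.
func unseal(key [32]byte, ct []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		panic(err)
	}
	return pt
}

// Visibility: whether the routing header and the payload appear in the clear.
type Visibility struct{ Header, Payload bool }

// Result: Wire is a tap on the A-B circuit, Node is relay B after it removes any
// link encryption, Delivered is whether C recovered the original payload.
type Result struct {
	Wire, Node Visibility
	Delivered  bool
}

func look(data, header, payload []byte) Visibility {
	return Visibility{bytes.Contains(data, header), bytes.Contains(data, payload)}
}

// Simulate sends one packet A -> B -> C with link and/or end-to-end encryption.
func Simulate(link, e2e bool) Result {
	header := []byte("src=A dst=C")
	payload := []byte("covered data: account 4711, balance 12000")
	// Sender A: end-to-end encryption covers only the payload; the header stays readable for routing.
	body := payload
	if e2e {
		body = seal(e2eKey, payload)
	}
	packet := append(append(append([]byte{}, header...), '|'), body...)
	// Hop A-B: link encryption covers the whole packet, routing header included.
	wire := packet
	if link {
		wire = seal(linkKeyAB, packet)
	}
	res := Result{Wire: look(wire, header, payload)}
	// Relay B must remove the link layer to read the header, so it sees whatever
	// end-to-end encryption did not hide, then re-encrypts for hop B-C.
	atB, next := wire, wire
	if link {
		atB = unseal(linkKeyAB, wire)
		next = seal(linkKeyBC, atB)
	}
	res.Node = look(atB, header, payload)
	// Receiver C strips the link layer, then the end-to-end layer.
	atC := next
	if link {
		atC = unseal(linkKeyBC, next)
	}
	got := atC[bytes.IndexByte(atC, '|')+1:]
	if e2e {
		got = unseal(e2eKey, got)
	}
	res.Delivered = bytes.Equal(got, payload)
	return res
}

func main() {
	fmt.Printf("link only:       %+v\n", Simulate(true, false))
	fmt.Printf("end-to-end only: %+v\n", Simulate(false, true))
	fmt.Printf("both:            %+v\n", Simulate(true, true))
}
```

Under link encryption alone the tap sees neither header nor payload, but node B sees both; under end-to-end encryption alone the header is visible to the tap and to B while the payload is hidden from both; combining the two hides the header from the tap and the payload from B, which is the reason the text notes that both types can be combined.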

Description of risk

Malicious users may intercept or monitor plaintext data transmitted across an unencrypted network and gain unauthorized access to it, jeopardizing the confidentiality of the sensitive data.

Covered data must be encrypted when transmitted across any network to protect against eavesdropping on network traffic by unauthorized users. Even where the source and target endpoint devices are on the same protected subnet, covered data transmission must still be encrypted as recommended below, given the potential for a high negative impact from a covered data breach. The types of transmission may include client-to-server and server-to-server communication, as well as any data transfer between core systems and third-party systems. Email is not considered secure and must not be used to transmit covered data unless additional email data encryption tools are used.

When attempting to secure data in transit, the security practitioner should consider the following recommendations to design secure transmission of data.

1. Where the covered device is reachable via a web interface, web traffic must be transmitted over HTTPS using Transport Layer Security (TLS), with only current protocol versions and strong cipher suites enabled; the older Secure Sockets Layer (SSL) protocols are deprecated and must not be offered.

2. Covered data transmitted over email must be secured using cryptographically strong email encryption tools such as PGP or S/MIME. Alternatively, prior to sending the email, users should encrypt covered data using compliant file data encryption tools and attach it to email for transmission.

3. Non-web covered data traffic should be encrypted via application-level encryption.

4. Where an application database resides outside of the application server, all connections between the database and application should also be encrypted using FIPS-compliant cryptographic algorithms.

5. Where application-level encryption is not available for non-web covered data traffic, implement network-level encryption such as IPsec or a TLS-based tunnel (VPN).

6. Encryption should still be applied when transmitting covered data between devices within protected subnets that have strong firewall controls.
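As an added example (not from the original page), the Go program below puts item 1 and the protocol-version point of item 5 into code: a server tls.Config that refuses SSL 3.0, TLS 1.0 and TLS 1.1 and restricts TLS 1.2 to forward-secret AEAD cipher suites, exercised in-process against a current client, a TLS 1.2-only client and a legacy TLS 1.0/1.1 client. The self-signed certificate for "localhost" and the in-memory net.Pipe transport are assumptions that let it run offline; session tickets are disabled only because that pipe is unbuffered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLS 1.2 allow-list: AEAD suites with forward secrecy only (TLS 1.3 suites are fixed by Go and all qualify).
var approvedTLS12Suites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// ApprovedSuite reports whether a negotiated TLS 1.2 suite is on the allow-list.
func ApprovedSuite(s uint16) bool {
	for _, a := range approvedTLS12Suites {
		if s == a {
			return true
		}
	}
	return false
}

// selfSigned builds an in-memory certificate for "localhost" so the example runs offline
// (assumed for the example; a real server presents a CA-issued certificate).
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// StrongServerConfig refuses SSL 3.0, TLS 1.0 and TLS 1.1 outright and limits TLS 1.2 to the approved suites.
func StrongServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           approvedTLS12Suites,
		SessionTicketsDisabled: true, // only because the unbuffered in-memory pipe cannot carry the ticket flight
	}
}

// handshake runs client and server in-process over net.Pipe and returns what was negotiated.
func handshake(server, client *tls.Config) (version, suite uint16, err error) {
	sc, cc := net.Pipe()
	defer func() { sc.Close(); cc.Close() }()
	deadline := time.Now().Add(3 * time.Second) // a refused handshake must not hang the pipe
	sc.SetDeadline(deadline)
	cc.SetDeadline(deadline)
	srv, cli := tls.Server(sc, server), tls.Client(cc, client)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	err = cli.Handshake()
	if serr := <-done; err == nil && serr != nil {
		err = serr
	}
	if err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

// Try connects a client that trusts the test certificate and is limited to the
// given protocol range (0 = Go's default) to the hardened server.
func Try(clientMin, clientMax uint16) (version, suite uint16, err error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return 0, 0, err
	}
	client := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: clientMin, MaxVersion: clientMax}
	return handshake(StrongServerConfig(cert), client)
}

func main() {
	for _, r := range [][2]uint16{{0, 0}, {0, tls.VersionTLS12}, {tls.VersionTLS10, tls.VersionTLS11}} {
		v, s, err := Try(r[0], r[1])
		fmt.Printf("client versions %#04x-%#04x: negotiated %#04x %s, err=%v\n", r[0], r[1], v, tls.CipherSuiteName(s), err)
	}
}
```

The current client negotiates TLS 1.3, the TLS 1.2-only client gets one of the approved ECDHE AEAD suites (the certificate is ECDSA, so an ECDSA suite), and the legacy client is refused before any application data can flow. The same MinVersion and CipherSuites settings apply unchanged to a tls.Listener or http.Server.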

Examples of insecure network protocols and their secure alternatives include:

[Table: Insecure network protocols and their secure alternatives]

CISSP® is a registered mark of (ISC)².

This was last published in August 2017
