This blog just leveled up. My good friend and colleague Bryon Singh, Director of Security Operations at Railworks Corporation has agreed to collaborate on this blog to bring not only the WHY but also the WHAT & HOW to becoming more secure. Hope you enjoy!
Steve’s Thoughts
When it comes to protecting sensitive data, encryption is the secret handshake of the cybersecurity world. It's like the clandestine cult language that ensures your information remains secure and impervious to prying eyes. For this CIS Safeguard, encryption is the holy grail, the mystical artifact that shields your data from the clutches of cyber villains.
Picture yourself as a member of an ancient encryption cult, surrounded by cryptographers draped in mysterious robes, diligently crafting unbreakable codes. Each line of code is a sacred incantation, carefully constructed to transform your data into an indecipherable puzzle, confounding even the most skilled adversaries. The encryption cult knows that vulnerabilities lurk in the shadows, waiting to exploit any weakness in your security defenses.
Just as cult members remain ever vigilant, so too must you, as a guardian of your organization's cybersecurity. Encryption becomes your talisman, protecting the sanctity of your digital realm. It fortifies your data with unbreakable barriers, ensuring that only those who possess the sacred key can unlock its secrets.
In the world of cybersecurity, encryption is the revered cult leader, guiding organizations towards secure and impenetrable defenses. Embracing CIS Control Version 8: 3.6 means adopting encryption as a fundamental practice within your data management strategy. By doing so, you join the ranks of the cybersecurity faithful, harnessing the power of encryption to protect your organization's most valuable asset: its data. So, let the encryption cult be your guiding light as you navigate the intricate labyrinth of cybersecurity, ensuring your organization remains safe and resilient in the face of ever-evolving threats.
Bryon’s Thoughts
This practice not only shields data from unauthorized access, but also safeguards it in case of device loss, theft, or compromise. In light of the growing trend towards remote working and Bring Your Own Device (BYOD) policies, adherence to this safeguard is no longer optional but an imperative. Data encryption transforms readable data into a coded format, only decipherable with the correct encryption key. Without access to this key, the encrypted data remains inaccessible, thereby preserving its security.
First, encrypting data on end-user devices across your company involves a series of strategic steps to ensure that all sensitive data on those devices is actually encrypted:
- Define What Constitutes Sensitive Data
- Identify the End-User Devices Holding Sensitive Data
- Choose Suitable Encryption Tools
- Develop an Encryption Policy
- Train Your Staff
- Implement the Encryption
- Monitor and Audit
- Plan for Key Recovery
Secondly, in today's highly digitized world, securing end-user devices is not just an option, but a necessity. With the help of native encryption tools like BitLocker, FileVault, and dm-crypt, implementing this safeguard becomes a manageable and effective task.
Windows: BitLocker
BitLocker is a full-disk encryption feature that comes standard with Microsoft Windows, designed to protect data by offering encryption for entire volumes. By default, it uses Advanced Encryption Standard (AES) algorithms, with a 128-bit or 256-bit key that ensures strong data protection.
BitLocker can be activated through the 'BitLocker Drive Encryption' panel in the Windows Control Panel. The encryption process is simple and includes additional authentication mechanisms, such as Trusted Platform Module (TPM), PIN, or USB key, to ensure enhanced security.
macOS: FileVault
FileVault is a disk encryption program available in Mac OS X 10.3 and later. It leverages XTS-AES-128 encryption with a 256-bit key to thwart unauthorized access to information on the startup disk.
FileVault is activated through the 'Security & Privacy' tab in the System Preferences panel. After activation, the software encrypts the entire drive. Users must enter their password or recovery key to access their information, making it a reliable security layer.
Linux: dm-crypt
For Linux users, dm-crypt offers a transparent disk encryption subsystem. It is built on the device mapper infrastructure, which provides a virtual layer of block devices, and so supports flexible disk encryption options, including whole-disk and partition encryption.
Linux Unified Key Setup (LUKS), based on dm-crypt, is the standard disk encryption format on Linux. Cryptsetup and similar tools can be used to manage LUKS-encrypted volumes, providing high security and flexibility.
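As an added example that is not from this post or from the cryptsetup project, the following POSIX shell script ties the dm-crypt/LUKS section to the "Monitor and Audit" and "Plan for Key Recovery" steps above: it checks whether the root filesystem is backed by a crypt device and whether every LUKS container keeps at least two key slots (a user passphrase plus a recovery key, an assumed policy threshold, not a CIS number). The lsblk and luksDump samples are constructed, and the live audit only runs when AUDIT_LIVE=1 is set.

```shell
# Added example, not from the post or the cryptsetup project: audit a Linux
# host for (1) a root filesystem backed by dm-crypt and (2) every LUKS
# container keeping a second key slot for recovery. Parsing lives in pure
# functions so the checks can be exercised against constructed sample output.

# Returns 0 if any device in an `lsblk -s -o TYPE` ancestry chain is "crypt";
# this covers LVM-on-LUKS, where the crypt layer is an ancestor of the mounted LV.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*crypt[[:space:]]*$'
}

# Prints the number of enabled key slots in `cryptsetup luksDump` output.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under Keyslots.
count_luks_keyslots() {
    printf '%s\n' "$1" | grep -Ec '^Key Slot [0-9]+: ENABLED|^[[:space:]]+[0-9]+: luks2'
}

# Assumed policy value: user passphrase plus one recovery key per container.
MIN_KEYSLOTS=2

# Live audit (needs findmnt, lsblk, and root for cryptsetup); returns 1 on any
# finding so it can gate a configuration-management or compliance run.
audit_luks_host() {
    rc=0
    src=$(findmnt -n -o SOURCE /) || return 2
    src=${src%%\[*}   # drop a btrfs "[/subvol]" suffix if present
    if chain_has_crypt "$(lsblk -n -s -o TYPE "$src")"; then
        echo "OK: / ($src) is backed by dm-crypt"
    else
        echo "FAIL: / ($src) is not backed by dm-crypt"; rc=1
    fi
    for dev in $(lsblk -n -r -o PATH,FSTYPE | awk '$2 == "crypto_LUKS" {print $1}'); do
        n=$(count_luks_keyslots "$(cryptsetup luksDump "$dev")")
        if [ "$n" -ge "$MIN_KEYSLOTS" ]; then
            echo "OK: $dev has $n key slots"
        else
            echo "FAIL: $dev has $n key slot(s); enroll a recovery key"; rc=1
        fi
    done
    return $rc
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CHAIN_LVM_ON_LUKS=$(printf 'lvm\ncrypt\npart\ndisk')
SAMPLE_CHAIN_PLAIN=$(printf 'part\ndisk')
SAMPLE_LUKS2_DUMP=$(printf 'Keyslots:\n  0: luks2\n  1: luks2\nTokens:\n  0: systemd-recovery')
SAMPLE_LUKS1_DUMP=$(printf 'Key Slot 0: ENABLED\nKey Slot 1: DISABLED')

# Run the live audit only on request so the file is safe to source for tests.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then audit_luks_host; fi
```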
Remember that the objective is to protect sensitive data and reduce the potential damage from lost or stolen devices.
Here’s a link to a Data Management Policy Template provided free of charge from the fine folks at Center for Internet Security:
https://www.cisecurity.org/insights/white-papers/data-management-policy-template-for-cis-control-3
Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Implementation Group 1
CIS Safeguard 3.6 – Encrypt Data on End User Devices
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt