Documents recently leaked by former National Security Agency contractor Edward Snowden allege that the NSA has been involved in wholesale harvesting of encrypted Internet communications in a project referred to internally as Bullrun. These allegations have had a dramatic impact on the information security community. We have based the protection of our organizations on the very technologies and tools that NSA Bullrun is exploiting. We have relied on government standards organizations to test and certify new encryption technologies without doubting their intentions. Our trust has been violated by the very organization that was supposed to be defending us in cyberspace, changing the foundation of infosec management and the way we protect corporate data overnight.
In light of the NSA Bullrun program, it is time to revisit how to protect corporate data, including whether encryption still plays a part.
NSA Bullrun: How enterprises should respond
In the leaked Bullrun documents, the nation's top crypto-cracking agency is described as using a number of different methods to secretly decrypt Internet communications, including requiring tech companies to turn over private encryption keys, compromising endpoints where private encryption keys are stored and even weakening published encryption standards to allow for easier brute-force cracking. Bullrun also mentions the existence of a database of private encryption keys for many commercial software products that can be used when all other decryption methods prove unsuccessful. There is even a reference to forcing American companies to install backdoors into computer hardware ordered by a foreign intelligence agency.
One of the most troubling aspects of project Bullrun is the confirmation that backdoors have been installed in commercial hardware and software. Backdoors pose a particularly high level of risk because they may be used by anyone, not just the NSA. The best way to mitigate this risk is to migrate away from proprietary technologies and utilize open source options wherever possible, with the highest priority being to migrate infrastructure services to open source equivalents. There are also excellent open source alternatives for file services, DNS, DHCP, certificate management, Web services, routing, IDS/IPS, and firewalls. Firewalls should probably be addressed first from this list as they perform one of the most critical roles in the network. They are also invaluable for monitoring and identifying any unusual network traffic that could be an indication of backdoors installed in other infrastructure.
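As an added illustration of the firewall-monitoring point above (example code written for this edit, not the author's), the following Go program reviews constructed firewall connection records for infrastructure hosts that initiate connections to ports they have no business reaching, the kind of traffic a backdoor in a DNS or DHCP server would produce. The log format, the host addresses and their expected port sets are all assumptions for the example; parseRecord and expectedPorts are the parts to adapt to a real firewall and real servers.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample of firewall connection records for this example. The
// format is assumed (action src dst dport proto); real firewalls log
// differently, so parseRecord is the part to adapt.
const sampleLog = `ALLOW 10.0.0.53 10.0.0.10 53 udp
ALLOW 10.0.0.53 192.0.2.45 443 tcp
ALLOW 10.0.0.67 10.0.0.53 53 udp
ALLOW 10.0.0.53 198.51.100.7 4444 tcp
DROP 10.0.0.67 203.0.113.9 22 tcp
ALLOW 10.0.0.67 10.0.0.10 443 tcp`

// Hypothetical infrastructure hosts and the only destination ports each one
// is expected to initiate connections to. Anything else deserves a look.
var expectedPorts = map[string]map[int]bool{
	"10.0.0.53": {53: true, 853: true}, // internal DNS resolver: plain DNS and DoT upstream only
	"10.0.0.67": {53: true},            // DHCP server: should only ever need DNS
}

// Address space considered internal; connections leaving it are higher risk.
var internalNets = []string{"10.0.0.0/8"}

type Record struct {
	Action, Src, Dst, Proto string
	DPort                   int
}

type Finding struct {
	Rec      Record
	External bool // destination is outside internalNets
}

func parseRecord(line string) (Record, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Record{}, fmt.Errorf("unexpected field count in %q", line)
	}
	port, err := strconv.Atoi(f[3])
	if err != nil {
		return Record{}, fmt.Errorf("bad port in %q: %w", line, err)
	}
	return Record{Action: f[0], Src: f[1], Dst: f[2], DPort: port, Proto: f[4]}, nil
}

func isInternal(addr string) bool {
	ip := net.ParseIP(addr)
	for _, cidr := range internalNets {
		_, n, err := net.ParseCIDR(cidr)
		if err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Review returns every permitted connection initiated by a monitored
// infrastructure host to a port outside that host's expected set. Dropped
// connections are skipped: the firewall already stopped those.
func Review(log string) ([]Finding, error) {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		rec, err := parseRecord(line)
		if err != nil {
			return nil, err
		}
		allowed, monitored := expectedPorts[rec.Src]
		if rec.Action != "ALLOW" || !monitored || allowed[rec.DPort] {
			continue
		}
		out = append(out, Finding{Rec: rec, External: !isInternal(rec.Dst)})
	}
	return out, nil
}

func main() {
	findings, err := Review(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		tag := "internal"
		if f.External {
			tag = "EXTERNAL"
		}
		fmt.Printf("%s -> %s:%d/%s unexpected (%s destination)\n",
			f.Rec.Src, f.Rec.Dst, f.Rec.DPort, f.Rec.Proto, tag)
	}
}
```

Run against the constructed sample, this flags the resolver's connections to two external hosts on 443 and 4444 and the DHCP server's internal connection on 443; the dropped SSH attempt is not reported because the firewall already blocked it. The value of the approach is that it works from what infrastructure hosts should do, so it does not depend on recognizing any particular implant.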
The NSA Bullrun leaks also divulged that corporations providing technical services or software were being compelled to give up their private keys to allow unfettered access to their encrypted data communications. To mitigate this risk, companies should consider moving private key management to an in-house certificate authority. Once a company is managing its own keys, it should be sure to generate private keys using strong encryption algorithms such as AES to limit the potential of brute-force attacks. Despite a rising distrust of encryption recently, it seems clear from the Bullrun information that strong encryption is still the best defense against intercepted communications; otherwise, access to these private keys would not have been necessary for the NSA's activities.
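The in-house certificate authority described above, as an added example that is not part of the original article: a minimal Go CA using only the standard library. It generates the root signing key on premises, issues a server certificate over a public key the server made itself, and verifies the resulting chain against the internal root alone rather than the public root store. ECDSA P-256 is the key type chosen for this example, and the organization name and hostname are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InternalCA is the in-house root; its signing key never leaves the organization.
type InternalCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKey generates a P-256 key pair (this example's choice of key type): once
// for the root, and on each server for its own leaf key, so no private key travels.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewInternalCA creates the root key and a self-signed, ten-year CA certificate.
func NewInternalCA(name string) (*InternalCA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InternalCA{Key: key, Cert: cert}, nil
}

// Issue signs a one-year server certificate for host over a public key the
// server generated itself (the CSR model), so the CA never holds the leaf key.
func (ca *InternalCA) Issue(host string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, // random 128-bit serials: unpredictable, never reused
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify checks that cert chains to this root, and only this root, for host.
func (ca *InternalCA) Verify(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, err := NewInternalCA("Example Corp Internal Root (hypothetical)")
	if err != nil {
		panic(err)
	}
	serverKey, _ := NewKey() // in practice generated on the server itself
	leaf, err := ca.Issue("intranet.example.internal", &serverKey.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued", leaf.Subject.CommonName, "chain ok:", ca.Verify(leaf, "intranet.example.internal") == nil)
}
```

Two design points matter more than the code size. The root key is created in the process that will use it and is only ever passed to CreateCertificate, never serialized to a third party; and Verify trusts a pool containing the internal root alone, which is what internal clients should be configured with so that a certificate from any other issuer, however well known, is rejected.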
The risk of unauthorized covert access to data stored by cloud providers is more difficult to mitigate. Cloud service providers, possibly including those outside the U.S., are seemingly being forced to comply with government demands for access to customer data. There are some instances where company data can be protected by using a private encryption key that is not stored by the cloud service, which could be an effective mitigation strategy for data storage in the cloud. Many cloud services will not be compatible with this encryption methodology, however, so these services should be evaluated for migration to a private cloud where key management can remain in the purview of the customer.
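The cloud mitigation the paragraph describes, encrypting with a key the provider never holds, as an added Go example that is not the author's code: the object store is simulated by an in-memory map standing in for the provider, the key is generated and kept locally, and AES-256-GCM with the object name as associated data means the provider stores only ciphertext and any tampering, wrong key or re-filing under another name is detected on read. How the local key is protected (an HSM or a self-hosted KMS) is outside the example, and the object names and contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for a third-party object store. It only ever receives
// ciphertext, so a demand served on the provider yields nothing readable.
type CloudStore map[string][]byte

// NewLocalKey creates the 256-bit AES key that stays on premises. Where it is
// kept (HSM, self-hosted KMS, sealed config) is outside this example.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts data with AES-256-GCM before it leaves the company, binding the
// object name as associated data so a blob cannot be silently re-filed under
// another name. The random nonce is stored as a prefix of the blob.
func Put(store CloudStore, key []byte, name string, data []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[name] = gcm.Seal(nonce, nonce, data, []byte(name))
	return nil
}

// Get fetches and decrypts; tampering, a key mismatch or a name swap makes the
// authentication tag fail, so the caller gets an error rather than garbage.
func Get(store CloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	store := CloudStore{}
	// Constructed sample record; the provider never sees these bytes in clear.
	if err := Put(store, key, "hr/payroll.csv", []byte("alice,1000\nbob,1200\n")); err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d opaque bytes\n", len(store["hr/payroll.csv"]))
	plain, err := Get(store, key, "hr/payroll.csv")
	fmt.Printf("owner reads back %q (err=%v)\n", plain, err)
}
```

This is the property the paragraph is after: the provider can be compelled to hand over everything it stores and still disclose nothing, because decryption requires a key it was never given. It also shows the compatibility limit the paragraph mentions: a service that needs to index, search or render the stored content cannot do so on these blobs, which is why such services are candidates for a private cloud instead.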
The shocking news of project Bullrun has served as a much-needed wake-up call for all of us in the information security field. The technologies that we trusted to keep us secure have instead been used for mass surveillance. Even worse, the types of attacks highlighted in the NSA Bullrun documentation could be performed by many other malicious actors on the Internet. Companies must respond by developing new mitigation strategies, such as the use of open source infrastructure, internal private key management and private cloud hosting, to protect critical data assets. Bullrun has shown that the threat landscape on the Internet has evolved and information security must evolve with it.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in health care information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.