When an executive asks about security keys because of a recent publicized attack or request by security to upgrade, it's a great opportunity to educate. Although the encryption process is complex, part of our job as security professionals is to demystify it so executives and stakeholders can better support the organization’s security.
First, provide context as to why that is an insightful and timely topic. If your organization is like most, there are probably some weak keys / algorithms still in-use given legacy systems. This could be a good time to shine a light on those systems with the aim to encourage business and tech owners to get those updated.
If your organization is already using strong encryption tools, perhaps the keys are not changed as frequently as recommended. Even if doing well operationally, as hackers improve techniques and have access to faster computers, there will come a time for the organization to update its defenses. If the executive gains a better understanding of the encryption process, it will make it easier for you to request resources for upgrades.
Second, explain the goal of encryption process: Force the hacker to guess the key by systemically trying each combination such that the time required to try each combination is longer than the time the key is in-use.
Basically, it’s a relay race between your organization and the hackers. Your organization wants to enter a racehorse and not a donkey. And you want to change out to a new racehorse once it has become exhausted (cracking time is reached).
Third, dive into the methods to achieve the security goal and win the race:
1. Make the key random – Since executives have experience with personal passwords, you should explain that robust keys are randomly assigned to eliminate a dictionary attack. A dictionary attack takes seconds to crack the password and the organization loses the race immediately. (This also reinforces the best practice for personal passwords should also be randomly selected.)
2. Use a long and random key to create many combinations. A lottery analogy may be useful to illustrate. The odds increase dramatically for each additional number added. Approximate odds for:
· 2 numbers -> Odds are 1 in 10
· 3 numbers -> Odds are 1 in 100
· 4 numbers -> Odds are 1 in 2,000
· 5 numbers -> Odds are 1 in 145,000
· 6 numbers -> Odds are 1 in 45,000,000
3. Consider other contributors to a strong encryption process such as the algorithm and block size. Unlike the lottery, an encryption process has more complexity. A car analogy may be helpful. A lighter and aerodynamic car contributes to faster speed. So, making the engine smaller and less powerful can achieve faster acceleration by making the car lighter. (AES-128 is better than Blowfish even though Blowfish offers a longer key because of the AES block size.)
4. Review performance, specifically speed for the good guys to unencrypt. Robust security can’t get in the way of achieving the organization’s mission. Executives will appreciate that business interests really are considered by us security geeks.
5. Determine cracking time for your selected encryption process. Remind executives that even solo hackers (the proverbial guy in his mother’s basement) have access to powerful and cheap computing available from Amazon or other cloud services. If your organization is using a donkey (days to crack), then you must change the key more frequently. Since changing keys can be disruptive to business systems, upgrading to a racehorse provides business benefits.
6. Change the key regularly based on cracking time. Remember it’s a race and the time the key is useful has an expiration date.
7. Review cracking time at least annually because cracking time is constantly reduced with computer advances. You can mention that the organization checks NIST or other trusted source for guidance.
Keep the executive team updated on regular basis, such as including this topic on your security scorecard and addressing in the annual risk report. Any security professional worth his salt (pun intended) will make the effort to educate your executives, business partners and tech leaders. An informed organization is one of your best security tools.