Should I Be Encrypted?

With all the personal data that has been stolen over the last couple of years making headlines, prime time news stories, and an endless barrage of hacker-themed TV programs (Scorpion, Person of Interest, Mr Robot, etc.), cybersecurity has become a mainstream topic of interest.  Everyone wants to know how to protect themselves and their data from attack.  Encryption is beginning to look like one solution that has the ability to defeat all the data exfiltration attacks that have been happening the last several years.

So what is encryption and how easy is it to implement?

The first thing to understand is that all data exists as a numerical value.  Computers convert the letters we use into 8-bit binary numbers. So computers are basically high tech calculators, good at converting numerical (digital) information into the words, sounds, and images that we humans prefer, and at taking our words, sounds, and images and converting them quickly into binary (digital) information streams.  We can encrypt, or “scramble,” this numerical information by multiplying two very large prime numbers and then multiplying the result again by the numerical value of our data.  This data can only be recovered if I have both of the very large prime numbers, called “encryption keys,” so my computer can do the math backwards and recover my original data.  These numbers are so large that trying to “brute force” a decryption is impossible because it would require epoch-like amounts of time.
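As an added illustration (not code from the original post), here is a toy version of the public-key idea the paragraph alludes to, textbook RSA in Go: two random primes are generated, their product becomes the public modulus, the plaintext is handled as one large number, and turning the ciphertext back into that number requires the private exponent derived from the two primes. The key size, the sample message and the function names are my own choices, and the construction omits the padding and hardening a real library adds.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Keypair is a textbook RSA key. N (= p*q) and E are the public half that
// anyone may use to encrypt; D is the private exponent derived from p and q,
// so only the holder of D (or of p and q) can decrypt.
type Keypair struct {
	N, E, D *big.Int
}

// GenerateKeypair picks two random primes of the requested bit length and
// derives the exponents. Toy construction for illustration: no padding,
// no side-channel hardening, not for real use.
func GenerateKeypair(bits int) (*Keypair, error) {
	e := big.NewInt(65537)
	one := big.NewInt(1)
	for {
		p, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		q, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		if p.Cmp(q) == 0 {
			continue
		}
		n := new(big.Int).Mul(p, q)
		phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
		d := new(big.Int).ModInverse(e, phi)
		if d == nil {
			continue // e shares a factor with phi(n); pick new primes
		}
		return &Keypair{N: n, E: e, D: d}, nil
	}
}

// Encrypt reads the plaintext bytes as one big number m and computes
// c = m^e mod n. The number must be smaller than n, which bounds the
// message to roughly the modulus size (about 127 bytes for 1024 bits).
func Encrypt(pub *Keypair, plaintext []byte) (*big.Int, error) {
	if len(plaintext) == 0 || plaintext[0] == 0 {
		return nil, errors.New("plaintext must be non-empty and not start with a zero byte")
	}
	m := new(big.Int).SetBytes(plaintext)
	if m.Cmp(pub.N) >= 0 {
		return nil, errors.New("plaintext too long for this modulus")
	}
	return new(big.Int).Exp(m, pub.E, pub.N), nil
}

// Decrypt computes m = c^d mod n and turns the number back into bytes.
// With the wrong d the result is just a different, meaningless number.
func Decrypt(priv *Keypair, ciphertext *big.Int) []byte {
	return new(big.Int).Exp(ciphertext, priv.D, priv.N).Bytes()
}

func main() {
	kp, err := GenerateKeypair(512) // 1024-bit modulus; far too small for real use
	if err != nil {
		panic(err)
	}
	msg := []byte("patient record 0042") // constructed sample
	c, err := Encrypt(kp, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext as a number: %s\n", new(big.Int).SetBytes(msg))
	fmt.Printf("ciphertext (first digits): %.40s...\n", c.String())
	fmt.Printf("decrypted: %q\n", Decrypt(kp, c))
}
```

Run it with `go run` and the plaintext is printed first as the number the computer actually works with, then as the ciphertext number, then recovered. Brute forcing the private exponent means factoring N, which is what makes the scheme hold up at real key sizes.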

Setting up encryption takes a bit of doing, is not for the faint of heart, and will be the subject of a future post.

Data can be encrypted while in motion, or when sitting still.  We are all familiar with the HTTPS encryption used by our web browser to secure online financial transactions. That is an example of encrypting data in motion, as it travels over the Internet.  When the data arrives at the destination, it is generally decrypted by the receiving server.  What is amazing to me is that often this information is stored in a fully decrypted state, in plain text.  The HIPAA-HITECH regulations actually do not require that stored patient medical records be encrypted in storage, only in transmission.  This is the data gold mine that cyber-criminals are after.

So we need to get serious about encrypting our data when it is at rest, when it is stored on a hard drive or on flash memory.  There are two basic approaches to this:  full-disk encryption or file-level encryption.  Full-disk encryption encrypts everything on the computer’s hard drive, including the applications and the operating system itself.  File-level encryption is used to selectively encrypt some or all of the information stored on the hard drive, but not the operating system and applications.  While full-disk encryption is easier to implement and sounds like better security, this is not necessarily the case.

Full-disk encryption protects your data while it is on the computer, but that data is fully decrypted and sent in plain text when it is transmitted over a network, stored to a cloud service such as Dropbox, or even stored to an external USB backup drive.

File-level encryption encrypts the data in such a way that it is encrypted on the original computer’s hard drive, it remains encrypted in transit across a local network or the Internet or when stored in the cloud, and it can only be decrypted by the recipient if you provide them with the decryption keys.
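To make the file-level property concrete, here is an added example in Go (my own code, not from the original post or any product it mentions): a record is encrypted with AES-256-GCM, the resulting file is copied byte for byte into a second directory standing in for a USB drive or a sync folder, and the copy is opened again with the key. The copy never contains the plaintext, and because GCM authenticates the data, a wrong key or a single flipped byte is reported as an error instead of silently yielding garbage. Key handling is simplified (the key lives only in memory), and the file names and sample record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey returns a fresh random 256-bit AES key. In practice the key would be
// derived from a passphrase or held in a key manager; here it stays in memory.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one file's contents with AES-256-GCM and returns
// nonce || ciphertext || tag. Nothing in the blob reveals the key, so it can
// be copied to a USB drive or a cloud folder and is still encrypted there.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag after the nonce: one self-describing blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM verifies the authentication tag, so a wrong key or
// a modified byte produces an error rather than a plausible-looking result.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTripViaBackup seals plaintext into dir/record.enc, copies that file
// unchanged into dir/backup (standing in for a USB drive or sync folder), and
// opens the copy. It returns the recovered plaintext and the stored bytes.
func RoundTripViaBackup(key, plaintext []byte, dir string) ([]byte, []byte, error) {
	blob, err := Seal(key, plaintext)
	if err != nil {
		return nil, nil, err
	}
	src := filepath.Join(dir, "record.enc")
	dst := filepath.Join(dir, "backup", "record.enc")
	if err := os.WriteFile(src, blob, 0o600); err != nil {
		return nil, nil, err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return nil, nil, err
	}
	copied, err := os.ReadFile(src) // a plain file copy: no decryption happens here
	if err != nil {
		return nil, nil, err
	}
	if err := os.WriteFile(dst, copied, 0o600); err != nil {
		return nil, nil, err
	}
	stored, err := os.ReadFile(dst)
	if err != nil {
		return nil, nil, err
	}
	recovered, err := Open(key, stored)
	return recovered, stored, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "filecrypt")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	record := []byte("patient: J. Doe, dx: constructed sample record") // constructed sample
	recovered, stored, err := RoundTripViaBackup(key, record, dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("backup copy: %d bytes, plaintext visible in it: %v\n",
		len(stored), bytes.Contains(stored, []byte("Doe")))
	fmt.Printf("recovered with key: %q\n", recovered)
	stored[len(stored)-1] ^= 0x01 // simulate corruption or tampering of the backup
	_, err = Open(key, stored)
	fmt.Printf("opening a tampered copy: %v\n", err)
}
```

Contrast this with full-disk encryption: there the decryption happens transparently every time a program reads the file, so the bytes that reach the backup drive or the sync client are already plaintext. Whoever holds the key in this example is also the only party who can read the backup, which is exactly the "from whom" question the post raises.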

So the message here is that if you are planning to implement encryption, you need to be thinking about what data you need to protect, where you need to protect it, and from whom.  This may not be the best do-it-yourself project, because if you choose incorrectly, the protection you think you have may not be there when you need it.  For more depth on this subject, check out the two articles I linked to on Sophos.

More Information:

  • Sophos – Practical IT: What is encryption and how can I use it to protect my corporate data?
  • Sophos – Public Key Encryption


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
