Published 26/04/2018

Encryption as an IT Security Measure

Most companies not only talk a lot about encryption but also commit a significant amount of resources to it. Encryption is, by default, a justifiable investment and a fantastic tool for privacy, security, and anonymity. I firmly believe that encryption is one of the most reliable tools we have in cybersecurity that works. Because of its effectiveness and efficiency, adversaries avoid attacking encryption directly in most cases. They will most likely attempt to bypass it entirely.

Security training 101 teaches all interested security individuals that adversaries who know what they are doing against their target always attack the "low-hanging fruit". For instance, no knowledgeable adversary ever tries to brute-force a disk encryption password when it would be much easier to install a key-logger on the system first, watch over one's shoulder, or even send a phishing email.

Attackers will always try to bypass encryption. While designing security, always take this into account, since security is a "WEAK LINK PHENOMENON": it is only as strong as the "WEAKEST LINK IN A CHAIN". In most companies, proper encryption has always been their STRONGEST LINK, while human beings have proved to be the WEAKEST LINK.

When dealing with OPSEC, great emphasis should be put on human weaknesses, and the outcome of that operational security discussion should be measures that can be taken to prevent them. We have witnessed a client put much effort into security but miss something as big as not patching employees' browsers and having a deplorable password policy, amongst other points that seemed simple to them but exposed them to the fullest. Based on our observation, they were just as insecure as if they had no security measures in place.

With the "nothing to hide" attitude that many people in their private capacity, and even some companies, have, one should always take into consideration that adversaries always have an advantage. The reason is that adversaries only have to be lucky once, while the targeted have to be lucky every time. Attackers always target the weakest points first. This approach explains why every company and individual who values privacy and security should make sure to mitigate the weakest links first before running around implementing complex security solutions. A security engine needs to be running and well oiled before one attempts to tune it.

At MoSec Solutions, we always emphasize implementing a "RISK-BASED APPROACH" when it comes to security. We have observed cases in which companies spend heavily on implementing complex Multi-Factor Authentication (MFA) for their web presence while doing very little, or nothing, about their weakest spots, such as browser and email-based attacks. These weaknesses are serious ones and would bypass disk encryption any day, any time.
All in all, it's about risk: prioritizing the risks and allocating the resources to mitigate the most significant risks first.

By MoSec Solutions
