Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
CIS Safeguard 3.10 mandates the encryption of sensitive data while it is being transmitted over networks. This includes data shared between internal systems or data exchanged with external parties. The goal is to protect the data from eavesdropping, tampering, and unauthorized access during its journey from one point to another. By encrypting sensitive data in transit, organizations can significantly reduce the risk of data breaches and maintain the trust of their stakeholders.
Real-World Failures of CIS Safeguard 3.10
Failure to encrypt sensitive data in transit can lead to catastrophic consequences. Here are some real-world examples where this safeguard was not followed, resulting in severe data breaches:
- Equifax Data Breach (2017): Equifax, one of the largest credit reporting agencies in the United States, suffered a massive data breach that exposed the personal information of 147 million people. The breach occurred due to a combination of factors, including the failure to encrypt sensitive data in transit. Attackers exploited a vulnerability in Equifax's web application to gain access to unencrypted data, which included Social Security numbers, birth dates, addresses, and more. This breach highlighted the critical importance of encrypting data in transit to prevent unauthorized access.
- Target Data Breach (2013): The infamous Target data breach compromised the payment card information of approximately 40 million customers. The attackers gained access to Target's network through a third-party vendor and intercepted unencrypted payment card data as it was transmitted to the company's servers. This breach underscored the necessity of encrypting sensitive payment information during transmission to thwart cybercriminals.
- Marriott Data Breach (2018): Marriott International disclosed a data breach that affected approximately 500 million guests. The breach involved unauthorized access to the Starwood guest reservation database, and sensitive data such as passport numbers, credit card information, and personal details were compromised. One of the contributing factors to this breach was the lack of encryption for data transmitted between Marriott's systems and external networks. This incident demonstrated the far-reaching impact of failing to encrypt sensitive data in transit.
Implementing CIS Safeguard 3.10
To successfully implement CIS Safeguard 3.10, organizations should adopt the following best practices:
- Use Strong Encryption Protocols: Organizations should utilize strong encryption protocols such as Transport Layer Security (TLS) to encrypt data in transit. TLS provides a secure channel for data transmission over networks, protecting it from interception and tampering. It is essential to configure TLS with up-to-date settings and disable deprecated versions to ensure robust security.
- Implement Secure Communication Channels: Ensure that all communication channels used to transmit sensitive data are secure. This includes establishing Virtual Private Networks (VPNs) for remote access, encrypting email communications using protocols like Secure/Multipurpose Internet Mail Extensions (S/MIME), and using secure file transfer methods such as SFTP (Secure File Transfer Protocol).
- Enforce Encryption for All Data Transfers: Organizations should enforce encryption for all data transfers, both internal and external. This includes encrypting data exchanged between internal systems, as well as data shared with third-party vendors, partners, and clients. Implementing encryption at the application layer using libraries such as OpenSSL can ensure data remains protected throughout its journey.
- Conduct Regular Security Audits: Regular security audits are essential to identify potential vulnerabilities and ensure compliance with CIS Safeguard 3.10. Organizations should conduct audits to verify that encryption protocols are correctly implemented and that sensitive data is adequately protected during transmission. Addressing any identified weaknesses promptly can prevent potential breaches.
- Educate Employees and Stakeholders: Educating employees and stakeholders about the importance of encrypting sensitive data in transit is crucial. Training programs should cover best practices for secure data transmission, the risks associated with unencrypted data, and the organization's encryption policies. Awareness and vigilance among staff can help prevent accidental data leaks and reinforce the importance of adhering to security guidelines.
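The first and fourth practices above (TLS configured with current settings and deprecated versions disabled, and audits that verify it) can be made concrete with a small script. The following is an added example, not code from the original post or from CIS: it builds a client TLS context that matches the safeguard (TLS 1.2 or newer, certificate chain and hostname validated), places the weak "accept anything" configuration beside it, checks either context against that policy, and then audits a handful of constructed connection records for plaintext services and deprecated protocol versions. The log format, hostnames, addresses, and the port-to-service table are assumptions made for the example; only the Python standard library is used.

```python
import re
import ssl

# Transport-encryption policy used by this example (constructed to follow the
# guidance above): TLS 1.2 or newer only, certificate and hostname checks on.
MIN_TLS = ssl.TLSVersion.TLSv1_2
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Well-known ports whose native protocol is plaintext (assumed table); a
# connection to one of these with no TLS layer carries data in the clear.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP", 389: "LDAP"}


def hardened_client_context():
    """Client context that satisfies the policy: TLS 1.2+, chain and hostname verified."""
    ctx = ssl.create_default_context()   # loads system CAs, CERT_REQUIRED by default
    ctx.minimum_version = MIN_TLS        # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context():
    """The 'before' configuration often found in internal tooling: any certificate
    is accepted, so an on-path attacker can terminate the session unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx):
    """Return the policy violations present in an SSLContext (empty list = compliant)."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append("deprecated TLS versions allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


# Assumed record layout for the audit: key=value fields as a proxy or flow
# sensor might emit them; "tls=none" means no TLS layer was observed.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) tls=(?P<tls>\S+)")


def audit_connections(lines):
    """Flag connections carrying data without acceptable transport encryption.

    Returns (src, dst, dport, reason) tuples, one per non-compliant record.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                     # unparseable line: skip, do not guess
        dport = int(m["dport"])
        tls = m["tls"]
        if tls == "none" and dport in PLAINTEXT_PORTS:
            findings.append((m["src"], m["dst"], dport, f"plaintext {PLAINTEXT_PORTS[dport]}"))
        elif tls in DEPRECATED_TLS:
            findings.append((m["src"], m["dst"], dport, f"deprecated protocol {tls}"))
    return findings


# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.1.5 dst=10.0.2.9 dport=443 tls=TLSv1.3 sni=api.internal.example",
    "2024-05-01T10:00:02Z src=10.0.1.5 dst=10.0.2.9 dport=443 tls=TLSv1 sni=legacy.internal.example",
    "2024-05-01T10:00:03Z src=10.0.3.7 dst=203.0.113.10 dport=80 tls=none",
    "2024-05-01T10:00:04Z src=10.0.3.7 dst=10.0.2.20 dport=22 tls=none",
    "2024-05-01T10:00:05Z src=10.0.3.7 dst=10.0.2.21 dport=21 tls=none",
    "2024-05-01T10:00:06Z src=10.0.4.2 dst=10.0.2.30 dport=636 tls=TLSv1.2",
]


if __name__ == "__main__":
    print("hardened context:", context_findings(hardened_client_context()) or "compliant")
    print("weak context:", context_findings(weak_client_context()))
    for src, dst, dport, reason in audit_connections(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

SSH on port 22 is left alone because the protocol encrypts natively; only services whose native form is plaintext, or sessions negotiated with a deprecated TLS version, are reported. In a real audit the record source would be a proxy, load balancer, or flow sensor export, and the port table would be extended to the organization's own services.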
Conclusion
CIS Safeguard 3.10 plays a vital role in protecting sensitive data as it moves across networks. The real-world examples of data breaches at Equifax, Target, and Marriott illustrate the devastating consequences of failing to encrypt data in transit. By implementing strong encryption protocols, establishing secure communication channels, enforcing encryption for all data transfers, conducting regular security audits, and educating employees and stakeholders, organizations can ensure the confidentiality and integrity of their sensitive data. Adhering to CIS Safeguard 3.10 not only minimizes the risk of data breaches but also strengthens the overall security posture of the organization.
Resources
Here’s a link to the Data Management Policy Template for CIS Control 3 provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.