The Secret Handshake ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On June 28, 2023

This blog just leveled up. My good friend and colleague Bryon Singh, Director of Security Operations at RailWorks Corporation, has agreed to collaborate on this blog to bring not only the WHY but also the WHAT & HOW to becoming more secure. Hope you enjoy!

Steve’s Thoughts

When it comes to protecting sensitive data, encryption is the secret handshake of the cybersecurity world. It's like the clandestine cult language that ensures your information remains secure and impervious to prying eyes. For this CIS Safeguard, encryption is the holy grail, the mystical artifact that shields your data from the clutches of cyber villains.

Picture yourself as a member of an ancient encryption cult, surrounded by cryptographers draped in mysterious robes, diligently crafting unbreakable codes. Each line of code is a sacred incantation, carefully constructed to transform your data into an indecipherable puzzle, confounding even the most skilled adversaries. The encryption cult knows that vulnerabilities lurk in the shadows, waiting to exploit any weakness in your security defenses.

Just as cult members remain ever vigilant, so too must you, as a guardian of your organization's cybersecurity. Encryption becomes your talisman, protecting the sanctity of your digital realm. It fortifies your data with unbreakable barriers, ensuring that only those who possess the sacred key can unlock its secrets.

In the world of cybersecurity, encryption is the revered cult leader, guiding organizations towards secure and impenetrable defenses. Embracing CIS Control Version 8: 3.6 means adopting encryption as a fundamental practice within your data management strategy. By doing so, you join the ranks of the cybersecurity faithful, harnessing the power of encryption to protect your organization's most valuable asset: its data. So, let the encryption cult be your guiding light as you navigate the intricate labyrinth of cybersecurity, ensuring your organization remains safe and resilient in the face of ever-evolving threats.

Bryon’s thoughts

This practice not only shields data from unauthorized access, but also safeguards it in case of device loss, theft, or compromise. In light of the growing trend towards remote working and Bring Your Own Device (BYOD) policies, adherence to this safeguard is no longer optional but an imperative. Data encryption transforms readable data into a coded format, only decipherable with the correct encryption key. Without access to this key, the encrypted data remains inaccessible, thereby preserving its security.

First, encrypting data on end-user devices in your company involves a series of strategic steps to ensure that all sensitive data on those devices is effectively encrypted:

  • Define What Constitutes Sensitive Data
  • Identify the End-User Devices Holding Sensitive Data
  • Choose Suitable Encryption Tools
  • Develop an Encryption Policy
  • Train Your Staff
  • Implement the Encryption
  • Monitor and Audit
  • Plan for Key Recovery

Secondly, in today's highly digitized world, securing end-user devices is not just an option, but a necessity. With the help of native encryption tools like BitLocker, FileVault, and dm-crypt, implementing this safeguard becomes a manageable and effective task.

Windows: BitLocker

BitLocker is a full-disk encryption feature that comes standard with Microsoft Windows, designed to protect data by offering encryption for entire volumes. By default, it uses Advanced Encryption Standard (AES) algorithms, with a 128-bit or 256-bit key that ensures strong data protection.

BitLocker can be activated through the 'BitLocker Drive Encryption' panel in the Windows Control Panel. The encryption process is simple and includes additional authentication mechanisms, such as Trusted Platform Module (TPM), PIN, or USB key, to ensure enhanced security.

macOS: FileVault

FileVault is a disk encryption program available in Mac OS X 10.3 and later. It leverages XTS-AES-128 encryption with a 256-bit key to thwart unauthorized access to information on the startup disk.

FileVault is activated through the 'Security & Privacy' tab in the System Preferences panel. After activation, the software encrypts the entire drive. Users must enter their password or recovery key to access their information, making it a reliable security layer.

Linux: dm-crypt

For Linux users, dm-crypt offers a transparent disk encryption subsystem. It is part of the device mapper infrastructure that provides a virtual layer of block devices, leading to powerful and flexible disk encryption options, including whole disk and partition encryption.

Linux Unified Key Setup (LUKS), based on dm-crypt, is a standard disk encryption method in Linux. Cryptsetup, and other similar tools, can be used to manage LUKS encrypted volumes, providing high security and flexibility.

Remember that the objective is to protect sensitive data and reduce the potential damage from lost or stolen devices.
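For the "Monitor and Audit" and "Plan for Key Recovery" steps, the status output of each native tool can be checked automatically. The sketch below is an added example, not part of the original post: it reads the output of `manage-bde -status`, `fdesetup status` and `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports gaps such as a BitLocker volume that is encrypted but has protection switched off. The function names are hypothetical, the sample outputs are constructed, and exempting the boot partitions is an assumption.

```python
import json
import re

ENCRYPTED = {"Fully Encrypted", "Used Space Only Encrypted"}

def audit_bitlocker(text):
    """Findings for one volume from `manage-bde -status` output."""
    f = dict(re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]+(\S.*?)[ \t]*$", text, re.M))
    m = re.search(r"Key Protectors:[ \t]*\n((?:[ \t]+\S.*\n?)+)", text)
    protectors = [p.strip() for p in m.group(1).splitlines()] if m else []
    out = []
    if f.get("Conversion Status") not in ENCRYPTED:
        out.append("volume not encrypted")
    if f.get("Protection Status") != "Protection On":
        out.append("protection off or suspended")
    if "Numerical Password" not in protectors:  # the recovery password
        out.append("no recovery password protector")
    return out

def audit_filevault(text):
    """Findings from `fdesetup status` output."""
    return [] if text.strip().startswith("FileVault is On") else ["FileVault not on"]

def audit_lsblk(js):
    """Mounted filesystems that do not sit on a dm-crypt mapping."""
    out = []
    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        # Assumption: /boot and /boot/efi are allowed to stay unencrypted.
        if mp and not under_crypt and mp not in ("/boot", "/boot/efi"):
            out.append(f"{mp} on {node['name']} is unencrypted")
        for child in node.get("children", []):
            walk(child, under_crypt)
    for dev in json.loads(js)["blockdevices"]:
        walk(dev, False)
    return out

# Constructed sample outputs, not captured from real machines.
BDE = """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        TPM
"""
LSBLK = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": None, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
    {"name": "sda3", "type": "part", "mountpoint": "/home"}]}]})
```

On the sample data, the BitLocker volume is reported twice (protection off, no recovery password) and the Linux host is reported for an unencrypted `/home`, even though its root filesystem is on LUKS.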

Here’s a link to a Data Management Policy Template provided free of charge from the fine folks at Center for Internet Security:

Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Implementation Group 1

CIS Safeguard 3.6 – Encrypt Data on End User Devices

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.