Encryption is a vital tool for protecting personal and sensitive information; however, it is not foolproof. There are times when encrypted data can be compromised. Wait, what? … encrypted data can be hacked?
Encrypted data can be hacked or decrypted with enough time and computing resources, revealing the original content. The most common way hackers hack encrypted data is by stealing encryption keys or intercepting data before encryption or after decryption.
Read on to find out the following:
Can Your Encrypted Data Be Hacked?
Yes, an encrypted file can be hacked. Hacking an encrypted file means being able to read its contents without having the encryption key. The encryption key is often a password that is used to decrypt the file.
Encrypting your data doesn’t mean you are making it unhackable; what it means is that you are making it so hard to hack that it is practically impossible.
For example, a file that is encrypted with a good encryption algorithm and a strong password can take thousands of years to hack and decrypt.
Let’s crack some numbers, 6.4 quadrillion years is the estimated time to decrypt a well-encrypted data using current classical computers.
So, the next time someone asks you if a well-encrypted file can be hacked, the answer is yes, if you are willing to work for a couple of thousand years to do it.
On the other hand, if you are using a weak password, then your encrypted file can be hacked very quickly. For example, the encryption algorithm used to encrypt zip files is very strong; however, if the user uses a weak password, then the zip file can be hacked in a matter of hours.
How Can Encrypted Data Be Hacked?
The most common way hackers hack encrypted files is by stealing the encryption key or intercepting the data before it is encrypted or after it is decrypted.
For example, if your encryption key is stored on an unsecured server, it can be stolen.
Similarly, if your encrypted data is sent over an insecure network or stored on an unsecured server, then hackers can intercept the data before it is encrypted or after it is decrypted and gain access to the original content.
So overall hackers target your encryption key or password. How strong is it to guess? Is stored in a secure place?
They also target the medium through which your data is being sent or where it is being stored. This is why it is not a good idea to visit HTTP websites or unsecured networks to transfer encrypted data.
Tips To Make Encrypted Files Less Hackable
Here are some guidelines for individuals.
1. Only Use Your Own Devices
If you’re handling sensitive data, it needs to be on your personal computer or smartphone. Using someone else’s device, or worse, a public computer, jeopardizes your data, whether encrypted or not.
2. Keep Your System and Software Updated
It’s age-old advice, but it holds especially true when handling data encryption.
Most software requires frequent fixes for bugs or errors in the code. Keeping your software and operating system updated ensures you receive patches for any bugs that might reveal decrypted data.
Operating systems and many installed software packages regularly check themselves for updates. But don’t rely on this 100% of the time. Schedule a day once a month to double-check your system is up to date.
3. Check You’re HTTPS-Connected
Most people accessing a website expect data exchanged between the user’s browser and the server to be encrypted. Unfortunately, between 4 and 24% of sites serve web content insecurely, according to Google’s Transparency Report.
Google Chrome and other browser makers include a warning in the address bar when all or part of your communication is not encrypted. At a minimum, form the habit of looking for a lock icon and https
at the beginning of the address.
Bad
Good
Alternatively, you can use the Electronic Frontier Foundation plug-in HTTPS Everywhere, which will attempt to change insecure connections to the encrypted HTTPS protocol.
4. Know The Programs You’re Using For Encryption
We already discussed that browsers include code that encrypts your data before being sent to the internet.
But there are times to add another layer of encryption to your internet connection by using a virtual private network (VPN). This additional piece of software installed on your device forces all communication to the internet to be encrypted.
Remember, your VPN does not encrypt regular text messages.
Your password manager is also encryption software. You entrust all your passwords to one app, so carefully select one that fits your privacy requirements.
For those who want a company with customer support, check out our Recommended Tech page for the password managers we like.
Finally, you may want to encrypt specific files or folders of data. Software like Cryptomater or Veracrypt provides an additional layer of encryption for files synchronized to online storage or saved to your local device.
5. Trust Yourself, Not The Cloud
If you store data online, don’t depend on your cloud storage provider to secure your data. Encrypt your files before uploading them to the internet using one of the previous sections’ file encryption apps.
For example, your secure and private notes app should be end-to-end encrypted, so only your devices can access your notebook’s decrypted contents.
The same goes for securing email. While you can use encrypted email providers like Protonmail, email apps like PGP email automatically encrypt all emails before leaving your computer or mobile device.
6. Handle Your Encryption Keys Properly
Hackers know that breaking modern encryption is mostly impossible. It’s more effective to capture encryption passwords or key files.
Securely store your decryption keys in a password manager, segregated offline storage, or even in an analog format like paper.
Never share your keys or transmit them online.
7. Remember What You’re Protecting
Ransomware is software that over-locks your encrypted files instead of trying to decrypt them. Hackers may not want access to your data. They want to control it. By encrypting your already encrypted files with their keys, they’re preventing you from accessing them. Overlocking is similar to a self-storage company placing an additional lock on the storage units of non-payers.
8. Use Full Drive Encryption On Your Device
Most computers and mobile phones have full disk encryption, which protects the device’s storage when it’s off.
While smartphones have this option enabled by default nowadays, you’ll need to enable this on desktop operating systems.
9. Your Advanced Options
Serious users and use cases call for advanced security operations and additional equipment.
Air-gapped computers that are not connected nor have the hardware to connect to the internet protect encrypted data by thwarting online attacks. They also enforce compartmentalization by separating specific tasks on separate equipment.
A hardware security module (HSM) is another way to protect encryption keys by isolating key generation, management, and deletion from encryption processing.
Image of a Yubico YubiHSM.
For businesses, do all of the items for individuals plus…
10. Run Penetration Testing Regularly
Contacting a security company to regularly perform penetration testing helps ensure your business procedures and data handling practices align with industry standards.
11. Avoid Offering Intranet Wi-Fi
It’s easier to control virtual property like encrypted data when you control physical access. Avoiding wireless access to your internal network or intranet increases the difficulty of data breaches by requiring an attacker to be located within your office or physical space.
Establish a second, heavily-firewalled, or separate network to offer Wi-Fi internet access to employees and visitors.
12. Physically Segment Networks
Physically separate your internal local area networks (LAN). Dedicate one for handling sensitive data (red net) and another LAN for day-to-day data processing (blue net).
Yes, this means having two sets of wires, routing equipment, and maintenance. Your red net is for collaborating over encrypted data should be much smaller and limited to a small number of employees. Additionally, there should be no internet subscription for the red net with external data transfer occurring across securely-handled USB drives between designated computers.
13. Limit Encrypted Data to Select Equipment
A limited-access red net and connected red computers dedicated to handling sensitive encrypted data should be available to select staff.
Restrict login and physical access to the machines and wiring. Dedicating specific rooms and shielded ethernet wiring goes a long way to protecting confidential information.
14. Limit Physical Access to Secure Network
Physically limiting employee access to a physically separate network of computers raises additional hurdles to attack. Add door entry tracking and two-factor, secured logins to a need-to-know staff that completed security training.
15. Require Security and Policy Training
Mandating all employees to take general cyber- and physical security training shortly after hiring establishes a baseline knowledge around secure data handling. Providing annual updates or expanded education to employees hardens the weakest link in cybersecurity: humans.
Staff regularly contacting sensitive and encrypted data require elevated training around security operations (SecOps). Upgraded access to your red net must hinge on these additional courses on an ongoing basis.
The data security company, Crypteron, published an in-depth post detailing enterprise-level encryption mistakes. It’s a good read.
These guidelines are not an exhaustive list, but implementing at least some of the above guidelines will keep your encrypted data safer.
FAQs
1. Why Data Is Encrypted?
Data is encrypted to protect the information from unauthorized access. Encrypting data in static storage and during transmission protects privacy, ensures integrity, and validates the trustworthiness of the encoded material. Any content may be encrypted, making it incomprehensible.
It’s no secret (joke intended) that everyone has private information. Some of your data is less sensitive. But conversely, other information like financial records and personally identifiable information (PII) lead to real-world harm if revealed to the public.
You can have data without information, but you cannot have information without data.
Daniel Keys Moran, computer programmer & science fiction author
Keeping all of your information encrypted when at rest and stored on digital drives protects it if your device or digital media is lost or stolen. It’s even more important to encrypt data sent across the public internet while in transit. Data in motion should have 2-3 layers of encryption to protect it.
Assuming we’ve sold you that you should encrypt your data, which types of data should be encrypted, and when is it okay to skip the additional step?
2. Is encryption safe?
Generally, encryption is safe. Data transmitted and stored with encryption is safer than when left unencrypted. The average user uses encryption automatically many times daily when using a web browser or mobile app. Manual file encryption is safe with responsible handling of the decryption keys.
Employing encryption manually does take a bit of knowledge, but with well-designed tools, the complexities are often automatically handled. In fact, users should consider using encryption on more than what they may realize.
3. What Data Should Be Encrypted?
All data should be encrypted. Even unimportant information can, in aggregate, unintentionally establish accurate facts. Provide special attention to encrypting personally identifiable information (PII) or any data that will harm people or businesses if revealed.
- All your internet traffic, especially within browsers, should be encrypted. Only uses sites that have a lock icon and have the “s” in the beginning part of the address
https://
(protocol). - All your text messages should be encrypted. Remember that regular SMS and MMS messages are not encrypted and worse. Refer to our article on secure text messaging.
- All your emails containing sensitive information, especially sent between email providers, should be encrypted.
From | To | Importance |
---|---|---|
@smallbusiness.biz | @anothercorp.net | Really Important |
@gmail.com | @icloud.com | Important |
@yourcompany.com | @yourcompany.com | Still Consider |
- All your files should be encrypted:
- when stored on your computer or online/cloud storage,
- when stored on your smartphone,
- when stored on backup drives.
- All your devices should have full hard drive or storage memory encryption turned on to protect the data when the device is powered off.
- All your company data should be encrypted, including but not limited to:
- customer data, especially personally identifiable information (PII),
- database columns/values, especially PII or financial records,
- connection information and configurations,
- files on network shares,
- backups for disaster recovery,
- server-to-server communication even within a company network,
- intellectual property, including R&D projects,
- financial and legal files,
- scans to PDF or image files,
- storage on and communications with IoT/smart devices
Final Thoughts
All encrypted data can be hacked. As we develop more powerful computers and higher-order mathematics, the spotlight gets more intense on the weakest link, the humans using encryption. It is essential to understand, develop, and use good information security practices in addition to worrying if encrypted data can be hacked.
Sadly, governments worldwide are attempting to ban and break encryption through state-sanctioned hacking or legislation like the United States’ EARN IT Bill.