In 2018 the average cost of a data breach to a US company was $7.91 million, and on average took 196 days to identify.
-Ponemon Institute’s "2018 Cost of a Data Breach Study" for IBM
What exactly is AES 256-bit encryption?
AES (Advanced Encryption Standard) is a symmetric block cipher adopted by the U.S. government to protect classified information; it is implemented in software and hardware throughout the world to encrypt sensitive data.
Mathematically, "256-bit" refers to the key length of the symmetric cipher. The key is made of 256 binary digits (zeroes and ones), so there are 2^256 possible keys. That comes out to 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (78 digits) possible combinations. Trying them all by brute force would take current supercomputers hundreds of thousands of years.
The growing complexity of cyber security is becoming a threat to technology industries around the globe. Nelson Technology implements advanced security measures to protect our customers' sensitive data, such as two-factor authentication, stringent password requirements, and daily local archives that use AES 256-bit encryption and are stored in a fireproof vault. Although these measures seem comprehensive, they are often unnecessary if attention is given to the basic foundation of strong security: a good password. According to the 2018 Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. The report finds a staggering "81% of hacking-related breaches leveraged either stolen and/or weak passwords." The takeaway for technology companies is that employee education on strong password practices is a requirement for protecting customer data. Consider the following scenario:
The average modern computer has an 8-core, 2.8 GHz processor. Using a standard SHA-512 hashing algorithm, and conservatively assuming the average password will be cracked once half of the possible combinations have been checked, this readily available computing power can brute-force weak passwords in seconds. The most sophisticated attacks are run on supercomputers, which speed up the attack by a factor of 100,000. Consider the following examples of password selection and the corresponding time studies using this brute-force cracking method:
Brute Force Password Crack Time Study
-A numerical-only password is generated from a 10-character set (0 through 9).
-The password "123456789" is a 9-digit password from a 10-character set. Using the per-guess constant of 1.7x10^-6 seconds, and the aforementioned assumption that the password will be cracked once half the possible combinations have been checked, the time it takes to crack this password is (1.7x10^-6 x 10^9) seconds / 2 = about 14 minutes. With a supercomputer's power factor of 100,000, this is about 0.0001 seconds.
-A lowercase alpha-only password is generated from a 26-character set (a through z).
-The password "junkyard" is an 8-character password from a 26-character set. It will take the average computer (1.7x10^-6 x 26^8) seconds / 2 = 2 days, or 1.8 seconds on a supercomputer.
-A mix of uppercase and lowercase alpha generates a password from a 52-character set (26 upper, 26 lower).
-The password "cHiPmUnK" is an 8-character password from a 52-character set. It will take the average computer (1.7x10^-6 x 52^8) seconds / 2 = 1.43 years, or 7.6 minutes on a supercomputer.
-A mix of uppercase alpha, lowercase alpha, and numbers generates a password from a 62-character set.
-The password "t2Rbe9W6" is an 8-character password from a 62-character set. It will take the average computer (1.7x10^-6 x 62^8) seconds / 2 = 5.88 years, or 31 minutes on a supercomputer.
-A mix of uppercase alpha, lowercase alpha, numbers, and symbols generates a password from an 80-character set.
-The password "%RBQu8)5" is an 8-character password from an 80-character set. It will take the average computer (1.7x10^-6 x 80^8) seconds / 2 = 45.2 years, or 4 hours on a supercomputer.
Considering this information, Nelson Technology requires all passwords to be at least 10 characters long and to mix uppercase alpha, lowercase alpha, numbers, and symbols. A password that meets these minimum requirements would take the average computer (1.7x10^-6 x 80^10) seconds / 2 = 289,409 years, or about 2.9 years on a supercomputer. This rigorous password requirement, coupled with our other security requirements, is what resists brute-force attacks, malware, ransomware, and other types of data breaches. These internal measures help lay a foundation of trust and security with our customers.
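To make the arithmetic behind the time study reproducible, the following Python script (an added example, not Nelson Technology's code) computes the expected crack time for any character-set size and password length from the page's own constants (1.7x10^-6 seconds per SHA-512 guess, a 100,000x supercomputer factor, half the keyspace searched, a 365-day year), tabulates the page's six cases, and times raw SHA-512 on the local machine so the per-guess constant can be checked. The function names and the hashlib timing loop are assumptions of this example.

```python
import hashlib
import os
import time

SECONDS_PER_GUESS = 1.7e-6       # the page's per-guess cost for SHA-512 on an 8-core 2.8 GHz machine
SUPERCOMPUTER_SPEEDUP = 100_000  # the page's supercomputer power factor
SECONDS_PER_YEAR = 365 * 24 * 3600  # the page's figures use a 365-day year

# Character-set sizes exactly as the page defines them
CHARSETS = {"digits": 10, "lower": 26, "mixed_alpha": 52, "alnum": 62, "alnum_symbols": 80}


def crack_time_seconds(charset_size, length, seconds_per_guess=SECONDS_PER_GUESS, speedup=1):
    """Expected brute-force time: half the keyspace at the given per-guess cost, divided by hardware speedup."""
    return seconds_per_guess * (charset_size ** length) / 2 / speedup


def humanize(seconds):
    """Render seconds in the largest natural unit, as the page's table does."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.4f} seconds"


def measure_seconds_per_guess(guesses=100_000):
    """Time raw SHA-512 on this machine so the page's 1.7e-6 constant can be compared locally (assumed method)."""
    salt = os.urandom(8)
    start = time.perf_counter()
    for i in range(guesses):
        hashlib.sha512(salt + i.to_bytes(8, "big")).digest()
    return (time.perf_counter() - start) / guesses


def time_study(seconds_per_guess=SECONDS_PER_GUESS):
    """The page's five example passwords plus the 10-character policy minimum; returns table rows."""
    cases = [("123456789", 10), ("junkyard", 26), ("cHiPmUnK", 52),
             ("t2Rbe9W6", 62), ("%RBQu8)5", 80), ("10-char policy", 80)]
    rows = []
    for label, charset_size in cases:
        length = 10 if label.startswith("10-char") else len(label)
        pc_seconds = crack_time_seconds(charset_size, length, seconds_per_guess)
        rows.append((label, charset_size, length, humanize(pc_seconds),
                     humanize(pc_seconds / SUPERCOMPUTER_SPEEDUP)))
    return rows


if __name__ == "__main__":
    for row in time_study():
        print("{:<16} set={:<3} len={:<3} pc={:<16} super={}".format(*row))
    print("measured SHA-512 cost on this machine: {:.2e} s/guess".format(measure_seconds_per_guess()))
```

The per-guess cost is the one parameter the defender controls: passing a larger value (the cost of a deliberately slow password hash instead of raw SHA-512) to time_study shows how much every row of the table stretches.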
10 Facts About Cyber Security
-95% of breached records came from only 3 industries: government, retail, and technology
-There is a hacker attack every 39 seconds
-65% of companies have over 500 users who are never prompted to change their passwords
-45% of cyber attacks target small businesses
-The average cost of a data breach in 2020 will exceed $150 million
-Over 75% of the health care industry has been infected with malware over the last year
-By the year 2020, there will be roughly 200 billion connected devices
-95% of cybersecurity breaches are due to human error
-31% of organizations have experienced cyber attacks on operational technology infrastructure
-54% of companies say they have experienced one or more attacks in the last 12 months