by wglb
3183 days ago
Encryption is not a panacea. If the vulnerability got to admin level, then since the database can read everything, all is lost. Encryption at rest essentially protects the disks from being compromised if they are physically stolen, or if the attacker manages root on the system and reads at the sector level. But even then, if you are root, you can find the key, and you are in anyway.

Sure. But it is a good first step, a must really when dealing with sensitive data. Proper encryption at rest, like, let's say, 256-bit AES encryption with a symmetric key that is itself encrypted with a PKI key pair whose private key is physically stored on a separate machine, with frequent key rotation procedures in place, would go a long way towards protecting the data.
It's not 100% clear exactly what happened at Equifax, so it's hard to tell if at-rest encryption would have helped. From what I understand, the working theory is that Apache Struts CVE-2017-5638 was exploited, but it's not 100% clear exactly what went on, so yes, encryption might not have helped in this particular case.
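The scheme the reply sketches, a random 256-bit AES key per record that is itself encrypted under an asymmetric key whose private half never sits on the database host, plus rotation of that outer key, is what is usually called envelope encryption. The Go program below is an added example written for this page, not code from either commenter, and uses only the standard library. To stay runnable it generates the KEK pair in-process, which stands in for the separate machine or HSM the reply describes; the `KEKID` label, the `"dek-wrap"` OAEP label and the sample record are constructed for the example. It also makes the first comment's caveat concrete: `Open` is the only function that needs the KEK private key, so the design protects the stored data exactly as far as that step really runs somewhere the attacker has not compromised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the database stores per record: AES-GCM ciphertext plus the data key that protects it, wrapped under the KEK.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with RSA-OAEP; useless without the KEK private key
	Nonce      []byte // AES-GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	KEKID      string // hypothetical label recording which KEK wrapped the DEK
}

const dekSize = 32 // 256-bit AES data encryption key

// GenerateKEK stands in for the key pair whose private half lives on a separate machine or HSM; only the public key reaches the DB tier.
func GenerateKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext under a fresh random DEK, then wraps the DEK with the
// KEK public key. The database tier can do this without the KEK private key.
func Seal(kekPub *rsa.PublicKey, kekID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, dekSize)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(kekPub, dek)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct, KEKID: kekID}, nil
}

// Open must run where the KEK private key lives: unwrap the DEK, then decrypt. A wrong KEK or a tampered ciphertext fails closed.
func Open(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := unwrapDEK(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RewrapDEK rotates the KEK: unwrap with the old private key, re-wrap under the new public key. The record ciphertext is untouched.
func RewrapDEK(oldKEK *rsa.PrivateKey, newKEKPub *rsa.PublicKey, newKEKID string, env *Envelope) (*Envelope, error) {
	dek, err := unwrapDEK(oldKEK, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(newKEKPub, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: env.Nonce, Ciphertext: env.Ciphertext, KEKID: newKEKID}, nil
}

// The OAEP label ("dek-wrap", chosen for this example) ties the wrapped blob to its purpose; it is not a secret.
func wrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte("dek-wrap"))
}

func unwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("dek-wrap"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	kek, _ := GenerateKEK()
	env, _ := Seal(&kek.PublicKey, "kek-1", []byte("ssn=000-00-0000")) // constructed sample record
	pt, err := Open(kek, env)
	fmt.Printf("%d ciphertext bytes; decrypted %q; err=%v\n", len(env.Ciphertext), pt, err)
}
```

Two properties worth noticing when reading this against the thread: `RewrapDEK` rotates the outer key without touching a single ciphertext byte, which is what makes the "frequent key rotation" in the reply affordable for a large table (rotating the inner DEK, by contrast, means `Open` followed by `Seal`); and nothing in `Envelope` helps an attacker who already controls the process that calls `Open`, which is the first commenter's point.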