
SANS ISC InfoSec Forums: data communication through winzip files

data communication through winzip files
Can data communication through WinZip files be considered sufficient encryption in the banking sector?

4 Posts

WinZip proposes two kinds of encryption: strong AES encryption and the legacy Zip 2.0 encryption. Please be sure to use AES only (128-bit and 256-bit AES are supported).
There is also a WinZip Enterprise version which is FIPS 140-2 compliant.

The key question is: which kind of data will you exchange via zip files? My advice is to discuss this topic with your internal auditor / CISO.
Also keep in mind that the password used to encrypt the zip files must be strong enough.

369 Posts
ISC Handler
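An added example (not code from the thread or from WinZip) of the check behind the first point above: reading the central directory of an archive to tell WinZip AES entries (compression method 99 plus the 0x9901 extra field, per the WinZip AE-x format) from legacy Zip 2.0 entries (encryption flag set, any other method). The three archives are constructed inline with a minimal header builder so the check runs offline.

```python
import io
import struct
import zipfile
from zlib import crc32

AES_EXTRA_ID = 0x9901                     # WinZip AE-x extra field header ID
AES_METHOD = 99                           # compression method 99 = WinZip AES
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def entry_encryption(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto' or 'AES-nnn' for one central-directory entry."""
    if not info.flag_bits & 0x0001:       # general-purpose bit 0: entry is encrypted
        return "none"
    if info.compress_type != AES_METHOD:
        return "zipcrypto"                # legacy Zip 2.0 stream cipher
    extra = info.extra
    while len(extra) >= 4:                # walk the extra-field list looking for 0x9901
        field_id, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 7:
            # body: vendor version (2), vendor ID b"AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(body[4], "AES-unknown-strength")
        extra = extra[4 + size:]
    return "AES-malformed"                # method 99 but no usable 0x9901 field

def audit_zip(data: bytes) -> dict:
    """Map every entry name in the archive bytes to its encryption class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: entry_encryption(i) for i in zf.infolist()}

def build_zip(name: bytes, payload: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Constructed one-entry archive (headers only, payload stored as-is) to exercise the check."""
    crc, n = crc32(payload), len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, n, n, len(name), len(extra)) + name + extra
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          crc, n, n, len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + n, 0)
    return local + payload + central + eocd

def demo() -> dict:
    """Three constructed archives: AES-256, legacy Zip 2.0, and unencrypted."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, AES-256
    return {
        "aes": audit_zip(build_zip(b"report.txt", b"x" * 40, 0x0001, AES_METHOD, aes_extra)),
        "legacy": audit_zip(build_zip(b"report.txt", b"x" * 40, 0x0001, 0)),
        "plain": audit_zip(build_zip(b"report.txt", b"x" * 40, 0, 0)),
    }
```

Run `audit_zip` over a real archive's bytes; any entry reported as `zipcrypto` was produced with the legacy Zip 2.0 option rather than AES.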
A "strong enough" password means the time to brute force the password must exceed the lifetime of the data. If your data has a usable life of two weeks, like a forthcoming earnings release that will soon go public, you're probably OK. If it's payment card data and the latest card expires four years from now, your password needs to outlast all current and upcoming methods of brute-forcing including GPUs and cloud resources.

Anonymous

Since you're asking in the Auditing forum, I'll assume that you're an auditor. There are various aspects to consider. You would first have to determine whether a current, approved Information Security policy exists and satisfies all applicable regulatory requirements. If so, does the policy specifically allow or prohibit its use? If it does not specifically address it, your evaluation should include:

o Where does the communicated data fall in the organization's data classification hierarchy?
o Does WinZip meet applicable encryption requirements?
o Do the passwords used satisfy the organization's InfoSec policy?
o How is the password communicated?
o Are there effective controls over who will receive the data/password?
o Are there reasonable, available alternatives that are more secure?

If the version of WinZip provides sufficient encryption strength for the data, the passwords are sufficiently complex, the passwords are communicated out-of-band, and there are effective controls around who receives the data and password, WinZip could be considered acceptable.

2 Posts
Thank you for the answer, baltlokis.

1 Posts