fbpx
0

10 Ways to Compromise your Sensitive Data

10 Ways to Compromise your Sensitive Data

In this blog post by Professor John Walker, we will consider the areas surrounding data security and look at the multiples of ways in which it may be breached, altered or compromised. Some may be obvious, others not so. We will explore this topic based on the security four table legs of CIA+A:

Confidentiality, Integrity, Availability and Accountability.

1.

Fake Secure Drives

I have encountered several, ‘secure, encrypted drives’ for sale which are nothing more than a drive sealed within a pin-protected casing. Thus, any security minded users who purchase such a device will be storing their sensitive data assets with the impression they are protected and secured by encryption – when in fact they are open to anyone who may remove the drive from its casing to view the insecure content.

Mitigation: If you care about robust security of your files, only user Certified,
trusted, encrypted drives which are built to the FIPS-140/2 Standard.

2.

Change of Domain Policy

A Nottingham based Financial Services business were unfortunate enough to be hit with a zero-day computer virus, which spread with some speed within their operational environment. A Major Incident Board was convened, and a team was brought together including senior members of the IT security team, and directors from the companies Technical Services Board. They concluded that to deploy the style of patch required in the most expedient way would be achieved by changing the domain policy to open up access to each of the client systems (desktops/laptops), which would be followed up by a quick push of the updated .DAT signatures, quickly followed by a reapplication of the required domain policy to bring all systems back to their original security posture. Once this was completed, the team stood down; however, it was soon apparent that something had gone wrong when members of the IT Security Team were receiving calls from ordinary users reporting that, in one case they could see all files located on the Human Resources Director’s local drive, and the calls continued. The issue was, what had not been appreciated by the technical Services Board Director, and the associated Information Security Team was, whilst you may remove the permissions across the domain with the click of a box, to reapply them requires end-system action of a reboot to reinstate the required level of security posture – thus all systems and stored were exposed cross-domain!

Mitigation:

  1. Ensure that those in key positions are fully trained and above all competent.
  2. Where there is need to take additional steps to secure data (e.g., the HR  Director) encrypt the locally stored files.
  3. Consider utilising off system, secure, encrypted removable drives to secure sensitive data.

3.

Trust your Staff

I recall when working for a Local Authority in the East Midlands with an IT Director who could never surprise his staff. He commented to me, ‘no matter what I tell the team at our town hall meetings, they always seem to know before I pass on the information’. That was because they did, as due to poor security and open folders, some members of the IT Team had full access to the stored data and communications of said IT Director – so yes, they were always aware what was going on!

Mitigation:

  1. Ensure that folders and storage areas are appropriately protected, and not visible to any members of the IT Team (or any other unauthorised user or that matter).
  2. With any sensitive data it is always best practice to store such sensitive data-objects offline, on removable, encrypted storage devices.

4.

MFD – The forgotten Technology

I have previously worked as a Consultant for a London based UK Government Agency who worked on sensitive data of the highest classifications. Given their concern over data security, they ran a project to virtualise all desktops/laptops, which were limited to only storing data on servers located within the secured computer room. However, they overlooked the fact that on every floor in the building stood an MFD (Multi Functional Device) AKA, a computer, IP addressable, with on-board Print Server, Spooler, Web Server, Hard Drive(s) Storage, that just happens to offer printing facilities, on which the drives were accessible, and of course on this occasion not encrypted, leaving the sensitive data open to both physical and logical abuse!

 

Mitigation:

  1. Always run a risk assessment of data flows and storage when engaging such a project.
  2. Ensure that where there are configuration options (and there were) apply a level of encryption to the dives to secure any stored data objects.
  3. Where physical access may be achieved to the on-board drives, always ensure they are physically secure by lock-and-key.
  4. When these devices reach end-of-operational life, at the very least ensure the disks are securely overwritten/purged – at best, physically destroyed.

5.

Trust in Logon Security

Whilst there may be a great faith in the local security associated with say, Windows, or other such operating systems, this can be a false sense of security when we consider the security of the data objects stored thereon. Take the average Windows desktop or laptop – our user has the full confidence that only they can get to the on-board data objects as they are using a very strong password, along with the associated logon credentials – so all is secure and tucked away from the illicit view of others. However, what our user needs to realise is that, notwithstanding their security credentials, to gain access to the stored data, it is a simple case of physically removing the drive, and then mounting it on to an awaiting laptop via an interface, such as the USB3.0 TO ODE/SATA device – from there on, full access to said content may be enjoyed.

 

Mitigation:

  1. Encrypt Local Drives with Bitlocker etc (Keep Keys on USB, or ensure the machine is accommodated with a TPM Chip (Trusted Platform Module).
  2. Better still, use a removable, FIPS-140/2 encrypted drive accommodated with some form of additional security mechanisms – say Pin Protected.

6.

Cloud

If you are using Cloud, and most are in some form or another – ensure that you have completed a full Due Diligence of the Third-Party Supplier, remembering that Cloud, and Third-Party Supply Chains are a known known potential area to introduce insecurity. Consider technologies such as AWS S3 Buckets, and ensure they are secured. Cloud environments are one of those areas which can reveal a lot to an OSINT (Open-Source Intelligence) mission which can lead to the acquisition of valuable information. To mitigate any potential exposure when using a Third Party (TP) Services, or Cloud, some may consider encrypting the sensitive objects within the TP environment, or on the Cloud to secure them from prying eyes, should the external service fall victim to a hack or compromise – an excellent security consideration. However, the user organisation must keep in mind that, dependent on how the actual encryption keys are stored (protected) within the TP, or on the Cloud, it may still be the case that if the TP/Cloud is subject to a hack/compromise, it should be anticipated that the attackers will go looking for the encryption keys or Digital Certificates which have been employed to actually secure the, supposed, secured assets! In my experience, this is not a matter of theoretical consideration, but a circumstance which I, and many others have observed in real-world attacks, in which the actual security credentials to the golden nuggets of data have also been stored in an exposed, inappropriate, insecure way, and thus also fallen to compromise.

Mitigation:

  1. Consider running your own RED-TEAM activity against any procured, or to be procured service to gain an insight into the overall footprint.
  2. Conduct an in-depth review of the service provider at all levels.
  3. Once procured and operational, ensure regular service update meetings are held – say every three months.
  4. Where valuable logical assets are implicated, consider utilising an Escrow agreement to accommodate security over such assets lodged with the Third Party (Just in case). Where there is an objective to achieve a secure, robust security schema to leverage encryption within a TP, or on the Cloud, one complimentary methodology is to store Digital Certificates, and Encryption Keys external to the TP/Cloud environment, under the sole custodianship of the user, or user organisation. This approach offers the most pragmatic, and secure methodology to maximise the security footprint of the deployment. Thus, never exposing the security credentials to any potential of a sniffing attack, and always ensuring that such security credentials are held under the safe, and sole custodianship of the owner of the sensitive data -objects.

Explore our unique encrypted cloud solution

cloudAshur eliminates all the security vulnerabilities that exist with cloud platforms, such as lack of control, unauthorised access and human error.

7.

Equipment Disposal

Frequently I have witnessed the disposal of devices such as MFD’s, mobile phones, IoT devices, printers, computers, and servers. On each of these occasions, these data-holding systems have been disposed of, containing corporate and sensitive data. From mobile phones which have been allowed to connect to corporate systems, to hard drives populated with Local Authority data relating to case files of vulnerable children.

Mitigation:

  1. Create and promulgate a Policy/Process to drive the way end-of-life equipment is processed out from the business.
  2. Create a register to document the end-of-life journey that all devices take.
  3. Hold all such devices in physically secure location until such time they are correctly processed in accord with the mandated policy/process.

8.

Paper

Don’t suffer from tunnel vision when securing you data assets – remember, it not just about the digital aspects, but also needs to encompass the other potential carriers of insecurity – e.g., paper. I recall my very first contract on the South Coast. The Project Manager said to me on my very first day, ‘you need to make a difference and quick to convince the executive we need to look at the company’s overall security posture’. 4 hours later I presented him with a sack, full of paper holding client personal details, credit card information, and client bank account details, all of which had been cast out into the general waste bins.

Mitigations:

  1. Accommodate the facilities with secure, locked, clearly marked classified waste bins.
  2. Produce and promulgate a policy to dive the mandated requirements.
  3. Consider using on on-site Secure Paper Shredding/Disposal Service.
  4. Educate end users.

9.

MetaData

MetaData is data about data, and can provide much, unintentional information which can range from user profiling, departmental data, telephone extensions, right down to IP Addresses and software versions.  Consider the fact that such unintended information can be leveraged to adverse interest to footprint and target an organization, or individual, and can provide a very good launch-point for a social engineering attack.

Mitigation:

  1. Employ some form of methodology to remove any unwanted MetaData from documents prior to release.
  2. It may be obvious but ensure that documents are not released with the underlying Track Changes embedded.
  3. Consider using secured PDF formats (locked down, encrypted with password or certificate).

10.

DNS

The area of Domain Name System is so often overlooked, and yet is as important to any penetration test focused on aspects of IP Addressing. As with some of the aforementioned areas, when inspected under the gaze of an OSINT Methodology, DNS can also produce much intelligence which may be leveraged to attack the organisation. From Zone Transfer, which in one case led to identifying servers with Hard Coded Users ID and password within scripts, through to the discovery of poor security DNS postures, and other such associated aspects, such as lack of SPF (Sender Policy Framework). DNS Security is a very big area, and one I would encourage you to peruse in the interest of a robust security posture – if that is, you have not already done so.

See RFC 4033 URL for more information:
https://datatracker.ietf.org/doc/html/rfc4033

Mitigation:

  1. Review your organisations DNS environments – include DNS in your penetration testing programmes.
  2. Conduct regular security inspections to ensure your DNS environments are secure and serving the required security posture.
  3. If not familiar, read RFC 4033.

Understanding and Surviving Ransomware

Understanding & Surviving Ransomware

By Professor John Walker

Professor John Walker PGCert FRSA CFIP
Expert Witness, Digital Forensics & Training

What is ransomware?

Ransomware may be defined as:

‘An adverse logical condition with the inbuilt technological objective of compromising a targeted asset(s) to deny the legitimate user(s)/owner(s) access to the contents stored thereon’

There are basically two types of Ransomware Agents, and these are:

  • File Ransomware: This type of agent will encrypt the files but leave access to the host computer.
  • System Level Ransomware: System Level Ransomware will lock the entire system and deny the authorised user access to the host.

How is ransomware delivered?

Email: The most effective method which may be applied is of course delivery of the malicious object via email, presenting a high potential of target hit rate – all it takes now is to encourage the recipient user to be engineered into delivering the last element of the Attack Chain ‘Click’.

USB Based Delivery: Where the organisation allows the introduction of USB Keys to an endpoint asset, there will always be the potential for the introduction of a malicious component, which in this case is of course focusing on Ransomware. As an example of the dangers posed to the integrity of Digital Assets, consider the following real-life event which impacted the entire operations of an Outer-London based SME.

The Event: As users arrived at their place of work early one morning, some individuals noticed a USB key was laying in the car park. However, unbeknown to the multiples of individuals, they are not the only one to make such a discovery. Each USB key had various labels on the outside of the key to act as a Social Engineering Component, marked as, but not limited to:

  • Pay Grades
  • Julie – Pictures from Holiday
  • Executive Salary Increases
  • Sensitive Business Files
  • New Year Promotions

 

Spam: There are occasions when it is necessary to look back, to understand where we have arrived at. For many years Spam (Unsolicited email) was tolerated as a nuisance – in fact just over ten years ago I presented a paper to the House of Lords Technology Committee on the potentials threats such communications carried. However, at that time, one senior member of the committee stressed with force, that Spam carried no threats, and could be ignored as presenting zero dangers. Again, my counter argument was it was a dangerous conduit into the enterprise. Here we are in 2021 now realizing that the toleration was a mistake, and Spam was more dangerous than was thought!

Network: At the Network level we are faced with many challenges when we focus on Ransomware such as the existent dangers of the mix of PowerShell and Windows Domain Controllers.

Proactive Defense:

The best-practice method of applying defense in any circumstance of adversity is to be in a position of preparedness – so:

Be Proactive [Before the Fact]

  • Ensure that all important files are backed up [not forgetting Home/Mobile Users] at agreed intervals
  • Conduct periodic tests of backups to ensure they are working as expected, and may be recovered
  • Consider using a Write Protected Secure, Encrypted FIPS/140-2 drive – an example of which is the iStorage NCSC Certified Drive range
  • Ensure that all system Updates and Patches are in place
  • Maintain Anti Malware/Virus applications in a current state
  • Self-Training – ‘if I don’t know it, don’t click it’ [NLP Strapline]
  • Ignore those unexpected, unsolicited calls about your ‘detected errors’
  • Where possible – deploy USB Controls
  • Educate Users – Build that Human Firewall [again, not forgetting Home/Mobile Workers]
  • Maintain Data Asset Registers – know your Critical and Sensitive Data Assets
  • Deploy Infrastructure based Robust Backup Systems
  • Where practical, create a SOC (Security Operations Centre)
  • Evolve a CSIRT (Computer Incident Response Team (First Responder Team))
  • Ensure that the teams who are expected to respond to such incidents are fully trained, and equipped with an adequate, up-to-date toolset
  • Have up-to-date Policies deployed

Response (Reactive):

In the Reactive Mode, consider the following steps:

First Response reaction [After the Fact]

  • Stop and think – do not be driven to an uncalculated response
  • Do not turn the computer off
  • If you must terminate the Network Connection, pull the cable – not forgetting WiFi
  • Record the displayed screen – [camera, phone etc] – this is a key Artifact
  • Do not respond to, or pay any demands
  • Report the Incident to your IT Team, Service Desk, and CSIRT [await advice]
  • Whilst waiting– assess Data Impact – say PCI-DSS, or GDPR Potentials
  • Confirm the last backup status – and assess the potential for recovery from the held images/files
  • If you have no Service Support – use another off-network system [e.g., PC] to investigate the implication
  • Home User – Report this as an incident to the Police – they may not always be interested, but this incident is a CRIME
  • Business Users – Record this as a Security Incident, and Educate Users – feed into the extended SOC – for purpose of Situational Awareness Alerting

Conclusion

To conclude, it may be an accepted opinion that the threats posed by Ransomware are significant, regular, and, it would seem such threats are able to overcome even the most stringent of supposed Cyber Security Postures. It may also be further concluded that, such is the success and financial gain for the practicing criminal actors, this is not going to be a digital threat that will disappear anytime soon.

The time has come in which all individuals, SME, Corporates, Government Agencies, and any other member of the Digital Generation who seeks Electro nic Survival will have to start to practice a posture of pragmatic and meaningful Defence in Depth to accommodate the desired level of protection. Time has arrived at a digital juncture that is accepting Digital Transformation, and Zero-Trust in an age that is anything but digitally secure. It is time to take Cyber Security and the Ransomware Pandemic seriously at the pragmatic level –  and to move over into a mindset that is focused on security, rather than on buzzwords that infer that a state of total zero-trust is achievable.

Respecting data privacy rights through data encryption

Respecting data privacy rights through data encryption

Data rights are human rights.

Whilst that principle is embedded within and encouraged by data regulations, including GDPR, DPA, CCPA and HIPAA, it is counteractively provoked by technologies, such as live facial recognition surveillance, that carry the looming risk of abuse and weaponization. Data privacy is often the price for services, whether it be police protection, app use or be given targeted, more relevant advertisements. This dichotomy has been the source of much debate, scrutiny and concern.

Data privacy must be a top priority for all organisations and should be considered from the outset of data sharing initiatives. Of course, avoiding hefty fines, job losses or suffering brand damage are all significant impetuses to protecting data. However, respect for consumers’ data privacy rights will drive organisations to go the extra mile to ensure data confidentiality.

This begs the question; how can data privacy be achieved? Whether or not data privacy, on a wider and global scale, can ever be truly achieved would perhaps be a more appropriate question. However, small measures taken to keep sensitive information protected and confidential can have a positive ripple effect. Individual organisations can take the lead in respecting their customers’ data privacy by encrypting data in transit and at rest.

How can you encrypt data in the cloud?

Encrypting data is a requirement of most compliance standards. Yet, a study in 2020 found that an alarming 43% of cloud databases are not encrypted. Organisations are under constant attack and, regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, that data should preferably be encrypted with a FIPS certified randomly generated AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file sharing services (such as WeTransfer) and shared in the cloud should be securely encrypted.

The more people the data is shared with, the greater the challenge to ensure data privacy. Storing data in one place and accessed by authorised users only, who have a copy of the encrypted encryption key at hand, can allow for efficient working whilst ensuring data security. Sharing encrypted data securely allows for instant collaboration in the cloud, saving time in what would be days of posting encrypted USB flash drives to and from colleagues.

Controlling the encryption key

If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed to the CSP as they won’t be able to decipher between a legitimate user from an attacker. By keeping the encryption key, which should be encrypted itself within an ultra-secure Common Criteria EAL5+ (Hardware Certified) ready secure microprocessor along with a PIN authenticated code, away from the cloud increases the number of security measures from just one authentication, the cloud account login, to as much as a five-factor authentication.

Back up encrypted data using USB flash and hard-disk drives

Backing up valuable data onto an encrypted hard-disk drive can save organisations the trouble of losing access to important information during a ransomware attack. Using a PIN protected hard disk drive will secure the data even if the drive is lost or stolen, avoiding the risk of their data being accessed or viewed by unauthorised persons.

To avoid losing sensitive information in the event of a ransomware attack, sharing information using PIN protected USB flash drives is another safe option. This can be especially useful for remote workers as they can securely protect and back up their confidential data whilst on the go.

Encrypting data within a unique and dedicated hardware based Common Criteria EAL5+ (Hardware Certified) ready secure microprocessor is the ideal solution. The ultra-secure microprocessor employs built-in physical protection mechanisms, designed to thwart cyber-attacks, such as side-channel attacks designed to defend against external tampering, bypass laser attacks and fault injections.

All critical components within the drive should be covered by a layer of super tough epoxy resin, which is virtually impossible to remove without causing permanent damage to the critical components. If breached, the drive’s tamper evident design will provide visible evidence that tampering has occurred. Brute force limitation is an excellent feature to look for in a drive. If the PIN is entered incorrectly 10 consecutive times, the PIN will be deleted and the drive can only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly 10 consecutive times, the encrypted encryption key is deleted along with all data previously stored in the drive.

Conclusion

To keep sensitive information confidential, data stored locally on a computer, on a drive or in the cloud, or shared via email or file sharing service, must be encrypted. Data encryption is an important stride towards data privacy, helping organisations comply with regulations like GDPR. As fears of a looming Big Brother dystopian future grow and as data breaches hit headlines on a regular basis, organisations can stand out as data privacy pioneers and earn their customers’ trust.

Hybrid Working: 5 Tips to Protect your Data.

5 Tips for protecting your data when hybrid working

As the last year has unfolded, the working dynamic has distinctly shifted to a new landscape. With Accenture reporting that 83% of 9,326 workers surveyed saying they prefer a hybrid model; hybrid working is set to become the newfound way of living for millions of employees across the country.

Despite hybrid working creating various opportunities and benefits for employees and employers alike, the hybrid working model raises questions on the vulnerability of data security. Constantly carrying sensitive data between home and the office could place companies at risk due to continuous issues such as unsecure personal networks or human error.

Today we wanted to provide our top 5 tips on improving security hygiene whilst hybrid working to minimise risk of data protection.

1.

Keep a safe back up of sensitive information.

All-important files should be regularly and securely backed up. Backing up valuable data onto a PIN-authenticated, encrypted USB flash drive or HDD/SSD can save businesses the trouble of losing access to important information during a ransomware attack. It is worth noting the importance of all staff, especially those working remotely, having a secure Wi-Fi connection, and checking all security software is up to date to avoid such an attack from occurring in the first place.

Using an encrypted drive for backing up data is essential. For ultimate protection, the selected drive should preferably have an on-device crypto-chip offering the ultimate standard of encryption, known as AES-XTS 256-bit hardware encryption. As a result, if the encrypted device, such as a USB flash drive or hard disk drive, is lost or stolen, it will not result in a data breach for the exposure of client or company data.

The encrypted USB flash drive or HDD/SSD should additionally include an extra added layer of security such as a Common Criteria EAL 5+ (Hardware Certified), which employs built-in physical protection mechanisms, designed to thwart an array of cyber-attacks, such as side-channel attacks.

2.

Transport files securely.

Securely carry work home with you using a PIN protected, encrypted USB flash drive or HDD/SSD. In the worst-case scenario of the drive getting lost or stolen when employees transport files or work out of the office, an encrypted drive as described above will allow organisations to avoid the risk of their data being accessed or viewed.

Moreover, if the drives are only accessible by entering a unique 7-15-digit PIN, it will prevent unauthorised access to the data stored on the drive. Another feature worth considering is brute force limitation. If the PIN is entered incorrectly a designated number of times, all data previously stored in the drive is deleted and the drive is reset.

When power to the USB port is turned off, or if the drive is unplugged from the host device or after a predetermined period of inactivity, the drive should automatically lock to prevent unauthorised access. Using a drive that can also be configured as a read only (write protect) will ensure the data is not illegally modified.

3.

Encrypt data stored in the cloud.

The cloud is often the preferred option for hybrid working. However, cloud security is a common major concern, meaning most businesses will hesitate to store any highly confidential information in the cloud. Is there a way around this issue?

To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted in transit and at rest. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft or inadvertent data leakage.

Encryption cannot be dependent on the cloud service provider (CSP). With serverside encryption, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff. It is therefore best for organisations to individually encrypt data stored in the public cloud. The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but it’s also more convenient for those using a multi-cloud solution.

An ideal solution to control the encryption key is to quite literally remove it from the cloud and physically store the encrypted encryption key within a PIN authenticated USB module. The module will not store any data. Rather, it will act as a key to encrypt data and access any data in the cloud. It can thus be used to securely encrypt confidential information stored on a local computer or network drive, sent via email or sent using a file sharing service.

4.

Ensure authorised access to data.

Using specific software, such as iStorage KeyWriter, all critical security parameters between the primary encryption module and as many secondary encryption modules as required can be copied, including the randomly generated encryption key and all PINs. Only those with a copy of the encryption key will be able to decrypt the shared data. This allows for secure and instant collaboration in the cloud between authorised users, regardless of location.

Businesses need a clear procedure that all staff follow to uphold adherence to data protection regulations, even more so with the rise of remote workers. Multifactor authentication is a highly recommended best practice for data protection compliance. If a hacker obtains the cloud user’s credentials, the breach will go unnoticed to the CSP as it won’t be able to decipher between a legitimate user from an attacker. On the other hand, the encryption module increases security measures to an unprecedented five-factor authentication, as the encryption key is kept away from the cloud.

5.

Manage access to data remotely

Handing authorised staff an encryption module will contribute to reducing the risk of data loss due to human error. Still, this does not entirely eliminate the possibility of such an occurrence. For example, an individual may lose the encryption module or be dismissed and keep the device. This is where central management is needed.

Those responsible for cloud and data security in the organisation should be able to monitor file activity, set geo-fencing and time fencing restrictions, encrypt file names and disable users’ access to the data remotely. This will go a long way in eliminating security risks in the cloud and help managers have full visibility and administration of sensitive data and user access

These measures will contribute to maintaining business continuity, upholding compliance to data protection regulations and eliminating any complexity of remote working.

At iStorage, we can assist organisations with remote workers to: (1) safely transport and back up data using our datAshur or diskAshur range, and (2) securely share and manage data in the cloud using our cloudAshur solution.

Encryption: An introductory guide on why it matters

An introduction to encryption

Encryption is often a subject that we see thrown around within the media, but for a lot of us it still may not be a term that we fully understand. Whilst it can be a complicated issue, with the right information and tools we can all implement a basic level of encryption within our lives in order to protect ourselves online. We’re here to provide and simplify the information you need to make these essential changes.

What is encryption?

Encryption is a form of scrambling data to ensure a piece of information can only be deciphered by the owner of that data. In technical terms, it is the process of translating and un-translating text from original readable text into incomprehensible text also known as cipher text. This cipher text makes any data unreadable to the human eye, therefore rendering the data as useless to unauthorised readers.

Why is encryption important?

Digital data is becoming increasingly pivotal to our personal lives, our economic prosperity and our general security. Just as we would lock up the doors into our homes each night to protect ourselves from unauthorised access, we must continue this way of living through to our online lives. Implementing digital security can support the way we communicate, to the way we bank, socialise and shop. At the heart of this digital security lies encryption, which equals privacy, GDPR compliance for businesses and most of all, peace of mind.

How does encryption work?

Encryption is essentially a piece of encoding data that encodes a file or message by scrambling text. This text can then be translated back into its original form when the correct recipient accesses the data, a term known as decryption. In order to translate this data, the recipient will have a unique encryption key. This key can be a password, sequence of numbers or another alternative sequence of numbers or letters.

Are encryption and cryptography the same thing?

It may be difficult to understand exactly what the difference is between encryption and cryptography, as essentially their roles are similar. Both roles can however be distinguished based from their purpose. Cryptography is the art of disguising your writing, a strategy which has been famously used for centuries originating from the Ancient Greeks and Spartans. Encryption however is a form of cryptography which specifically converts plain text data into cyphertext. Whilst encryption is a form of cryptography, they are not inherently the same.

Can encryption be hacked?

Whilst it isn’t as straightforward as it sounds, encryption can in fact be hacked. However, to hack this would take an excessive amount of time, resources, and technical knowledge. A hacker would fundamentally hack encryption either by intercepting data before encryption or after decryption, or they would use the method of stealing your unique encryption key. Often, data storage companies will have a sole purpose of ensuring their product is as hard to hack as possible. For example, cannot be accessed unless a hacker were to have a physical iStorage drive, and the PIN Number acting as the key. The hacker will have a total of 10 attempts to guess the 7-15 length unique PIN before the drive gets wiped and all data is lost forever. The hacker will also be unable to access the core of the drive due to the super tough epoxy resin which covers all components within the device, which would essentially cause permanent damage to the drive if tampered with.

Are all levels of encryption the same?

When investing in encryption, it may be worth understanding what the standard level across the globe is. Not all encryptions are the same, with each standard offering various levels of protection.

The current standard within most government or IT departments within all industries is known as the ‘Advanced Encryption System’ (known as AES). This system originated as being the encryption standard for the US government in 2001 before slowly being integrated internationally as the overall standard level of encryption. Within AES, there are three levels of encryption: 128, 192 and 256 bits. AES 256-bit is commercially the most robust and strongest form that is available today. All iStorage devices are encrypted using AES-XTS 256-bit hardware encryption, ensuring your data receives the ultimate line of defense.

 

Overall, using this newfound knowledge on encryption, we highly recommend that you make a plan to move your digital life onto encrypted storage, create a back up and then you can be sure that your private life and confidential data stay just that way – private and confidential.

GDPR Three Years On: What is next for the regulation

GDPR Three Years On: How can the European Commission support SMEs to reach an impeccable level of data protection compliance?

Who doesn’t remember the implementation of GDPR? It’s hard to believe that it was just three years since GDPR was introduced in the EU. Today, we’re taking a look back to understand just how GDPR has changed or improved the livelihoods of businesses and consumers today, whilst contemplating what exactly is next for the regulation and the European Commission.

Initial reactions & shift in focus

When GDPR was initially announced in 2017, a persisted sense of skepticism hung across organisations of all sizes across the union. Mainly, this related to the lack of time given to allow firms, in particular SMEs, to uphaul their operations to fit into this new sense of operating, as well as the fear of what fines may be in store for organisations failing to comply. Many businesses argued that EU governments would expect businesses to put new strategies into place with no help or guidance from regulators themselves. It wasn’t until the infamous Cambridge Analytical Scandal in 2018 that consumers and businesses alike truly understood the urgency of personal data privacy, thus accepting the new regulation with open arms. At this point forward, a shift in GDPR focus converted from an irritating regulation or even obstacle towards business operations, to one of massive importance.

One year on – Impact & predicaments.

One year later – leading us to May 2019, GDPR had been adopted and businesses all over the EU were scrambling to ensure that they could avoid any heft fines. Following initial concerns, there were in fact multiple teething problems which the European Union and firms were forced to face. It was primarily contended within the first year of operation that GDPR did not in fact live up to expectations due to pitiful fines being handed out by regulatory bodies. SMEs felt as if they had been left behind in the GDPR conversation as they were left to struggle to implement efficient operations in place in time. Even consumers were already feeling a sense of fatigue due to the influx of unclear communications from organisations across the EU, leaving consumers feeling lost and unclear on how they could take full control of their data.

Despite these initial complications, GDPR was universally accepted as a positive force and change to come. According to a 2019 report published by Deloitte, 44% of survey respondents believed that organisations hold the protection of customer data as a higher priority and care about consumer privacy significantly more since GDPR law came into place. Consumers also felt empowered to reshape the conversation about their data, enabling those who felt concerned about the way in which their data was stored and shared to demand better. GDPR also ignited a worldwide discussion, sparking a conversation for countries such as the USA to discuss how they should be protecting the data of their citizens.

adam-nowakowski-D4LDw5eXhgg-unsplash

Two years on – Lessons learned.

Moving forward to 2020 – two years on from the implantation of GDPR, despite numerous organisations now taking GDPR within their stride to reach a reasonable level of compliance, there remained a percentage of SMEs still struggling with the costs involved in ensuring compliance. Whilst technical compliance towards GDPR had begun to be reasonably met, operational compliance still fell short from the mark due to issues such as complex processes, lengthy documents and general lack of training and awareness. The European Commission specifically pronounced 2020 as great groundwork being put into the protection of personal data; however, did admit that more still needed to be done, specifically in the realms of re-enforcement and highlighting the needs for national Data Protection Authorities to engage with EU representatives of overseas operators rather than the operators themselves who, sitting overseas, may feel less urgency regarding compliance.

Overall, the European Commission had found that across the first two years of regulation, there had been a number of improvements brought about by the GDPR, including a level playing field for businesses across Europe, a greater awareness of citizens’ rights, and the GDPR’s flexibility to adapt to new technology.

Three years on: Where are we now and how do we proceed?

Reflecting on the past three years on GDPR, its clear that the regulation has held a lasting impression and insightful impact across the globe, with places such as California and the United Kingdom (post Brexit) even implementing their own versions of GDPR into commercial law. Concerning issues that had stemmed within the first two years of operating, it seems that regulators have vastly improved the fairness and operations involved. Fines regarding GDPR for example totaled to £245.3 million throughout Europe as of January 2021, and a total of 160,921 personal data breaches have been recorded. The greatest fines have been cast to Google, British Airways, H&M, Marriott and Telecom. Fines typically were considered to be higher depending on the severity of a data breach, which in retrospection is considered a fair system for organisations.

Despite GDPR creating this impact however, reflecting on the 2020 pandemic and the rise of worldwide data breaches, it is perhaps time that the European Commission shifts from focusing on GDPR as ‘groundwork’ into a fool proof aid in which organisations can follow to fully protect the rights and data of their consumers. Despite this being a priority for the European Commission to consider within the next five years however, there are still glaring issues regarding the lack of resources and financial aid for SMEs to follow through with this basic groundwork level of regulations.

The primary limitation of GDPR which is considered to be prominent within business operations is the cost and limited resources available for organisations to improve their compliance, with no certifications or training provided for specific GDPR matters. The closest that organisations can currently run is the International Association of Privacy Professionals as the gold standard; however, this has not had approval from GDPR regulators. This has caused many SMEs to still fall behind on GDPR expectations, as there is still an overwhelming lack of support.

It is therefore essential as we move forward into the world of GDPR, that the European Commission create a fair and equal playing field to allow all organisations of any size to access low cost resources which can enable them to improve the level of compliance for their consumers, especially if regulations will tighten over the next five years. Although there are several low-cost solutions within the data storage market, such as affordable data storage hardware encrypted drives by certified and GDPR compliant vendors, the European Union must do more to provide low cost training and resources for SMEs before discussing how GDPR regulations can be strengthened.

Backdoor Access: Could cybercriminals be secretly accessing your data?

MicrosoftTeams-image (8)

Could cybercriminals be secretly gate crashing your data?

No one is keen to host an unwanted guest, but what if you are unaware that they are even there? Trusted global leader in encrypted hardware data storage solutions – iStorage Limited, dissect the idea of backdoor access and how this could affect your personal data.

Imagine you’re a thief, eyeing up a stunning four-bedroom property for your next job. With a Ring Doorbell and security sign in sight at the front of the house, you decide to hop over the fence and try your luck around the back. Once you reach the back door, you’re delighted to find that the door is unlocked, allowing you access to the property – how kind! With this backdoor access, you also have the sound knowledge of knowing that residents will be unaware that you have accessed this property, unless of course you leave the home completely ransacked. You also have the opportunity to burgle this home multiple times, at least whilst this backdoor is still accessible.

Now that you have pictured this scenario, how would you feel if we told you that your computer works in the exact same way? If you use software or hardware to house your data, there may still be a chance of your device being accessed without your consent, or even knowledge. In simple terms, this cybersecurity situation is known as ‘backdoor access’.

How do cyber criminals receive secret access to your device?

Cybercriminals will often search far and wide to find devices with vulnerabilities that may give them backdoor access. This backdoor access may be created by cybercriminals themselves through a backdoor malware or may even be automatically implemented into your software or encrypted hardware by the manufacturer. This may be for the reason of the developer accessing a drive if a customer accidentally locks themselves out or may be a government requirement such as in China.

Backdoor malware is commonly known as a Trojan virus, accurately named after the Trojan Horse in Greek Mythology; as much like the city of Troy, device users may also be in for a nasty surprise as a Trojan Virus will enter a device and implement malware, backdoors and will steal data.

What could be the implications of backdoor access?

An example of just how serious backdoor malware can be is found in the 2019 SolarWinds hacking scandal. In this circumstance, Russian criminals were able to implement a Trojan virus into the company’s software system named Orion. With 33,000 customers using Orion, SolarWinds unknowingly passed the virus to their customers whilst issuing an update for the software, spreading a malware virus to SolarWinds’ top clients. Victims of this malware attack included the Pentagon, the US Department of Homeland Security, Cisco, Microsoft, Deloitte and more. As this attack was carried out so stealthily, security experts stated that many victims may never know if they were even attacked.

How to minimise vulnerabilities within your network and devices:

The thought of unknowingly having your personal data accessed and stolen can be scary, but the good news is that it can be preventable. As the thought leaders and experts in encrypted hardware data storage solutions, we wanted to share with you our top advice on how you could prevent the possibility of a Trojan and backdoor access compromising your personal data.

The first ultimate tip on how to protect your data from backdoor access is simple. Use a complicated password. Although we have all heard this tip over a thousand times before, it still needs to be stressed. With the most common password in the UK still being ‘password’ or ‘1234’, you are automatically almost inviting criminals with open arms to take a look at your data, just as the homeowner left their door unlocked in the scenario above. A complicated password should be made up of a mix of a random characters, including numbers, capital letters and special characters. Apps like password manager can also be used to ensure you don’t forget these passwords, as complicated passwords can often be forgotten!

Secondly, a great tip to prevent backdoor or malware access is to carefully examine and monitor any suspicious behaviour on your device. This can vary from inspecting any suspicious emails that are received in your inbox to ensuring there are no random data spikes within your network activity. To make this process easier, invest in a suitable firewall for your device. A firewall will essentially carry out all of this work for you in the background whilst you carry out any tasks. It will alert you if anything suspicious is found on your device and will give you the option on how you want to deal with it.

The third and final essential tip we have is to invest in a sound and certified cybersecurity storage solution. Certifications such as Common Criteria, FIPS and NCSC CPA will examine just how easy it is to create a backdoor access within a device or software and will award solutions on the level of security they can provide to a customer. A product with no certifications may indicate that there may be a vulnerability within the solution, enabling backdoor access to be easily created. A popular backdoor access route within hardware devices may be BadUSB, a common vulnerability in hardware which allows hackers to implement malware viruses through a USB connector.

At iStorage, we take data security to the highest level, ensuring that none of our products have the potential of a backdoor implementation. Our range of products include our encrypted hardware diskAshur2 range which is the world’s first and only range of devices to be certified to FIPS 140-2 Level 2/3, NCSC CPA, NLNCSA BSPA and NATO Restricted, whilst also implementing a Common Criteria (EAL 5+) secure microprocessor that protects data at the very core. Our devices have also been tested against having any vulnerabilities regarding BadUSB. We are currently offering free 30-day trials for all of our products, to allow you to try out our devices and to personally experience the superior level of security they can provide for your data before committing to any financial obligations.

Mitigating cyber risks around cryptocurrency

Mitigating cyber risks around cryptocurrency

Hackers stole 523 million NEM (valued to £385 Million) from the Japanese cryptocurrency exchange – Coinbase in 2018. NEM Foundation president Lon Wong described it as “the biggest single theft in the history of the world.”

Cryptocurrency is currently causing a frenzy across the globe and are rapidly becoming a widely used type of currency. Bitcoin in particular is now stated to be worth up to $53,000 (£38,000) per Bitcoin. Recently, philanthropist and CEO of Tesla & SpaceX – Elon Musk, announced that Tesla would begin taking Bitcoin payments, with Microsoft, Twitch, Lush and Expedia also accepting Bitcoin transactions in the UK.

With this new form of finance beginning to take control across the world, it is crucial that we stop to think about the cyber risk that entails cryptocurrency. In 2020 alone over $1.9 billion (£1.4 billion) was stolen through crypto cyber-attacks, with 122 attacks taking place on cryptocurrency exchanges, blockchain apps and decentralised apps on the Ethereum platform. Considering the inflation of crypto rates, this would be worth around $3.8 billion (£2.7 billion) today.

What is Cryptojacking?

The vulnerability of cryptocurrency is a direct consequence of the currency’s anonymity due to the issue of blockchain technology in cryptocurrency being decentralised, meaning there is no authority who can overview each transaction or crypto activity. Therefore, this structure allows criminals to find the perfect opportunity to thrive. On top of this troubling issue, cryptocurrency is the number one preferred form of exchange during ransomware attacks, meaning companies are at risk of losing corporate data in exchange for a hefty crypto payment. This form of attack is formally acknowledged as cryptojacking.

Golden bitcoins. Cryptocurrency on black background.

How to minimise risk of crypto specific attacks

Despite the financial benefit that cryptocurrency can bring to consumers and businesses alike, due to the clear vulnerabilities in the structure of crypto, it is therefore apparent that any business involved with a form of cryptocurrency is in immediate risk of falling victim to a cyberattack. We do want to assure you however, that despite this threat, there are in fact strategies can be implemented into a personal or organisational structure to ensure you can either minimise risk of attack or are not at risk of losing money or data. Firstly, to minimise risk of a hack, it is essential to remain vigilant when opening any emails, messages or other forms of communication. To access a cryptocurrency account, use suitable security hygiene and create a complicated password with two factor authentication to minimise the risk of an intelligent hacker discovering your password. When storing cryptocurrency , it is highly recommended to store any savings to an encrypted storage solution, preferably with government approved certifications such as FIPS 140-2, to ensure that there is no backdoor access in which a criminal could steal your hard earned savings.

At iStorage, we are already working with cryptocurrency exchange services and decentralised app hosts to provide secure solutions to any crypto specific threats facing their organisation. If you are concerned about cryptocurrency impacting your security, ask an expert today to understand how we can assist you.

Share this blog: