
World Backup Day: Why 31st March should be a day to act

According to Transport for London (TfL), an average of two laptops are left on the London Underground every single day, while the average cost of data breaches in 2022 is reported to total $4.35 million. Ransomware attacks too are on the rise, and these are not limited to the bigger companies but are also targeted at smaller businesses and individuals. This places the integrity of business and personal data on a critical footing: the potential for cybercriminals to steal your data and sell it on the dark web for illicit purposes should raise alarm bells.

Having a plan in place to back up your data is one of the most important ways to protect information and keep data safe. Backing up ensures that even if it falls into the wrong hands, a copy of the data is retained, secure and instantly accessible. Here are our 3 tips for World Backup Day:

1. Back up data using a 3-2-1 strategy

Getting into the habit of regularly backing up data will offer a lifeline should data ever be lost, corrupted or stolen. Employing a 3-2-1 strategy, as advised by the National Cyber Security Centre, means having at least three total copies of the data, two of which are local but on different mediums, and at least one copy stored off site. Flash drives, such as those in our datashur® range, offer a light, pocket-sized secure solution for those constantly on the move; for those commuting between office, co-work or work hubs, the diskashur® hard drives provide greater capacity but are still light and flexible; and if more heavy-duty, robust storage is needed for weekly backups, pick the diskashur DT2®.

2. Make sure the data is encrypted

When backing up your data, encryption is critical. Pocket-sized flash drives are light and flexible, but can be lost or stolen, so make sure your data is locked away. Encryption vastly improves the security of files, but it’s critical to select the right device. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption offers complete data integrity, even when brute force action is used. Additionally, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS certified AES 256-bit encrypted encryption key brings into play military grade protection, which is as good as it gets.

3. Protect data stored in the cloud

When looking to store photos, documents and personal or business files, many people look to the convenience of the cloud. Cloud providers often offer encryption as part of a managed service, which, on the surface, makes life simpler because this burden is taken away. However, an encryption key is required to decrypt the data, and this is also stored in the cloud, which presents a degree of risk. Keeping the encryption key, which is itself encrypted within a secure microprocessor stored on a hardware encrypted security module, away from the cloud increases the number of security measures from just one layer of authentication - the cloud account login - to up to a five-factor authentication using our cloudAshur solution.

Following these simple tips will put you in a strong position, helping to eliminate security risks while providing fuller assurance as to the integrity of your vital information. This provides peace of mind to those backing up personal data, while for businesses, retaining full responsibility for data encryption and management will contribute to maintaining business continuity and upholding compliance to data protection regulations.

So, if you do nothing else this World Backup Day on March 31st, back up and encrypt your data.

Learn more about improving data security: https://istorage-uk.com/

Avoid paying a King’s ransom for your data

By John Michael

The path of digital transformation, accelerated by the unique requirements of the pandemic, has led to untold efficiencies and revolutionary connectivity – but it has also ushered in a new era of threat. More pernicious ransomware puts data at greater risk than ever, and the rise of remote and hybrid working means criminals now have a vast number of new avenues through which it can be deployed. Analysts are calling this the ‘golden age of ransomware’ – and it’s time for the industry to fight back.

Ransomware works

Recent ransomware attacks have demanded upwards of US$70 million [1] and cybercrime itself costs organisations $6 trillion per year in global damages [2]. Spreading through means including phishing emails, unprotected personal computers, exposure to public Wi-Fi, and Zero-Day vulnerabilities, 46% of those hit with a ransomware attack pay the ransom at an average of over US$800,000 [3]. The money behind ransomware makes it an increasingly professional criminal endeavour.

Ransomware-as-a-Service (RaaS) sees ransomware authors offering clients off-the-shelf malware variants and cybercrime expertise. Criminals are also getting bolder, moving from locking down data to stealing and threatening to share it – known as double extortion – or making ransom demands to a business’s third-party clients, called triple extortion. An attack could cause serious reputational damage as well as significant business downtime [4] and the resulting financial loss.

The human element is a greater liability

Ransomware’s rise has much to do with the vast growth in network-connected hardware and software. IoT devices, particularly if not patched, can act as a gateway to an improperly secured network. The speed at which IT departments were forced to roll out remote access systems during the pandemic left many inadvertent loopholes. These are easier to exploit following the move to more home and hybrid working, which sees employee hardware placed on insecure home networks and public Wi-Fi.

While Zero-day attacks, which exploit platform vulnerabilities, are a real and present threat, they aren’t something that can be easily prepared for. Moreover, phishing – a common method of network infiltration – has become ever more complex and devious over time. The richest prizes have come from those with the highest level of access, and hackers perform detailed reconnaissance on key targets.

Employing a Zero Trust strategy

Minimising the possibility of IT infrastructure attack means taking a Zero Trust approach – building a framework whereby no entity which interacts with your organisation has any implicit trust. Every device, user, platform, tool or vendor must clearly demonstrate its security credentials, particularly as liability for data breaches is highly unlikely to be passed on to third parties. Employees must be trained to understand this, and a workplace culture must be built around cyber hygiene and resilience.

However, even savvy employees can slip up in a tired moment. Hackers with enough insider knowledge may be able to gather sufficient information to infiltrate a network regardless of an organisation’s policies. The tactic now must be to secure the key asset of any business – its data – by implementing consistent encryption and employing a backup policy. Backups must be as protected as core data, ideally with strong encryption, and kept in triplicate online, offline, and off-site.

Protecting the keys to the kingdom

Key access must be protected. The Zero Trust philosophy is doubly important here: trusting keys to a cloud storage provider, for example, could result in the data and keys being compromised in the event of a data centre breach. Moving encryption to a hardware module ensures that data can be protected end-to-end and rendered functionally useless as collateral for hackers. Using hardware encryption on backup drives or USB sticks further strengthens protection in the case that the media is lost or stolen.

There may be no real technological way to stop ransomware attacks from happening, particularly with the human element so vulnerable. True security comes from physical and logical separation between keys and data: if we can render ransomware attacks useless and have a plan in place for recovery, they will end up little more than a very temporary inconvenience.

Learn more about ransomware and how to better protect your business

1 - https://www.theverge.com/2021/7/5/22564054/ransomware-revil-kaseya-coop

2 - https://www.sdxcentral.com/articles/news/cisco-ceo-cybercrime-damages-hit-6-trillion/2021/05/

3 - Sophos State of Ransomware 2022 - https://assets.sophos.com/X24WTUEQ/at/c5234fvn45pvmk5w6nhh4vkh/sophos-state-of-ransomware-2022-infographic.pdf

4 - https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/

Maximising data protection for secure remote working

By John Michael

The dynamic of the workplace has shifted. A hybrid or flexible model has become the preferred method of working for millions of employees, with remote capabilities allowing greater freedom to collaborate and innovate outside of the confines of the 9-5 office. Yet, despite its many benefits, remote working raises questions about data vulnerability.

Rising cybercrime and the emergence of ‘ransomware-as-a-service’ means that the safeguarding of company and personal data has never been more critical. With data being regularly moved between home, fixed office and even a co-work space, it’s imperative to consider security hygiene and how it can be improved if the hybrid model is to succeed long term.

Transport files securely

The demand for flexible working means a growing number of devices that are potentially on the move, rather than being kept at a permanent desk within a fixed office. The likelihood of a device being left or stolen therefore dramatically increases, potentially placing sensitive files and company data directly into the hands of a malicious threat actor.

Encrypt data in the cloud

The cloud is often the preferred option for remote workers to connect and collaborate. However, concerns over cloud security mean that a business might hesitate to utilise its services for data storage. To ensure total privacy, data must be encrypted, but this requirement for encryption cannot be dependent on the cloud service provider (CSP) where the encryption key is stored in the cloud and therefore accessible to hackers and cloud staff alike.

The solution is to remove the encryption key from the cloud and physically store it within a PIN authenticated external USB module. This allows users to access data stored in the cloud, while also being able to securely encrypt information from a local computer, a network drive, or sent via email or file sharing service.

Centralise data management

Multifactor authentication is a highly recommended best practice for data protection compliance. If a hacker were to obtain a cloud user’s credentials, the breach would go unnoticed to the cloud service provider as it wouldn’t be able to differentiate a legitimate user from an attacker. The encryption module increases security measures to as much as five-factor authentication.

Use of an encryption module by authorised staff will reduce the risk of data loss due to human error but doesn’t eliminate the possibility entirely. This is where central management is needed, enabling those responsible for cloud and data security to monitor file activity, set geo-fencing and time-fencing restrictions, encrypt file names and disable users’ access to data remotely.

Back up sensitive information

Regularly backing up encrypted files is essential best practice. Using a 3-2-1 strategy, for example, means having at least three total copies of the data, two of which are local but on different mediums, and at least one copy stored off site.

Consideration should also be given to the means of data storage. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with an on-device crypto-chip and AES-XTS 256-bit hardware encryption offers the highest levels of protection. Adding an extra layer of security, such as a secure microprocessor that is Common Criteria EAL5+ Certified, utilises physical protection mechanisms designed to prevent a wide array of cyber-attacks.

Retaining full responsibility for data encryption and management will contribute to maintaining business continuity, helping managers uphold staff compliance to data protection regulations and eliminating any complexity associated with flexible working models. This ultimately results in peace of mind and safer data.

Learn more about improving data security.

Three critical ways to help financial services protect their data in the cloud

By John Michael

As the digital transformation agenda continues, the majority of retail and commercial banks aim to triple their use of cloud services by 2025, according to research [1]. Cloud-hosted data will enable them to improve agility and take advantage of greater storage capacities, streamline processes and move away from legacy systems. Yet, keeping that data secure can be incredibly challenging. In this blog we look at three critical areas that should be addressed to ensure high levels of data security while still benefitting from cloud technology.

Use encryption technologies to reduce risk

State-of-the-art encryption could save a business from hefty fines in relation to the GDPR in the event of a data breach. Yet worryingly, recent figures suggest that as much as 82% of the databases in the public cloud are not encrypted [2]. While cloud providers do offer encryption to customers, the only information required to access their data is a username and password. It therefore falls to financial services organisations to take matters into their own hands and ensure data is securely encrypted before it is sent to the cloud, both in transit and at rest.

For ultra-secure encryption, data should preferably be encrypted with a FIPS certified randomly generated AES 256-bit encrypted encryption key, providing the highest levels of security and protection. The user should retain full control of this key, ensuring that it is stored separately to their data. Taking this approach means that even if the cloud account is targeted and hacked, the data cannot be accessed.

Share information securely using multi-factor authentication (MFA)

In the financial services sector, highly sensitive information is shared regularly between businesses. While the cloud facilitates instant collaboration, co-operating parties should ensure that data is encrypted and that relevant stakeholders are provided with a copy of the encrypted encryption key to access the files. This introduces a multi-factor authentication (MFA) security procedure, even when data is sent to a third party.

As an example of unsecure third-party access causing major issues, a data breach suffered by a South African bank in 2020 effectively put the data of 1.7 million customers at risk. While the bank’s own network remained secure, the breach concerned the premises of a third-party business who had been entrusted with customer data for marketing purposes. Here, encrypted data with an encrypted encryption key stored separately would have prevented the incident.

Control access and centralise data management

Controlling access is a major factor in mitigating the risks associated with human error. Through centralised management, those responsible for cloud and data security in the organisation will be able to monitor and control file access, set geo-fencing and time fencing restrictions, encrypt file names and disable users’ access to data remotely. This will go a long way to eliminating security risks.

As financial services organisations continue to collect more data, the cloud can be a viable solution to the processing, storage and sharing of confidential information. But the cloud will only be useful in this regard as long as security measures can be enforced. High-quality encryption and effective centralised control of access to sensitive information will provide the financial services industry with the peace of mind that comes from having safer data.

Learn more about managing, sharing and encrypting data in the cloud.

Who is liable for your data in the cloud?

By John Michael

In an age of ‘cybercrime-as-a-service’, cyberattacks, arising from both state-sponsored groups and hacking collectives, are now inflicting unprecedented levels of damage, with the Cisco CEO reporting it now costing USD $6 trillion per year [1]. According to the Allianz Risk Barometer 2022 [2], cyber incidents have become the most important business risk, increasing in regularity and complexity. In a single month (May 2022), 49.8 million records were breached [3], with extensive media coverage reminding organisations to be mindful of their responsibilities.

Despite initial concerns about data hosted in the cloud, providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. The terms and conditions of many major cloud providers include a ‘limitations of liability’ clause which places data-security responsibility with the cloud user. More stringent measures, therefore, should be considered when considering cloud storage.

Encryption and key storage

When looking to establish robust security measures for cloud data, a vital step is to consider encryption. Cloud providers will offer encryption as part of their service, which, on the surface makes the roles of IT and security personnel easier when this burden is taken away as part of a convenient managed service. However, there is a pitfall in relation to the way this data can be accessed.

Unlocking the stored data requires an encryption key. As this is often also stored in the cloud, it therefore has the potential to be accessible, not only by malicious threat actors, but also by anyone working on the systems that hold the data. To be truly secure, the user needs to have full control of the encryption key, and to ensure that it is stored separately to their data. Following this approach will mean that, even if the cloud account is targeted, the data it contains cannot be accessed.

Controlling shared data

While encrypting data to be shared is imperative, posting encrypted USB flash drives to and from stakeholders becomes time consuming and highly impractical. Sharing encrypted data securely in the cloud allows for instant collaboration. Keeping the encryption key, which is itself encrypted with a PIN authenticated code, away from the cloud increases the number of security measures from just one authentication - the cloud account login - to up to a five-factor authentication.

1 - SDX Central (2021): Cisco CEO – Cybercrime damages hit $6 trillion

2 - Allianz (2022): Allianz Risk Barometer 2022: Cyber perils outrank Covid-19

3 - https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2022-49-8-million-records-breached

Safer data and how to protect it in a multi-cloud environment

By John Michael

Multi-cloud has grown considerably in popularity for many businesses due to its ability to increase agility whilst minimising vendor lock-in, improving disaster recovery and boosting application performance, all while streamlining costs. However, data protection issues are of increasing concern. This is because multi-cloud in the enterprise often comes about organically to meet evolving requirements, so is not always planned. When business departments create their own complicated silos of data, this decreases visibility and can impact upon compliance. But what is the solution?

Encrypting confidential data

A multi-cloud architecture can make data migration easy, but managing access to the data and keeping it confidential can be challenging. Regardless of the mode of transfer or method of storage, information remains a valuable commodity that is vulnerable at all possible points of connectivity. The most effective method to address such vulnerability is to consider secure encryption.

Encrypting data both in transit and at rest is critical. Data should preferably be encrypted with a FIPS certified, randomly generated, AES 256-bit encrypted encryption key to be ultra-secure. Confidential information stored locally on a computer or hard drive, sent via email or file-sharing service, or shared via data transfer in the cloud should equally be securely encrypted. Taking such an approach guarantees ongoing protection, keeping data confidential and giving IT leaders peace of mind.

Centralised remote management

As the use of multi-cloud environments means that sensitive data is stored in silos and transferred across numerous servers, it’s important for security managers to gain a holistic view as to which cloud providers hold which data, where that data is located and who holds access permissions within the organisation. This will enable geo-fencing and time fencing restrictions to be set, filenames to be appropriately encrypted and remote access to be enabled or disabled depending on requirement.

Key management for encrypted information is also important. Authorised users can be given a copy of a physical encrypted encryption key; a randomly generated encryption key stored within a USB module to allow ultra-secure and real-time collaboration in the cloud. Having a key management system in place provides greater control of encryption keys when using a multi-cloud solution, helping to facilitate a more centralised administration and management approach to data security.

Multi-factor authentication

Businesses need to have clear processes in place that all employees follow to uphold adherence to data protection regulations, regardless of where they choose to store the data. Incorporating multi-factor authentication will help in relation to data protection governance and is an important step in standardising policies, procedures and processes across multiple cloud providers.

If a malicious threat actor obtains a user’s credentials and compromises an account, the breach is likely to remain unnoticed by the cloud service provider who will not be able to tell the difference between a legitimate user and an attacker. Using an encryption key that is kept away from the cloud increases the number of security measures from just one level of authentication - the cloud account login - to as many as five-factors of authentication. The encryption key should itself be encrypted within an ultra-secure Common Criteria EAL5+ secure microprocessor along with a PIN authenticated code.

As more businesses move toward a multi-cloud setup, security leaders should be looking to follow such recommendations to bring peace of mind to the enterprise and, ultimately, result in safer data.

Launch of Lockbit 3.0 ransomware and bug-bounty program

Recent news points to a new version of Lockbit ransomware which includes a bug-bounty program. The program offers payment in exchange for information about vulnerabilities in its own code as well as for intelligence about high-profile individuals. With cybercrime constantly on the rise, the emergence of ‘ransomware-as-a-service’ presents real cause for concern, meaning that the safeguarding of company and personal data has never been more critical.

Cyberattacks, arising from both state-sponsored groups and hacking collectives, are now inflicting unprecedented levels of damage, with figures reaching USD $6 trillion per year [1]. Information held on any device, and even in the cloud, is vulnerable to such threat, but there are simple and effective steps that can be taken to minimise risk and maximise protection.

How can you protect your data against ransomware?

Firstly, data should be encrypted and regularly backed up. Using a 3-2-1 strategy, for example, means having at least three total copies of your data, two of which are local but on different mediums, and at least one copy stored off site. This ensures that businesses always have an up-to-date record of their valuable information, and that even if it falls into the wrong hands, it remains secure.
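One way to check a backup inventory against the 3-2-1 rule as stated above, added here as an example that is not part of the original article. The `Copy` type, the `Audit321` and `Digest` functions and the sample inventory are constructed for illustration, and refusing to count a copy whose SHA-256 digest differs from the reference is an assumption this example adds to the rule.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Copy describes one stored copy of a dataset (hypothetical type for this example).
type Copy struct {
	Label   string
	Medium  string // storage medium, e.g. "internal-ssd", "usb-hdd", "object-storage"
	OffSite bool   // true if the copy is held away from the primary location
	Digest  string // hex SHA-256 of the copy's content
}

// Digest returns the hex SHA-256 of data.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Audit321 returns one finding per violated condition of the 3-2-1 rule:
// at least three copies in total, two local copies on different media,
// and at least one copy off site. The primary data counts as a copy.
// Copies whose digest differs from reference are stale or corrupted,
// so they are reported and excluded from the counts.
func Audit321(reference string, copies []Copy) []string {
	var findings []string
	total, offSite := 0, 0
	localMedia := map[string]bool{}
	for _, c := range copies {
		if c.Digest != reference {
			findings = append(findings,
				fmt.Sprintf("%s: digest differs from reference, not counted", c.Label))
			continue
		}
		total++
		if c.OffSite {
			offSite++
		} else {
			localMedia[c.Medium] = true
		}
	}
	if total < 3 {
		findings = append(findings,
			fmt.Sprintf("only %d valid copies, need at least 3", total))
	}
	if len(localMedia) < 2 {
		findings = append(findings,
			fmt.Sprintf("local copies span %d medium type(s), need 2", len(localMedia)))
	}
	if offSite < 1 {
		findings = append(findings, "no valid off-site copy")
	}
	return findings
}

func main() {
	// Constructed inventory: two copies share one disk and the cloud copy is stale.
	current := Digest([]byte("constructed dataset, version 2"))
	stale := Digest([]byte("constructed dataset, version 1"))
	inventory := []Copy{
		{Label: "laptop", Medium: "internal-ssd", OffSite: false, Digest: current},
		{Label: "second partition", Medium: "internal-ssd", OffSite: false, Digest: current},
		{Label: "cloud bucket", Medium: "object-storage", OffSite: true, Digest: stale},
	}
	for _, f := range Audit321(current, inventory) {
		fmt.Println("FINDING:", f)
	}
}
```
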

In addition, data should be encrypted with a FIPS certified, randomly generated, AES 256-bit encrypted encryption key. AES 256 is a military-grade encryption algorithm that can be embedded into appropriate hardware as required. Confidential information stored locally on a computer or hard drive, sent via email or file sharing service, or shared via data transfer in the cloud should equally be securely encrypted.

Secondly, the encryption key should itself be encrypted within an ultra-secure Common Criteria EAL5+ secure microprocessor along with a PIN authenticated code. Storing the encryption key away from the data means that even if the data is obtained, it cannot be unlocked.
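The separation of key and data described above can be shown in software with envelope encryption; this is an added example, not code from the original article or from any product it mentions. It assumes AES-256-GCM as the cipher (the article specifies only AES 256-bit), and the `CloudObject` type, the function names and the in-memory key standing in for a key held on a hardware module are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything that leaves the machine (hypothetical type):
// ciphertext plus the wrapped data key. The key-encryption key is never in it.
type CloudObject struct {
	Name       string
	Nonce      []byte // nonce used to encrypt the data
	Ciphertext []byte
	WrapNonce  []byte // nonce used to wrap the data key
	WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud encrypts plaintext with a random per-object data key (DEK),
// then wraps the DEK with the key-encryption key (KEK) that stays off the cloud.
func EncryptForCloud(kek []byte, name string, plaintext []byte) (CloudObject, error) {
	if len(kek) != 32 {
		return CloudObject{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return CloudObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Name: name, Nonce: nonce, Ciphertext: ct,
		WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud fails unless the caller holds the KEK and the object is unmodified.
func DecryptFromCloud(kek []byte, obj CloudObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	// Constructed stand-in for a key that lives on a device, not in the cloud account.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed sample record")
	obj, err := EncryptForCloud(kek, "payroll.csv", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded: %d bytes of ciphertext, %d bytes of wrapped key\n",
		len(obj.Ciphertext), len(obj.WrappedDEK))
	_, err = DecryptFromCloud(make([]byte, 32), obj) // someone with the cloud copy only
	fmt.Println("without the KEK:", err)
	pt, err := DecryptFromCloud(kek, obj)
	fmt.Println("key holder recovers data:", err == nil && bytes.Equal(pt, record))
}
```
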

Retaining full responsibility for the encryption of sensitive information, even when stored in the cloud, will bring companies the peace of mind that comes from ensuring compliance with privacy and confidentiality laws, and ultimately, having safer data.

1 - SDX Central (2021): Cisco CEO – Cybercrime damages hit $6 trillion

10 Ways to Compromise your Sensitive Data

In this blog post by Professor John Walker, we will consider the areas surrounding data security and look at the multiple ways in which it may be breached, altered or compromised. Some may be obvious, others not so. We will explore this topic based on the four table legs of security, CIA+A: Confidentiality, Integrity, Availability and Accountability.

1. Fake Secure Drives

I have encountered several ‘secure, encrypted drives’ for sale which are nothing more than a drive sealed within a PIN-protected casing. Thus, any security-minded users who purchase such a device will be storing their sensitive data assets with the impression they are protected and secured by encryption – when in fact they are open to anyone who may remove the drive from its casing to view the insecure content.

Mitigation: If you care about robust security of your files, only use certified, trusted, encrypted drives which are built to the FIPS 140-2 standard.

2. Change of Domain Policy

A Nottingham-based financial services business was unfortunate enough to be hit with a zero-day computer virus, which spread with some speed within its operational environment. A Major Incident Board was convened, and a team was brought together including senior members of the IT security team and directors from the company’s Technical Services Board. They concluded that the most expedient way to deploy the style of patch required was to change the domain policy to open up access to each of the client systems (desktops/laptops), follow up with a quick push of the updated .DAT signatures, and then reapply the required domain policy to bring all systems back to their original security posture. Once this was completed, the team stood down; however, it was soon apparent that something had gone wrong when members of the IT Security Team began receiving calls from ordinary users reporting that, in one case, they could see all files located on the Human Resources Director’s local drive, and the calls continued. What had not been appreciated by the Technical Services Board Director and the associated Information Security Team was that, whilst you may remove the permissions across the domain with the click of a box, reapplying them requires the end-system action of a reboot to reinstate the required level of security posture – thus all systems and stored data were exposed cross-domain!

Mitigation:

  1. Ensure that those in key positions are fully trained and above all competent.
  2. Where there is need to take additional steps to secure data (e.g., the HR Director), encrypt the locally stored files.
  3. Consider utilising off system, secure, encrypted removable drives to secure sensitive data.

3. Trust your Staff

I recall when working for a Local Authority in the East Midlands with an IT Director who could never surprise his staff. He commented to me, ‘no matter what I tell the team at our town hall meetings, they always seem to know before I pass on the information’. That was because they did, as due to poor security and open folders, some members of the IT Team had full access to the stored data and communications of said IT Director – so yes, they were always aware what was going on!

Mitigation:

  1. Ensure that folders and storage areas are appropriately protected, and not visible to any members of the IT Team (or any other unauthorised user for that matter).
  2. With any sensitive data it is always best practice to store such sensitive data-objects offline, on removable, encrypted storage devices.

4. MFD – The forgotten Technology

I have previously worked as a Consultant for a London-based UK Government Agency who worked on sensitive data of the highest classifications. Given their concern over data security, they ran a project to virtualise all desktops/laptops, which were limited to only storing data on servers located within the secured computer room. However, they overlooked the fact that on every floor in the building stood an MFD (Multi Functional Device), AKA a computer: IP addressable, with on-board Print Server, Spooler, Web Server and Hard Drive(s) Storage, that just happens to offer printing facilities, on which the drives were accessible, and of course on this occasion not encrypted, leaving the sensitive data open to both physical and logical abuse!

Mitigation:

  1. Always run a risk assessment of data flows and storage when engaging such a project.
  2. Where there are configuration options (and there were), ensure a level of encryption is applied to the drives to secure any stored data objects.
  3. Where physical access may be achieved to the on-board drives, always ensure they are physically secure by lock-and-key.
  4. When these devices reach end-of-operational life, at the very least ensure the disks are securely overwritten/purged – at best, physically destroyed.

5. Trust in Logon Security

Whilst there may be great faith in the local security associated with, say, Windows or other such operating systems, this can be a false sense of security when we consider the security of the data objects stored thereon. Take the average Windows desktop or laptop – our user has full confidence that only they can get to the on-board data objects, as they are using a very strong password along with the associated logon credentials – so all is secure and tucked away from the illicit view of others. However, what our user needs to realise is that, notwithstanding their security credentials, gaining access to the stored data is a simple case of physically removing the drive and then mounting it on to an awaiting laptop via an interface, such as a USB 3.0 to IDE/SATA device – from there on, full access to said content may be enjoyed.

Mitigation:

  1. Encrypt local drives with BitLocker etc. (keep keys on USB, or ensure the machine is equipped with a TPM (Trusted Platform Module) chip).
  2. Better still, use a removable, FIPS 140-2 encrypted drive equipped with some form of additional security mechanism – say, PIN protected.

6. Cloud

If you are using Cloud, and most are in some form or another – ensure that you have completed a full Due Diligence of the Third-Party Supplier, remembering that Cloud and Third-Party Supply Chains are a known potential area to introduce insecurity. Consider technologies such as AWS S3 Buckets, and ensure they are secured. Cloud environments are one of those areas which can reveal a lot to an OSINT (Open-Source Intelligence) mission, which can lead to the acquisition of valuable information.

To mitigate any potential exposure when using Third Party (TP) Services, or Cloud, some may consider encrypting the sensitive objects within the TP environment, or on the Cloud, to secure them from prying eyes should the external service fall victim to a hack or compromise – an excellent security consideration. However, the user organisation must keep in mind that, dependent on how the actual encryption keys are stored (protected) within the TP, or on the Cloud, if the TP/Cloud is subject to a hack/compromise, it should be anticipated that the attackers will go looking for the encryption keys or Digital Certificates which have been employed to secure the supposedly secured assets! In my experience, this is not a matter of theoretical consideration, but a circumstance which I, and many others, have observed in real-world attacks, in which the actual security credentials to the golden nuggets of data have also been stored in an exposed, inappropriate, insecure way, and thus also fallen to compromise.

Mitigation:

  1. Consider running your own RED-TEAM activity against any procured, or to be procured service to gain an insight into the overall footprint.
  2. Conduct an in-depth review of the service provider at all levels.
  3. Once procured and operational, ensure regular service update meetings are held – say every three months.
  4. Where valuable logical assets are implicated, consider utilising an Escrow agreement to accommodate security over such assets lodged with the Third Party (just in case).

Where there is an objective to achieve a secure, robust security schema to leverage encryption within a TP, or on the Cloud, one complementary methodology is to store Digital Certificates and Encryption Keys external to the TP/Cloud environment, under the sole custodianship of the user, or user organisation. This approach offers the most pragmatic and secure methodology to maximise the security footprint of the deployment, never exposing the security credentials to any potential of a sniffing attack, and always ensuring that such security credentials are held under the safe and sole custodianship of the owner of the sensitive data objects.


7. Equipment Disposal

Frequently I have witnessed the disposal of devices such as MFDs, mobile phones, IoT devices, printers, computers, and servers. On each of these occasions, these data-holding systems have been disposed of, containing corporate and sensitive data. From mobile phones which have been allowed to connect to corporate systems, to hard drives populated with Local Authority data relating to case files of vulnerable children.

Mitigation:

  1. Create and promulgate a Policy/Process to drive the way end-of-life equipment is processed out from the business.
  2. Create a register to document the end-of-life journey that all devices take.
  3. Hold all such devices in a physically secure location until such time as they are correctly processed in accordance with the mandated policy/process.

8. Paper

Don’t suffer from tunnel vision when securing your data assets – remember, it is not just about the digital aspects, but also needs to encompass the other potential carriers of insecurity – e.g., paper. I recall my very first contract on the South Coast. The Project Manager said to me on my very first day, ‘you need to make a difference and quick to convince the executive we need to look at the company’s overall security posture’. 4 hours later I presented him with a sack, full of paper holding client personal details, credit card information, and client bank account details, all of which had been cast out into the general waste bins.

Mitigations:

  1. Accommodate the facilities with secure, locked, clearly marked classified waste bins.
  2. Produce and promulgate a policy to drive the mandated requirements.
  3. Consider using an on-site Secure Paper Shredding/Disposal Service.
  4. Educate end users.

9. MetaData

MetaData is data about data, and can provide much unintentional information, ranging from user profiling, departmental data and telephone extensions right down to IP Addresses and software versions. Consider the fact that such unintended information can be leveraged by an adversary to footprint and target an organization, or individual, and can provide a very good launch-point for a social engineering attack.

Mitigation:

  1. Employ some form of methodology to remove any unwanted MetaData from documents prior to release.
  2. It may be obvious but ensure that documents are not released with the underlying Track Changes embedded.
  3. Consider using secured PDF formats (locked down, encrypted with password or certificate).
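A pre-release check along the lines of mitigations 1 and 2, as an added example (not code from the original article): it reports identifying properties and Track Changes markup in a Word DOCX, blanks the properties, and lists what still blocks release. The field list, the function names and the sample document are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for your own files; use defusedxml on untrusted input

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
FIELDS = {"docProps/core.xml": ("creator", "lastModifiedBy"),
          "docProps/app.xml": ("Company", "Manager")}  # assumed minimal set to blank
REVISION_TAGS = ("ins", "del", "moveFrom", "moveTo")  # Track Changes markup


def audit_docx(data):
    """Report identifying properties, tracked changes and comments in a DOCX."""
    report = {"metadata": {}, "revisions": {}, "comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, wanted in FIELDS.items():
            if part in names:
                for el in ET.fromstring(z.read(part)).iter():
                    local = el.tag.rsplit("}", 1)[-1]
                    if local in wanted and (el.text or "").strip():
                        report["metadata"][local] = el.text.strip()
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            for tag in REVISION_TAGS:
                count = sum(1 for _ in body.iter(W + tag))
                if count:
                    report["revisions"][tag] = count
        report["comments"] = "word/comments.xml" in names
    return report


def scrub_docx(data):
    """Return a copy with the FIELDS values blanked and ZIP timestamps reset."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            raw = src.read(item.filename)
            for field in FIELDS.get(item.filename, ()):
                # Prefix-agnostic: <dc:creator>x</dc:creator> and <Company>x</Company>
                pat = rb"(<((?:\w+:)?%s)(?:\s[^>]*)?>)[^<]*(</\2>)" % field.encode()
                raw = re.sub(pat, rb"\1\3", raw)
            info = zipfile.ZipInfo(item.filename, date_time=(1980, 1, 1, 0, 0, 0))
            dst.writestr(info, raw, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def release_blockers(data):
    """List reasons the document should not be released yet (empty list = clear)."""
    rep = audit_docx(data)
    blockers = ["metadata:" + k for k in sorted(rep["metadata"])]
    blockers += ["tracked-change:%s x%d" % kv for kv in sorted(rep["revisions"].items())]
    if rep["comments"]:
        blockers.append("comments-part-present")
    return blockers


def build_sample_docx(tracked=True):
    """Constructed, minimal DOCX-style package used only for this demonstration."""
    oox = "http://schemas.openxmlformats.org/"
    change = ('<w:del w:author="j.smith"><w:r><w:delText>10,000</w:delText></w:r></w:del>'
              '<w:ins w:author="j.smith"><w:r><w:t>12,000</w:t></w:r></w:ins>')
    if not tracked:
        change = "<w:r><w:t>12,000</w:t></w:r>"
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="' + oox + 'package/2006/metadata/'
        'core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>j.smith'
        '</dc:creator><cp:lastModifiedBy>a.jones</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml": '<Properties xmlns="' + oox + 'officeDocument/2006/'
        'extended-properties"><Company>Example Ltd</Company></Properties>',
        "word/document.xml": '<w:document xmlns:w="' + W[1:-1] + '"><w:body><w:p><w:r>'
        '<w:t>Fee: </w:t></w:r>' + change + '</w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

The scrub deliberately leaves tracked changes in place and reports them as blockers, because accepting or rejecting a revision changes the document's content and is the author's decision.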

10. DNS

The area of the Domain Name System (DNS) is so often overlooked, and yet is as important to any penetration test focused on aspects of IP Addressing. As with some of the aforementioned areas, when inspected under the gaze of an OSINT Methodology, DNS can also produce much intelligence which may be leveraged to attack the organisation. This ranges from Zone Transfer, which in one case led to identifying servers with hard-coded user IDs and passwords within scripts, through to the discovery of poor DNS security postures, and other such associated aspects, such as lack of SPF (Sender Policy Framework). DNS Security is a very big area, and one I would encourage you to peruse in the interest of a robust security posture – if, that is, you have not already done so.

See RFC 4033 for more information:
https://datatracker.ietf.org/doc/html/rfc4033

Mitigation:

  1. Review your organisation's DNS environments – include DNS in your penetration testing programmes.
  2. Conduct regular security inspections to ensure your DNS environments are secure and serving the required security posture.
  3. If not familiar, read RFC 4033.
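One check that fits the regular security inspection in mitigation 2, as an added example (not code from the original article): it audits the SPF posture of a domain from its TXT records, following the SPF rules in RFC 7208. The finding labels, the function names and the sample records are assumptions constructed for illustration; each list item is assumed to be one complete TXT string, as printed by a DNS lookup tool.

```python
import re

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 limit per SPF evaluation


def spf_records(txt_records):
    """Pick out the SPF records from a domain's TXT strings."""
    found = []
    for txt in txt_records:
        value = txt.strip().strip('"')
        if value.lower() == "v=spf1" or value.lower().startswith("v=spf1 "):
            found.append(value)
    return found


def audit_spf(txt_records):
    """Return a list of posture findings; an empty list means nothing was flagged."""
    records = spf_records(txt_records)
    if not records:
        return ["no-spf-record"]
    if len(records) > 1:
        return ["multiple-spf-records"]  # receivers treat this as a permanent error
    findings, lookups, all_qualifier, redirect = [], 0, None, False
    for term in records[0].split()[1:]:
        low = term.lower()
        if re.match(r"[a-z][a-z0-9_.-]*=", low):  # modifier such as redirect= or exp=
            if low.startswith("redirect="):
                redirect, lookups = True, lookups + 1
            continue
        qualifier = low[0] if low[0] in "+-~?" else "+"  # no qualifier means "+"
        name = re.split(r"[:/]", low.lstrip("+-~?"), maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
            break  # terms after "all" are never evaluated
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr-mechanism-used")  # discouraged by RFC 7208
    if all_qualifier == "+":
        findings.append("all-passes-any-sender")
    elif all_qualifier == "?":
        findings.append("neutral-all")
    elif all_qualifier == "~":
        findings.append("softfail-all")
    elif all_qualifier is None and not redirect:
        findings.append("no-all-or-redirect")  # unmatched senders default to neutral
    if lookups > MAX_LOOKUPS:
        findings.append("too-many-dns-lookups")
    return findings


# Constructed TXT answers for illustration, keyed by placeholder domain names.
SAMPLES = {
    "strict.example": ['"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"'],
    "open.example": ['"v=spf1 +all"'],
    "legacy.example": ['"v=spf1 mx a ptr ~all"', '"site-verification=constructed"'],
    "missing.example": ['"MS=constructed-token"'],
    "duplicate.example": ['"v=spf1 mx -all"', '"v=spf1 include:_spf.example.net -all"'],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, audit_spf(txt) or ["ok"])
```

The lookup count covers only the record itself; nested `include` and `redirect` targets need resolving to get the true total.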


Understanding and Surviving Ransomware


By Professor John Walker

Professor John Walker PGCert FRSA CFIP
Expert Witness, Digital Forensics & Training

What is ransomware?

Ransomware may be defined as:

‘An adverse logical condition with the inbuilt technological objective of compromising a targeted asset(s) to deny the legitimate user(s)/owner(s) access to the contents stored thereon’

There are basically two types of Ransomware Agents, and these are:

  • File Ransomware: This type of agent will encrypt the files but leave access to the host computer.
  • System Level Ransomware: System Level Ransomware will lock the entire system and deny the authorised user access to the host.

How is ransomware delivered?

Email: The most effective method which may be applied is of course delivery of the malicious object via email, presenting a high potential of target hit rate – all it takes now is to encourage the recipient user to be engineered into delivering the last element of the Attack Chain ‘Click’.

USB Based Delivery: Where the organisation allows the introduction of USB Keys to an endpoint asset, there will always be the potential for the introduction of a malicious component, which in this case is of course focusing on Ransomware. As an example of the dangers posed to the integrity of Digital Assets, consider the following real-life event which impacted the entire operations of an Outer-London based SME.

The Event: As users arrived at their place of work early one morning, some individuals noticed a USB key lying in the car park. However, unbeknown to these individuals, they were not the only ones to make such a discovery. Each USB key had various labels on the outside of the key to act as a Social Engineering Component, marked as, but not limited to:

  • Pay Grades
  • Julie – Pictures from Holiday
  • Executive Salary Increases
  • Sensitive Business Files
  • New Year Promotions

 

Spam: There are occasions when it is necessary to look back, to understand where we have arrived at. For many years Spam (Unsolicited email) was tolerated as a nuisance – in fact just over ten years ago I presented a paper to the House of Lords Technology Committee on the potential threats such communications carried. However, at that time, one senior member of the committee stressed with force that Spam carried no threats, and could be ignored as presenting zero dangers. Again, my counter argument was it was a dangerous conduit into the enterprise. Here we are in 2021 now realizing that the toleration was a mistake, and Spam was more dangerous than was thought!

Network: At the Network level we are faced with many challenges when we focus on Ransomware such as the existent dangers of the mix of PowerShell and Windows Domain Controllers.


Proactive Defense:

The best-practice method of applying defense in any circumstance of adversity is to be in a position of preparedness – so:

Be Proactive [Before the Fact]

  • Ensure that all important files are backed up [not forgetting Home/Mobile Users] at agreed intervals
  • Conduct periodic tests of backups to ensure they are working as expected, and may be recovered
  • Consider using a Write Protected Secure, Encrypted FIPS 140-2 drive – an example of which is the iStorage NCSC Certified Drive range
  • Ensure that all system Updates and Patches are in place
  • Maintain Anti Malware/Virus applications in a current state
  • Self-Training – ‘if I don’t know it, don’t click it’ [NLP Strapline]
  • Ignore those unexpected, unsolicited calls about your ‘detected errors’
  • Where possible – deploy USB Controls
  • Educate Users – Build that Human Firewall [again, not forgetting Home/Mobile Workers]
  • Maintain Data Asset Registers – know your Critical and Sensitive Data Assets
  • Deploy Infrastructure based Robust Backup Systems
  • Where practical, create a SOC (Security Operations Centre)
  • Evolve a CSIRT (Computer Security Incident Response Team (First Responder Team))
  • Ensure that the teams who are expected to respond to such incidents are fully trained, and equipped with an adequate, up-to-date toolset
  • Have up-to-date Policies deployed

Response (Reactive):

In the Reactive Mode, consider the following steps:

First Response reaction [After the Fact]

  • Stop and think – do not be driven to an uncalculated response
  • Do not turn the computer off
  • If you must terminate the Network Connection, pull the cable – not forgetting WiFi
  • Record the displayed screen – [camera, phone etc] – this is a key Artifact
  • Do not respond to, or pay any demands
  • Report the Incident to your IT Team, Service Desk, and CSIRT [await advice]
  • Whilst waiting – assess Data Impact – say PCI-DSS, or GDPR Potentials
  • Confirm the last backup status – and assess the potential for recovery from the held images/files
  • If you have no Service Support – use another off-network system [e.g., PC] to investigate the implication
  • Home User – Report this as an incident to the Police – they may not always be interested, but this incident is a CRIME
  • Business Users – Record this as a Security Incident, and Educate Users – feed into the extended SOC – for purpose of Situational Awareness Alerting


Conclusion

To conclude, it may be an accepted opinion that the threats posed by Ransomware are significant, regular, and, it would seem such threats are able to overcome even the most stringent of supposed Cyber Security Postures. It may also be further concluded that, such is the success and financial gain for the practicing criminal actors, this is not going to be a digital threat that will disappear anytime soon.

The time has come in which all individuals, SMEs, Corporates, Government Agencies, and any other member of the Digital Generation who seeks Electronic Survival will have to start to practice a posture of pragmatic and meaningful Defence in Depth to accommodate the desired level of protection. Time has arrived at a digital juncture that is accepting Digital Transformation, and Zero-Trust in an age that is anything but digitally secure. It is time to take Cyber Security and the Ransomware Pandemic seriously at the pragmatic level – and to move over into a mindset that is focused on security, rather than on buzzwords that infer that a state of total zero-trust is achievable.


Respecting data privacy rights through data encryption


Data rights are human rights.

Whilst that principle is embedded within and encouraged by data regulations, including GDPR, DPA, CCPA and HIPAA, it is counteractively provoked by technologies, such as live facial recognition surveillance, that carry the looming risk of abuse and weaponization. Data privacy is often the price for services, whether it be police protection, app use or being given targeted, more relevant advertisements. This dichotomy has been the source of much debate, scrutiny and concern.

Data privacy must be a top priority for all organisations and should be considered from the outset of data sharing initiatives. Of course, avoiding hefty fines, job losses or suffering brand damage are all significant impetuses to protecting data. However, respect for consumers’ data privacy rights will drive organisations to go the extra mile to ensure data confidentiality.

This begs the question; how can data privacy be achieved? Whether or not data privacy, on a wider and global scale, can ever be truly achieved would perhaps be a more appropriate question. However, small measures taken to keep sensitive information protected and confidential can have a positive ripple effect. Individual organisations can take the lead in respecting their customers’ data privacy by encrypting data in transit and at rest.

How can you encrypt data in the cloud?

Encrypting data is a requirement of most compliance standards. Yet, a study in 2020 found that an alarming 43% of cloud databases are not encrypted. Organisations are under constant attack and, regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, that data should preferably be encrypted with a FIPS certified randomly generated AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file sharing services (such as WeTransfer) and shared in the cloud should be securely encrypted.

The more people the data is shared with, the greater the challenge to ensure data privacy. Storing data in one place, accessed only by authorised users who have a copy of the encrypted encryption key at hand, can allow for efficient working whilst ensuring data security. Sharing encrypted data securely allows for instant collaboration in the cloud, saving time in what would be days of posting encrypted USB flash drives to and from colleagues.

Controlling the encryption key

If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed by the CSP, as they won’t be able to distinguish a legitimate user from an attacker. Keeping the encryption key away from the cloud, where the key should itself be encrypted within an ultra-secure Common Criteria EAL5+ (Hardware Certified) ready secure microprocessor along with a PIN authenticated code, increases the number of security measures from just one authentication, the cloud account login, to as much as a five-factor authentication.

Back up encrypted data using USB flash and hard-disk drives

Backing up valuable data onto an encrypted hard-disk drive can save organisations the trouble of losing access to important information during a ransomware attack. Using a PIN protected hard disk drive will secure the data even if the drive is lost or stolen, avoiding the risk of their data being accessed or viewed by unauthorised persons.

To avoid losing sensitive information in the event of a ransomware attack, sharing information using PIN protected USB flash drives is another safe option. This can be especially useful for remote workers as they can securely protect and back up their confidential data whilst on the go.

Encrypting data within a unique and dedicated hardware-based Common Criteria EAL5+ (Hardware Certified) ready secure microprocessor is the ideal solution. The ultra-secure microprocessor employs built-in physical protection mechanisms designed to thwart cyber-attacks, such as side-channel attacks, and to defend against external tampering, bypass laser attacks and fault injections.

All critical components within the drive should be covered by a layer of super tough epoxy resin, which is virtually impossible to remove without causing permanent damage to the critical components. If breached, the drive’s tamper evident design will provide visible evidence that tampering has occurred. Brute force limitation is an excellent feature to look for in a drive. If the PIN is entered incorrectly 10 consecutive times, the PIN will be deleted and the drive can only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly 10 consecutive times, the encrypted encryption key is deleted along with all data previously stored in the drive.

Conclusion

To keep sensitive information confidential, data stored locally on a computer, on a drive or in the cloud, or shared via email or file sharing service, must be encrypted. Data encryption is an important stride towards data privacy, helping organisations comply with regulations like GDPR. As fears of a looming Big Brother dystopian future grow and as data breaches hit headlines on a regular basis, organisations can stand out as data privacy pioneers and earn their customers’ trust.
