Townsend Security Data Privacy Blog

Patrick Townsend

Recent Posts

Townsend Security Closing - and Gratitude!

Posted by Patrick Townsend on Dec 6, 2023 10:11:45 AM

Dear Customers, Partners, Colleagues and Friends,

Today I am announcing the closing of the Townsend Security business at the end of this year and a termination of the corporation at the end of next year. It has been my honor to serve you and work with you for these many years, and I know that our security solutions have kept many safe from harm.

In the formative years of my IT experience, I worked shoulder to shoulder with customer IT teams in a wide variety of businesses in the financial, insurance, retail, and manufacturing segments. I developed a deep appreciation for the commitment and character of the people I worked with. They worked hard for their organizations while also supporting their families and communities. This emotional connection inspired me to want to provide security solutions to help them protect their customers and their colleagues. I am grateful for that experience and for their patience with my foibles.

More than anything, I am grateful to my wife, my family and my team members, current and past, in their mentorship and guidance in helping me become a better person and a better leader. Any success that we have had is due to them. Because of them I learned to listen better. I learned the immense value of an engaged group of colleagues. I learned the value of creating and maintaining an emotionally healthy, respectful, and honest work environment. I learned that you can lead from a position of love and gratitude and that nothing is more satisfying. And I learned how important it is to have a truly diverse team of colleagues. You won’t find diversity in the asset column of a financial statement, but it may be your most valuable asset. I hope you find a team to work with as amazing, talented and awesome as I have!

The IT security arena is again undergoing rapid change. I am confident in a new generation of engaged and diverse security professionals and their ability to help protect us. My best wishes to them. And my best wishes to all of our customers, partners and employees as they progress through life.

Love is love, and is the only thing that matters.

Patrick Townsend

Edit: Slight edits for wording.

Topics: CyberSecurity, #Gratitude

IMPORTANT: AWS customers of Alliance Key Manager

Posted by Patrick Townsend on Jul 7, 2023 11:06:03 AM

If you are a current user of the fee-based instance of Alliance Key Manager on AWS, please read this message.

On June 1, 2023 Townsend Security announced the end of life for Alliance Key Manager as of November 30, 2023. There is no replacement for this solution, and no software updates or software support will be available after this date. 

Unfortunately, Amazon does not allow us to send you a formal notice of the End of Life for this solution. And, unless you registered with us at the time you launched our solution from the marketplace on AWS, we do not know who you are, nor do we have your contact information. 

It is important that you understand the impact of this notice and take appropriate actions now to avoid potential outages. Please read the following announcement.



Alliance Key Manager EOL Notice

June 1, 2023

Dear AWS Fee-Based Customer of Alliance Key Manager

This letter constitutes formal notification of the End of Life (EOL) of the Townsend Security Alliance Key Manager product effective at the end of the business day on November 30, 2023 (EOL Date). The following sections of this letter describe important information about software support and maintenance for this licensed software product, and information that may be helpful in your migration to a different solution.

Effects of End of Life termination

Please be advised that no further development of Alliance Key Manager will occur after the EOL Date. Critical security issues will be addressed as needed prior to the EOL Date. It is important that you start planning for the migration to an alternative key management solution as soon as possible. Townsend Security will provide you with support and guidance through our customer support portal only through the EOL Date.

Software support and maintenance

Townsend Security will continue to provide software support to support customers pursuant to the terms of the Townsend Security Maintenance Policy until the EOL Date. 

Alternative solutions

The following solutions are possible replacements for Alliance Key Manager. Please be aware that this list does not imply a recommendation by Townsend Security. Please contact these vendors directly if you would like more information.

Thales:

https://cpl.thalesgroup.com/encryption/key-management

Entrust:

https://www.entrust.com/digital-security/key-management

Fortanix:

https://www.fortanix.com/platform/data-security-manager/key-management-service

IBM:

https://www.ibm.com/products/ibm-security-key-lifecycle-manager

Vormetric:

https://cpl.thalesgroup.com/encryption/vormetric-data-security-manager

How to contact us

For technical support, please contact us through the support portal:

https://townsendsecurity.com/support

For licensing and administrative support please contact us by email:

info@townsendsecurity.com

To contact us by mail:

Townsend Security, Inc.

105 8th Avenue SE, Suite 301

Olympia, WA 98501

USA

Sincerely,

Townsend Security, Inc.

#AWS #AKM #KMS

Topics: #AWS, #AKM

Post Quantum Cryptography - some pointers and some help

Posted by Patrick Townsend on Feb 11, 2023 12:09:21 PM

Should you be doing something about Post Quantum Cryptography (PQC)?

The answer is Yes, but probably not in the way you are thinking.

For most organizations there is no urgent need to make near term changes to your application and network encryption strategy. The threat of quantum computing to encryption is real, but most security researchers feel that a practical threat to current encryption methods is still in the future. Of course, there may be certain highly sensitive information that should be protected now to prevent future loss due to network capture and archiving, but this probably affects a very small segment of organizations who fall into this category. Think intelligence and defense organizations. So, most organizations do not need to be making software changes right now.

But there is something you should be doing!

You will need a team with a plan and you will need a good security inventory of your systems. Waiting until there is a real threat is a really bad idea. The executive team will not have the information and understanding they need to make decisions, and you won’t have a prioritized list of the most sensitive items to tackle first. That would be a painful situation to be in. And we will all be in that situation some day!

Where can you get some help with organizing these initial tasks?

There are multiple sources of information about post quantum cryptography planning. But the one I like the best is from the Cloud Security Alliance. It has practical guidance about how to talk to key decision makers in the organization, and how to build an initial team that includes management, IT and users. The CSA framework recognizes that there will need to be common agreement about tackling this problem as it will require both human and financial resources. The CSA document is titled “Practical Preparations for the Post Quantum World” and you can find it here:

https://cloudsecurityalliance.org/artifacts/practical-preparations-for-the-post-quantum-world/

This plan starts with the education of the management team and users first. That is exactly the right place to start. When it comes time to start taking inventory of your applications and systems, the management team will need to approve the use of employees’ time. And there may be a need to engage outside vendors in the discussion.

So, now is the time to get started. Remember the Y2K panic? The PQC transition is going to be much larger and more complicated, in my opinion. You won’t regret being ahead of the curve.

The CSA main website is here:

https://cloudsecurityalliance.org/

And you can follow CSA on LinkedIn here:

https://www.linkedin.com/groups/1864210/

Patrick

#encryption #PQC #postquantumcryptography #postquantumencryption

Topics: #pqc

Your KMS as an early warning system

Posted by Patrick Townsend on Jan 30, 2023 3:58:05 PM

Companies deploy our key management system for a number of reasons - meeting security best practices, meeting compliance requirements, ransomware protection, and so forth. Encryption with proper encryption key management is a crucial part of a defense in depth strategy. In addition to providing proper protection for encryption keys, did you know that your key management system (KMS) can play a bigger role? 

Let’s explore some ways you can leverage that KMS system!

With your encryption keys protected by the KMS there are opportunities to leverage the KMS for early warning of an attack. (I am using our own Alliance Key Manager as the basis for these points, if you use a different KMS there might be variations in how to accomplish these tasks.) Here are some suggestions:

Monitor the KMS audit logs

Almost all KMS systems produce audit logs of user and administrator activity. When an attacker attempts to get access to protected data this can produce unusual activity in the audit log. Watch for the anomalies - for example, an unusual user account making a key retrieval attempt, an unusual time of day or day of week for activity, and so forth. And you can watch for unusual key management functions being performed. For example, it is rare that you would decrypt your database. So, an attempt to perform a database decryption at 1am on a Saturday night should raise an alarm. All of this assumes that you have a SIEM or other tool to automate the monitoring and alerting. You can leverage the KMS audit log to help raise an alarm.
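
The audit-log checks described above, written out as detection logic. This is an added Python example, not code from Townsend Security or Alliance Key Manager; the log layout, account names, operation names and working-hours window are assumptions constructed for the illustration.

```python
from datetime import datetime

# Constructed sample data. The "timestamp key=value ..." layout, the account
# names and the operation names are assumptions made for this example; they are
# not the audit format of Alliance Key Manager or of any other KMS.
BASELINE_LOG = [
    "2023-01-23T09:14:02Z user=svc_sqlprod op=key_retrieve key=DB_TDE_KEY result=success",
    "2023-01-24T14:40:55Z user=svc_sqlprod op=key_retrieve key=DB_TDE_KEY result=success",
    "2023-01-25T10:02:31Z user=svc_webapp op=key_retrieve key=CARD_AES_KEY result=success",
    "2023-01-26T11:20:09Z user=kmsadmin op=key_create key=CARD_AES_KEY_2023 result=success",
]
INCOMING_LOG = [
    "2023-01-27T15:03:44Z user=svc_webapp op=key_retrieve key=CARD_AES_KEY result=success",
    "2023-01-28T01:07:12Z user=jsmith op=key_retrieve key=DB_TDE_KEY result=denied",
    "2023-01-28T01:09:30Z user=kmsadmin op=key_export key=DB_TDE_KEY result=success",
    "2023-01-29T03:00:05Z user=svc_sqlprod op=key_retrieve key=DB_TDE_KEY result=success",
    "2023-01-30T13:15:00Z user=svc_webapp op=key_retrieve key=DB_TDE_KEY result=success",
]

REQUIRED = ("user", "op", "key", "result")
RARE_OPS = {"key_export", "key_delete", "key_revoke"}  # hypothetical operation names
WORK_DAYS = range(0, 5)    # Monday..Friday
WORK_HOURS = range(7, 19)  # 07:00-18:59 UTC, an assumed normal activity window
WEIGHTS = {
    "unusual_account_for_key": 2,
    "rare_key_function": 2,
    "off_hours": 1,
    "request_denied": 1,
}


def parse_line(line):
    """Return the event as a dict, or None when the line is malformed."""
    ts_text, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = dict(pair.split("=", 1) for pair in rest.split() if "=" in pair)
    if any(name not in event for name in REQUIRED):
        return None
    event["ts"] = ts
    return event


def build_baseline(lines):
    """Learn which (account, key) pairs normally retrieve keys successfully."""
    pairs = set()
    for event in filter(None, map(parse_line, lines)):
        if event["op"] == "key_retrieve" and event["result"] == "success":
            pairs.add((event["user"], event["key"]))
    return pairs


def evaluate(event, baseline):
    """Return the list of anomaly reasons for one parsed event."""
    reasons = []
    if event["op"] == "key_retrieve" and (event["user"], event["key"]) not in baseline:
        reasons.append("unusual_account_for_key")
    if event["op"] in RARE_OPS:
        reasons.append("rare_key_function")
    if event["ts"].weekday() not in WORK_DAYS or event["ts"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    if event["result"] != "success":
        reasons.append("request_denied")
    return reasons


def severity(reasons):
    """Combine weak signals so that off-hours activity alone stays low priority."""
    score = sum(WEIGHTS[reason] for reason in reasons)
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def triage(lines, baseline):
    """Return one alert dict per anomalous event, in log order."""
    alerts = []
    for event in filter(None, map(parse_line, lines)):
        reasons = evaluate(event, baseline)
        if reasons:
            alerts.append({
                "ts": event["ts"].isoformat(),
                "user": event["user"],
                "op": event["op"],
                "key": event["key"],
                "reasons": reasons,
                "severity": severity(reasons),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(INCOMING_LOG, build_baseline(BASELINE_LOG)):
        print(alert["severity"], alert["ts"], alert["user"], alert["op"],
              alert["key"], ",".join(alert["reasons"]))
```

In practice the same rules would be expressed in the SIEM's own query language, with the baseline built from several weeks of audit history rather than a handful of lines.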

Monitor the KMS exception logs

Similar to the previous item, some KMS systems provide a separate exception log. Hackers probably don’t have access to KMS exception logs and you can use this to your advantage. Forward your exception logs to your SIEM or monitoring system and give KMS exceptions a high level of priority.

Monitor the KMS system logs

Your KMS probably runs in its own operating system environment. As an example, our Alliance Key Manager is delivered as a self-contained virtual machine that includes the Linux operating system. That means there are Linux system logs available for monitoring, too. If an attacker is attempting a brute force attack on the KMS, the system logs will have valuable real-time information to help identify the attack. Send the system logs to your SIEM for monitoring and alerts.

Monitor client-side certificates

Most KMS systems use client-side certificates to create a secure TLS session to the key manager. This often involves a CA certificate, client certificate and private key. Attackers may try to access these credentials using a non-standard user account. You can use this to your advantage, too. Restrict access to client-side credentials and monitor for access failures. If your system is humming along and you suddenly see access failures on KMS credentials you should send up a flare! This is almost certainly an indicator of an attack.

Monitor Windows Certificate Manager

If you are protecting data in a Windows environment the KMS credentials may be stored in the Windows Certificate Store. This gives you another ability to detect an attacker’s attempt to gain access to KMS credentials. Monitor activity on the Windows Certificate Store and raise an alert on unusual activity.

Monitor SQL Administrator functions and commands

If you are an attacker and you can get elevated DBA privileges you might try to decrypt the database before exfiltrating it. That would require activity on the KMS to retrieve or unlock the encryption key. You can catch this by monitoring SQL administration commands. (And you can monitor this on the KMS side for unusual key retrieve or unlock activity - A Twofer!). Consult with your database administrator on how SQL administrative commands are logged. All modern databases log this kind of activity.

Monitor privileged database accounts

Database engines often run under special privileged accounts. These accounts usually do not have authority to log onto a system and are restricted to database functions only. Monitor all of your privileged database user accounts for unusual activity. For example, attempting to assign a password to this kind of account is a big red flag. Use this to your advantage.

Monitor client side software changes related to the KMS

You are probably already monitoring the installation of suspect software on your systems. Consider monitoring any client-side KMS software changes, too. For example, the Microsoft SQL Server database makes calls to an Extensible Key Management provider program when you activate Transparent Data Encryption. Most KMS vendors deliver this EKM Provider software as a DLL. You should monitor any unexpected changes to this software and raise an alert.

As you can see there are lots of ways you can leverage your KMS system to improve your security posture. Most of the techniques described here are easy to implement and don’t require programming or changes to your applications. A very easy win!

Patrick


Topics: Encryption, Encryption Key Management, Security Strategy, KMS

Blockchain, cryptocurrencies, IPFS and Web3

Posted by Patrick Townsend on Nov 21, 2022 11:20:32 AM

 

The ongoing crisis in cryptocurrencies is casting a negative shadow on the underlying blockchain and similar Web3 technologies. I’ve never been a fan of cryptocurrencies and NFTs, and I don’t have any investments there. But I do have some technical experience with blockchain and similar Web3 technologies like the InterPlanetary File System (IPFS). I thought I would share some thoughts on Web3 technologies and their potential. A bit scattered, but here goes:

A nerd’s view

My background is in encryption technologies and data privacy. When I started learning about blockchain a few years ago I developed a sense of wonder at the technological beauty of the invention. Blockchain uses cryptography, a distributed architecture, a creative internet communications technology, an automated consensus method, and an application model (smart contracts) to create a truly different way of storing and sharing information. No really new cryptographic inventions in all of this, but blockchains are an amazing way to use cryptography in a new distributed fashion. Pretty cool stuff.

Cryptocurrencies and blockchain

Bitcoin is a cryptocurrency that is built on blockchain technologies. Almost all cryptocurrencies are built on some variation of the blockchain architecture and technology. Digital currencies were one of the first uses of blockchain, but by no means the only use. I know of efforts to use blockchain technologies in the areas of real estate, supply chain management, banking, and insurance. Blockchain is great when you need solid provenance and a resilient distributed system. But, of course, money and financial instruments have a lot of emotional appeal, and so we have been inundated with news and information on cryptocurrencies. That’s unfortunate, in my opinion.

Cryptocurrency noise and distraction

A number of cryptocurrency advocates focus on the supposed benefits of eliminating centralized finance intermediaries, like banks, that control the exchange of money. The complaints often include excessive costs of these intermediaries, limitation of some level of freedom imposed by them, and a variety of other implied nefarious activities by large banks. About cryptocurrencies we often hear something like “Look, it's built on cryptography. It’s trustless and can’t be corrupted!” Or something along those lines. As we now know cryptocurrencies are not immune to corrupt operators and practices, and when you lose money you really miss those intermediaries! It turns out that intermediaries bring with them a level of governance, regulatory control, and insurance against loss. Nice to have when things go off the rails!

Web3 applications and value

Can new Web3 technologies provide any lasting value? We can admire the technology behind Web3 technologies, but at the end of the day I believe that applications built on Web3 need to prove that they can provide better value to individuals and businesses. I think new Web3 applications need to:

  • Provide a great user experience. No one wants to fuss with complicated technologies, it has to be intuitive and easy to use.
  • Perform well. No one wants to wait for an hour for their data and messages to get delivered.
  • Work seamlessly on our PCs and our mobile devices. 
  • Be resilient in the face of hardware and network failures. Can we stop losing files now?
  • Provide better security. Is there a way to avoid losses from phishing emails and poisonous websites?
  • Insulate us from unwanted advertising and snooping. Do we really need to see 5,000 ads every day?

Successful Web3 applications must have a WOW factor. They have to be a lot better than what we have now. I am convinced that Web3 technologies can deliver on these goals. But it is not guaranteed this will happen.

Application challenges with blockchains

My experience with blockchain application development tells me that blockchain technology will be great for some applications, but will be difficult for general user and business applications. While blockchain technologies (Ethereum, Hyperledger, etc.) seem stable, they have real challenges for application developers. Here are some issues that can impact application development:

  • Blockchains can perform well with a small number of transactions, but may have difficulty with performance as usage scales up.
  • Blockchains are good for small transactions, but do not handle larger amounts of data well.
  • Smart contracts (blockchain applications) can be harder to code and test, and there are a limited number of experienced developers.
  • By their nature smart contracts cannot be easily modified. This is good when it comes to resisting hackers, but bad when it comes to pushing code and security fixes.

But there is hope! Blockchain is not the only Web3 technology.

InterPlanetary File System 

The InterPlanetary File System, or IPFS, is a Web3 technology that may provide a much better platform for many new Web3 applications. Despite its clunky name, it embodies many of the cryptographic functions that you find in blockchain technology, but without some of the drawbacks such as smart contracts. It is an open source project maintained by Protocol Labs and freely available to use. Developing applications on IPFS avoids some of the problems associated with blockchain. While there are drawbacks in the areas of security, it holds some real hope as a new application platform. 

Today you will find that a lot of NFTs are using IPFS for storage. But I think a lot of these early types of applications will fade in importance as serious applications are developed using this technology. While IPFS has been out in the wild for a few years, and seems stable, we will continue to see the platform enhanced. I think IPFS holds promise. You can find more about it here:

https://ipfs.io

Patrick


Topics: Encryption, Blockchain, CEO Insights

KEY MANAGEMENT FOR SQL AZURE DATABASE

Posted by Patrick Townsend on Nov 15, 2022 4:57:20 PM

 

Our customers often ask about encryption key management for the Microsoft SQL Azure Database on the Azure cloud. SQL Azure Database is the Microsoft Azure Database-as-a-Service offering based on SQL Server. It is a natural question because SQL Server has a convenient interface for plugging in a key management solution through their Extensible Key Management (EKM) interface. And our Alliance Key Manager has supported this for more than a decade and is available in the Azure marketplace. 

Here’s the rub: 

Unlike normal SQL Server, the Azure SQL Database offering does not support the normal SQL Server key management interface. It does support encryption of the database, but only by using the Microsoft Key Vault service. So Azure customers are locked out of managing and controlling the encryption keys when using SQL Azure Database. 

This is not a problem with Azure itself! We have customers who have deployed SQL Server in a virtual machine on Azure and use our Alliance Key Manager in Azure with no problems! For SQL Azure Database, however, Microsoft does not allow the use of a key manager and only allows the Azure Key Vault or a Bring Your Own Key (BYOK) option.

Is there anything you can do? 

Sure! Let me describe one approach you can use in a web application that uses SQL Azure Database that gives you exclusive control and access to your encryption keys, and supports a real time mirroring of encryption keys to a key server outside of the cloud. And a bonus is that if you are mirroring data out of the cloud to an on-premise SQL Server database, the key management synchronization and failover will be automatic.

Here is what to do in Azure:

First, deploy Alliance Key Manager right from the Azure Marketplace. It will automatically license for a 30 day no-cost evaluation period (Azure charges may apply). When you access the key manager in Azure Marketplace you will have a link to documentation, and you will be eligible for technical support. Create an AES key to use for encrypting data in SQL Azure Database. Here is the quick start guide to help you get started:

https://docs.townsendsecurity.com/akm_for_microsoft_azure_quick_start_guide

Then, modify your Windows .NET application to make a call to Alliance Key Manager to encrypt or decrypt information using the AES key you created before you insert or update data in a column. Alliance Key Manager provides a simple Windows .NET SDK to make this easy. There is no charge for the SDK and you can download it from the Townsend Security website. Here is the link to the Windows .NET SDK:

https://docs.townsendsecurity.com/akm_guide_for_windows_dot_net_developers

Backups of the Azure SQL Database and all data you copy out of Azure will now be encrypted and under your control. 

What to do in your data center:

You can easily mirror encryption keys from Azure to your own data center. Download Alliance Key Manager for VMware, launch it in your VMware environment, and set up mirroring between Alliance Key Manager in Azure and Alliance Key Manager in your data center. Keys are mirrored in real time and your on-premise applications can use the same logic as in the cloud to decrypt data as needed. Here is the VMware quick start guide:

https://docs.townsendsecurity.com/akm_for_vmware_quick_start_guide

Your applications in your on-premise deployment can now use the same Windows .NET SDK as mentioned above to do decryption when needed.

Voila!

You now have your data encrypted in SQL Azure Database, in your on-premise SQL Server database, and you have full control of your encryption keys! You also have a lot more flexibility about your choice of Cloud Service Providers. 

A few more thoughts:

Triggers, UDFs and Stored Procedures

If modifying your applications is not feasible or is too costly, consider adding Triggers and Stored Procedures to the database to achieve encryption and decryption tasks. This can be much easier to implement than making code changes. See the resources below to get started.

How to implement User Defined Functions and Stored Procedures in Azure SQL Database:

https://bookshelf.erwin.com/bookshelf/public_html/2020R1/Content/User%20Guides/erwin%20Help/Define_SQL_Azure_Stored_Procedures.html

And

https://www.sqlshack.com/executing-stored-procedures-from-data-pipelines-in-azure-data-factory/

And Alliance Key Manager provides guidance on Triggers and Stored Procedures:

https://docs.townsendsecurity.com/akm_guide_for_windows_dot_net_developers

Mirroring keys in the cloud

Sometimes you are not mirroring SQL Azure Database data to your on-premise database. If you have a backup strategy that involves failover to another Azure availability zone be aware that you can run a second copy of Alliance Key Manager in that zone. Alliance Key Manager will mirror encryption keys across any availability zones and regions.

Mirroring keys to AWS

If you really want to mirror your encryption keys out of the Azure cloud, but don’t want to bring the keys in-house, you can mirror them to AWS! Alliance Key Manager is also available in AWS and fully supports cross-cloud key mirroring.


Topics: Encryption, Microsoft Azure, KMS

VMWARE MARKETPLACE IS GREAT FOR VENDORS

Posted by Patrick Townsend on Aug 4, 2022 1:15:36 PM

Townsend Security has been a VMware partner for many years. I’ve always found their technical and marketing teams great to work with. A decade ago we started with a basic partnership, then achieved a PCI Data Security Standard validation of Alliance Key Manager through their partnership with Coalfire, and then achieved certified status of our key manager with VMware encrypted VMs and vSAN. Now we are working towards an enhanced marketplace presence where our customers can actually purchase our key manager through the VMware marketplace portal.

Here is a blog that we wrote together and just published on the VMware blog:

https://blogs.vmware.com/tap/2022/07/21/vmware-marketplace-benefits-from-a-partners-point-of-view/

If you are a VMware partner and have a solution that enhances the VMware customer environment you should really look at the new marketplace features!

Patrick

Topics: VMware, vSAN, vSphere Encryption

Verizon 2022 Data Breach Investigations Report (DBIR)

Posted by Patrick Townsend on Jun 14, 2022 2:10:41 PM

I really like the annual Verizon Data Breach Investigations Report. The Verizon team succeeds at making the report detailed enough to be helpful, but also easy to read. The 2022 DBIR report is now out and it is a good read (see the link below to get the report). Here are just a few of my take-aways on the new report.

Phishing and stolen credentials are still the most common pathways to a ransomware infection and a data breach. Cybercriminals use phishing emails with poisoned links or attachments to break into your local system, and then worm their way into the IT infrastructure of your company or organization. Also, cybercriminals leverage the gains of past work to use compromised credentials to break into your systems. Because we humans tend to re-use our passwords, or use weak passwords, stolen credentials are one of the main ways criminals get access to our systems. There are other methods of compromise, but phishing and compromised credentials are the most common ways of gaining access. More on what you can do below.

We are still very much reliant on email to conduct our work. Yes, we use other messaging methods like Slack and Microsoft Teams, but we still tend to use a lot of email. Cybercriminals know they can target us through phishing emails. And we shouldn’t be naïve. These emails are now very sophisticated and can be hard to recognize. They look like they come from a colleague, or business partner, or vendor, or even our family members. But they contain deadly links and attachments.

What can we do to thwart phishing emails? Here are a few of the ways we can protect ourselves:

  • Conduct employee training on how to detect phishing emails. It is amazing how effective this can be. We do this at Townsend Security on a regular basis. And there is a bonus for acing the test! Full disclosure – I did not ace the test the last time, but I learned a lot from the exercise and we will do it again.

  • An overlooked way to minimize the threat is to use an email service that builds in phishing email protection. Here at Townsend Security we use commercial Google Gmail infrastructure which helps in this area, but other email systems also provide this. If you are on an older email server infrastructure, it makes sense to migrate now.

  • You should also disable macros in Word and Excel. Never allow code to execute from an untrusted party, and always be suspicious even if you think you know the person sending the email to you. If you are not expecting the email with an attachment or link, do not trust it. I’ve often just picked up the phone and called the sender to check.

Stolen credentials are also a big problem. Here are a few steps you can take to minimize this threat:

  • Activate Multi-Factor Authentication (MFA) on all of your important accounts. This will go a long way to preventing the use of stolen credentials. Applications like Authy or Google Authenticator can make this easier.

  • Use strong passwords and avoid re-using a password. This is incredibly hard without the use of a password manager. There are many password managers that you can use. LastPass and 1Password come to mind. But there are others.

  • Periodically check to see if your credentials have leaked. Use the “Have I Been Pwned” website to check your email address. If you use the Google Chrome browser you can use the built-in feature to show you where your passwords may have been leaked.

When it comes to analyzing who the main targets are, the report is very helpful. Many of the industries come as no surprise. Banks and financial services are high on the list. And healthcare providers are right up there, too. But did you know that schools are a target? And technology companies? And manufacturers? It turns out that almost everyone is a target! The report breaks these vertical segments out in some detail and it is enlightening to research your own industry segment for helpful pointers on how attacks are likely to play out.

Here are a few other items in the report that I found interesting:

The SolarWinds attack was a supply chain attack that was surprising and new. It made the news because of its devastating and rapid spread. It represented a relatively new attack vector with a high level of sophistication. Related to this is a new focus by attackers on MSPs and ITSOs. MSPs represent a valuable target as they often provide access to a large number of downstream end customers. Perhaps because of the SolarWinds attack the federal government is trying to strengthen the security posture of its suppliers. The new CMMC regulations are a part of this.

Ransomware is still on the rise. In spite of the fact that we are now quite aware of ransomware and how it works, it is increasing in terms of the frequency and number of attacks. This is probably because the attackers find it easy to execute and because it is so profitable. While the Verizon report does not talk much about data exfiltration due to ransomware, this is now a part of most ransomware attacks. If you don’t pay the ransom you will be threatened with the release of your sensitive data. That’s why we here at Townsend Security have been talking about encrypting all of your sensitive data.

In the past the health industry was a target due to the availability of patient medical information. Now the health industry is a target because of Personally Identifiable Information (PII). Perhaps this is because medical records systems are better at protecting patient medical information, but have not yet extended protections to good old PII?

Manufacturers are an increasing target. In the past manufacturers were the target of espionage efforts for IP theft. This is still true, but now the ransomware attackers are looking for quick gains from manufacturers. Espionage attacks are harder to detect as the attacker often does not want to be discovered. On the other hand, ransomware attackers WANT you to know they are there! And manufacturers are motivated to quickly make ransom payments in order to get their facilities back up and running.

If I did not mention your industry segment be sure to read the report. It covers a lot of different segments!

Hey, small businesses – heads up! You are now a prime target of ransomware attacks. You might be thinking that you are small fish and not worth the bother. That’s not true – payment of a small ransom is just fine for attackers. No more putting our heads in the sand. From the Verizon report:

“Contrary to what many may think, very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so. Threat actors have the “we’ll take anything we can get” philosophy when it comes to cybercrime. These incidents can and have put small companies out of business. Therefore, it is crucial that even very small businesses (10 employees or less) should take precautions to avoid becoming a target.”

Small businesses especially need to improve their security around phishing and stolen credentials. If you are a small business and are being served by an outside Managed Service Provider, contact us. We have a special program that will empower your MSP to deliver encryption of sensitive data at a very reasonable cost.

The Verizon report doesn’t just tell us what happened. It gives some good pointers on what we can actually do to help prevent a data breach. See page 76 of the report for a very practical and achievable set of steps you can start taking right now.

If you are a security professional, this report is well worth a read. It helps us understand the mindset of the cybercriminal and how their techniques are evolving. If you are not a security professional, you might also like to peruse this report. It is very readable and even has some not-so-lame humor!

Patrick

Resources:

The Verizon Data breach report:

https://www.verizon.com/business/resources/reports/dbir/

CISA ransomware prevention guidance:

https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Google phishing training:

https://phishingquiz.withgoogle.com/

Have I Been Pwned:

https://haveibeenpwned.com/


Topics: Encryption, Phishing, CyberSecurity

Your KMS as an Early Warning System for a cyber attack

Posted by Patrick Townsend on Jun 2, 2022 1:28:54 PM

Cyber-attacks are executing at much faster speeds now. In the past you might find that an attacker waited weeks or months after gaining access to your system before stealing sensitive data. Those days are mostly gone. An attacker now can execute in a few minutes or hours. Early detection is critical for interrupting an attack. And a fast response is crucial to stopping the attack.

There is a good chance that you are already encrypting your sensitive data to prevent it from being used for extortion by a ransomware attacker. If you are already encrypting your data, you are also probably using a key management system (KMS) to store your encryption keys. That is a security best practice, and the right thing to do.

Are you ready for the next step?

Did you know that your KMS can play an important part in early detection of an attack? Your key management system should be collecting key retrieval activity into real-time logs. For example, our Alliance Key Manager logs every single action that takes place including key creation, retrieval, deletion, and so forth. Why not use these logs to help detect an attack? After all, the attacker is going to try to steal the data, and that means there will likely be activity on the key manager. And that means a KMS log can help you thwart an attack.

How can we implement this in a real environment?

Our Alliance Key Manager solution comes with log forwarding capability already built in. It is easy to start forwarding the KMS activity log to your SIEM solution using the common syslog-ng protocol. All SIEMs can ingest the KMS activity log, so just start forwarding them.

Next, train your SIEM to detect anomalies. A good SIEM is really good at anomaly detection! So let’s put it to work. Here are some KMS events that should be early warning signs of an attack in progress:

  • Retrieving an encryption key at an unusual time of the day.
  • Retrieving an encryption key on an unusual day.
  • Failure to retrieve a key for an extended period of time.
  • Unusually high level of key retrieval requests.
  • Unexpected user attempts to retrieve a key.
  • Attempts to retrieve a key that does not exist.
  • Failed TLS negotiation to retrieve a key.
  • Key retrieval request from an unusual IP address.

As you can see there are many events or patterns that can indicate the activity of an attacker. And KMS logs are likely to show this activity early in the attack. Training your SIEM to alert on this activity is usually pretty easy to do, but that depends on the functions of the SIEM.
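To make the list above concrete, the following Python applies several of those rules to a handful of log lines. It is an added example, not Townsend Security's code and not the Alliance Key Manager log format: the key=value layout, status values, user names, addresses and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Baseline of normal behaviour; every value is an assumption for this example.
KNOWN_USERS = {"app_orders"}
KNOWN_SOURCES = {"10.0.4.21"}
BUSINESS_HOURS = range(6, 20)   # UTC hours in which retrievals are expected
MAX_PER_MINUTE = 2              # key retrievals per source per minute
BAD_STATUS = {"tls_failed": "failed TLS negotiation",
              "key_not_found": "request for nonexistent key"}

# Constructed sample lines in a hypothetical key=value log format.
SAMPLE_LOG = """\
2022-06-01T14:02:11Z op=get_key key=orders_aes256 user=app_orders src=10.0.4.21 status=ok
2022-06-02T03:17:40Z op=get_key key=orders_aes256 user=app_orders src=10.0.4.21 status=ok
2022-06-02T03:17:41Z op=get_key key=orders_aes256 user=jsmith src=10.0.9.77 status=ok
2022-06-02T03:17:42Z op=get_key key=payroll_master user=jsmith src=10.0.9.77 status=key_not_found
2022-06-02T03:17:43Z op=tls_handshake key=- user=- src=10.0.9.77 status=tls_failed
2022-06-02T03:17:44Z op=get_key key=orders_aes256 user=jsmith src=10.0.9.77 status=ok
"""

def parse(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    event = dict(re.findall(r"(\w+)=(\S+)", rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text):
    """Return (timestamp, source, reasons) for every event that breaks the baseline."""
    alerts, per_minute = [], Counter()
    for e in map(parse, log_text.splitlines()):
        reasons = [BAD_STATUS[e["status"]]] if e["status"] in BAD_STATUS else []
        if e["src"] not in KNOWN_SOURCES:
            reasons.append("unusual source IP")
        if e["op"] == "get_key":
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("unusual time of day")
            if e["user"] not in KNOWN_USERS:
                reasons.append("unexpected user")
            bucket = (e["src"], e["ts"].replace(second=0))
            per_minute[bucket] += 1
            if per_minute[bucket] > MAX_PER_MINUTE:
                reasons.append("high retrieval rate")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["src"], reasons))
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags five of the six events; in a SIEM the same conditions would be written as correlation rules, with the baseline learned from your own traffic rather than hard-coded.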

Another big bonus for integrating the KMS with your SIEM is that many SIEMs can now take proactive and automatic steps to thwart an attack. In addition to alerting the IT staff of a potential attack, some SIEM solutions can execute scripts that take a database off-line, or even take the key manager off-line. You can get very creative with the automatic responses to a cyber-attack.

Your KMS can be your “canary in a coal mine”. The features are there ready to be put to use.

If you are running our Alliance Key Manager solution just raise a problem ticket with our support team to get some pointers on how to forward logs to your SIEM. It will be easy to do.

Patrick

Topics: Encryption, Key Management, Ransomware, KMS

Interview with website planet

Posted by Patrick Townsend on Apr 14, 2022 10:13:26 AM

 

Web developers have some unique challenges when it comes to securing data at rest. It is now standard practice to implement secure connections via HTTPS to protect data in motion. This was probably helped along by Google search as it prioritizes secure websites. But in my opinion there has not been the same focus on securing sensitive data at rest in web files and databases. So I accepted an invitation to talk to the folks over at Website Planet. You can find the interview here:

https://www.websiteplanet.com/blog/townsendsecurity-interview/

Disclaimer: Neither I nor Townsend Security have any business relationship with Website Planet.

Enjoy.

Patrick

 

 


Topics: Encryption, Key Management, Defense-in-Depth, Cloud Security