Townsend Security Data Privacy Blog

Colonial Pipeline, ransomware and encryption – what to do right now

Posted by Patrick Townsend on Jun 8, 2021 11:21:40 AM

The Colonial Pipeline ransomware attack and resulting crisis that affected millions of people was shocking because of its scale and impact. Shocking, but it was not surprising. We have been watching an increase in the number of ransomware attacks over the last few months. No organization, large or small, has been immune from the attacks. Hospitals, schools, local governments, national agencies – even police departments and courts – have suffered from debilitating ransomware infections. Colonial Pipeline was the first publicly known attack on critical energy infrastructure, but it won’t be the last.

Most modern ransomware attacks have two components:

  • Encryption of your systems to deny you operational access, and
  • Theft of unencrypted sensitive data.

The attackers encrypt your data with a secret key and then promise to restore it when you pay the ransom. This is the well-known part of a ransomware attack. You typically must pay the ransom to a secret Bitcoin account controlled by the attackers. After payment, if you are lucky, the attackers will give you the secret key to unlock your data.

There is another, less well-known aspect of ransomware attacks. And that is that the attackers often steal sensitive data before they encrypt it. Why do they do this? Well, if you are able to restore your systems without paying the ransom, they can then use the threat of releasing that data to extort the payment from you. And it is very effective. More on protecting yourself from this aspect of ransomware below.

There is good guidance from security groups and governmental agencies on how to protect yourself from a ransomware attack. Having good backups that are not connected to the network is an important part of that guidance. You should also deploy other security measures like active monitoring for anomalous behavior, appropriate segmentation of users, proper network controls, and so forth. And, never forget that training users in good security hygiene is absolutely essential.

I think a number of organizations have gotten reasonably good at this part of ransomware protection. There are still big gaps, of course. And smaller to midsize organizations are lagging in the deployment of these basic protections. But what to do is no longer the question. Getting it done and doing it right is the challenge.

But what about the second part of the ransomware attack? What happens when the attackers steal your unencrypted sensitive data?

We have to give credit where it is due. Cybercriminals who deploy ransomware are very good at what they do. They’ve learned to adapt to a changing landscape. As you got better at doing backups and recovering your data in a timely fashion, they added another technique to extort a payment – They are taking your very sensitive data. If you refuse to pay the ransom they threaten to release the data. To prove their point they will often release a very small amount of your data.

Imagine your shock when you see highly sensitive medical information showing up on the attacker websites. Or sensitive information about students, or sensitive court records. Suddenly the urgency is much greater, and many pay the ransom when this happens.

Having a good backup is not going to help you now. So, what can you do? It is time to add another tool to your defenses – encryption of your own sensitive data.

You should encrypt your sensitive data to deprive the attackers of access to it. If the attacker steals your data in an encrypted state, it is not usable. Encryption is the security control that you need to add to your ransomware strategy. I know, you’ve been putting off implementing this important security control. But the stakes are higher now. If Sony or Equifax had encrypted their data, we would not still be talking about the massive loss of data and the disruption they experienced.

Here are some basics to keep in mind as you deploy encryption:

  • Create a map of your sensitive data, and a plan. You should encrypt the most sensitive data first.
  • Encryption key management is critical to your security. Use a professional key management system to store keys away from the data. Never store encryption keys on the same server that hosts the data.
  • Restrict access to the databases with sensitive data. Only those people in your organization who have a need to access sensitive data should be able to do so. Your DBA will know how to do this.
  • Monitor user access to your sensitive data and take immediate action for unauthorized access. Use a professional SIEM solution to do this.
  • Monitor access to your encryption key management solution. Your KMS is a critical part of your encryption strategy.
  • Take advantage of database and storage vendor support for encryption and key management. Using VMware for your infrastructure? Implement encryption of VMs and vSAN. Using Microsoft SQL Server? Implement Transparent Data Encryption with an external KMS for the keys. It is fast and easy, and supported by the database vendor.

There are a lot of reasons why organizations are lagging in terms of encrypting their sensitive data. Fears about performance, fears about lost encryption keys, fears about the cost of key management systems, and so forth. All of these challenges have been overcome in recent years. Put your fears aside and protect your data.

Here is a hint:

Don’t let the PERFECT be the enemy of the GOOD. For example, you don’t have to encrypt everything at one time. Tackle the most sensitive data first, and tackle the easy projects first in order to build experience. Then tackle the remaining projects as quickly as you can. Also, don’t be afraid to deploy key management solutions from different vendors. KMS systems are so easy to manage now that having more than one system rarely increases administrative costs. Find the best, most cost effective KMS solution for your database and use it!

Encryption is your friend when you control it. It can provide protection from cybercriminals who attempt to steal your data in order to extort a payment. You can get encryption done quickly and at a reasonable cost. You don’t have to pay exorbitant licensing fees for a good key management system. If you have cost concerns, give us a call.

If you are a managed service provider trying to help protect your customers, you might like to know about our MSP Partner program. Give us a shout to learn more.

Patrick


Topics: Encryption, Key Management, Defense-in-Depth, Security News, Ransomware

The California Attorney General Just Changed How We Will Think About Data Security

Posted by Patrick Townsend on Feb 23, 2016 9:12:00 AM

Mic drop! California leads the way, once again.

California started the data breach notification revolution with SB 1386 back in 2003. Almost all of the other US states and territories followed suit, passing their own versions of SB 1386 or passing even stronger protections.

Then California strengthened the original law with several new regulations that more stringently define what qualifies as encryption, and how law enforcement agencies interact with encrypted technologies.

THIS MONTH, the California Attorney General Kamala D. Harris published the “California Data Breach Report, 2012 - 2015”. Citing the California constitution’s guarantee of the “inalienable right” to privacy of its citizens, the report makes a new case for strong data protections.

You can read the entire report here.

Not only does the report make the case for strong data protection, it makes this statement as the first recommendation on about page 27:

Recommendation 1: The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

That’s right, the highest law enforcement official at the California Department of Justice just said that failing to implement the CIS Critical Security Controls demonstrates a lack of minimum reasonable security. While not intending to be legal advice, you can bet that this language will make its way into every lawyer’s lexicon when litigating a data breach or any failure to protect personally identifiable information (PII). Say this phrase over and over to yourself:

“A lack of reasonable security”

You are going to be hearing this a lot very soon.

There is no doubt that the 20 Critical Security Controls are very important. They encapsulate the best working knowledge of the security community on what you should do to protect your systems. They intentionally reflect the combined wisdom and experience of security professionals on what is effective and what has proven to work to protect systems.

You can read the CIS Critical Security Controls here.

There is a lot of helpful documentation and guidance on the CIS web site. You will find practical guides for each of the 20 critical controls, a spreadsheet to help you organize your work, and other backing documentation. It will be a great resource as you start to move forward.

The change in mindset that this report signals won’t happen overnight. But it will happen and you should get prepared now. Here are some practical things you can do right away:

  • Read the California Attorney General’s report. It will be old news for you security professionals, but for everyone else it is a great place to start. You can hand it out to your executives, too.
  • Read the CIS Critical Security Controls which is now in version 6 (see the link above).
  • Download the CIS Critical Security Controls spreadsheet. This will give you a template for the work you will need to do.
  • Create a team to take the lead on implementing the security controls. You will need a member from your business leadership, a member of your compliance committee, a security professional, a manager from your application development team, and a manager from your network team. If you are a VMware shop, be sure to add someone from the VMware infrastructure team.
  • The team should review and prioritize the security controls as the first task.

Now get to work implementing the controls! Some will be fairly easy to accomplish, and some are going to take some time and additional budget. But as I hinted above, it is going to be cheaper to do this now than to pay litigation costs and then have to do it under the gun.

As Laozi said “A journey of a thousand miles begins with a single step.”

Patrick


Topics: Encryption, Security News

Apple and the FBI - I'm with Tim Cook

Posted by Patrick Townsend on Feb 18, 2016 8:01:00 AM

As everyone is now aware the Federal Bureau of Investigation has acquired a court order requiring that Apple create a back-door to the iPhone that would allow bypassing the protection provided by strong encryption.

Tim Cook, the CEO of Apple, has strenuously objected to this order on the grounds that providing a back-door will make everyone less safe. You can read Apple’s reasoning and response here.

Like Apple, here at Townsend Security we create encryption products that do not have back-doors or ways to bypass security. We do not hold any encryption keys that would allow us to have access to customer information, and we also believe that this makes our customers that much safer. This approach is strongly supported by the security and cryptographic communities who have noted that law enforcement agencies have many other effective tools to help them prevent crimes.

I am in complete agreement with Tim Cook’s response and support his efforts to quash this initiative on the part of the FBI. Like Tim, we are appalled at the violence that took place in San Bernardino. I grew up close by and have family in the area. I believe that I can understand the fear that people feel. But we are all immensely safer when the technology products we use implement the best possible security.

I also have a great respect and admiration for local, state, and federal law enforcement. They are tasked with an unbelievably difficult and often dangerous job. They work hard every day to keep us safe and I know they want to have all of the tools they need to accomplish that job. In the case of encryption back-doors, we should have a dialogue as a people before handing this tool to law enforcement. The time for that dialogue is now.

It should be clear to everyone that providing back-doors that circumvent strong encryption protections will be the immediate target of cyber-criminals and state sponsored hackers. The risk to those struggling for freedom against tyrannical regimes is truly frightening. Further, there will be an immediate loss of trust in US products that implement such back-doors. This is not good for Apple’s business or any US business that relies on the trust of its customers across the world. The damage to US commercial interests would certainly be quite large.

There is nothing certain about life and we all must face our many fears. Individually and as a people we do better when we face life from a place of courage and confidence. I strongly support Apple in their efforts to stop this unfortunate attempt to weaken their products and therefore the safety of their customers.

Patrick Townsend

Topics: Encryption, Security News

IBM i Access for Windows 7.1 Security Update Announcement

Posted by Patrick Townsend on Jan 12, 2016 9:54:00 AM

IBM i customers should be aware of a new security issue with IBM i Access for Windows version 7.1. This issue will affect a large number of IBM i users as Access for Windows is very commonly used by IBM i customers. US-CERT/NIST in the NVD database indicates this issue has a base score of 7.2 and an impact score of 10. This means that IBM i customers should give this issue attention as soon as possible.

  • The vulnerability ID is CVE-2015-2023 and you can find the details here
  • IBM provides a description of this issue on their website here
  • A fix from IBM is available with Service Pack SI57907 and can be found here

If you are an IBM security administrator I recommend that you sign up for notifications on the NVD website. While the volume of IBM i issues is relatively small, they do occur from time to time and some of them are severe enough to warrant quick action. You can also review IBM i security notifications on the IBM i website here (but be sure to monitor the NVD site too).

Patrick


Topics: IBM i, Security News

The Most Frightening Data Breaches of 2014… So Far!

Posted by Michelle Larson on Oct 31, 2014 5:11:00 AM

It’s not just “Target”… everyone has a bullseye painted on their information!

Forget about vampires, werewolves, and other things that go bump in the night. If you want to be truly frightened this Halloween, just take a look at some of the 395 data breaches reported in the first half of 2014 alone.

According to the Identity Theft Resource Center there has been a 21% increase in breaches (and that is just the ones that have already been reported to regulators) in the same period as last year.  Some of these you may be familiar with, others might surprise you:

  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second incident in Atlanta, 20,000 employees’ personal information was stolen by three human resources employees and used to open fraudulent credit cards.
  • Michaels Stores - craft stores nationwide
    The point-of-sale (POS) systems at 54 stores were attacked using malware and up to 3 million payment card numbers and expiration dates were obtained.
  • Snapchat (online photo app and delivery service)
    4.6 million accounts were hacked and millions of images stolen. The stolen information (phone numbers and user names) was posted online at Reddit and at another site that has since been taken down.
  • Neiman Marcus (retailer)
    1.1 million payment cards were compromised over a period of 8 months as hackers repeatedly breached the point-of-sale systems through a central processing server.
  • AIG (American International Group)
    774,723 customers - The insurance provider confirmed the theft of a file server and two laptops that held personal information was by a former financial adviser.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data. Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or the loss of an employee’s laptop or thumb drive that thieves go after. Often it is the smaller company or mid-sized enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information.

If the first list didn’t give you a fright, here is another that might make you tremble with fear. However, we would prefer that it resulted in the topic of data security being brought up at your next security and risk management meeting!


University of Maryland
307,079 individuals - personal records
*Hackers broke in twice and stole data

North Dakota University
291,465 student and staff records

Sutherland Healthcare Solutions
168,000 patients
*Stolen computer equipment containing personal health & billing information

Sally Beauty Holdings (retailer)
25,000 customers lost credit card data to a hacker

Catholic Church - Archdiocese of Seattle
90,000 employees and volunteers - database records

Goodwill Industries (charitable resale)
868,000 customers from approximately 330 stores

Jimmy John’s (national sandwich shop)
*undisclosed number of customers from 216 corporate and franchised locations

Internal Revenue Service (IRS)
20,000 individuals affected
*Employee incident - connected an unsecured drive to an insecure home network

Assisted Living Concepts
43,600 current and former employees in 20 states, had their payroll files breached when the vendor’s system was hacked.

Coca-Cola
74,000 people lost unencrypted personal information to a former employee from Atlanta who stole 55 laptops. Company policy requires laptops to be encrypted, but they weren’t.

The Montana Department of Public Health and Human Services
A server holding names, addresses, dates of birth, and Social Security numbers of approximately 1.3 million people was hacked.

Spec’s - wine retailer in Texas
Affecting as many as 550,000 customers across 34 stores, hackers got away with customer names, debit/credit card details (including expiration dates and security codes), account information from paper checks, and even driver’s license numbers.

St. Joseph Health System
Also in Texas, a server was attacked that held the information of approximately 405,000 former and current patients, employees, and beneficiaries. This data included names, Social Security numbers, dates of birth, medical information, addresses, and some bank account information.

The US Department of Health and Human Services has a breach database of incidents related to exposure of personal health information.  Due to late entries, dates weren’t listed, but the following were reported:

  • 25,513 records at Dept. of Medical Assistance Services in Virginia
  • 22,511 records at Cook County Health & Hospital System
  • 18,000 records at Terrell County Health Dept. in Georgia
  • 10,000 records at Health Advantage in Arkansas
  • 84,000 records at St. Francis Patient Care Services in Tulsa, OK
  • 10,024 records at Missouri Consolidated Health care

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance
  2. Make sure you know where all of your sensitive data is stored, and who has access to it
  3. Use standardized encryption algorithms to make that data unreadable
  4. Use an encryption key management solution to protect keys away from the data
  5. Use two-factor authentication whenever possible, because passwords are no longer enough

To help open up the conversation around your conference table, download this eBook “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!


Topics: Alliance Key Manager, Data Security, Encryption, eBook, Encryption Key Management, Defense-in-Depth, Data Breach, Security News

SSWUG is Someone You Should Know

Posted by Patrick Townsend on Jul 30, 2013 8:19:00 AM

This is in the category of people and organizations you should get to know:

If you are a Windows developer and work with Microsoft SQL Server, you should get to know the SQL Server Worldwide User Group (SSWUG). The web site is sswug.org and has a wealth of information about everything you would want to know about SQL Server. And they are even branching out to other database systems like Oracle and IBM DB2. But the emphasis at SSWUG has been on SQL Server and you will find a large number of articles, blogs, videos and other content on a wide variety of topics related to SQL Server.

I’ve had the pleasure of working with Stephen Wynkoop on a number of occasions and really appreciate his depth of knowledge on security topics related to SQL Server. While not defining himself as a security specialist, Stephen brings a seasoned and mature approach to the subject of database security and I am always impressed with his thoughts and perspective.

Recently SSWUG dedicated a section of their web site to “Townsend Security Tips” where they present videos of Stephen and me discussing security topics ranging from securing data with encryption and key management on SQL Server (not just with EKM) to protecting data in the cloud. Additionally, they post a new security segment just about every week on their homepage, so there is always something fresh. Upcoming sessions include meeting evolving compliance regulations and how to make sure your data is secure when trusting it to a hosting company. We have a great time recording these videos, and if you haven’t seen any yet, I urge you to check them out.

In addition to the content on the SSWUG website, SSWUG also holds virtual conferences and Summer Camps that are great online resources for developers.

SSWUG - Get to know them!

Patrick


Topics: Security News, SQL Server

2012 Data Security in Review

Posted by Jacob Ewing on Feb 15, 2013 8:06:00 AM


2012 was a big year; we survived an apocalypse, screamed our lungs out at the Olympics, and watched another big election year come and go.  However, in the midst of all the hullabaloo people’s lives were being wrecked, computers stolen, and governments attacked.  With each new cyber attack, security breach, and internet scam the world of tech got a bit more scary for all of us.

Below are five stories that I feel best capture the state of data security in 2012.

#1 - Apple+Amazon Personal Information Protocol

In the early part of August, Mat Honan, a well-known tech writer, released an article on Wired that detailed how in 1 hour his entire digital life was taken over and erased. His information was not stolen through a technical hack; rather, the two perpetrators tricked Apple and Amazon customer service representatives (CSRs) into believing that they were Mr. Honan, and the CSRs then gave them access to his personal information. The thieves were then able to access, control, and wipe his iPhone, MacBook, and many of his online accounts. His tech and online life had been hijacked with just a few calls to two companies.

I won’t detail the specifics here, but I will point out that this was a relatively easy loophole to exploit.  Honan explained that he was also able to do it multiple times with other peoples’ accounts (in a controlled environment).

With the publication of the story both Amazon and Apple have since changed how they handle phone access to personal information.  Amazon CSRs will no longer be able to change the settings on credit cards and email addresses over the phone.  Apple is now pointing customers to use its online ‘iforgot’ system to recover passwords.  This system requires much more personal information than their previous solution.

In the end Honan was able to recover a majority of his personal data that had been erased.

#2 - South Carolina Department of Revenue (DoR) Breach

On August 13th an employee at the South Carolina DoR opened and clicked a malicious phishing email.  The link then executed malware that infected the employee’s computer giving the hacker access to their username and password.  Two weeks later, the hacker entered the system remotely by using the credentials that they had previously obtained.

During the following month the hacker was able to access the entire DoR system without being detected. To do this the hacker used 4 legitimate usernames and passwords and 33 pieces of malicious code. The hacker, among other things, was able to access 44 DoR systems and create 7-zip files that contained 74.7 GB of uncompressed data. That data included almost 3.8 million Social Security numbers and 387,000 credit and debit card numbers.

When administration of South Carolina broke the news about the breach, they defended their actions by saying they were following industry standards and there was nothing they could have done to prevent the breach.  This, however, was later proved to be a false claim.  If the state had used proper encryption and key management practices, they could have most likely avoided the breach.

The total cost of the breach to the State is around $14 million (a $20 million bailout was approved to help the State cover additional costs).  The total cost to taxpayers both directly and indirectly is yet unknown.

#3 - NASA’s Halloween Trick

Halloween is usually a night where kids can go around the neighborhood getting free candy at nearly every door.  This past Halloween, however, a NASA employee received a nasty surprise in return; somebody had broken into his car in the night, and stole an unencrypted laptop containing personal information of at least 10,000 employees, contractors, and others.  This was the second published breach in 2012 and the third known breach in the past two years.

The director of NASA has offered 1 year of credit monitoring and identity protection to all affected persons.  On top of that he has mandated that all laptops containing personal information must be encrypted by December 21, 2012.

#4 - Nortel’s Hacking Demise

In February a news report was released by the Wall Street Journal detailing how hackers gained access to the usernames and passwords of top-level executives at Nortel (the now defunct Canadian corporation) in early 2000. The hackers had access to business reports, internal communications, and employee information. The hacks didn’t go unnoticed by employees. In 2004, one employee noticed monthly downloads being made from Chinese IP addresses using the credentials of an executive. He made numerous recommendations regarding Nortel’s database security, but a decision was later made to only change the compromised passwords.

In 2009 Nortel went bankrupt, and sold off its assets to various other companies.  When the report was released in early 2012 the former CEO of Nortel insisted that the vulnerabilities could not have been passed onto those other companies.

A former senior security advisor at Nortel, Brian Shields, said that he was certain that being hacked played a role in the demise of the company, “When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size."

#5 - Lieberman, Collins Cybersecurity Bill Shutdown

On November 14, 2012 a piece of cybersecurity legislation was rejected by the Senate in a vote of 51-47.  This was the second piece of cybersecurity legislation rejected in 2012.  Senator Lieberman and Senator Collins proposed the bill to the Senate because of the increasing number of attacks on critical infrastructure in the United States (i.e. banks, utilities, transportation).

Lieberman wrote an op-ed comparing the threat of cyber attacks on America to the surprise attack on Pearl Harbor in 1941. In his article he quoted defense secretary Leon Panetta saying, “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”

Such attacks have already taken place in the US.  Early last year a Texas water pump was hacked and taken over remotely in 10 minutes.  Several websites of major banks were barraged by a denial of service attack that either knocked them off-line or crippled their performance.  These attacks aren’t exclusive to the US either; a Saudi Arabian oil company had 30,000 of its computers hacked, hindering the company’s operations.

With this latest cybersecurity bill being rejected by the Senate, the US government is shirking implementing security measures to prevent widespread attacks.

Data security breaches affect all of us whether we are the Average Joe or a C-Suite level executive.  What can be done individually, as a company, or as a government agency to make sure that 2013 won’t be like 2012 for personal information?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.

 


Topics: Data Privacy, Security News

SHA-1 Use Expiring for Digital Signature Generation

Posted by Paul Ohmart on Jan 4, 2013 7:58:00 AM


SHA-1 is perhaps the most often encountered hash algorithm in use today. But its use in digital signatures will be restricted by NIST in the near future. NIST already restricted the use of SHA-1 for federal organizations starting back in 2010, but the weaknesses found in the SHA-1 algorithm have prompted NIST to restrict its use for all digital signature generation.

Digital signatures have two aspects: signature generation and signature verification. In January 2011 NIST issued Special Publication 800-131A titled "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths." Digital signature generation is addressed in Appendix B.2, Digital Signature Generation Using Asymmetric (Public) Keys and SHA-1. Here NIST states, "Some applications, such as signing a public key certificate, are very high risk and the use of SHA-1 in those applications should be avoided as much as possible. In NIST’s view, after 2013, the risk is unacceptable in all applications, and the use of SHA-1 when generating a digital signature is not allowed after that date."

Signature verification of already calculated hashes will still be allowed in what is termed a "legacy-use" period.

SSL uses X.509 certificates, which are frequently seen with the Signature Algorithm attribute sha1WithRSAEncryption. As December 31, 2013 is fast approaching, you may want to consider recreating these certificates with one of the newer SHA-2 algorithms such as SHA-256 or SHA-512. For example, when creating certificate signing requests with OpenSSL, try using "openssl req -new -sha256 etc...".
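Before recreating certificates it helps to know which ones still carry a SHA-1 signature. The following is an added example, not code from the post: a small pure-Python (standard library only) check that reads the outer signatureAlgorithm OID of a DER or PEM certificate and flags the SHA-1 based ones. The two sample certificates are constructed skeletons containing only the outer three-element structure, not real certificates; the parser walks real certificates the same way.

```python
import base64, re

# Signature-algorithm OIDs relevant to the SHA-1 to SHA-2 migration.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID content octets into dotted form, e.g. 1.2.840.113549.1.1.11."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm(cert):
    """Return the dotted OID of a DER or PEM certificate's outer signatureAlgorithm."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, outer, _ = _tlv(cert, 0)       # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _tbs, pos = _tlv(outer, 0)       # tbsCertificate, skipped
    _, alg_id, _ = _tlv(outer, pos)     # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid, _ = _tlv(alg_id, 0)       # its first element is the algorithm OID
    return decode_oid(oid)

def classify(cert):
    """Return (algorithm name, True if the cert still carries a SHA-1 signature)."""
    name = SIG_ALG_NAMES.get(signature_algorithm(cert), "unknown")
    return name, "sha1" in name.lower()

# Constructed skeletons (not real certificates): only the outer three-element
# structure is present, which is all the signatureAlgorithm lookup needs.
_TBS, _SIG = bytes.fromhex("3003020102"), bytes.fromhex("03020000")
SAMPLE_SHA1_DER = bytes.fromhex("3018") + _TBS + bytes.fromhex("300d06092a864886f70d0101050500") + _SIG
SAMPLE_SHA256_DER = bytes.fromhex("3018") + _TBS + bytes.fromhex("300d06092a864886f70d01010b0500") + _SIG
SAMPLE_SHA1_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_SHA1_DER) + b"-----END CERTIFICATE-----\n"
```

Run `classify()` over the bytes of each certificate file in your deployment; any result whose second element is True is a candidate for re-issuing with a SHA-2 signature.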

NIST has good reason to restrict the use of SHA-1 after 2013. Not only have experts found weaknesses in the SHA-1 algorithm through differential attacks, but companies using SHA-1, such as LinkedIn, have also fallen prey to hackers. LinkedIn’s data breach this year could likely have been prevented if they had been using stronger hash algorithms with proper salting.

Is your company still using SHA-1 hash algorithms? Learn more about why you should move to SHA-2 or higher in our podcast, “How LinkedIn Could Have Avoided a Data Breach,” featuring security expert Patrick Townsend.

Topics: security, NIST, Security News

5 Data Security Myths Debunked: Part 2

Posted by Liz Townsend on Dec 7, 2012 11:46:00 AM

These are the last two myths in our installment “5 Data Security Myths Debunked.” With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #4: There is nothing you can do to prevent your company from being hacked

Fact:
There are many actions a company can take to protect its network and prevent a data breach:

  • Know which parts of your data are considered “sensitive”, and know where all of your sensitive data is stored. Is it on one server or many servers? Is it stored in applications or databases? Do you have multiple data centers that store sensitive information?
  • Use file integrity monitoring (FIM) or system logging to be alerted to changes in system configuration, sensitive data, or unauthorized access in real time.
  • Develop and enforce a unified, proactive data security policy to protect data at rest and in transit across your company’s entire network.
  • Use AES standard encryption to encrypt sensitive data at rest and FIPS 140-2 compliant key management to protect your encryption keys.
  • Automate updates to firewall configurations, password changes, and system patches.
  • Restrict employee access to sensitive data.

Myth #5: CEOs do not need to be concerned about data security.

Fact:
Data security isn’t just the Chief Information Security Officer’s (CISO’s) problem; it’s a business problem that affects both the C-level and the IT level of an organization. IT security is often not made a priority because of the disconnect between perceived vulnerability and actual vulnerability within a company’s IT infrastructure. A recent survey by CORE Security found that approximately 75% of CEOs surveyed didn’t believe their networks were under attack or already compromised, while 60% of CISOs felt very concerned about attacks and believed their systems were already breached.

Poor data security is a business risk. The consequences of a data breach include loss of reputation, loss of customer trust, and hefty fines. In 2011, the average data breach cost an organization $5.5 million. Despite these often highly publicized repercussions, 65% of CEOs surveyed by CORE Security reported that they did not have the information they need to translate IT risk into business risk.

Topics: Data Privacy, Best Practices, Data Breach, Security News

5 Data Security Myths Debunked: Part 1

Posted by Liz Townsend on Dec 3, 2012 3:18:00 PM

With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #1: Encrypting social security numbers is not a standard in most industries, including banks.

Fact:
Most banks and financial institutions adhere to state laws and industry regulations (such as FFIEC and GLBA) regarding the protection of social security numbers.


For example, California data privacy laws identify Social Security numbers as a critical piece of personally identifiable information (PII) that must be protected using “reasonable security procedures and practices appropriate to the nature of the information” such as encryption or redaction (1798.81.5). The law holds businesses within the state, financial or otherwise, to the same data security requirements that the state itself must meet: any business owning or licensing computerized data containing PII such as names and Social Security numbers must protect that data using encryption, redaction, or other methods that render the data unusable in order to avoid data breach notification (1798.29). The average cost of a data breach is $5.5 million (Ponemon, 2012).

The FFIEC IT Handbook action summary states that “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include: Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk, effective key management practices, robust reliability, and appropriate protection of the encrypted communication endpoints” (ithandbook.ffiec.gov).

Myth #2: Encryption is too complicated for my IT and database administrators.

Fact:
Most database platforms such as SQL Server, Oracle, and IBM i are designed to easily implement encryption and encryption key management solutions. SQL Server and Oracle, for example, use Transparent Data Encryption (TDE) and Extensible Key Management (EKM) to easily encrypt data. IT professionals agree that these tools make encryption easier. “TDE is relatively straightforward” - Michael Otey, SQL Server professional (www.sqlmag.com). Encryption with TDE on SQL is “Easy to Implement and administer” - Brad M. McGehee, SQL Server professional, MCTS, MCSE+I, MCSD (https://www.bradmcgehee.com).

Learn how to set up TDE and EKM on SQL Server 2008/2012 in 10 minutes or less here.

Myth #3: Data breaches are usually caused by highly sophisticated hackers.

Fact:
The top four mechanisms for a hacker to break into a company’s network are: exploiting system vulnerabilities, default password violations, SQL injection, and targeted malware attacks (Symantec, 2009). These techniques are not considered highly sophisticated. They are often used to penetrate networks with inadequate security.

Curious what the final two data security myths are? View "5 Data Security Myths Debunked: Part 2" to find out if there is really nothing you can do to prevent your company from being hacked and whether or not CEOs should be concerned about data security.

Topics: Data Privacy, Best Practices, Data Breach, Security News