Townsend Security Data Privacy Blog

Your KMS as an early warning system

Posted by Patrick Townsend on Jan 30, 2023 3:58:05 PM

Companies deploy our key management system for a number of reasons - meeting security best practices, meeting compliance requirements, ransomware protection, and so forth. Encryption with proper encryption key management is a crucial part of a defense in depth strategy. In addition to providing proper protection for encryption keys, did you know that your key management system (KMS) can play a bigger role? 

Let’s explore some ways you can leverage that KMS system!

With your encryption keys protected by the KMS there are opportunities to leverage the KMS for early warning of an attack. (I am using our own Alliance Key Manager as the basis for these points; if you use a different KMS there might be variations in how to accomplish these tasks.) Here are some suggestions:

Monitor the KMS audit logs

Almost all KMS systems produce audit logs of user and administrator activity. When an attacker attempts to get access to protected data, this can produce unusual activity in the audit log. Watch for the anomalies - for example, an unusual user account making a key retrieval attempt, an unusual time of day or day of week for activity, and so forth. And you can watch for unusual key management functions being performed. For example, it is rare that you would decrypt your database. So, an attempt to perform a database decryption at 1am on a Saturday night should raise an alarm. All of this assumes that you have a SIEM or other tool to automate the monitoring and alerting. You can leverage the KMS audit log to help raise an alarm.
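As an added example (not code from Townsend Security or Alliance Key Manager), here is a small Python triage routine that runs over constructed KMS audit lines and flags the anomalies described above: an account that is not expected for the operation, activity outside business hours or at the weekend, rare high-risk operations, and failed requests. The log format, the account names, the key IDs and the allowlist are all assumptions made for this illustration.

```python
"""Toy KMS audit-log triage (added example; the log format is made up,
not Alliance Key Manager's own, and every account/key value is constructed)."""
from datetime import datetime

# Constructed sample audit lines:
#   <ISO timestamp> user=<account> op=<operation> key=<key id> result=<ok|fail>
# 2023-01-24 is a Tuesday, 2023-01-28 is a Saturday.
SAMPLE_LOG = """\
2023-01-24T10:15:02 user=app_svc op=key_retrieve key=db-master-01 result=ok
2023-01-24T10:15:09 user=app_svc op=key_retrieve key=db-master-01 result=ok
2023-01-24T14:40:11 user=kms_admin op=key_rotate key=db-master-01 result=ok
2023-01-28T01:02:45 user=app_svc op=key_retrieve key=db-master-01 result=ok
2023-01-28T01:03:10 user=jsmith op=key_retrieve key=db-master-01 result=fail
2023-01-28T01:03:30 user=jsmith op=key_export key=db-master-01 result=ok
"""

# Which accounts are expected to perform which operation (constructed allowlist;
# in practice build this from your own KMS user inventory).
ALLOWED = {
    "key_retrieve": {"app_svc"},
    "key_rotate": {"kms_admin"},
    "key_export": {"kms_admin"},
}
# Operations that are rare in normal use and always worth an alert,
# e.g. anything that would let someone decrypt or walk off with a whole database.
HIGH_RISK_OPS = {"key_export", "key_unlock", "key_delete"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time, Monday to Friday


def parse_line(line):
    """Turn one audit line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def triage(log_text):
    """Return (timestamp, user, op, reasons) for every record worth forwarding to the SIEM."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        reasons = []
        if r["op"] in HIGH_RISK_OPS:
            reasons.append("high-risk operation")
        if r["op"] in ALLOWED and r["user"] not in ALLOWED[r["op"]]:
            reasons.append("unexpected account")
        if r["ts"].weekday() >= 5 or r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours activity")
        if r["result"] == "fail":
            reasons.append("failed request")
        if reasons:  # routine daytime activity by the expected account produces nothing
            alerts.append((r["ts"].isoformat(), r["user"], r["op"], tuple(reasons)))
    return alerts
```

On the sample above the two weekday retrievals and the admin rotation stay quiet, while the three Saturday-night records are flagged, the last one on three grounds at once.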

Monitor the KMS exception logs

Similar to the previous item, some KMS systems provide a separate exception log. Hackers probably don’t have access to KMS exception logs and you can use this to your advantage. Forward your exception logs to your SIEM or monitoring system and give KMS exceptions a high level of priority.

Monitor the KMS system logs

Your KMS probably runs in its own operating system environment. As an example, our Alliance Key Manager is delivered as a self-contained virtual machine that includes the Linux operating system. That means there are Linux system logs available for monitoring, too. If an attacker is attempting a brute force attack on the KMS, the system logs will have valuable real-time information to help identify the attack. Send the system logs to your SIEM for monitoring and alerts.

Monitor client-side certificates

Most KMS systems use client-side certificates to create a secure TLS session to the key manager. This often involves a CA certificate, client certificate and private key. Attackers may try to access these credentials using a non-standard user account. You can use this to your advantage, too. Restrict access to client-side credentials and monitor for access failures. If your system is humming along and you suddenly see access failures on KMS credentials you should send up a flare! This is almost certainly an indicator of an attack.

Monitor Windows Certificate Manager

If you are protecting data in a Windows environment the KMS credentials may be stored in the Windows Certificate Store. This gives you another ability to detect an attacker’s attempt to gain access to KMS credentials. Monitor activity on the Windows Certificate Store and raise an alert on unusual activity.

Monitor SQL Administrator functions and commands

If you are an attacker and you can get elevated DBA privileges you might try to decrypt the database before exfiltrating it. That would require activity on the KMS to retrieve or unlock the encryption key. You can catch this by monitoring SQL administration commands. (And you can monitor this on the KMS side for unusual key retrieve or unlock activity - A Twofer!). Consult with your database administrator on how SQL administrative commands are logged. All modern databases log this kind of activity.

Monitor privileged database accounts

Database engines often run under special privileged accounts. These accounts usually do not have authority to log onto a system and are restricted to database functions only. Monitor all of your privileged database user accounts for unusual activity. For example, attempting to assign a password to this kind of account is a big red flag. Use this to your advantage.

Monitor client-side software changes related to the KMS

You are probably already monitoring the installation of suspect software on your systems. Consider monitoring any client-side KMS software changes, too. For example, the Microsoft SQL Server database makes calls to an Extensible Key Management provider program when you activate Transparent Data Encryption. Most KMS vendors deliver this EKM Provider software as a DLL. You should monitor any unexpected changes to this software and raise an alert.

As you can see there are lots of ways you can leverage your KMS system to improve your security posture. Most of the techniques described here are easy to implement and don’t require programming or changes to your applications. A very easy win!

Patrick


Topics: Encryption, Encryption Key Management, Security Strategy, KMS

Data Security for Working Remotely - Needed Now More Than Ever

Posted by Patrick Townsend on Mar 27, 2020 7:29:13 AM

We are all working from home now. At least, in the technology world that seems to be true. What does this mean from a security standpoint? Here are a few thoughts:

Technology workers (programmers, project managers, customer support staff, pre-sales engineers, etc.) are generally pretty comfortable with remote work. This is the result of a multi-year trend driven by talent shortages, distributed organizations, and out-sourcing. However, traditional finance and administrative workers tend to be more office-centric. They are rapidly adjusting to working at home and figuring out how to balance work in a home environment. Kids in your space? Yup, it’s a big adjustment for everyone when you suddenly move from office to home.

With COVID-19, we are doing work-from-home to better protect our colleagues, our families, and our friends and community. It is critical that we do physical distancing and get it right. It is truly a matter of life and death. 

I believe that there are security implications to this change, too. Corporate systems are at more risk. 

When we move workers from the office to home, we expand the attack surface. Our home PCs and networks have probably not had the same security scrutiny that office systems have. But those home PCs now have access to the corporate network. There is a lot of use of VPN, Remote Desktop Protocol (RDP), and terminal emulators like GoToMyPC to get connectivity. I think in a lot of cases the security exposure has increased as we deal with the COVID-19 pandemic. 

We need to take this expanded threat to our corporate systems seriously. Cybercriminals will happily use any new weakness to access our sensitive data. It may be a lot easier to break into your home network and jump to the corporate network. Here are some things you can do right away:

  • Start reviewing home PCs and networks like you would internal systems. And start with your system and network administrators. They often hold highly authorized credentials. Create a special team to get this done as quickly as possible. 
  • Make a prioritized list of your application databases that hold sensitive data. Or, if you have the list, do a quick review and update as needed. You probably have some databases that are easy to protect with encryption and good encryption key management.
  • These databases are fast and easy to protect: Microsoft SQL Server (TDE), MySQL, MongoDB, and Oracle Database. You can get these common databases under encryption protection very quickly. 
  • Do you use VMware for your IT infrastructure? You probably do. It is very fast and easy to implement encryption of VMs and vSAN. This is a fast and easy win.
  • Get management buy-in. We all know that we have an emergency on our hands. Enlightened management will get on board quickly. They are going to have to approve new human resource assignments and some new budget. 

We are in uncharted territory with COVID-19. Here at Townsend Security we are committed to helping you survive this challenge. We will help you get the data security you need. Just talk to us.

Patrick


Topics: Security Strategy

Financial Services and Creating a Security Strategy

Posted by Patrick Townsend on May 9, 2017 9:04:17 AM

I recently spent the better part of an hour talking to a new IT director for a small financial services company. He was feeling overwhelmed at the scope of the work ahead of him, and was bemoaning the lack of any guidance on how to start. The set of tasks in front of him seemed gargantuan in terms of the number of tasks and the scope of work. I can understand that sense of panic when you realize that you are behind the curve and that your organization is facing real threats. I want to share with you some of the advice I gave this IT director (with a tip of the hat to all of those hard working security professionals who’ve shared with me!).

It’s a Process, Not a Destination

The first error I see many IT managers make is that they look at security as a set of tasks to accomplish rather than a set of new IT processes. We technical folks really like to make a task list and check them off. We have a sense of accomplishment when we get to the end of the list. It’s done! Hallelujah!

Sorry, security is never done. It is important to realize that a security program means that many people throughout your organization are going to be doing things differently, and will be adjusting to new threats over time. For example, we used to think that the use of strong passwords was adequate to protect our access to corporate web services. But it isn’t enough now. Now we have to use multi-factor authentication in addition to strong passwords. Why? The attacks on password-protected assets have become more sophisticated. We have to step up our game. And this is true across a number of security practice areas.

If you are successful you will be changing how your organization OPERATES over time. Not just completing a set of tasks.

Know Where Your Sensitive Data Is

It is very common that businesses do not actually know where their sensitive data resides in the organization, and where it goes outside of the organization. Businesses are always undergoing change to meet new objectives, counter emerging competitive threats, accommodate new technologies, and comply with new compliance regulations. Managing a business is like fighting a war on many fronts – it is barely organized chaos!

It is understandable then that an IT organization may not have a clear map of its critical data. But you will need that map before you can start really protecting those assets. For example, you might have data extracts uploaded to your web site for customers but not know that the upload process was put in place 5 years ago and the development has moved on. That sensitive data just gets uploaded every night and might not be properly protected.

It’s time to do some archeology.

Be sure you have an inventory of all of your critical applications along with the data they process. This is going to seem like a tedious job, but it will be critical to everything you do. Make the map and then hold a celebration and invite your executive team.

In the process don’t forget the data feeds. Document every place that data enters your organization from the outside, and where you send data to outside services.

Find a Dynamic Security Framework

Now you need a plan! Fortunately you won’t have to figure out a plan on your own. There are several good sources of dynamic security planning guides that you can use as a starting point. A good plan will cover the essential security tasks, and will prioritize them by importance. A complete plan with prioritized tasks will help you focus your attention in the right areas!

Here are some sources for security plans that you can access and use right away:

The great thing about these security plans and frameworks is that you can get started with them very quickly. For example, the CIS Critical Security Controls is available as an Excel spreadsheet. You can make a copy and start working through the sections from top to bottom.

Do the Important Things First

We are sometimes tempted to do some of the easy things first in order to convey a level of accomplishment to our management team. I recommend that you try to resist this tendency as much as possible. Start with the most important items in your priority list and tackle those first. They often give you a lot of security benefit and many do not require a lot of investment or work. It is important to do the most effective and critical tasks first.

Get Your Management Buy-in

Security takes commitment, human resources, financial resources, and much more. You will need to get your management buy-in as quickly as possible. Start by sharing some stories from other companies in the financial services segment. We don’t necessarily want to scare our managers, but they need to have a realistic idea of the threat.

Educating your management team means explaining your need for budget resources. Some things can be done on the cheap, and you won’t want to overlook inexpensive steps to take that improve security. But some things are going to take some budget dollars to deploy. For example, continuous monitoring of system logs with a SIEM solution is one of the most effective security strategies you can deploy. But this will almost certainly mean the deployment of a commercial SIEM solution and this will require fiscal expenditures.

Any steps you take to educate your management team will be worth the effort.

Don’t Forget About Employee Education

Remember that you live in the security world, but the employees in your organization don’t. They are not likely to be up to date on the latest threats. Educating employees on how to identify spam email messages has a lot of benefits. Find ways to work a simple security awareness exercise into employee schedules for a few minutes each week.

You’ve probably heard of Bug Bounties – how about providing some small rewards to employees that discover and report spam emails with potentially harmful content? It is amazing how effective programs like this are.

Rinse and Repeat

Let’s go back to that first point. A security program is something that changes how you and your colleagues live your professional lives – it is not a set of checkboxes. Create an annual calendar of security tasks and review points. Make sure that this includes periodic reviews with the upper management team. If you are doing this right you will be making periodic adjustments to the security program and things that are important today may be eclipsed by new threats tomorrow. That’s not a particularly happy thought, but if you keep adjusting you will be in a safer position.

Finally, we make progress one step at a time. Once you start down this road it will get easier as you progress. Good luck with your new security programs!

Patrick


Topics: Data Security, Security Strategy