Thursday 15 March 2018

Why Policing Network Traffic Is Not Enough & the Data Itself Must be Secured

- Ken Hawkins, BOHH CTO

With Point of Sale (POS) attacks becoming more common with each passing day, securing your network traffic and the data inside the network has become paramount in today's digital age. Sadly, this is not a new attack on the rise; it is one that has been around for a while. The tools that have worked are still working effectively, and many corporations are simply walking a tightrope of risk management and data security, putting the end users' data they hold at risk. What this signals to the end user is that the potentially sensitive data they transmit to the business is only worth securing up to a monetary tipping point: the damage done by exposing sensitive data might well cost the business more to prevent than to reimburse the user for if it happens. I believe this is not a nefarious act by an uncaring business, rather the reality of the complexity of securing data on a business's network, especially for those who employ some type of third-party POS solution; they arguably have twice as many network security issues to manage, because each deployed POS terminal can be another doorway both into and out of the network. This statement might not ring true in its entirety, because with some isolation methodologies you can generally manage the network traffic, and there are some real wizards in the realm of network traffic marshalling.

However, where I'd like to focus is on the data itself, both at rest and in transport. Both states of data are usually protected with modern AES-based encryption. These methods are strong but have one weakness that is continually exploited, most easily described as "brute force type attacks": attacks that amount to continually asking "can I have it?" or "is this item correct?" Cheap hardware, coupled with great improvements in processing power, has made this guessing-based attack extraordinarily efficient, not only against networks but also against blockchain-based systems like the one Bitcoin is built on, but that is another discussion altogether. Once we come to terms with this inherent weakness of AES, we can start to address the problem effectively.

Given that a business will easily spend millions to protect access to data, it would only make sense to secure the data itself as well. But wait, you say, we already do that, right? Well, if you rely solely on the TLS/SSL transport, then you are not protecting data; you are attempting to hold the horde at the castle gate by monitoring access to potentially unencrypted data. Once inside, more often than not the network is wide open to the malicious code or individual, and like a kid in a candy store they can take control of data in some fashion; an unencrypted database can be a gold mine of information. In the enterprise IT environment, TLS/SSL-based protections can just as easily be circumvented by an errant upgrade that exposes data, which we have seen too many times. If that update has malicious code within it, it could tear a hole in the network and, at a minimum, siphon your business's important documents; worse, it could set up residence within the network. Once there, it can report back anything that happens on the network and/or the machine it is on. On its face this looks simple: just verify the updates, and smart IT professionals would never, EVER blindly apply an update to a production-facing server, right? Well, it does happen, and the majority of the big breaches we hear about today are a product of that scenario. In our collective rush to "live update" hardware and software so we can develop at a faster pace and, in theory, adjust for attacks in real time, we forget that people make mistakes, and one seemingly small mistake can destroy a company's livelihood, not to mention harm the individuals affected by the stolen data.

Once we wean ourselves off blind reliance on secure TLS/SSL protocols to police network traffic, the problem of securing data in the network becomes more easily addressable, and ultimately your data is safer. I'm not knocking the router companies or the many permutations of lightweight security-oriented web servers and software-based managers. We have come a long way, and coupled with today's learning networks, they can be effective when combined with other methodologies involving elaborate routing and reporting systems; together they make a pretty good gatekeeper against TCP-layer attacks. However, most of those systems still rely on TLS/SSL as the core transport mechanism for verifying the requestor entering the network, exiting it, and accessing data.

To properly isolate data access and monitor intrusions, the IT professional today will have to take at a minimum a three-pronged approach to securing the data.

  1. Network traffic monitoring – Yes, watch and react quickly to questionable external and internal network traffic.
  2. Implement up-to-date access methodologies – This can be timed password rotation, hard locks on computers, etc.
  3. Encrypt the data – Ensure all data on the system or systems is properly encrypted at all times.

Properly addressing these areas is no small challenge for any of us as individuals; for the IT professional, it can seem practically impossible to always stay up to date and ahead of the hackers. Data encryption and access in particular can be an ongoing battle, as users want data to be secure but do not want a complicated means of accessing it. Unfortunately, today's encryption methods use a password or some form of unique key/passphrase to encrypt data, and we like to use only one password. This is a problem and always will be until we build a better mousetrap in regard to data encryption and access.
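As an added example (not from the original post) of items 2 and 3 above together with the single-passphrase problem: a small Python vault that encrypts records at rest under per-record data keys, wraps those keys under a passphrase-derived key, and so makes a timed passphrase rotation cheap while every brute-force guess at the passphrase pays the full KDF cost. The Vault class, the PBKDF2 iteration count and the HMAC-based stream cipher are my choices; the standard library has no AES, so that cipher stands in for AES-GCM.

```python
import hashlib, hmac, os

# KDF work factor: each "is this the right passphrase?" guess costs this many iterations.
KDF_ITERATIONS = 600_000

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key from the passphrase; the random salt defeats precomputed tables.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for an AES stream (assumption).
    blocks = (hmac.new(key, b"K" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"T" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"T" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class Vault:
    # Records are sealed under random per-record data keys (DEKs); only the DEKs are
    # sealed under the passphrase-derived KEK, so rotating the passphrase re-wraps a
    # few 32-byte keys instead of re-encrypting every record.
    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self._kek = derive_kek(passphrase, self.salt)
        self.records = {}  # name -> (wrapped DEK, sealed record)
    def put(self, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)
        self.records[name] = (seal(self._kek, dek), seal(dek, plaintext))
    def get(self, name: str) -> bytes:
        wrapped_dek, sealed = self.records[name]
        return unseal(unseal(self._kek, wrapped_dek), sealed)
    def rotate_passphrase(self, new_passphrase: str) -> int:
        new_salt = os.urandom(16)
        new_kek = derive_kek(new_passphrase, new_salt)
        for name, (wrapped, sealed) in self.records.items():
            self.records[name] = (seal(new_kek, unseal(self._kek, wrapped)), sealed)
        self.salt, self._kek = new_salt, new_kek
        return len(self.records)
```

The ciphertexts never change on rotation, so a stolen database copy taken before the rotation is only as good as the old passphrase guesses an attacker can afford at the KDF's cost.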
