Tuesday 31 July 2018

Detection is Not Enough Protection



- Becca Bauer, Director of Marketing & PR


Another day, another breach. For today’s purposes, let’s look at the recent data breach at Dixons Carphone, where the names, addresses, and email addresses of anywhere from 1.2 million to 10 million users were exposed. While the breach only came to light recently, after GDPR came into effect, it actually occurred back in July 2017. That’s right – for just short of a year, the company had NO idea it had suffered a data breach.

While details on the how, who, and why of this particular attack are still coming to light, it does bring up the fact that breach detection is not protection. In fact, the 2018 Cost of a Data Breach Study, sponsored by IBM Security with research independently conducted by the Ponemon Institute, finds that the mean time to identify (MTTI) a breach is 197 days, and the mean time to contain (MTTC) it is 69 days. This means that, on average, it takes half a year to identify a breach! Just imagine how much data an attacker could get in that amount of time while going unnoticed.

This figure is unacceptable, especially since the security industry has seen an influx of support for threat detection tools over the last several years. These range from network threat detection, which monitors and interprets traffic patterns, to endpoint threat detection, which tracks activity and behavior on user machines, to popular threat intelligence tools built on AI and ML for their self-learning capabilities and their ability to recognize patterns and anomalies.

Unfortunately, the industry has led people to believe that detection can do the job. We are not saying that no detection solutions work or that they should be removed from your security strategy altogether, but it’s clear that detection alone is not enough. What we need is a new way to protect our data.

At BOHH, we believe the core focus must be on protecting the data at the foundation level. Given that a business will easily spend millions on data protection solutions, it only makes sense to secure the data itself as it comes through and sits in your database. BOHH Labs has developed a Secure Data as a Service (SDaaS) solution that acts as a layer between the user or application and the back-end data store and protects all stored data, no matter where it is located. It does this by uniquely providing field-level security: removing sensitive fields from the source and storing them encrypted and separately, without changing the underlying database structure and without using a keystore to manage the encryption keys. By doing this we remove not only the hacker threat to the data, but also the more prominent insider threat, which is often very difficult to detect. By putting the security focus on the data itself, not just on where it is coming from, where it is stored, or where it is being transacted to, we provide the better protection against both external and internal threats that organizations desperately need to keep sensitive information protected, rather than relying only on monitoring and detecting anomalies within the system.





Thursday 26 July 2018

Not All Encryptions Are Created Equal



In today’s volatile digital security world, encryption has become a standard security measure to keep your data protected. Many in the security industry would even go as far as to say that it is one of the most important methods for providing data security, especially for end-to-end protection of data transmitted across networks. The core foundation of encryption is converting information or data into a form unreadable by anyone except the intended recipient. Once a file or piece of data is encrypted, it becomes difficult for outside parties to access or understand the encrypted information.

While highly touted, encryption is hardly a new strategy, with the origins of hidden messages and cryptography dating back to the 19th century. Since then it has evolved, and many different types of encryption algorithms are in use today. However, not all of them are created equal or completely secure. Below are several of today’s popular encryption approaches, all of which have security loopholes.

Homomorphic Encryption

Homomorphic encryption requires a public key to enable search. This also means it requires a keystore to hold the private key that enables the encryption. The person with access to the keystore has access to your data! This means you are putting your data at risk of internal misuse, in the hands of whoever owns the keystore. You don’t believe you would have an internal person who would abuse this power? Nor did the CIA until Edward Snowden fled the country.

Data Masking

Data masking is generally implemented as an intermediate layer between the data store and the user and is becoming more common as part of GDPR compliance. The masking gateway accesses the data as an administrator and transforms (masks) it in response to a user query. However, the stored data remains in clear text and is vulnerable. Simply put, this is really just application-level redaction.

TDE – Transparent Data Encryption

This technology encrypts the data file on disk, stopping anyone from reading it while it is at rest on the disk drive. HOWEVER, as soon as it is loaded into the database, it is decrypted and available to be viewed by anyone with admin privileges. This puts the encrypted data at risk of internal misuse, as admins have approved access to the keys and could decide to capitalize on that access to sensitive information.

Column Level Data Encryption

Column-level data encryption is generally implemented with a keystore, which means that those with access to the store also have access to the data. Just as importantly, if it is implemented post-production, it requires wholesale changes to the database and the calling applications, leading many implementations to remain incomplete, as well as expensive.

As you can see, many of these encryption tools lack complete external and internal security.

At BOHH Labs, we believe that the parties at the two ends of a data message – the sender and the requester – should be the only ones who have access to that data message. We believe encryption should be dynamic. In other words, your keystore should be dismantled, and the encryption keys, IVs, and salts should be created by the application based on different criteria at that moment in time. This means that each piece of data, each network message, or each file is encrypted with a unique key, so your data is not left exposed in a key store that unauthorized employees can reach. Dynamic key creation that has no reliance on web security or keystores is a cornerstone of BOHH’s data security service. Every data request is isolated from the requestor and is encrypted using transient keys that are destroyed after each transaction. This means the original data request never has direct access to the company network or back-end database; it terminates intercepting-party connections and renders any partial data a third party may obtain useless, making it very difficult for anyone (including a database admin) to steal usable data. Further, BOHH uniquely provides field-level security, removing sensitive fields from the source and storing the encrypted data separately, without changing the underlying database structure or using a keystore to manage the encryption keys, which removes not only the hacker threat to the data but also the more prominent insider threat.
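The contrast the post draws between a masking gateway and field-level encryption with transient keys is easier to see in code. The Go program below is an added illustration, not code from this post or from BOHH Labs’ product: `MaskingGateway` stores clear text and redacts only on query, so anyone reading the store directly still gets the address; `FieldCipher` stores only AES-GCM ciphertext, a per-record salt and a nonce, and derives each record’s key on demand with HMAC-SHA256 from a root secret plus that salt, so no per-record key is ever written anywhere. The type names, the derivation scheme, the sample record and the root secret are all my own assumptions; how the product in the post derives its keys is not described there and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Row is one stored record: clear text under the masking gateway, AES-GCM
// ciphertext plus salt and nonce under field-level encryption. No key is stored.
type Row struct{ Data, Salt, Nonce []byte }

// maskEmail redacts for display: "alice@example.com" -> "a***@example.com".
func maskEmail(email string) string {
	if at := strings.IndexByte(email, '@'); at > 0 {
		return email[:1] + "***" + email[at:]
	}
	return "***"
}

// MaskingGateway (assumed name) models the masking design the post describes:
// data sits in clear text and is redacted only when a user queries it.
type MaskingGateway struct{ rows map[int]Row }

func NewMaskingGateway() *MaskingGateway               { return &MaskingGateway{map[int]Row{}} }
func (g *MaskingGateway) Insert(id int, email string) { g.rows[id] = Row{Data: []byte(email)} }
func (g *MaskingGateway) Query(id int) string         { return maskEmail(string(g.rows[id].Data)) }
func (g *MaskingGateway) RawStore(id int) string      { return string(g.rows[id].Data) } // admin/attacker view

// FieldCipher (assumed name) models field-level encryption with a transient
// per-record key: derived on demand from a root secret held only by the
// application plus the record's random salt, then dropped, so no keystore exists.
type FieldCipher struct {
	root []byte // constructed demo value; guarding it remains the application's job
	rows map[int]Row
}

func NewFieldCipher(root []byte) *FieldCipher { return &FieldCipher{root, map[int]Row{}} }

// aeadFor derives the record's 256-bit AES key as HMAC-SHA256(root, id||salt)
// and wraps it in GCM; the key exists only inside the returned AEAD.
func (f *FieldCipher) aeadFor(id int, salt []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, f.root)
	fmt.Fprintf(mac, "email-field:%d:", id)
	mac.Write(salt)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Insert stores only ciphertext, salt and nonce. The row id is bound as
// associated data, so a ciphertext cannot be silently moved to another row.
func (f *FieldCipher) Insert(id int, email string) error {
	rnd := make([]byte, 28)
	if _, err := rand.Read(rnd); err != nil {
		return err
	}
	salt, nonce := rnd[:16], rnd[16:]
	aead, err := f.aeadFor(id, salt)
	if err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, []byte(email), []byte(fmt.Sprint(id)))
	f.rows[id] = Row{Data: ct, Salt: salt, Nonce: nonce}
	return nil
}

// Query re-derives the key for the requester and discards it again. A missing
// row, or any change to the stored salt, nonce or ciphertext, is rejected.
func (f *FieldCipher) Query(id int) (string, error) {
	r, ok := f.rows[id]
	if !ok {
		return "", fmt.Errorf("no row %d", id)
	}
	aead, err := f.aeadFor(id, r.Salt)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Data, []byte(fmt.Sprint(id)))
	return string(pt), err
}

// RawStore is the admin's or attacker's direct view: hex ciphertext only.
func (f *FieldCipher) RawStore(id int) string { return hex.EncodeToString(f.rows[id].Data) }

func main() {
	g := NewMaskingGateway()
	g.Insert(1, "alice@example.com") // constructed sample record
	fmt.Println("masking   | query:", g.Query(1), "| at rest:", g.RawStore(1))

	f := NewFieldCipher([]byte("constructed-demo-root-secret"))
	if err := f.Insert(1, "alice@example.com"); err != nil {
		panic(err)
	}
	pt, _ := f.Query(1)
	fmt.Println("field-enc | query:", pt, "| at rest:", f.RawStore(1))
}
```

Running it prints the same masked address for both designs, but the "at rest" column differs: the gateway's store holds `alice@example.com` in the clear, while the field-level store holds only ciphertext. The design still depends on one application-held root secret; that is the assumption that replaces a per-record keystore here, and protecting it is the remaining key-management task.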

As such, despite being popular in the security industry, it’s clear that many current encryption methods have backdoors, especially for internal misuse. If you are interested in BOHH’s keystore-less encryption method, which makes these security loopholes obsolete, reach out to learn more.


Tuesday 10 July 2018

How to Keep Up on the Latest in Cybersecurity News


Cybersecurity is always a hot topic, for a very good reason: the hits just keep on coming. Trying to keep up with the latest news and vulnerabilities is a daunting task, but you have to do it. Installing the latest security software and running the latest tests is not complete due diligence in the modern world of continuous cyber attacks. As the saying goes, “knowledge is power,” and it is especially so in the web-connected world.

So, how do you keep your knowledge at peak efficiency? Reading, of course. There are hundreds of technology sites and blogs that will help keep you informed about the latest issues, but that’s a lot of reading. What follows is a list of some of the best. You should recognize some of these if cyber security is not new to you. Hopefully, the list also includes some that you weren’t aware of and will add some bulk to your reading list.

The Hacker News 

The Hacker News is one of the largest and most widely read information security sites. It features news and thorough coverage of information technology vulnerabilities and trends. The Hacker News is supported and endorsed by security experts, administrators, and members of various underground hacker groups and communities worldwide.

Krebs on Security

Brian Krebs is not your typical cyber expert (but who is typical?). His formal education includes a Bachelor of Arts degree in International Studies from George Mason University in 1994 (programming was a hobby). So, what prompted him to switch his focus to cyber security? In 2001 his home network was compromised by a Chinese hacking group. What followed was a self-taught crash course in computer and Internet security.

In his own words from his website, “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them.”

Open Web Application Security Project (OWASP)

Established in 2001, OWASP is a non-profit organization that has dedicated itself to the development of knowledge, tools, and best practices for secure application development. In their own words, they want to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”

One of their most important projects in my experience has been the “OWASP Top 10 Most Critical Web Application Security Risks”. Not only do they describe the risks in detail, but they also provide examples of mitigation in multiple languages.

Schneier on Security

Bruce Schneier’s blog has been in existence since 2004. He writes about security in articles, books, and academic papers. He is currently the CTO of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of the EFF.

The blog includes articles pertinent to current security issues and has an engaging comment area with lively discussions. He also produces a monthly, well-read newsletter.

Dark Reading 

Dark Reading is a long-time source for information about new cyber threats and current cybersecurity technology trends.

From their website: “Dark Reading.com encompasses 13 communities, each of which drills deeper into the enterprise security challenge: Analytics, Attacks & Breaches, Application Security, Careers and People, Cloud Security, Endpoint, IoT, Mobile, Operations, Perimeter, Risk, Threat Intelligence, and Vulnerabilities and Threats. Each community is led by editors and subject matter experts who collaborate with security researchers, technology specialists, industry analysts and other Dark Reading members to provide timely, accurate and informative articles that lead to spirited discussions.”

Naked Security by SOPHOS 

Naked Security is SOPHOS’ news aggregator, providing news, opinion, and advice on our favorite topic: computer security issues and the latest Internet threats.

Naked Security also produces a daily newsletter that provides a list of important cybersecurity news articles published within the last 24 hours. This is a must read.

Summary

I hope this list added a few more sources for your cybersecurity knowledge needs. Feel free to comment below on these and other sites that you have found invaluable to your work.