5 Reasons WIRED.COM Got it Wrong – You Won’t Believe #3!


In the October 23, 2016, WIRED.COM article “Inside the Cyberattack That Shocked the US Government”, author Brendan I. Koerner presents an excellent chronology of the cyber attack on the U.S. Office of Personnel Management (OPM). This overview, however, includes a reference to a fundamentally flawed but universally accepted cyber security tenet, one that is THE reason we have been (and will continue to be) afflicted by massive data breaches:

“THERE IS A COMMON misperception that the surest way to frustrate hackers is to encrypt data… The first item groups like these usually swipe is the master list of credentials… the ideal is one that belongs to a domain administrator who can decrypt data at will.”

At will no longer:  This dogma is about to be turned upside down.

A revolutionary new approach to cybersecurity removes the ability for the domain admin account (along with all other accounts) to view protected assets, all while continuing to allow people and systems to perform their necessary work functions. This is accomplished by combining already proven cryptographic approaches with a unique system of hardware, key and privilege management.

With the TSM Lockbox, we’re debunking several widely held misconceptions:

  1. The Queen Bee paradigm – Every security system/network contains ‘the’ account that ultimately has control over all other locations and accounts.  Using our methodology, we have a hive where there are certain places the queen bee cannot go or see.
  2. The universal exception – The highest level account can turn off, reset, change, or cancel all known cyber security protections; for example passwords, multi-factor challenges, key stores, etc…  Using our approach, possessing these privileges will still not allow the domain admin (or any other account) to see protected information.
  3. Not in my backyard – In the cloud, the highest level account is held by third parties.  With our software, those third parties still cannot see protected data.
  4. Doing the same thing over and over again and expecting different results = #Insanity – Current cyber protections ignore the most persistent threat: the omnipotent domain admin account.  Our solution addresses this paramount vulnerability directly.
  5. Humans vs. the machines – Larry Ellison of Oracle believes pitting humans against the Artificial Intelligence (AI) soon to be brought to bear by hackers will only make vulnerabilities worse.  With our approach, no account (machine or otherwise) can see secured information.

The vast majority of the successful cyber miscreants of the world (see Equifax, OPM, Anthem, etc…) have very little interest or motive to tackle the plethora of formidable cyber fortresses wrought by the billions of dollars spent annually to keep them out; they don’t need to.  

Albert Einstein once wrote, “The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking.” Big Al nailed it.

So long as the process of our current thinking is predicated on the universally accepted doctrine that the domain administrators must and will have access to the keys to the kingdom, hackers need only focus on getting these credentials–and they can–and they will.

The real question is:  What do you want them to be able to see when they get there?

Got questions? I have answers.  Email justin@jjdsoftware.com or Twitter @donohoe_justin.

Is Encryption Really Not the Answer?

I am starting to get the impression the phrase “Encryption is not the answer” is becoming the chic catch phrase ‘du jour’ among security professionals.  I was attending a high profile cyber-security conference recently and heard this statement uttered on more than one occasion to very large audiences (although I must add that one of these experts did add a meek “by itself” one time).

This trend is leading me towards my own new catch phrase of the day:  “When did this happen?”

I think this provocative catch phrase has gained traction in light of the latest round of large-scale data breaches.  In December 2013 Target reported a major data breach even though the data was encrypted.  Most recently, it has been reported that in the Anthem data breach the data was housed unencrypted, but the attack was sophisticated enough that experts have published blog entries stating that Anthem was right not to encrypt their data because it would not have stopped the breach.

Here I would like to point out one of the tremendous advantages of proper encryption – as long as the key is not compromised, encrypted data stays protected everywhere it goes.  This includes (but is not limited to) stolen hard drives, stolen backup tapes, breached database backups, stolen or intercepted data transmissions, stolen or compromised files with sensitive information, stolen laptops or other personal devices, etc…  It can be reasonably argued that data encryption is largely the reason why these types of data breaches are no longer in the news and fortress type breaches are now more the norm.  It makes me wonder if, had the attackers known the data at Anthem was not encrypted, they would have simply opted to ship one of the database backup files to an external data store.  Reportedly, the breach was detected when one of the system admins noticed a rogue query that he did not initiate being run using his identifier code.  By taking a backup file instead it is possible that the attackers never would have been detected.

To use a potentially misguided analogy, I feel like some of these experts are saying people are right not to wear seat-belts because recent automobile fatalities have been attributed to rollover accidents and passengers would have died anyway.  Perhaps a more appropriate assessment would be to continue wearing seat-belts but, in addition, take measures to reduce the risk of rollover accidents.  If we apply the transitive property (notice the addition of a misguided math analogy), I feel the more responsible expert opinion may perhaps be:  “In addition to encrypting sensitive data, care and resources need to be dedicated to protecting key user credentials, securing and monitoring networks, and training personnel on good cyber hygiene.”

If the pundits are trying to say that encryption alone without utilizing other measures is not enough, I can understand that position because it helps managers to realize that simply encrypting data does not mean that all threats are eliminated.  By leaving out the ‘alone’ or ‘by itself’ caveat, however, the mistaken impression can be that data no longer needs to be encrypted.  And that gets us into ‘out of the frying pan and into the fire’ type stuff – three analogies and I am out.