In this blog post, we’ll review some of the largest breaches of 2017 & 2018, and how they could have been avoided by proper use of encryption and key management best practices, including crypto-anchors.
So without further ado, here is the list:
At the end of November 2018, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers. The company identified roughly 383 million records “as the upper limit for the total number of guest records that were involved in the incident,” according to the latest release, though it noted that some of those records were duplicates. Of those 383 million, approximately 5.25 million guests’ unencrypted passport numbers were included, as well as 20.3 million encrypted passport numbers. Approximately 8.6 million encrypted credit or debit card numbers were also exposed.
Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but security researcher Vinny Troia, who discovered the exposed database, said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.
Hong Kong-based airline Cathay Pacific says the personal details of 9.4 million passengers were inappropriately accessed in March, a breach that was confirmed by the company in early May 2018. The data accessed includes names, nationalities, birth dates, phone numbers, email addresses, physical addresses, passport numbers, identity card numbers, frequent flyer program membership numbers, customer service remarks and historical travel information, according to the airline’s advisory. In addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV), Cathay said.
Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers. The compromised information included full names, birth dates, Social Security numbers, addresses, and more. Furthermore, the stolen data included around 200,000 credit card numbers and almost 200,000 additional documents containing personally identifiable information. Due to the sensitivity of the data stolen, it is regarded as one of the worst breaches ever. The breach is said to have occurred due to a vulnerability in open source software used by Equifax, which allowed attackers to reach the sensitive records.
OneLogin, a San Francisco-based company that allows users to manage logins to multiple sites and apps through a cloud-based platform, reported a troubling data breach. OneLogin provides single sign-on and identity management for about 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers. A threat actor obtained a set of highly sensitive AWS keys for OneLogin’s Amazon-hosted cloud instance and used them to access the AWS API from an intermediate host belonging to another, smaller service provider in the US, effectively breaking into the service using its front-door key. The company added that while it encrypts sensitive data, the attacker may have “obtained the ability to decrypt” some information.
Clothing retailer Forever 21 announced that some of its customers may have been affected by a potential data breach. Upon receiving a tip from a third party, Forever 21 launched an investigation and found that certain point-of-sale (PoS) devices were compromised, likely between March and October of this year. The company said that while it had implemented “encryption and tokenization solutions” in 2015, it appears that the targeted PoS devices had encryption that was not actually operating. According to the company’s latest payment card security incident report, Forever 21 explained that in addition to the lack of encryption in some of the retail stores’ POS devices, investigators hired in October “found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”
While these breaches are indeed unique, they still have a common denominator: if you lose the encrypted data together with the encryption keys, it’s “game over”, as the malicious adversary can decrypt the data at will. In the next part, we’ll demonstrate how these, and probably many more cyber attacks and data breaches, could be prevented altogether.
Software Crypto Anchors
A critical security best practice to keep your company out of the headlines is to keep sensitive data encrypted both in transit and at rest. This requires first mapping the various data sources and their classification. Once this is achieved, the weight shifts to the proper protection of the encryption keys, as in today’s world they are the keys to the digital kingdom. In order to prevent hackers from decrypting huge masses of restricted information (often including the lion’s share of customers’ PII data), one must first prevent key compromise, because otherwise the attacker can decrypt the information at will. In addition, one must catch and block out-of-the-ordinary key usage. Crypto anchors are all about preventing the first possibility from taking place, and monitoring and/or proactively preventing the second one.
In other words, following the maritime metaphor, there is a need to tie the encryption keys to some sort of anchor that, by its very properties, cannot be moved or stolen. Diogo Mónica, in his seminal blog post, suggested using HSMs (hardware security modules) for this purpose, though this modus operandi is extremely difficult and cumbersome. Not many organizations have the large and skilled teams needed to operate HSMs at this level. HSMs are dedicated physical servers whose hardware is designed to keep the keys secure, but they are notoriously hard to operate, rigid and inflexible, and ill suited to today’s software and cloud-based world. While HSMs had their place in the legacy topologies of on-premises data centers, with the ever-growing move to the cloud one cannot simply cloudify a purpose-built hardware appliance without severely compromising the architecture and usability.
With the introduction of vHSM technology, this approach is taken to the next level, offering the first mathematically guaranteed protection for cryptographic keys and secrets in a pure-software solution that runs on any endpoint, server or cloud, at a security level comparable with physical HSMs. Software Defined Cryptography safeguards keys and secrets at all times (in memory, on disk, on the network), ensuring that they are never exposed throughout their entire lifecycle. Using this technology, one can provide a software-based crypto anchor, enabling enterprises to create an exfiltration-resistant architecture for their infrastructure and making crypto anchors accessible to the majority of the market, not only to those with massive IT teams well versed in the advanced operational knowledge that HSMs demand.
The following figure depicts the underlying principle of the software crypto-anchor: the hacker is trying to steal the encrypted data from a database, but the exfiltration is futile, as the keys used to encrypt the data are safeguarded within the software boundary of the Software-Defined Cryptography (SDC) system.
In addition to making the encryption keys effectively disappear from the attacker’s reach, there is a strong need to monitor and enforce policies on key usage throughout the key lifecycle (generation, distribution, usage, storage, rotation, backup and destruction).
A module that correlates and enforces key usage within the SDC system (according to parameters such as thresholds, low & slow activity, gradual change over time, crypto-command analysis, user commands, etc.) and alerts accordingly makes it possible to detect and prevent malicious usage: hackers’ breach attempts, rogue insiders, or well-meaning employees who make honest mistakes.
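The two ideas above, a key that never leaves its software boundary (the figure paragraph) and a usage policy that denies bursts and alerts on low-and-slow drain (this paragraph), as an added illustration written for this post, not code from any SDC product. The class and parameter names are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real AEAD cipher so the block runs offline.

```python
import hashlib, hmac, os
from collections import deque

class KeyUsagePolicy:
    """Deny bursts over a short window; alert on low-and-slow volume over a long one."""
    def __init__(self, burst_limit, burst_window, slow_limit, slow_window):
        self.burst_limit, self.burst_window = burst_limit, burst_window
        self.slow_limit, self.slow_window = slow_limit, slow_window
        self.events = deque()  # timestamps of recent key operations (monotonic)

    def check(self, now):
        self.events.append(now)
        while self.events and now - self.events[0] > self.slow_window:
            self.events.popleft()  # forget operations outside the long window
        burst = sum(1 for t in self.events if now - t <= self.burst_window)
        if burst > self.burst_limit:
            self.events.pop()  # a denied operation is not counted
            return "deny:burst"
        if len(self.events) > self.slow_limit:
            return "alert:low-and-slow"
        return "ok"

class CryptoAnchor:
    """Holds the data key; callers get only encrypt/decrypt, never the key itself."""
    def __init__(self, policy):
        key = os.urandom(32)  # local variable only: no attribute, no export path
        self.policy, self.alerts = policy, []
        # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for AES-GCM with
        # no integrity tag, enough to model the anchor boundary, not for production.
        def keystream(nonce, length):
            blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(-(-length // 32))]
            return b"".join(blocks)[:length]
        self._keystream = keystream

    def encrypt(self, plaintext):
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, blob, now):
        verdict = self.policy.check(now)  # every use of the key is policed
        if verdict.startswith("deny"):
            raise PermissionError(verdict)
        if verdict.startswith("alert"):
            self.alerts.append((now, verdict))
        nonce, body = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))
```

A stolen copy of the ciphertext is useless on its own, and a bulk decryption run either trips the burst limit immediately or, if throttled to evade it, accumulates past the slow limit and raises an alert.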
Applying the software crypto-anchor approach couples the security of the data with the security of the cryptographic keys. As the protection of the data shifts from safeguarding the data itself to securing the encryption keys, key protection and management become the highest-priority task. SDC technology ensures that the keys are never exposed while allowing strict policy enforcement on key usage, protecting your enterprise from making tomorrow’s headlines in this negative context.