Cybercriminals, Hackers and Governments continue to enhance their abilities to enter your computing environment. The tools are becoming more sophisticated and their skill to go undetected is improving. These attacks have methods where history shows “elevated privileges” is the primary objective.The end goal then is to steal, replace, hold hostage or destroy your data. Now the problem, most if not all cyber defense tools and strategies are built to stop yesterday’s attack. That why when I sit through conferences they always say the same thing, “It not a matter of if, it’s a matter of when”.
Elevating privileges has been refined by the introduction of malicious code which cannot be efficiently controlled by antivirus software alone. This attack then calls in help as needed with only bad intentions, unauthorized access. The people after your data will want to come in undetected and control your data. One attack commonly used is Cross Site Request Forgery (CSRF) which a slave browser executes a HTTP requests giving them control over your database. Now they can elevate privileges, steal credit cards, medical records or execute account transfers. In order to remain undetected the slave must be logged into the target site with cookies and verified by the browser \ server as normal. Most common source of attack is when users open email or click on email links.
To mitigate these new tools (sometimes called “bots”) that focus on elevated privilege schemes is to introduce a firewall called the user. Best practices would promote the introduction of Captcha codes. Placing Captcha in key administrative areas of your software application stops the forgery and provides another layer of protection. Typical use of Captcha would be “change password” screens. Elevating privileges is about logging in as a user with higher privileges than you do. Bots comb your system’s databases, logs, email and network traffic to discover admin level credentials and gain access. Everyone should start thinking about the coming “best practices” of voice, picture, eye, fingerprint or any combination as the next firewall of defense as the threat evolves.
PaperClip as a vendor supporting compliance in its many elements has invented (patent pending) a new data storage model called “Shredded Data”. The concept involves SnipIts of data associated with a complex cipher. This technique removes the value proposition for stealing your data. Encryption today has two basic offerings, Symmetrical and Public key methods. Symmetrical Key means the same key is used to encrypt and decrypt. Public Keys require two keys, one Public Key that encrypts and one Private Key to decrypt. Public key users send their Public Key to their trading partners and ask them to use it when sending you confidential information. The receiving user then uses their Private Key to decrypt and read the message. Most databases use Symmetrical Keys to secure their content which is affective if the physical database was stolen. If privileges are elevated, then the threat walks straight through the front door, therefore encryption had no effect. In the Shredded data model, walking through the front just gives them unauthorized access to data shreds.
The Shredded Data Model (SDM) is considered an “Archive Storage”, not conducive to transactional computing. Relational databases are needed for business activities (i.e. searching, sorting, compiling, etc.). The most secure use of SDM is to store all data shredded and pull it back together on demand (Shredded at Rest). The optimal use of SDM is to shred selected NPI data items (i.e., Credit Card, SSN, Acct#, etc.) whereby this data is only pulled together programmatically when needed. Limited Liability use of SDM would be shredding after a period of time reflecting business activity whereby retention requirements extend the archiving of data (i.e., HIPPA, HR records, legal record, etc.) into years of storage.
PaperClip has committed to the SDM for our internal operations and plans to productize SDM into a Cloud born storage service in the next few years. SDM is the practical solution to cyber data thieves whatever their elevated privileges are.