Earlier this week, McAfee published information about a new cyber security threat it dubbed Operation Shady RAT. Operation Shady RAT, and others like it that have emerged over the past months, represent a new kind of cyber crime called advanced persistent threats. These threats are a step up in computer crime: They are massive, they target specific high-value data and they lie dormant, undetected within computer systems, until remotely activated. These threats target specific high-value data, not just credit cards and customer account data but often records, in the form of email, legal contracts, design schematics and operational plans and images, pertaining to IP and trade secrets.
In the specific case of Shady RAT, spear phishing emails were sent to the target containing links to a web page that, when clicked on, automatically loaded a malicious remote access tool (RAT) program on the computer, thus gaining access to the network and the high-value information.
The new security threats
In the “old” days, it was fairly straightforward to imagine boundaries around your business data. Today, it’s fair to say, with the rapid adoption of cloud and mobile computing and the overall consumerization of IT, traditional boundaries have become fluid and, in most cases, nonexistent. In today’s world, hackers have figured out how to target the data when it is most exposed, whether it’s on a corporate server, an iPhone or in the cloud.
In this new IT world without boundaries, the traditional “layered” approach to enterprise data security becomes ineffective. Instead of assuming that data perimeter protection (protecting the networks and data “containers”) will keep data safe, we need to assume the bad guys are smart enough to not care about the containers and to instead attack the data. As the continued severity of data breaches shows, bad guys are interested in the data itself, wherever it might be, and whenever they decide the time is right to strike.
What do we do in this new world? How do we protect data so that it is locked down and unusable by the bad guys while it is still accessible to those who need to use it for business purposes? While we can’t ignore the old approaches and steps for data protection, such as protecting IT infrastructure and putting in place effective monitoring approaches, we need a new step. Encryption, and not the traditional public key encryption, is the only way to keep sensitive data protected while at the same time keeping it usable.
Secure the data, not the perimeter
Protecting private and sensitive data in a cloud/mobile world is difficult, expensive and increasingly mandatory to comply with federal and state regulations as well as to protect brand and business reputations. Thus, we need to think about data protection from a data-centric point of view, where the data itself is protected. When you start thinking about how to protect your data in a world without boundaries, think about these four things:
- Monitoring matters. Monitoring is an essential component of your overall security; network monitoring and database monitoring solutions help identify the kinds of attacks that are all around, such as script kiddies. They are also very useful for identifying internal threats such as unauthorized access to the database. These approaches give you a lot of information about what has happened, but they don’t actually stop an attacker from getting high-value data.
- Keep data safe when it’s on the move. Of course not all encryption is created equal. Many encryption solutions are like bank vaults: they protect the money, but as soon as the money is moved, or thieves break in and steal the money, the money is out in the open and can be used. So now, many banks use dye protection packs, which make the cash useless if it is stolen, and as soon as the cash is removed from the vault the dye packs explode, making it clear the cash has been stolen. A data-centric encryption approach renders stolen data useless to the attacker.
- Protect your keys. Encryption and other types of protection mean there are keys or tables involved that can give you access to the original data. These must be protected too. The best security solutions have keys that are never stored, so they can’t be stolen. The keys are computed only as needed. The recent RSA SecurID breach illustrates that hackers are getting more sophisticated and are going after keys.
- Make yourself less of a target. The price for credit card data has dropped from $500 per “gold” card to less than $50, driving attackers to plan and execute more-sophisticated attacks designed to pull out more valuable data. This includes trade secrets, legal documents, more complete customer records that can be mined for high-net-worth individuals, etc. Hackers look for the highest reward, profits or publicity, with the lowest protections in place. If they hack you and all they get is encrypted data, they will move on.
We can win
We can beat the bad guys. We have the technology to stop these new advanced persistent threats. Data-centric protection focuses on encrypting the digital assets, emails, documents, database records, in a way that they remain encrypted wherever they go. If they are stolen, those assets cannot be used, credit cards will not validate, emails will show up garbled and documents will not reveal their contents.
Format Preserving Encryption (FPE/FFX), which is the encryption technology underlying data-centric encryption, is being standardized by NIST and is backed by several solution providers like Voltage, Verifone and Ingenico. With Shady RAT, data-centric encryption would not have stopped the programs from taking the data, but it would prevent the attackers from using it. Data-centric encryption turns gold into straw, making the data useless.
Matt Pauker is the co-founder of Voltage Security.