A recent discovery indicates that the dark web maintains a trove of 1.4 billion credentials with cleartext (unencrypted) passwords that are not only accurate, but are stored in a searchable database. The contents of this database represent breached data from some of the best-known companies on the internet.
Even though strong authentication technologies and encrypted solutions have been around for an embarrassingly long time, ill-informed decisions on the part of websites have left users and data exposed, with adverse consequences.
On the one hand, it is hard to fault business managers making technological risk-management decisions. Technology is evolving so rapidly that it leaves professionals gasping for breath while assimilating change. Add to this a phalanx of consultants and industry analysts who don’t “eat their own dog food,” and you are left with a perfect storm of vulnerabilities that aid attackers rather than protect consumers and companies.
Is there a playbook that managers might use to understand current risks and learn how to effectively protect systems, data and users? While every system is unique, there are fundamental tenets you can apply when making risk-management decisions.
Information systems exist to receive, store and process data, so, to be useful, information must possess the following three properties:
- Confidential, where appropriate, and
Below are best practices for organizations to ensure their data meet these criteria, also referred to as ACT.
What is Authentic Data?
For a power company billing a customer, the meter reading must pertain to the specific customer, originate from an authorized meter and be accurate. This makes the information authentic. When data is accepted as being “authentic,” it establishes an initial level of trust. However, an initial level of trust does not necessarily make it trustworthy later on.
Not all devices have built-in components to guarantee data authenticity; the cost is still prohibitive for general-purpose computing. Consequently, the world has learned to use proxies to attest to the authenticity of information.
The technology used to authenticate humans to information systems is the vulnerability in such a proxy-based system. If an information system can be tricked into accepting a masquerader as the “authentic source”—which most current systems can—then assumptions that the data is authentic fall apart.
Most organizations are familiar only with user IDs and passwords as proxies for user identity authentication, created more than a half-century ago. In fact, it is estimated that more than 99 percent of systems continue to use user IDs and passwords to authenticate humans to systems. This technology remains the single largest vulnerability to systems on the internet.
In addition to authenticity, confidentiality is another critical data attribute. Data breaches destroy that confidentiality. Some of the wealthiest and best-known companies in the world have been affected by breaches, including Facebook, Yahoo and LinkedIn.
The reason for most breaches is the wrong assumption that it is easier to stop “barbarians at the gate” rather than actually protect sensitive data in the application. Consequently, companies over-invest in network-based security tools—such as firewalls, anti-virus, malware detection or intrusion prevention—rather than invest in the control mechanism that provides the highest level of protection: application-level encryption.
Data security today requires multiple controls to deter attackers. Short of eliminating sensitive data from a system, encrypting and decrypting it within authorized applications (combined with a hardware-backed, cryptographic key management system) provides strong protection control. When combined with FIDO-based strong authentication, risk mitigation becomes formidable.
Making It Trustworthy
Being able to trust the data is the third key to security. However, because of how standard database management systems are designed, it is always possible for a privileged user to modify data at rest directly without the knowledge of the application or users who created the record.
This risk is not easily mitigated, even when controls exist to ensure the database system records changes and stores audit logs that privileged users cannot access, because even database management systems use user IDs and passwords to authenticate.
This creates a breakdown in data trustworthiness.
Most applications today function on the premise that information stored within their databases is accurate. Even application programmers and system administrators are constrained in protecting the integrity of data for multiple reasons, including lack of knowledge or resources, or business imperative. Consequently, it is possible to implement FIDO-based strong authentication and application-level encryption but still remain vulnerable to integrity attacks.
Developing a holistic, trustworthy security strategy includes implementing digital signatures for both user transactions and stored database records. Transaction digital signatures using FIDO-based protocols ensure only authorized users can modify stored data. Similarly, database records should be secured using digital signatures generated by the applications themselves; the cryptographic key performing these signatures must be inaccessible to any human user—privileged or otherwise. Upon reading a database record, the application verifies the signature of the retrieved record. Only when the signature is verified successfully can the application be sure it is using the same data it stored previously, thus ensuring trustworthiness.
Today’s information systems work under an enormous security burden. The above guidelines create powerful controls to protect information, users and investments. Following them will ensure the authenticity, confidentiality and trustworthiness of your data.