The following is an excerpt from Chapter 4 of Penny Garbus, Jeffrey Garbus, and Gillian Garbus’ book Data is the New Gold which can be purchased here.
The U.S government said in “Protecting Your Networks from Ransomware” more than 4,000 ransomware attacks have occurred daily since the start of 2016. The attacks in 2016 were four times higher than in 2015. (#8F)
Most attacks are against financial, medical and retail business sectors. The ransoms are usually under $1,000 and most companies pay it. Attackers prefer payment through bitcoin which cannot be traced. However, in some cases the data and files are not completely freed up and some attackers will hold out until more money is paid. The worst scenario occurs when the attacker has so completely destroyed data files and infected hard drives they are unable to get back your data. The costs can run into thousands or millions to get a company up and running again.
The best way to protect yourself is to set up the proper security and off-site backups.
There are two basic types of ransomware. The first is locker room ransomware which basically locks you out of applications and processes on your computer. Locker room access is not necessarily an encryption virus. It may just create a barrier between you and the computer’s interface so the only thing you can do is see the ransomware attack screen which requests payment to release your computer. This type of ransomware uses threatening fake messages and tries to look like you have done something wrong. That’s why law enforcement is knocking on your door. It uses threatening images and is more of a psychological scare tactic; this ransomware can be cleansed from your computer and personal files restored. Also, virus protection services will be able to detect it and you can work with a provider to get rid of the ransomware should it attack undetected by the virus protection or firewall software.
It is best to consider paying for virus protection. Do research and make sure you are purchasing from a known brand. Be careful of virus protection software that appears magically through an email and declares it has found a virus. If you don’t recognize the brand, ignore the findings. Run your trusted provider’s processes. Sometimes viruses come in looking like they are doing a favor finding viruses on your computer but they are the virus. I had virus protection software that would interrupt me every few seconds while I was working on my computer, telling me I had a virus. I had to run my virus protection software, telling it to get rid of these files and email.
The second type of ransomware is a data lock or file encryption ransomware. This virus enters, encrypts and renames your files so you have no access and you can’t recognize the files. Renaming takes away their file extension as well as the name you created them with. This type of ransomware works more stealth-like than the others. It creeps quietly until all files are encrypted, then it allows itself to be known. The author demands payment to release your computer from control. They typically ask for payment by bitcoin. The computer will continue to work but files that are locked down will not be accessible. However, they use threatening messaging to encourage prompt ransom payment by saying the key for de-encryption will be deleted and lost forever if payment is not received within a specific time period.
The first thing to consider is to make sure hardware and software are protected with firewalls and software that scans the environment for worms, harmful attachments and attacks.
The second tier will be to set up procedures and protocols for data access. It is important to make sure access to data is limited by setting up rules and roles in the database. For example, the system administrator role should be handed out to a limited number of people, who should not be sharing login information with each other.
Many environments are too lax with limiting access and controlling database environment. If you are not sure your environment rules, review them. Then consider what processes you need to complete when employees leave. You need to make sure access is taken away and passwords are changed. Also you should consider encrypting data as it comes in and out of your environment.
Data is encrypted to keep its contents protected from prying eyes.
First, let’s make sure we’re on the same page from a terminology and process standpoint.
There are two basic components to data encryption: Encryption, where we store and protect data, and decryption, with which we retrieve and unscramble data.
On the encryption side, you need to be able to create and manage an encryption key, as well as to set permissions for logins who should have access. On the decryption side, you need to be able to transparently select from appropriate columns.
Data encryption meets both needs in data security: It protects data from friendly eyes, as well as unfriendly eyes, who have perhaps stolen a backup tape.
Encryption products have ability to create encryption keys and encrypt any other data in databases. This met a market need because there had been high-profile cases with stolen databases, leading to identity theft. Encryption has gotten better and easier, with ability to recover lost encryption keys, specify default values for data a user has no permission for, and additional datatypes that may be encrypted.
There are third-party products to perform the encryption, but performing the encryption at the database level is an improvement in performance and reduces need for a security tier. Don’t we have enough tiers in our environments?
Many DBMS manage security of keys by keeping them encrypted. There are two keys between user and the data: the column encryption key (CEK) and the key encryption key (KEK). The CEK encrypts data and users must have access before they can get to encrypted data. For security, it is stored in encrypted form. ASE (ASE SAP formerly known as Sybase Adaptive Server) encrypts the CEK with a KEK when you create or alter an encryption key. The KEK also is used to decrypt the CEK before you can access decrypted data. The KEK is derived internally from system encryption password, a user-specified password, or a login password, depending on how you specify the key’s encryption.
Decrypting (querying) the Data
Once the data has been encrypted using keys with user-defined passwords, things have to happen for a user to see data in the clear:
- You need select permission on the column to read the information, insert/update/delete permission (as appropriate) to modify the information.
- You need decrypt permission on the column to read (or if you’re going to use it for comparison purposes in a query predicate). If you have select permission, and do not have decrypt permission, you’re going to get either the default (if it has been applied) or a permissions error (if no default has been applied).
Key copies enable users to access encrypted columns using their own copy of a single key. This provides accountability for data because a key copy is designated for an individual user with a private password known only to the user. Without knowledge of the passwords protecting the key and its copies, not even SA (systems administrator) can access the data.
Column encryption generally uses Advanced Encryption Standard (AES), with 128, 192, or 256-bit encryption key sizes. The longer the bit string, the more difficult it is for a hacker to decrypt. On the other hand, the more complicated the encryption, the more CPU resources will be taken up by the encryption/decryption algorithm.
Which level is right for you? That’s a question for the site security officer. You should be aware most public, commercial products and projects are using 128-bit encryption, and the government uses that up to the SECRET level; Top Secret requires 192 or 256-bit encryption. How difficult is this to crack? It’s been calculated cracking a 128-bit algorithm requires 2120 operations, which is not considered feasible. (#9F)
That said, 128-bit encryption seems secure enough for most applications. But check with the security officer about your shop standard. If you go with a higher level, be sure to benchmark the effect of the higher level of encryption against CPU utilization.
If your application is hosted on the web, make sure you purchase an SSL certificate and an https URL rather than an http URL. This will add an extra layer of protection to your data and application to keep out unwanted access. The rule should be if you want to limit access to your application and have a login page, then your application should be using secure socket layer certificates and an https URL. The data then will be encrypted upon entering and sending the data. Not only will this keep folks from retrieving the data but from following holes into your systems.
In the majority of systems, access requires authentication and authorization. Authentication asks, and answers, the question, “Are you who you say you are?” Authorization asks, and answers, the question, “Are you permitted to take the action you are trying for?”
Authentication is managed with a login and a password. The login gives the security system something to use as basis for lookup, and the password is used to verify the person logging in is supposed to. You’ll find most systems have rules about mandatory password complexity. Without that, passwords are easy to guess or hack. Note if your password is less than 12 characters, it’s likely not as secure as you believe it is. Brute force hacking tools, that are shareware/downloadable, will often figure out those passwords in seconds or minutes.
Authorization is generally managed with permissions inside the application. So, once you have logged in, the application permissions control what you can read or change.
Software bug fixes and updates
As the system ages, you will find you will be provided bug fixes and sometimes upgrades for the software. Always review the bug fix, and install it in a development server first. Then test for everything from data integrity to performance before rolling up the bug fix. Keeping the software up to date is one key in protecting data. Try to keep your full environment in compliance. Software is aged out by vendors and if you have a corruption in an old database caused by a vendor software issue they will not help you once they have determined they are ending support for a particular version of the software.
The best way to keep data protected is to make sure the environment is kept healthy, so maintaining the software and hardware supported by the vendor adds a team that can help you when something bad happens. If you aren’t in compliance they will commiserate but they won’t help you. Security processes for the world outside your business need to be set up but you also consider these suggestions.
- Create a list of applications, software, file storage folders and applications you need folks to be locked out on when they leave the business. Then verify they no longer have access.
- Ask developers if they have hidden passwords or keys within the application to assist in testing. If they have, make sure they are removed.
- Create a business protocol that defines how passwords should be stored. I know I am sometimes guilty of putting a Post-it note on my computer when I first use a new software product. We all know this is stupid, but I can’t tell you how many dozens of passwords I have to remember and use on a weekly basis. It’s almost to the point I hate to purchase software because there’s another username and password I need to deal with.
- Some developers store their passwords on outside sources lists. This is not a good idea.
- Make sure user access lists stay within the network of the organization. If you ask a vendor to create reports to demonstrate who has access to ensure people have been properly inactivated, keep this data behind the firewall or within your network. Don’t email this information and don’t put it into a document that could be released in any way. This data is an invitation to a hacker.
- Make sure equipment is returned and confidential data, code or proprietary property returned.
- At least once a year review all access vs. locked down procedures to ensure you have not left something off the list.
- Someone on staff should be given the job of researching security, reviewing procedures and then training staff. For example, anyone on a shared business network should be careful about opening files from an unverified source. Use an email spam collector, junk mail and clutter. I hate clutter because it is too protective; however, I saw it caught an email for me once I may not have. An email was sent to me that looked like it was from my clients; there was one character off in the email address. I may not have seen it if I just went through my hundreds of emails and clicked down my list. This email had a suspicious attachment, so I quickly deleted my entire clutter list to make sure the email was gone. So take the luck out of making sure you don’t open a bad email by using spam filters. Training your staff to know what to watch for is a good idea. Reminding them once a year about security protocol procedures also is a good idea.
- Lastly, make sure you have backups of your data. This includes all business files.
Core data should only be on a server behind a firewall and not on a shared server where you collect random or necessary files. Shared files and information should be set on a separate location, where they are opened and scanned for virus protection. You may have to create processes when a file is opened, the raw data inside the file is copied and entered into either an image or text format free of any code in the original file.
NOTE: It is a mistake to put antivirus on your database server. Whenever the database files change, the antivirus sees the file change and examines it. When database files are in the gigabytes, and every change triggers the antivirus, you get performance hits in the database response time and on the disks.
The old days of looking at a network and seeing everyone’s computer including the core data server are gone. The new standards are the core data servers should not be accessible by an open connection. There should be need for login processes to access your core data system. There should be process and personnel limitations as to who can access your core data systems.
Lastly, make sure your personal or business desktop/laptop is protected. Keep updated virus protection on your personal computer, particularly if you use it for emailing or other file sharing products. You also can back up your personal or work PC all the way down to the applications you use. Make sure you keep a series of backups as the latest one could have been corrupted before you knew the virus existed. If you protect your own workspace then you won’t run a lower risk of poisoning your work and friends.
A key person of a small company opened an email. The email opened a window that said, “You have been to an illegal illicit site. We will report your activity to the FBI if you do not pay us.” The computer was locked down. He couldn’t get to his files nor his pictures. Fortunately, he had not emailed anyone nor shared files so the infection stayed on his own device. The worst part of the story is he paid the ransom, but they did not share the key to unencrypt files and release his computer. They just disappeared with the money. Luckily, by uninstalling and reinstalling the operating system, the computer was recoverable and files were backed up so he was able to work again. The ransomware folks are all about payment. They don’t care about customer service.
There is an industry around ransomware. There are RAAS Ransomware as a Service providers who will attack based upon targets a third-party request them to attack when business is booming. They don’t care who they attack; there are no initial or favorite targets. They just look for a demographic that may be willing to pay, like novice computer users or companies where data is their lifeline. They also like to target public sites for notoriety to establish credibility that will resonate fear with subsequent novice targets.
Review security processes and procedures. When starting new projects make sure security requirements, including roles and data access limitations, are discussed with user, management team and developers. Then, ensure data can be protected from all angles.
Review security processes at least once a year. You may want to hire an outside source to review security and if you believe necessary, hire a professional hacker to look for holes in your systems.
Security is not limited to firewalls and SSL certificates. You need to review internal access procedures, password assignments and management of access of users. Are inactive users locked out of the entire environment? Importantly, make sure there are policies and procedures to lock out developers, dbas (database administrator) and security engineers to ensure they do not have a way into your environments.
Your computer is not the only device that can be a victim of an attack; phones, hand-held devices, and smartwatches also are potential targets. The virus once attacking you spreads through your contacts. The attack occurs through disguised websites and applications similar to useful or popular sites and applications. When you click to open the application or site, the virus launches. The application generally cannot be removed through normal means but instead, you must use the factory settings to remove the virus. Unfortunately, some viruses control the screen access which does not allow you to get to the settings reset. There are shortcuts for some devices you can use to reset to factory settings without using the screen. Sometimes this works through some other manipulations but often the device is rendered useless.
If you work in a secure environment, private vs. work devices could be a must. Downloading applications to a work device should be held to a minimum, making sure you are only accessing necessary and well-known applications.