High Value Data, High Exposure

1947 0

It is a known-known fact that one of the most valuable assets we may own and have access to is money. However, my opposition argument to this statement is that there is another asset, which has even more intrinsic value attached, an asset which can be shared, replicated multiple times, and can be distributed with impunity. The asset I refer to can be in the form of both Business, and Personal profiles. It is an entity which may be used to expose sensitive material, and in the obtuse, may be leveraged to expose misdealing’s, criminal activities, and even collusion between international parties – such exposed materials could even change the direction of an election to high office which in the worse-case of scenarios could lead to legal action, or even imprisonment. The asset I am referring to here is ‘Data’.

In both Personal and Business perspectives we live in a world driven, and supported by technology, and as such no matter the position in society there is a heavy reliance on technology to support our lifestyles, which by inference means, as an expectation, we as end-users, employees, and businesses alike hold, are custodians of, and/or have access to a lot of information in electronic format – AKA Information (Data) – which from my observations over the last decade does not always seem to accommodate the required level of awareness, or security.

In 2018 I was providing several Delegates training in the form of a Certified Cyber Security Course. Upon arriving at the module covering the subject of Data Security, one attending delegate from a large SME organisation commented that they did not as an organisation have the budget for any in-depth Cyber Security Defences, and thus relied and trusted on their approach only based on what Windows provided in the form of the following:

  • User Profile, Strong
  • Strong Log-on Password
  • Dell Laptops which were enabled with a FIPS- Biometric Fingerprint Scanners

To that end, our delegate considered the security approach taken to be adequate to defend the stored data assets, when at rest, and when outside the office! My own opinion to the statement was obtuse – not to prove the delegates wrong, but to retrain his opinion to the good of his organisational security over the owned, business sensitive stored and transported assets. I then asked the other attending delegates if they could see any flaw in the way security model had been evolved and enabled- The response was with the exception of only 1 (out of 10) an affirmative that the device in question was secure!

With permission granted, I then demonstrated how one could gain access to override the enabled security, and attempted to use a series of log-on attempts, under Guest, Admin, Administrator and so on – all of which failed, so access was denied, and at this stage, and the expectation of adequate security would seem to have been extant – and the owner delegate was happy with the outcome. I then asked if I would try another route to overriding the presumed level of Adequate Security to which they agreed.

My second attempt was based on a small cross-hair screwdriver which I used to remove the laptops hard-drove from the side of the case. The next step was to setup my own Laptop with a device costing around $30 (see Fig 1 below) to which I attached the removed Laptop hard drive. And at Fig 2 I also attached second drive as part of the demonstration which was removed from another systems – an office bound Windows 10 Desktop secured under the same principles of Windows Adequate Security.

Once the drive(s) were attached to the connected 3.0 USB SAT&IDE Drive Converter it is a simple case of mounting and accessing the drive via the on-board File Explorer with full rwx (read, write execute) and of course purge (delete) – from here one may then discover the contents, look for items of potential value, and acquire as required. At Fig 3 and Fig 4 below are examples, one of which shows a stored key on the Laptop drive under examination!

Agreed, this is not rocket science, but it is a misapprehension of security I have encountered on many occasions, from Outsourcing Companies, Local Authorities (Social Services Child Protection Cases), through to Large Corporates, and multiples upon multiples of SME end-users, and of course those who work from home on a regular basis. And this is not to mention the cases involving Junior Barristers and Lawyers who are the custodians of, and transporting with them High Value and HMG Classified Sensitive Data between their offices and the Royal Courts of Justice – and here I speak on all these occasions from first-hand observations and experiences – and of course, not forgetting my delegate whose drive I must now replace!

OK, so maybe one answer is to secure the said drives with a level of encryption – but:

  • Will it be adequate?
  • What about support?
  • Where will the Keys be stored (will they be accessible)?
  • Will it need to be Tamper Proof – FIPS-140/2
  • Will the system use TMP (Trusted Platform Module), or will it be a USB key-based solution?
  • Will the secured data be Transportable between devices?
  • And finally – can your choice be trusted and tested to be of a fully secure profile?

And of course, there are other questions relating to Physical Security and Storage. In my world of paranoia, I am concerned with seven areas when it comes to the security of my data, and any other data I happen to be the custodian of, and they are as follows:

  • Does the solution meet and comply with rigorous testing and compliance to a recognised standard (e.g. FIPS-140/2)?
  • Can I physically carry it on my person with on-mass capacities of data stored thoron?
  • Am I able to remove it from my main system and physically secure it when not in use (ideal expectation for multi-user environments)?
  • Can I use the device to share data cross-platform?
  • Is it Certified to meet the expectations of any of my HMG/Public Sector Clients?
  • Is it cost effective?
  • And finally – is it easy to use?

My Solution – Another One of my Favourite Things: As you may have gathered from some of my previous articles, I use what I call my Favorites Things in the Cyber Security defence sense – and in the area of Data Security my preferred choice is the iStorage diskAshur for my mobile use, and the heaver diskAshurDT for my in-office solution – See Fig 5 – for an image of my secure-twins. But why?

As I have eluded to above, I am a tad paranoid when it comes to data, and thus I wish to seek a solution which will both accommodates the storage of sensitive data which I may access and use on all my systems (and other where appropriate). I also tend to travel a lot, and as such on those occasions when I am laden with baggage, I am always able to find some small place to store my secure drive whilst I am in transit – where I can keep eyes-on my data assets. Last but not least, if I should be unfortunate enough to suffer the theft of any of my mobile, or deskbound assets, I do not suffer the indignation of knowing that my most valuable assets are lost – the data is safe. Remembering that I can always go out and buy a new system, but as for the year-on-year build-up of valuable data, that I entirely another problem.

The drives in question also meet my seven deliverable expectations for security, up to and including FIPS-140/2 Level 2/3 Logical and Tamperproof security which has been subject of rigorous testing, and which are Certified to the following standards:

  • NCSC CPA (UK)
  • NLNCSA BSPA
  • NATO RESTRICTED Level

So, the above, linked to all the benefits associated with my secure-twins are the reason they enter my remit of trusted Favourite Things.

Cryptocurrencies:  We started off by taking about the value of money – well here our conversation relating to Data and Finance meet at the crossroads of the security debate. It may be that you only have a few Bitcoins, or some other form of e-currency; or maybe you are one of those lucky people who have made a killing. Well it is here where the solution I am presenting also brings the maximisation of security to the table of those involved in the world of Cryptocurrencies – and as such highly recommend solution as the medium by which you secure your hard come by digital wealth – remembering that if you suffer loss of your account information, it is close to, if not  impossible to recover, and not forgetting the massive scale of growth of Cryptocurrency Mining Malware seeking out your stored digital wealth – so placing it in a secure, off-computer location does make a lot of sense, with a recognisable ROI in real terms.

Ransomware: Last of all on the proactive side of Cyber-Defence, I have lost count just how many organisations I am aware of, from SME, up to large corporates and Local Authorities who have suffered from a successful Ransomware attacks where they have been locked out from their sensitive and important business data assets. Here, as example, in one case in 2016 halted an entire Local Authorities operations – unable to pay bills, staff, and resulting in a very dire read in the local newspaper – again such a solution as a secure off-line protected drive to segregate and secure the valuable assets would have gone a long way to effect recovery from those implicated systems. And here I recall the East Midlands based Engineering Works who paid £350 to recover a small amount of valuable data post a successful Ransomware attack against a single PC – more than the cost of purchasing a secure drive – this simply does not make economic sense in any accountants return.

CSIRT Operations: In my case, one of the real benefits of using the mobile solution is in the area of Incident Response where I leverage the medium as my Computer Security Incident Response (CSIRT) Toolkit on one secure drive. Allowing me to travel to and engage the scene of an incident with a fully formed First Responder Toolkit which will accommodate a robust level of security around the on-board Artifact Repository I have created – thus enabling me to attest without doubt that any recovered artifacts or other items of evidential value have been secured from tampering.

Finishing where we started off – such a solution as a secure, encrypted drive which may be removed and physically secured, not only removes the danger of a drive being directly interfaced into a tool such as described above, it provides the assurance that data may be secured away when not in use from both logical physical insecurities, and other forms of malignant tampering.     

Conclusion: My conclusions here has to be, given the exposure to data which is reliant on the Windows approach (as outlined above), the lack of awareness as to the impending and extant exposure, linked to the impact of a Ransomware attack, the loss of Cryptocurrency or the loss of sensitive and important data as the result of a theft, not to mention the exposure of materials in the hands of lawyers attending the Royal Courts of Justice. To sum-up (please pardon the legal pun) it is simply a no brainer when it come to the low offset cost of security. We live in an insecure world, which feeds off those who do not take the commensurate steps to secure their data, or any data which they may be the custodians of – you have been warned, so listen to the many who have gone before you and lost!

Professor John Walker
john_walkerVisiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust, Writer for SC Magazine UK, Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
Twitter: @SBLTD 
John Walker is also our Expert Panel member.  To find out more about our panel members visit the biographies page.

Professor John Walker Web Site

In this article