Revolutionizing Data Security to Protect Against a New Era of Cyber Attacks
Cyberattacks are being reported in the news with ever increasing frequency. With an unprecedented number of people working from home, those with the inclination and knowledge of the vulnerabilities that exist within security systems have used the pandemic market shift as an opportunity to attack the critical infrastructure of both countries and private companies.
The Growing Prevalence of Cyber Threats
Most notable and recent in the United States was the Colonial Pipeline attack in April 2021. Colonial Pipeline is one of the largest pipeline operators, supplying almost 45% of the East Coast of the United States with fuel. The attack forced Colonial to cease operations while gathering the necessary information to determine the nature of the attack. The attackers gained access through a virtual private network (VPN) account that allowed employees to access the system remotely while working from home. The account was not in use at the time of the attack but still retained access to Colonial’s network. Following the attack, Colonial paid the attackers a ransom of $4.4 million.
Globally, there are many recent examples similar to Colonial. One threat in particular that has stood out to the cybersecurity community was the Kimsuky attack on the Korea Atomic Energy Research Institute's (KAERI) network in May. KAERI, established in 1959 to achieve self-reliance in nuclear core technologies, is a prime target for an energy-starved North Korea. According to United States officials, Kimsuky is likely tasked by North Korea with a global intelligence-gathering mission. Several other attacks on South Korea, using a backdoor called AppleSeed for Windows and Android systems, have also been attributed to the group. After the incident was publicized, KAERI issued a statement explaining that an unidentified outsider had accessed parts of its systems by exploiting a weakness in its VPN. In response, it blocked the IP address and updated its security once the attack came to light on May 31. As of now, the damage from the breach is unknown, but the group could have gained access to information that would benefit North Korea's nuclear programs, as KAERI holds information on small modular reactors and other power sources. This information is especially valuable to North Korea, as only 26% of its population has access to electricity.
Similar to the DarkSide group's attack on Colonial, the infamous Maze group developed ransomware that was used by a group called Egregor until its members were arrested in Ukraine in February this year. Many security experts believe the Egregor group is a successor to the Maze group, operating on a "Ransomware-as-a-Service" model: renting out malware and using other cybercrime groups to launch attacks. The tactic involves not only locking up systems in exchange for ransom but also threatening to release stolen sensitive information online if the ransom isn't paid. In addition, these groups sell stolen data on the dark web or use the stolen information to attack the victim's clients and partners. At the end of 2020, the Maze team put out a press release stating that "the project is closed." The group, which in 2020 attacked companies including Cognizant, Chubb, ExecuPharm, Visser, and Kimchuk, is not thought to be finished, however, but rather to be in a stage of rebranding.
What’s become abundantly clear is that today’s run-of-the-mill cybersecurity standards and practices are not enough to protect data. In recent higher-profile ransomware attacks, we have seen cyber criminals exploit vulnerabilities in VPNs to gain access to systems. Once the bad actors have penetrated the systems, they’re able to access and exfiltrate data. Various security models, such as the Zero Trust architecture, are a good start but are not enough on their own. These cybersecurity postures are designed primarily for ease of use, but are not sufficient defenses against today’s sophisticated attacks.
Regulatory Requirements for Data Encryption
In response to the increasing number of cyberattacks, the President of the United States, Joe Biden, issued an executive order on May 12, 2021. In its opening lines, President Biden states: "The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy." The executive order sets forth bold actions on the part of the federal government to improve the security of American institutions, including by working with the private sector.
Data at Rest
Within the executive order, President Biden looks to modernize the federal government's cybersecurity in multiple ways by adopting new security practices: first by advancing towards Zero Trust architecture, then by moving to "accelerate movement to secure cloud services… [and] centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks."
The order outlines the steps necessary to achieve best practices, including adopting “multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with federal records laws and other applicable laws."
These new best practices, outlined in the executive order, should be entirely consistent with the major regulations that protect personal information today. For regulations like HIPAA, CCPA, NY DFS, and GDPR, compliance is met by employing cybersecurity protocols to protect personal information. Protections may come through a Zero Trust model or some other form. But the addition of multi-factor authentication and data encryption will bring enhanced protections to the existing compliance paradigm and require new systems for various federal agencies.
The goal of the new mandate is to prevent an attacker from accessing information even if the attacker has successfully infiltrated the organization’s network. To achieve this, encryption is critical so that data can be decrypted by authorized users only, even if the encrypted information is available to or stolen (i.e., exfiltrated) by the attacker. Essentially, while the attacker can get into the safe, the only thing they can get their hands on is lead while the gold remains secured.
Identity and Access Management and Accessibility to Files Must be Disconnected
The difference between cybersecurity and information security is critical because the two dictate different courses of action. Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or illegal use, and the practice of ensuring the confidentiality, integrity, and availability of information. Information security is more specialized and specific: it consists of the measures that protect and defend information by ensuring its availability, integrity, and confidentiality.
By definition, both cybersecurity and information security are paths to the same goal of protecting information, but the standard practices of the two are, in reality, different. Identity and access management (IAM), which is the backbone of many cybersecurity programs, works much like a castle. The walls erected in this system work as a broader cybersecurity measure, but they do not lend themselves to information security in the event of a breach. When imagining a castle built on IAM, picture it again without the walls, which is what any sophisticated hacker will achieve given the right set of circumstances. Once the bad actors have access to the network, they have access to the files.
This is why files need to be encrypted: encryption prevents access to and exfiltration of data and maintains data integrity. With an encryption system untethered from IAM that protects the actual data, a hacker who gains credentials and accesses confidential files will still be unable to decrypt and use them.
Protecting Files as Employees Continue to WFH
During 2020, we saw a rise in cyberattacks as many companies had to pivot quickly to remote work to meet social distancing requirements that would not have been feasible in many company headquarters. For the safety of their employees, as infection rates rose, those that could switch to hybrid or fully work-from-home models had to do so quickly, leading to a broader attack surface. Many companies were unprepared for a 100% remote workforce.
Making the switch without the proper infrastructure in place meant that many employees were, in some cases, accessing company data from their personal devices, which may have varying degrees of security in place. There is no telling without a deep dive whether an employee’s personal device was compromised before remote work began.
The Human Factor
HP conducted a recent study that analyzed the cybersecurity risks associated with remote work and found that: "70% of office workers surveyed admit to using their work devices for personal tasks, while 69% are using personal laptops or printers for work activities. Almost one-third (30%) of remote workers surveyed have let someone else use their work device." This concerning behavior is coupled with two new trends. First, an employee is more likely to fall for a phishing scheme because they are not in the office, are out of the loop, and are reluctant to come forward with a problem for fear of having done something wrong. Second, there was a 238% increase in global cyberattack volume during the pandemic, as found by KuppingerCole, an international, independent analyst firm.
In its study, HP also found that: "71% of employees surveyed say they access more company data, more frequently, from home now than they did pre-pandemic – with the most common types of data being accessed being: customer and operational data (43% each) and financial and HR records (23% each)." Accessing this information is part of their job and a necessary function that they need to perform. With a system based entirely on IAM, access is ready and available for a sophisticated bad actor.
These new normals create the perfect storm for hackers in the right place at the right time to successfully attack more businesses than ever before. Right now, as the debate on working from home continues and business plans are updated, cybersecurity and information security are more important than ever.
Employees require access to the data they need to perform their functions. With Atakama, the employees can access the data while it remains protected at all times with multi-factor encryption. This strategy is the only way to ensure IAM is disconnected from information security, thereby protecting the organization in the event an attacker compromises the system or the network is breached.
What It Is
Atakama has developed file-level encryption software that runs on distributed key management. File-level encryption is the future and response to today’s attacks, as federated identity and roots-of-trust-based systems continue to fail. Not to say that these systems should be scrapped entirely, but they cannot act alone. Encryption is not a problem solved by an IAM system. Unless files are encrypted separately from the IAM system, anyone who can access the network with usable credentials can decrypt the available data.
The human element is the network's weakest link, and employees working from home are at higher risk from cybersecurity threats.
Atakama’s system provides multi-factor encryption at the critical file level. There are no usernames or passwords. Instead, each file is protected with its own unique encryption key. Keys are elegantly and automatically split and distributed to every user who has access to the encrypted files and is enabled with Atakama. The system is built with a Zero Trust design for data at rest and in transit that relies on the underlying distributed key management this solution brings to the table. It offers ease of access for those who need access to protected files while retaining security. Atakama eliminates the gap between security and usability by creating a system that goes where the files are.
What It Does
Atakama works in three steps. First, each file is encrypted with its own unique key using AES with 256 bits, a military-grade NIST standard encryption algorithm. Then, each key is split into multiple shards and distributed across physical devices of every authorized user running Atakama, which happens behind the scenes and is invisible to the end user. There is no master key, key server, or centralized key storage that a hacker can attack.
Second, when a user accesses a file, it looks and feels very much like a multi-factor, 2FA, or SSO solution, where they get a push notification on the Atakama Mobile app running on their phone, an interaction most people have seen before and become accustomed to. The reality of the experience to the end-user is that it feels like they are unlocking a file with their phone, so anyone who can open an app and press a button can use it.
Third, when the user approves unlocking the file on their phone, the device sends back a key shard for that file to the computer where the key is reconstituted and the file decrypted. It is seamless, efficient, and easy to use. By disconnecting file access from IAM, Atakama delivers true information security.
Atakama’s powerful encryption solution prevents unauthorized file access. Unless a bad actor can gain access to two physical devices (e.g., phone and computer) belonging to the same user, they will be unable to access the encrypted files. There is no possibility of stealing files wholesale during an attack. These features allow Atakama to provide added security when so many businesses face the potential for disastrous attacks.
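The three-step flow above, as an added illustration (example code, not Atakama's own implementation, whose key-splitting scheme the page does not specify): a per-file AES-256-GCM key is split n-of-n by XOR into shards, one per device, and decryption succeeds only when every shard is presented. The XOR split and the iv || tag || ciphertext layout are this example's assumptions; a production system would likely use a threshold scheme so that one lost device does not lock the file.

```ruby
require 'openssl'
require 'securerandom'

# Added illustration, not Atakama's code: one random AES-256 key per file,
# split n-of-n by XOR so that no single device ever holds the whole key.

# Fresh 256-bit key for a single file, from the OS CSPRNG.
def new_file_key
  SecureRandom.random_bytes(32)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Split key into n shards whose XOR equals key. Any n-1 shards are uniformly
# random and independent of key (one-time-pad argument), so a shard lifted
# from a single device reveals nothing about the file key.
def split_key(key, n)
  raise ArgumentError, 'need at least two shards' if n < 2
  shards = Array.new(n - 1) { SecureRandom.random_bytes(key.bytesize) }
  shards << shards.reduce(key) { |acc, s| xor_bytes(acc, s) }
end

# Recombine shards; only the complete set yields the real key.
def reconstruct_key(shards)
  shards.reduce { |acc, s| xor_bytes(acc, s) }
end

# AES-256-GCM authenticated encryption; returns iv || tag || ciphertext.
def encrypt_file(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

# Returns nil when the key is wrong, e.g. reconstituted from an incomplete
# shard set: GCM's tag check fails rather than emitting garbage plaintext.
def decrypt_file(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..]) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

In the phone-plus-computer case of the paragraph above, n is 2: the computer keeps one shard, the phone returns the other on approval, and the reconstituted key is discarded after the file is opened.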
Request a demo with our customer success team to learn how Atakama can help your organization.