Q&A: Delving into new guidance for tackling cyber-fraud

By Tim Sandle, Sep 1, 2019, in Technology
A new best practice guide has been issued by the National Cybersecurity Center of Excellence. The guide maps to both cybersecurity standards and best practices, and Arshad Noor, CTO of StrongKey, provides a run-through of its main points.
According to Experian’s Global Fraud Report 2018, 75 percent of businesses have agreed with the statement: "We would be very interested in more advanced security measures and authentication."
In terms of advancing cybersecurity, the company StrongKey has been working closely with the U.S. National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST) on new guidance to help retailers and e-commerce merchants.
Arshad Noor, CTO of StrongKey, shares with Digital Journal readers the best practices outlined in the report.
Digital Journal: What is the state of cyberattacks on businesses?
Arshad Noor: Currently, it is, unfortunately, abysmal. When the world's first breach disclosure law was passed by the State of California in 2004, a data breach would be announced at the rate of about once a month. Today, the rate is trending at 2-3 per day. Officially, more than 9,000 data breaches have been disclosed by law. However, most of those breaches were not discovered by data owners for days, weeks, months or, sometimes, years. So, the true state of cyberattacks on businesses may be far worse than what we know publicly.
A second problem is that, despite most people in this field having studied computer “science”, the information technology sector is extremely unscientific. If there is an epidemic due to a new biological virus, a doctor and/or a hospital is mandated to report it to the Center for Disease Control (CDC). There, scientists go through a structured process to analyze it and determine the most effective curative and preventive mitigation controls to stop the epidemic. This information is then distributed to all healthcare professionals and institutions, as well as publicly if warranted.
In the field of information technology, while there is a Computer Emergency Response Team (CERT), it is only as effective as the reports it receives. If a business is breached and chooses not to disclose it but takes matters into its own hands – as Uber did a few years ago – then nobody knows about it. Nobody learns about the vulnerability, the attack vector or the appropriate mitigations. When it is eventually discovered, the information may be too late to have prevented similar compromises at other businesses. This culture needs to change.
DJ: Where are these attacks coming from?
Noor: Technically, from all over the world. As with all vocations, attackers come in many different categories: “script kiddies” looking for kicks, opportunists from within the company seeking personal gain from insider information, professional gangs out to make money, business espionage agents, state actors who have an interest in creating chaos within a country, and so on. Professional attacks rarely come directly from the originator's home country or computer. Using a variety of technology, professionals will compromise many other computers to create a “zombie army” and use them to launch attacks on the final target, so as to hide their traces. Tracing the true source of the attack is not within the realm of most business IT departments. Perhaps, with the help of law enforcement, they might be able to pinpoint where the attacks originated, but it may not lead to any resolution depending on the country of origin and extradition treaties between the countries involved.
DJ: What can businesses do to reduce cyber threats in terms of current practices?
Noor: Nearly thirty years ago, when businesses embarked on connecting themselves to the internet, they punted on addressing the real problem – insecure applications – by succumbing to the siren call of the “network firewall”. By doing so, application developers abrogated their responsibility to the people responsible for connecting wires between routers, switches and computers. Since then, the field of information technology has been mired in network-based protection of all sizes and shapes – leading to where we are today.
Businesses need to recognize that the responsibility for securing data belongs with the applications team – not the network team. Business applications collect, store and use data. Therefore, it is the responsibility of the application to protect data first, and not relegate that responsibility to devices and tools that have no business purpose to interact with that data.
DJ: Which types of new technologies can boost protection?
Noor: Ironically, the technology that could have protected businesses a quarter of a century ago, public key cryptographic systems (PKCS), is the same technology that can protect businesses currently.
PKCS is the only technology that has the unique property of delivering three data protection benefits to businesses:
To provide the true provenance of information at the time of capture or receipt. This is accomplished through the use of digital signatures. When a system produces data – whether it is a medical device, an automobile, an e-commerce or banking system – it has the ability to produce a digital signature on the data that would establish the origin of that data. Where a human must transcribe the information into a computer system, the human could produce a digital signature with the aid of appropriate capability in the system. This digital signature not only establishes the provenance of the data records, but ensures that it can be verified years after its creation;
To protect the confidentiality of the information through the use of encryption. While public-key cryptography is not used directly to protect information for a variety of reasons, the industry paradigm is to generate a symmetric encryption key – such as an Advanced Encryption System (AES) key – encrypt the information using the AES key, and then to encrypt the AES key using the PKCS. This allows the PKCS to be used to encrypt billions of symmetric keys while the symmetric keys can be used to encrypt an unlimited number of data records and/or files;
To protect and verify the integrity of information through the use of digital signatures. Similar to the use-case where the provenance of information is verified through the original digital signature at the time of information capture, each time the information is modified for business reasons, the appropriate PKCS can be used to create a digital signature at the time of each modification to create a signature trail that verifies the information as it is transformed through authorized business processes.
DJ: What is the StrongKey solution?
Noor: StrongKey’s solution is a hardware appliance that enables the three data protection capabilities as web services, so business application developers who must enable these protections within their applications may simply call the web services to have the protections applied to the data. The business application neither needs to understand the mechanics of the PKCS nor does it need to be concerned with the operational characteristics of the PKCS – they are abstracted outside the business application much as a database or filesystem is abstracted outside the applications that use it to store and manage vast quantities of data and files, respectively.
The reason it is a hardware appliance is because a PKCS involves the use of cryptographic keys, which are the most sensitive parts of an information technology infrastructure. As a result, businesses must ensure that the PKCS is protected from all the known threats that may compromise the PKCS. The industry has developed best practices around the design, construction and operations of such PKCS and the use of cryptographic hardware to manage the PKCS is critical. Numerous “home-grown” PKCS solutions have been compromised, leading to spectacular breaches due to the lack of the use of cryptographic hardware and commensurate controls to protect the PKCS.
DJ: How did you develop your technology?
Noor: StrongKey began its business life nearly two decades ago, designing and constructing Public Key Infrastructures (PKI) for large organizations. Out of this experience, an open-source, internet-scale key-management system was designed and contributed to the internet community in 2006. This, in turn, led to the creation of an appliance to deliver the data protection benefits as an integrated solution to companies wrestling with the challenge of protecting sensitive data for compliance with regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Information Portability and Accountability Act (HIPAA) and similar regulations.
As technology evolved, StrongKey kept pace by including support for the new strong-authentication protocols defined by the FIDO Alliance, and leveraged the Federal Information Processing Standards (FIPS) 140-2 Level 2 certified Trusted Platform Module (TPM) as a low-cost cryptographic hardware module within its appliances. Realizing that this level of protection is necessary even for small and medium-sized businesses, it created a small appliance that brings enterprise-grade security at the price of a departmental copier to even a one-person company with sensitive information. Finally, recognizing that without robust security the internet will fail in its ability to provide a trustworthy medium to run a business operation, StrongKey delivers all its solutions with open-source licenses to dramatically reduce costs. This continuous innovation translates into significant value to StrongKey’s customers.