The process of taking data and rendering it unreadable is known as which of the following?

A Deep Dive into NoSQL Databases: The Use Cases and Applications

Neha Gupta, Rashmi Agrawal, in Advances in Computers, 2018

1.1.5 Protection of Data at Rest and in Motion

Data at rest means data that has been flushed out from the memory and written to the disk. Data in motion means data that is in communication or is being exchanged during a communication. Data in motion is categorized into two categories:

(a) Client-node communication

(b) Internode communication

Most of the NoSQL databases do not employ any technique to protect the data at rest. Only a few provide encryption mechanisms to protect data. To safeguard the data in storage, encryption techniques are used and are referred to as de facto standards of encrypted data. Encryption makes the data unintelligible [8] and hence of no use to a malicious intruder. Most of the industry solutions lack horizontal scaling while offering encryption services.

The popular NoSQL databases offer the following encryption services for protection of data.

1. Data at Rest:

(a) Cassandra uses the TDE (Transparent Data Encryption) technique to protect sensitive data at rest. In Cassandra databases, encryption certificates are stored locally, so a secured file system is required to implement TDE. Also, the commit log of the Cassandra database is not encrypted, which also leads to a breach of security.

(b) MongoDB does not provide any method to encrypt the data file. Data files can be encrypted at the application layer before writing the data to the database, which requires strong system security.

2. Data in Motion:

(a) Client-node communication: This is not encrypted in Cassandra. Encryption is done by generating valid server certificates at the SSL layer.

MongoDB does not support SSL client-node communication. To encrypt the data using SSL client-node communication, MongoDB needs to be recompiled with SSL communication configured.

(b) Internode communication: Cassandra doesn’t support encrypted internode communication.

Using the Cassandra.yaml file, server encryption options can be edited to configure internode SSL communication. MongoDB doesn’t support internode communication at all.

URL: https://www.sciencedirect.com/science/article/pii/S0065245818300032

NonStop SQL and Database Security

In Securing HP NonStop Servers in an Open Systems World, 2006

Encrypting Database Data

Accidental or premeditated access to, damage of, or theft from an enterprise database may come from many different sources. A remote attack might occur from a public network like the Internet. An internal user might attempt unauthorized access or “short-cuts” across a local area network or from a locally-attached terminal. Simple precautions and thoughtful design of database access control will stop most unwanted activity. However, determined attackers often use different software tools to persistently attempt multiple password schemes, to search for “back door” entry points, and to “sniff” and monitor sessions containing authorized users' userids and passwords to gain access to an enterprise database.

Encryption, or translation of data into a secret code, may be one of the most effective ways to achieve data security. To make sense of encrypted data, a user must have access to both the original encryption algorithm and the secret key that enables him to decrypt it.

RISK

ANSI SQL does not have standards for encrypting database data. Neither SQL/MP nor SQL/MX has database encryption extensions.

Data can be encrypted in either or both of the following states:

Data at rest

Data in transit

Data at Rest

Data at rest includes:

Data stored in an online database

Data stored on disk

Data stored in online or offline database extracts

Backups transferred to disk, tape, or optical (CD/DVD) media

Print media

The only system that is safe from network intrusion is one that has no network capability. Sensitive data should never be stored as plain text without a solid business reason and adequate access controls. Many companies have suffered from the theft of sensitive data by employees.

BP-POLICY-ENCRYPT-01

Sensitive data at rest should never be stored as plain text in the clear when accessible from the Internet or other public network or access points.

RISK

Disks, tapes, and optical disks can contain sensitive data. Therefore, access to such media must be controlled physically to ensure security.

AP-ADVICE-SQLDATA-01

Physical and procedural protection of data at rest is vital. Offline copies of sensitive data must be carefully handled and tracked to avoid theft or loss.

AP-ADVICE-SQLDATA-02

Copies of sensitive data should only be made by authorized personnel.

AP-POLICY-BACKUP-04

The Corporate Security Policy should detail procedures for validating requests for backup disks, tapes, and optical disks and for securing such media in an appropriate manner.

3P-ENCRYPT-SQLDATA-01

Use a third party encryption product to secure data at rest.

Data in Transit

Data in transit is data on the move by any means, including:

Data traveling over any voice or data networks

Data gathered through publicly accessible programs, database query tools, search engines, dial-ups, and other wired or wireless access points.

BP-POLICY-ENCRYPT-02

Sensitive data-in-transit should be encrypted using appropriate hardware or software technologies.

3P-ENCRYPT-SQLDATA-02

Use a third party encryption product to secure the transmission of data across public transit.

URL: https://www.sciencedirect.com/science/article/pii/B9781555583446500093

Securing Cloud Computing Systems

Cem Gurkok, in Computer and Information Security Handbook (Third Edition), 2017

Securing Data in Motion and Data at Rest

Data at rest denotes data stored in computer systems, including files on an employee's laptop, company files on a server, or copies of these files on an off-site tape backup. Securing data at rest in a cloud is not drastically different than securing it outside a cloud environment. A customer deploying in a PaaS environment needs to find the risk level acceptable and make sure that the cloud provider is the primary custodian of the data.

Data in motion indicates data that is transitioning from storage, such as a file or database entry, to another storage format in the same or to a different system. Data in motion can also include data that is not permanently stored. Because data in motion only exists in transition (computer memory, between end points), its integrity and confidentiality must be ensured. The risk of third party observation of the data in motion exists. Data may be cached on intermediate systems, or temporary files may be created at either end point. The best method to protect data in motion is to apply encryption.

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000636

iPhone and iPad data security

In iPhone and iOS Forensics, 2011

Analysis of data at rest

Data at rest refers to data that is stored on nonvolatile memory, as against data stored in RAM or in transit across the network. This type of data is acquired through a forensic acquisition (see Chapter 5) and the resulting image is then analyzed for data.

Depending on the type of mobile user, a wide range of data can be recovered from data at rest. Many chapters in this book discuss the array of information and data files that can potentially be stored on an iOS device, including default application data such as text messages, call logs, contacts, voice mails, pictures, videos, web history, and more. In a corporate environment, not only can this basic data be found but business users will typically sync their device with their corporate e-mail account as well. On top of that, there is also the possibility of data storage involving attachments, voice mails, and faxes containing sensitive internal information.

One example to highlight the significance of accessing data at rest involves the iPhone's built-in e-mail application. Assuming a user's Microsoft Exchange e-mail account was synced to the device, data related to this account was stored in a central location, namely user names, Exchange Servers, and the protocol and port over which the account was synced. Passwords are also stored in the database, but in an encrypted format. On devices running iOS 4, these passwords can be recovered quite easily (see Chapter 5, section on “Backup Acquisition,” for more details on how this password can be recovered). Researchers in Germany were also successful in performing an attack on the iPhone, which accessed and decrypted passwords contained in the Keychain database on the device. Here, e-mail passwords were recovered, as well as voice mail, VPN, Wi-Fi, and certain application passwords as long as they leveraged the Keychain file for storing credentials (International Data Group, 2011).

There are two primary techniques that can be used by either a forensic examiner, or potentially an attacker, in the event of a device being stolen. The first technique, typically used by examiners, requires physical access to the actual device. With this method, a forensic acquisition and analysis is performed using one of the various tools available. The remaining chapters in this book go into this technique in great detail, with Chapter 5 covering Forensic Acquisitions and Chapter 6 covering Application and Data Analysis. Chapter 7 walks the reader through the use of many of the commercially available forensic tools. While physical access to a device is not necessarily easy to achieve for a potential attacker, possible scenarios include lost or stolen phones, as well as phones that are replaced with newer models but not securely wiped. In addition, people who travel internationally, especially executives at corporations, may find that their phones are temporarily confiscated and examined by customs officials as they enter a country. In this scenario, the officials have physical access to the device.

The other technique, more commonly used by attackers, is accessing data at rest through remote exploits, vulnerabilities, and malicious software. One exploit involved the ability to spoof web pages even when traffic was running over an encrypted SSL connection. In this attack, a configuration file is modified and, as long as the user accepts the changes (which appear to be coming from a valid source), the attacker has the ability to modify a variety of settings. The Safari web browser could be disabled or other applications on the device affected, depending on the particular change made in that configuration file (Goodin, 2010). Another example occurred in August 2010. This attack allowed a jailbroken iPhone to be remotely connected to using a PDF exploit. Days later, Apple did release a patch for this vulnerability (USA Today, 2010). Given these examples, the possibility of remotely exploiting an Apple device is real, and protective measures are necessary to prevent such attacks.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496599000043

Securing the Cloud: Data Security

Vic (J.R.) Winkler, in Securing the Cloud, 2011

Data at Rest

Data at rest refers to any data in computer storage, including files on an employee's computer, corporate files on a server, or copies of these files on off-site tape backup. Protecting data at rest in a cloud is not radically different than protecting it outside a cloud. Generally speaking, the same principles apply. As discussed in the previous section, there is the potential for added risk as the data owning enterprise does not physically control the data. But as also noted in that discussion, the trick to achieving actual security advantage with on-premises data is following through with effective security.

Referring back to Figure 5.1, the less control the data owning organization has—decreasing from private cloud to public cloud—the more concern and the greater the need for assurance that the CSP's security mechanisms and practices are effective for the level of data sensitivity and data value. (But in Figure 5.2, we saw that the owning organization's responsibility for security runs deeper into the stack as they move from SaaS to PaaS and again to IaaS.)

If you are going to use an external cloud provider to store data, a prime requirement is that risk exposure is acceptable. (Refer to Chapter 1, Cloud Computing and Security: An Introduction.) Risk exposure varies in part as a function of service delivery as it does for deployment.

A secondary requirement is to verify that the provider will act as a true custodian of your data. A data owning organization has several opportunities in proactively ensuring data assurance by a CSP. To begin with, selecting a CSP should be based on verifiable attestation that the CSP follows industry best practices and implements security that is appropriate for the kinds of data they are entrusted with. Such certifications will vary according to the nature of the information and whether regulatory compliance is necessary. Understandably, one should expect to pay more for services that involve such certifications. (This is discussed further in Chapter 8, Vendor Claims and Independent Verification.) One likely trend here is that higher assurance cloud services may come with indemnification as a means of insurance or monetary backing of assurance for a declared level of security. Whatever the future may hold, we can expect that practices in this space will evolve.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495929000051

Protect the Data

Jason Andress CISSP, ISSAP, CISM, GPEN, Mark Leary CISSP, CISM, CGIET, PMP, in Building a Practical Information Security Program, 2017

At Rest

Protecting data at rest is an area in which security is often lax and is an area in which we choose not to emphasize security. Data are considered to be at rest when they are on a storage device of some kind and are not moving over a network, through a protocol, and so forth. Although it might sound somewhat illogical, data at rest on media can also be in motion; for example, we might ship a load of backup tapes containing sensitive data, carry in our pocket a flash drive containing a copy of our tax forms, or leave in the back seat of our car a laptop containing the contents of a customer database.

We can see this type of incident in the media with somewhat disturbing frequency. In August 2013, the Advocate Medical Group in Park Ridge, Illinois, announced it had a breach of personal information due to the theft of four computers containing unencrypted storage media. The media contained sensitive information such as names, addresses, Social Security numbers, and dates of birth of more than 4 million patients [5]. Had the group taken the necessary steps to protect its data at rest by encrypting it, not only would it have not had such a large security incident, but it also may have been spared from having to disclose that the incident had occurred, thus saving quite a bit of embarrassment [6].

URL: https://www.sciencedirect.com/science/article/pii/B978012802042500007X

Protecting cardholder data

Branden R. Williams, ... Derek Milroy, in PCI Compliance (Fourth Edition), 2015

Encryption methods for data at rest

Data at rest encryption options can be broken down into three high-level categories:

File- or folder-level encryption.

Full-disk encryption (FDE).

Database encryption.

Let’s examine the advantages and disadvantages of each as you consider how and where they might fit into your program for protecting cardholder data.

File- or folder-level encryption

File- or folder-level encryption (or file system level) is an encryption system where specific folders, files, or volumes are encrypted by a third-party software package or a feature of the file system itself.

Advantages

You have more granular control over what specific information must be encrypted. Card data files that you need to encrypt can be stored in a particular folder or volume, and data that does not need to be protected can be stored elsewhere. For example, some smaller organizations that do periodic billing actually use this method to encrypt all the numbers between the billing runs, thus satisfying certain PCI DSS requirements.

Many file-level encryption products allow you to integrate access-level restrictions. This allows you to manage who has access to what, and can extend roles-based access controls making large-scale management scalable. This helps satisfy data protection and access control.

Some file-level encryption systems offer the capability to track who attempts to access a file and when. In order to satisfy the PCI DSS logging requirements, your file-level encryption product must allow you to granularly log information about its use to satisfy Requirement 10.

When there is a need to move the data, data can be encrypted on a file level and then moved off of the storage location. Don’t forget to destroy the original data! This maintains the confidentiality of the data when it is moved to a backup medium. Remember that any media lost with cardholder data on it still constitutes a “breach” and must be reported.

File-level encryption tends to consume less resource overhead, thus less impact on system performance. Modern operating systems can perform efficient file encryption on the fly.

Disadvantages

Performance issues can be caused for backup processes, especially with relational databases.

Extra resources for key management are required since more keys may need to be managed.

Windows Encrypted File System (EFS) with Microsoft operating systems is the primary example of such technology. Remember, if you deploy this type of encryption, you will need to ensure that the decrypting credentials are different from your standard Windows login credentials (Requirement 3.4.1). Additional encryption products can be used as well. Here are some of the common free or open-source file encryption products, found in wide use:

GNU Privacy Guard (GnuPG or GPG) from Free Software Foundation can be found at www.gnupg.org. It performs efficient file encryption using symmetric and public key cryptography and works on Windows and Unix operating systems.

TrueCrypt is another free open-source disk encryption software for Windows, Linux, and even MacOS. It can be found at www.truecrypt.org. It can perform file, folder, and FDE.

AxCrypt (www.axantum.com/AxCrypt/) is another choice for Windows systems. It is also free and open-source.

Encrypting individual card data files is free and easy with the above tools. As with other domains, PCI DSS never mandates the use of specific tools or vendors.

Full-disk encryption

FDE or “whole-disk” encryption methods encrypt every file stored on the drive (or drives), including the operating system/file system. This is usually done on a sector-by-sector basis. A filter driver that is loaded into memory at boot encrypts every file as it is written to disk and decrypts any file that is moved off of the disk. This happens transparently to the end-user or the application generating the files.

Advantages

Everything on the drive (or drives) is encrypted, including temporary files and swap space, increasing security of all your data, not just card data. If deployed on all in-scope systems, the card data would be guaranteed encrypted.

Encryption of data is forced on the end user, alleviating decisions on what or what not to encrypt.

Encryption/decryption is transparent. When information needs to be accessed, it can be saved off the system and is automatically decrypted. If a processing application is installed on the system, the use of encrypted data is also easy.

Since all data on the drive is encrypted, even if an alternative boot medium is used against an encrypted system, the data on the drive is unreadable and therefore useless to the thief. Thus, card data is protected even when the system is turned off.

Disadvantages

Some FDE programs can cause an increase in data access times. Slight delays in writing and reading data can occur, especially with very large files and high transaction volumes.

System password management and key management processes have to be defined and put into place. If a user loses his password that grants access to the encrypted system, he has no access to his data at all. Key management procedures defined in Requirement 3.5 are more critical for FDE. By the way, as per 3.4.1, “Decryption keys must not be tied to user accounts!”

For data centers, this technology is largely useless for security (as opposed to laptops that may be stolen or lost in the field) since most data centers have significant physical controls keeping their hardware safe.

FDE does not necessarily protect data on a laptop if the system is compromised while in use. It primarily helps to prevent data disclosure resulting from physical theft.

Some FDE implementations leverage Windows AD credentials. Be careful deploying such systems as it would violate Requirement 3.4.1.

FDE is more suited to protecting data on workstations and mobile devices, whereas file-level encryption is more useful as a method on large-volume storage devices. The much publicized cases of database managers or analysts putting thousands of clients at risk because a laptop was stolen that had been used to download large volumes of sensitive data from a storage device only serve to demonstrate this fact.

Figure 7.3 illustrates the difference in architecture between file-level encryption and FDE.

Figure 7.3. File-Based Encryption versus Full-Disk Encryption

BitLocker Drive Encryption, included with the newer Microsoft operating systems such as Windows 7, is the primary example of such technology. Additional encryption products can be used as well. For example, TrueCrypt is a free, open-source disk encryption software for Windows, Linux, and even MacOS (which also natively includes FileVault), which can perform FDE. It can be found at www.truecrypt.org. The latest Pretty Good Privacy (PGP) Whole-Disk Encryption (www.pgp.com) is not free but is found in frequent use.

Note

Before you reach out for the encryption tools, remember and repeat the mantra: “Do I need to keep this data?” Even with “free” tools there are management costs to operate and maintain them in your environment. The best bet is to never carry the data in the first place.

Database (column-level) encryption

The most sensitive piece of cardholder data that is allowed to be stored is a PAN. Think of this as your crown jewel. This is the full card number that identifies both the issuer of the card and the cardholder account. PCI DSS 3.4 states “Render PAN unreadable anywhere it is stored.” If PANs are stored in a relational database and not in files, the column-level encryption becomes the only approach for rendering the key cardholder data unreadable.

Advantages

When a table is queried for data in an unencrypted column, no performance impact is seen. Since no decryption activity is taking place, there is no delay in reading or writing and no performance hit on the system from encryption software activity.

When a query for a record with data from an encrypted field is performed, the overhead is minimal. Since the decryption activity only has to take place on the individual field or fields that are encrypted, there is much lower overhead.

It can be used in conjunction with other controls to protect data from administrators. Separation of duties between security and database administrators (DBAs) reduces the risk presented by allowing a DBA unlimited access to the data you need to secure for PCI compliance.

Disadvantages

Database encryption requires tight integration with the database and may need to be purchased separately from a database vendor.

It is often highly invasive to the database design. To implement column-level encryption protection after the fact, you may have to change the following (depending on implementation):

Data type of the field being encrypted.

References to and queries of the encrypted field(s) will have to be modified to limit access. Middleware and other applications that interact with the database will have to be comprehended and possibly reconfigured.

Key management has to be well planned; if the encryption key is hard-coded into scripts, it defeats the purpose of securing the data and violates Requirement 3.5. Keys themselves must be stored in an encrypted state and access controls placed around them.

Merchants and service providers who perform batch processing will commonly end up storing sensitive data in flat files exported from a database. In this case, database encryption has to be combined with file or folder encryption.

As a result, column-level database encryption might be the answer for a piece of your overall plan for compliance to protecting cardholder data, but it is unlikely to be the entire plan.

At the time of writing, most major relational database vendors offer some form of database encryption. In particular:

Oracle database (www.oracle.com) offers multiple types of encrypted tables, including “transparent encryption” that can be integrated with applications. See [2] for more information.

IBM DB2 database (www.ibm.com/db2) offers data field and column encryption as well. See [3] for more information.

Microsoft MS SQL Server (www.microsoft.com/sqlserver) offers data encryption as well.

Free open-source database MySQL (www.mysql.com), now owned by Oracle, offers nontransparent data encryption using the Advanced Encryption Standard (AES) cryptographic algorithm, and free open-source database PostgreSQL (www.postgresql.org) offers a multitude of options powered by the pgcrypto() function.

As before, choose the solution that fits your overall IT strategy; you will likely not need to switch database vendors to fulfill your PCI obligations.
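The column-level approach described above, as an added example for PostgreSQL with the pgcrypto extension; it is not code from the book, and the table, column, role and key placeholder names are assumptions. It shows the data type change, the key supplied as a bind parameter instead of being hard-coded in a script, and column privileges that keep reporting users away from the encrypted field.

```sql
-- Added example. Table, column and role names are hypothetical; the PAN is
-- the widely published Visa test number, used here as constructed sample data.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE card_account (
    account_id  bigint  PRIMARY KEY,
    holder_name text    NOT NULL,   -- plaintext column: queries on it do no crypto work
    pan_last4   char(4) NOT NULL,   -- truncated PAN for display and lookups
    pan_enc     bytea   NOT NULL    -- was text before encryption: the data type changes
);

-- Weak pattern the text warns about: a key literal embedded in a stored script.
--   INSERT ... pgp_sym_encrypt('4111111111111111', 'KeyTypedIntoTheScript');

-- Instead the key is a bind parameter ($4 and $2 below) that the application
-- fetches from its key store at run time and never writes into SQL files.
PREPARE store_pan(bigint, text, text, text) AS
    INSERT INTO card_account (account_id, holder_name, pan_last4, pan_enc)
    VALUES ($1, $2, right($3, 4),
            pgp_sym_encrypt($3, $4, 'cipher-algo=aes256'));

PREPARE read_pan(bigint, text) AS
    SELECT account_id, pgp_sym_decrypt(pan_enc, $2) AS pan
    FROM card_account
    WHERE account_id = $1;          -- decrypts one field of one row only

-- Column privileges: reporting users can query the table but not pan_enc.
CREATE ROLE reporting_ro NOLOGIN;
REVOKE ALL ON card_account FROM PUBLIC;
GRANT SELECT (account_id, holder_name, pan_last4) ON card_account TO reporting_ro;

-- Demo calls; '<key-from-key-store>' stands for the value the application binds.
EXECUTE store_pan(1, 'Test Holder', '4111111111111111', '<key-from-key-store>');
EXECUTE read_pan(1, '<key-from-key-store>');
SELECT holder_name, pan_last4 FROM card_account;   -- no decryption performed
```

Because pgcrypto runs inside the database server, the key and the clear PAN travel over the client connection, so that connection needs TLS and statement logging must not capture bound parameters.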

Warning

Don’t forget about portable storage devices that attach to laptops or desktops. There are some software-based solutions that can be configured to enforce encryption on any attached USB device, sometimes even based on the type of data being copied. Other USB devices have built-in biometric readers tied to the issued-user’s thumbprint. While some solutions may be difficult to manage, this can also protect you from having your expensive encryption solution undone by a careless employee who uses a nonprotected USB drive to transfer or store payment data. Overall, minimize the use of portable devices to transport card data.

URL: https://www.sciencedirect.com/science/article/pii/B9780128015797000078

Best Practices

Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

6.3.6 Data at Rest

Is data at rest encrypted? (Y)

What kind of encryption is used? (Item)

Who controls the encryption keys? (Item)

How are keys protected? (Item)

Where/how are the keys backed up? (Item)

Are backup copies of encryption keys stored in an offsite location? (Y)

How are the keys managed? (Item)

Can multiple keys be created and used to segregate users? (Y)

Can a master key be created? (Y)

Can keys be revoked? (Y)

URL: https://www.sciencedirect.com/science/article/pii/B978012802930500006X

Preparing for Generation Mobile

Michael T. Raggo, in Mobile Data Loss, 2016

What’s Different about Mobile?

Managing and controlling data-at-rest on a legacy PC is difficult. The operating system provides very little in terms of isolating corporate data from personal. And in most cases all applications have access to all data on the PC. If you have access to the PC, you’re considered a trusted user. This provides a huge threat surface leading to data loss, malware attacks, and breaches (Figure 1.1).

Figure 1.1. Operating systems – PC vs. Mobile.

Mobile operating systems are different from their PC counterparts in that they employ operating system sandboxing. This sandbox approach separates each app and its data from other apps and their data. This also includes isolation from the operating system as well. But there are features in the mobile operating systems that provide ways in which data can be shared and are typically user-driven. A user can receive an email with an attachment in the email app, open that attachment in a secondary app that allows for it to be edited, and then open the document in a third app to print it over-the-air to a printer, and furthermore upload it to a cloud service. Additionally, features like copy/paste, screenshot, email forwarding, and more exist as well. But what’s important is that much of this is user-driven or user-defined rather than allowing an app to natively perform these functions.

Another important aspect of the mobile era is that the traditional network edge has now become blurred. Mobile devices are very ubiquitous and access enterprise data over the network in a variety of ways. Whether it’s cloud services, web 2.0, data backup services, or multiple network services (cellular, Wi-Fi, NFC, etc.), all make management of this data far more challenging. No longer can we look at the network as a single entry point; the network edge has disappeared, and now data lives everywhere.

Last, but certainly not least, is the emergence of BYOD (Bring your own device). In the PC world, IT provided the computer preconfigured with security controls. But in the mobile world, people show up with their personal devices looking to connect them to their enterprise network or cloud. And even those organizations with corporate-issued devices inevitably find that the user will use them for personal use. In either circumstance, the user has a plethora of features by which they can share, forward, or upload data to and from the network. This has also made the end-user the low hanging fruit for attack. Since these mobile devices are always connected, this provides a much larger window of compromise for attack and exfiltration of data.

URL: https://www.sciencedirect.com/science/article/pii/B9780128028643000015

Domain 2

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Protecting Data in Motion and Data at Rest

Data at rest is stored data that resides on a disk and/or in a file. Data in motion is data that is being transferred across a network. Each form of data requires different controls for protection, which we will discuss next.

Drive and tape encryption

Drive and tape encryption protects data at rest and is one of the few controls that will protect data after physical security has been breached. These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone.

Whole-disk encryption of mobile device hard drives is recommended. Partially encrypted solutions, such as encrypted file folders or partitions, often risk exposing sensitive data stored in temporary files, unallocated space, swap space, etc.

Media storage and transportation

All sensitive backup data should be stored offsite, whether transmitted offsite via networks or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media offsite.

Always use a bonded and insured company for offsite media storage. The company should employ secure vehicles and store media at a secure site. Ensure that the storage site is unlikely to be impacted by the same disaster that may strike the primary site, such as a flood, earthquake, or fire. Never use informal practices, such as storing backup media at employees’ houses.

Protecting data in motion

Data in motion is best protected via standards-based end-to-end encryption, such as IPsec VPN. This includes data sent over untrusted networks such as the Internet, but VPNs may also be used as an additional defense-in-depth measure on internal networks like a private corporate WAN or private circuits like T1s leased from a service provider.

URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000024

What is the process of making data unreadable?

Encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography. In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext.

What is making data unreadable over a network?

Network encryption is the process of encrypting or encoding data and messages transmitted or communicated over a computer network. It is a broad process that includes various tools, techniques and standards to ensure that the messages are unreadable when in transit between two or more network nodes.

What do you call the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge?

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Data can be encrypted in two ways: at rest and in transit.

When data is encrypted, it is unreadable without the key; what is the encrypted text called?

Encryption secures digital data using one or more mathematical techniques known as cryptography. The information input becomes unreadable through encryption as an algorithm converts the original text, known as plaintext, into an alternative form known as ciphertext.