The world has become increasingly aware of the threat of cyber attacks and data breaches, but not all organizations know how to defend themselves against them. Systems breaches great and small have more than doubled in the past five years, and the attacks have grown in sophistication and complexity.
From DDoS attacks to data loss, a cyberattack can have devastating consequences for a brand. Not only does it lead to a loss of consumer confidence, but the manner in which a company handles an attack can also have a significant impact on the business’s bottom line and reputation.
Nascent industries like cryptocurrency are also feeling the impact. Accounting agency KPMG told Bloomberg in March that the cryptocurrency market must enhance its digital asset security before $245 billion of the crypto industry can expand.
While it may seem hopeless and at times even impossible, the good news is it’s not. There are a few key steps every organization can take to protect its digital landscape. To protect digital assets, it’s good to start with the basics, like getting organized, understanding attack and breach implications.
The evolution of digital security has made digital asset management more transparent, accessible and streamlined than ever. But protecting digital assets comes with its own set of unique challenges. In this article, we’ll take a bird’s-eye view at the current state of the digital asset threat landscape, technology, and solutions.
What Is a Digital Asset
A digital asset can be anything in a digital format, from a text document to a private key to a database. In determining the priority of assets to protect, organizations must confront both external and internal challenges. The idea that some assets are of critical importance to a company must be at the heart of an effective strategy to protect against cyber threats.
The Difference Between a Digital Asset and a Digital Security
It may be surprising, but the first digital asset was in fact Bitcoin when it launched in 2009. Now, digital assets are prominent in discussions by the SEC, the Financial Crimes Enforcement Network, and other regulatory bodies. Digital assets have become a permanent fixture in finance.
Mason Borda, CEO of TokenSoft, outlined the distinction between the two. “A digital asset is a digital representation of something of value, for which ownership is verified and recorded on a distributed ledger.”
A digital security, on the other hand, is a “digital representation of an asset that happens to be a security, often an investment contract, for which ownership is verified and recorded on a distributed ledger. A digital security, which is subject to traditional securities laws, is often referred to as a security token.”
For example, a digital security could be a share of a corporation, a portion of a note, or a debt security. In some cases, it could also be fractionalized interest which some commentators have discussed as being an especially suitable use-case for the security token concept.
Digital Asset Threat Landscape
Industries around the world, from health to finance have seen their fair share of threats over the past decade. As companies and clients continue to expand their digital services, they’ll continue to face ongoing threats to their security’s IT and infrastructure.
Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests.
The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.
Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.
Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack. This can have devastating results on a business.
One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor, which had trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.
Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments.
Ransomware has cost businesses more than $75 billion per year in damages (Datto), and ransomware remains the most common form of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs.
While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk. Unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers.
Unsecured IoT devices, such as home routers, printers, and IP cameras are all vulnerable to attack. As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach an institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network.
Cloud Storage Vulnerabilities
For many enterprise solutions, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so.
With the Wall Street Journal’s release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming.
With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.
Contrary to what many may believe, the sole responsibility for protecting corporate and customer data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.
In cases of breached data, a company may be required to disclose the breach to authorities and alert customers and potential victims. Regulations like HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive are laws that outline the necessity of such disclosures.
Using legally-mandated breach disclosures, regulators can issue hefty fines against a company, and it’s not uncommon for consumers whose data was compromised to file lawsuits.
Many cloud services available today have a number of stringent security protocols in place to protect the data they store. However, it’s the responsibility of any given organization to implement a plan for protecting their customer’s data on the cloud. Here are just a few ways your digital assets are vulnerable when stored on the cloud.
Cloud data storage security has forced today’s cybercriminals to invent new ways to circumvent today’s cyber solutions in order to gain access to the sensitive data of millions of businesses and individuals.
A data breach can have huge consequences for a company, both legally and reputationally. A data breach can expose sensitive customer information, intellectual property, and trade secrets, all of which can lead to serious consequences for any business. Companies could potentially face lawsuits and hefty fines, as well as damage to the brand image that could last for years.
In May 2016, hackers stole an estimated 167 million LinkedIn email addresses and passwords causing irreparable damage to the brand’s customer trust. While cloud storage providers work to implement rigorous security measures, the same threats that impact traditional storage networks also threaten those of the cloud.
Today it’s possible for a hacker to listen for a ‘side-channel timing exposure,’ signaling the arrival of an encryption key on another VM of the same host. This kind of breach can lead to an organization’s most sensitive internal data falling into the wrong hands.
A data breach can lead to data loss which can take place when a disk drive dies without a proper backup in place. Like losing the key to your house, data loss occurs when the owner of encrypted data loses the key that unlocks it.
A data loss could occur as a result of a malicious attack. On Easter weekend in 2011, small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered “a re-mirroring storm” due to human operator error.
While the chances of losing all your data in the cloud aren’t that high, there have been reports of hackers gaining access to cloud data centers and wiping all the data. That’s why it’s critical for organizations to distribute their applications across several zones, and backup their data using off-site storage if and when possible.
On top of this, companies need to be aware of compliance policies that dictate what they can and can’t do with the data they collect. By complying with these rules, companies can work to protect their data and the data of their customers’ in the event of a data breach.
Since both data breaches and data losses can lead to a loss of consumer confidence in a brand, the manner in which a company handles an attack will also have a significant impact on the business’s bottom line and reputation.
Although account hijacking sounds too simple to be a serious concern for cloud services, consider the impact of a compromised account. An attacker with control of an account has the ability to eavesdrop on transactions, manipulate data, provide false responses to customers, and redirect customers to a phishing or competitor’s site. Even worse, if a compromised account is connected to other accounts, it’s possible to quickly lose control of multiple accounts all at once.
There are many security threats that can be easily prevented with the creation of secure, unique passwords. While remembering complex passwords can be a challenge, the use of a trusted password manager like Dashlane or OnePassword can really simplify things.
Businesses that provide employee training in order to raise awareness of such vulnerabilities can stress the importance of creating secure credentials on a company-wide scale. In addition to using strong passwords, companies can also work to protect themselves by defining the right user roles and creating processes for identifying critical changes made by other users.
Hacked Interfaces and Insecure APIs
In today’s cloud era, companies try to make services available to millions while limiting any damage anonymous users may do to their service. They do this with the use of APIs, or public-facing application programming interfaces, that defines how a third party connects an application to the service.
Most cloud services use APIs to communicate with other cloud services, leaving a wide gap for potential exploitation. As a result, the security of APIs has a direct effect on the security of the cloud services, and the chances of getting hacked increases. Such a hack has the potential to cause a business to lose confidential information related to their customers or other parties.
The best way for businesses to protect themselves from API hacks is to implement threat modeling applications and systems into the development lifecycle. It’s also recommended to perform comprehensive code reviews regularly to ensure that there aren’t any security gaps that have the potential to be exploited.
DDoS and DoS Attacks
DDoS attacks have the potential to cripple an organization’s public cloud and affect the availability of enterprises that run critical infrastructure in the cloud. This kind of malicious attack can be debilitating for a business, slowing systems down or timing out requests while consuming huge amounts of processing power.
Today’s attackers have improvised increasingly sophisticated ways of carrying out an assault before hundreds of thousands of automated requests for service can be detected and screened.
This makes it harder than ever to detect which components of incoming traffic are the bad actors and which are legitimate users. For companies, experiencing a DoS attack feels like being caught in rush-hour traffic with no way out –– and there’s nothing you can do about it but sit and wait it out.
While DoS attacks have been around since the dawn of the decade, cloud computing has made DoS attacks more prevalent than ever. In some cases, persistent DoS attacks can be too costly and time-consuming; it forces businesses to shut down their service until remediations can be made.
Many cloud services have systems in place for protecting cloud customers against these kinds of attacks, but the best way to ensure you don’t fall victim to one is to prevent an attack from happening in the first place.
With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the number of blockchain-based solutions developed to date. While security features inherent in blockchains make Distributed Ledger Technology (DLT) resistant to attack, they do not make it immune.
In fact, DLT technology is subject to a number of issues that centralized databases are not. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data.
Blockchains’s unique security features don’t make it immune to exploitation. Rather, with far more limited attack vectors, blockchain security relies heavily on the security of its weakest endpoint: the cryptographic key.
The Role of Private Key Infrastructure (PKI)
Encryption is most commonly used on documents and messages before they’re transmitted, but if the recipient of the information cannot verify its source or the identity of the sender, the authenticity of the information may not be trustworthy.
This is the primary reason for the use of keys when decrypting data. Keys are shared between the sender and receiver of encrypted communications and verified by digital certificates in order to establish the integrity of any incoming information.
Public Key and Private Keys
In the world of data encryption and decryption, there are typically two kinds of encryption, asymmetric and symmetric. Symmetric, is when both the sender and recipient of the information have an identical key that allows for the translation of the incoming data. In cases of symmetric encryption, both parties must make efforts to keep the key secret and safeguarded –– which is inherently more risky.
That’s asymmetrical cryptography and the use of public keys come in useful. Used more often today, a public key can be used to encode information and a private key is used to decrypt it. A good example of this would be credit card usage, such as pin transactions.
Decryption Using Public Keys
The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke private keys, digital certificates and public-keys. Public keys are the basis for a Public Key Infrastructure when encrypting highly-sensitive data. PKIs enable the use of digital signatures and encryption across large user sets.
Often they help establish the identity of people and devices, enabling controlled access to systems and resources, protecting data and authenticating transactions. Many of today’s emerging technologies, especially within the fintech space, are becoming more and more reliant on PKI technology to guarantee security and protection of sensitive data.
Generating Cryptographic Private Keys
All cryptographic private keys generated within a PKI infrastructure must be random. By design, a computer is unable to generate a truly random value because it is a finite-state machine.
Therefore, a unique physical process is needed in order to generate random numbers and keys. HSM devices contain unique hardware that uses a physical process to generate a reliable source of randomness, that in turn is used to generate truly perfect random keys.
Hardware Security Modules (HSMs)
That leads us to the important role hardware security modules play in critical infrastructure security. A hardware security module, or HSM device, is a dedicated cryptographic processor designed to protect highly critical and sensitive keys and assets. Customizable HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world.
This piece of hardware may look small but is mighty powerful. It has the ability to securely manage, process, and store cryptographic keys inside its hardened, tamper-resistant shell.
The Use of HSMs
Outside of banking, enterprises use HSM devices to protect anything from transaction data, identity, and applications. HSMs are excellent at securing cryptographic keys and encryption, decryption, authentication, and digital signing services for a wide range of applications, including database encryption and SSL/TLS for web servers.
With wide-ranging use, many industries and businesses have come to rely on programmable HSM devices to provide quick, safe and secure data transactions and verification. Whatever the use case may be, the key elements of any programmable HSM device require that it:
- Is designed using specialized hardware that is well-tested and certified.
- Has a security-oriented Operating System.
- Has access to a network interface controlled by strict internal parameters.
- Actively stores and protects cryptographic material.
The Use of HSMs for Blockchain
With blockchain’s industry value estimated to hit $23B by 2023, it’s hard to keep track of the blockchain-based financial solutions taking off left and right, such as ICOs and STOs. Proponents of distributed ledger technology (DLT) consider it to be one of the best ways to secure transactions.
But while blockchains have many desirable features –– such as transaction efficiency –– there are still other conditions to consider when it comes to leveraging its technology. The growing consensus among blockchain security experts highlights the need for blockchain-compatible security solutions that will directly address the threat of data theft and exploitation.
There are many ways in which customizable HSM devices can be used in blockchain, leveraging this established hardware technology to protect keys. After all, this emerging industry needs more and better solutions to protect currencies and mitigate risks of theft, hacks, or security breaches.
There are six potential uses of flexible HSM hardware to foster security in the blockchain:
- Generation of private and public key pairs: The HSM needs to support the blockchains specific algorithms.
- Secure storage for private keys: Private keys must remain secure and private.
- Secure signature and verification: Send valid transactions to the blockchain by signing them and verify transactions whenever needed.
- Hierarchical deterministic wallet support: Ability to derive key-pairs in a secure environment from a single key master according to BIP32.
- Encryption, decryption and use of keys records from key databases: A significant number of applications require secure key storage and a secure environment for their usage.
- Logging: Usage tracking needs to be secure as well. Being able to audit and monitor how and when keys are used without the ability to modify and alter the logs.
HSM Operating Environment
Any programmer would normally mix the database access code, business-logic and cryptographic calls in one single application, leaving it dangerously vulnerable to exploitation and attack. This is a dangerous approach, as an attacker can leverage crafted data to access cryptographic materials, steal keys, install an arbitrary certificate, and so on.
To prevent such intrusions, advanced customizable HSM devices require two separate operational zones. A single one that holds the business logic, and a second for cryptography which is entrusted with the cryptographic operation.
Remote HSM management allows multiple security teams to perform tasks from a central remote location without the need to travel to a physical data center. A flexible HSM management solution provides users with operational cost savings and flexibility. Remote HSM management capabilities are distinctive in that they require more stringent security controls.
Banks and other institutions have been wrestling with these unique challenges for decades. That’s why it’s become important for the blockchain community to embrace tried and tested solutions, such as programmable HSMs, which may be crucial in helping blockchain evolve and mature.
In the face of such diverse and imminent threats, companies often make the right decision to spend more on cybersecurity. But many are unsure how to go about it, often misallocating time, money and resources in their mitigation strategies.
For example, a global financial-services company might leave cybersecurity investments mainly to the discretion of the chief information security officer (CISO). This can lead to security teams being isolated from business leaders, and the resulting controls were not focused on the most critical assets that require protection.
Another example may be a healthcare provider that makes patient data its only priority, while other infosec areas are neglected, such as confidential financial data relevant to big-dollar negotiations.
These common examples illustrate the growing need for a unified, enterprise-wide approach to cyber risk which involves the business and the risk, IT, and cybersecurity groups.
Leaders of these groups must begin to work together in order to identify and protect an organization’s critical digital assets as a priority. Critical infrastructure security investment must be a key part of the business budget cycle and investment decisions must be more evidence-based and sensitive to changes.
Whether the future of many of the world’s largest industries will evolve to adopt blockchain technology is still up for debate. But if history teaches us anything, it’s that it’s going to take a lot more to protect our digital assets in 2020.