
Data security prevents catastrophic consequences for your organization

Data security is an essential process for protecting your digital data. Today it is more important than ever to prevent unauthorised access and data loss.

We see extremely high fines for inadequate security of personal data, but the entire strategy of a company can also be ruined if the competition gets hold of important information. Not to mention the damage that individuals may suffer if their data is exposed. On this page you can read more about software and hardware encryption of data and about important security accreditations.

Why data security?

With the digital transformation, data and applications are becoming more important and larger. Moreover, they are also becoming increasingly vulnerable as long as you are not in control of your data security. Business-sensitive and personal data are usually recorded. As an organization, you are required by the GDPR regulation to adequately protect your sensitive data.

It should be clear that data security is important for your organization. The figures on data loss due to cyber threats have risen explosively. Think of data loss due to technical malfunctions, human errors and cyber attacks, such as:

Why is encryption alone not enough?

This has everything to do with encryption only being the shell of a data block. If the data blocks and/or authentication processes are not in order, then the data can still be accessed via a workaround.

Recommendation: hardware-based symmetric AES encryption

We recommend hardware-based symmetric AES cryptography with a minimum key length of 256 bits. Furthermore, you can think of secure data blocks in CBC (cipher block chaining) or XTS (XEX-based tweaked codebook with ciphertext stealing) mode. In contrast to weak software-based encryption, hardware-based encryption does offer protection on the data blocks themselves.

In systems with encryption on a hard disk or USB stick, the protection is completely off while the device is in use. This is why this kind of encryption is also called DAR (Data-At-Rest). The secret keys used in the authorizations should also be well protected. Hashing and salting are techniques that offer no guarantee here. Moreover, hashes and passwords can already be cracked easily with rainbow tables and tools such as BitCracker.
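To make the rainbow-table point concrete, the following added example (written for this page, not code from Hart 4 Technology or any product it describes) builds a tiny precomputed lookup table of unsalted SHA-256 digests and shows that a captured unsalted digest is reversed instantly, while a per-user random salt defeats the precomputed table. The password list and the salt are constructed here; the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// commonPasswords is a constructed stand-in for the password list behind a
// rainbow/lookup table; real tables hold billions of entries.
var commonPasswords = []string{"123456", "password", "welcome1", "qwerty"}

// hashUnsalted is the weak scheme: the same password always yields the same
// digest, so one precomputed table serves against every user and every system.
func hashUnsalted(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// hashSalted mixes a per-user random salt into the digest; a table built
// without that salt cannot match it, and every user must be attacked separately.
func hashSalted(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// newSalt draws a 16-byte salt from the OS CSPRNG; a failure here is fatal.
func newSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

// buildLookupTable precomputes unsalted digests once, the way a lookup table
// does, so a captured digest is reversed with a single map access.
func buildLookupTable(candidates []string) map[string]string {
	table := make(map[string]string, len(candidates))
	for _, p := range candidates {
		table[hashUnsalted(p)] = p
	}
	return table
}

// lookup reports whether a captured digest is recovered by the table.
func lookup(table map[string]string, digest string) (string, bool) {
	p, ok := table[digest]
	return p, ok
}

func main() {
	table := buildLookupTable(commonPasswords)
	p, hit := lookup(table, hashUnsalted("welcome1"))
	fmt.Println("unsalted digest in table:", hit, p)
	_, hit = lookup(table, hashSalted(newSalt(), "welcome1"))
	fmt.Println("salted digest in table:", hit)
}
```

Salting only removes the precomputation shortcut: with a fast hash like plain SHA-256 an attacker can still try every candidate per user, which is why password storage uses a deliberately slow function (PBKDF2, bcrypt or Argon2) and why a data encryption key should not be derived from a password at all.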

We therefore recommend hardware-based encryption (AES-256 bits) in which the secret DEK (Data Encryption Key) is protected by so-called "Always-On" encryption. This is combined with a random key generator, where the secret keys are stored externally and exchanged (not via the standard RAM or CPU of the computer system concerned) by means of a smart card or a USB token.
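The two recommendations above (AES-256 on data blocks in CBC mode, and a randomly generated DEK that is never stored in the clear but wrapped under a key held on an external token) fit together as in the following added example. It is illustration code written for this page, not Hart 4 Technology's product or firmware: the `Token` type is an assumed software stand-in for the smart card or USB token, the KEK it holds is the assumed external secret, the 512-byte sector is a constructed sample, and the DEK is wrapped with AES-256-GCM so that a wrong or tampered wrap is rejected rather than silently producing a bad key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Token models the smart card or USB token: it holds the KEK and only ever
// hands out the DEK in wrapped form or unwraps it on request.
type Token struct{ aead cipher.AEAD }

// Record is what reaches storage: the DEK is present only in wrapped form.
type Record struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	IV         []byte // fresh random CBC initialisation vector for this sector
	Ciphertext []byte // AES-256-CBC(DEK, sector)
}

// randomBytes draws n bytes from the OS CSPRNG; a failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewDEK is the "random key generator": a fresh 256-bit key, never derived from a password.
func NewDEK() []byte { return randomBytes(32) }

// NewToken initialises the token with a 256-bit KEK; AES-GCM's tag makes a
// wrong KEK or a tampered wrap fail instead of yielding a garbage DEK.
func NewToken(kek []byte) (*Token, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Token{aead: aead}, nil
}

// Wrap encrypts the DEK under the KEK with a fresh nonce.
func (t *Token) Wrap(dek []byte) []byte {
	nonce := randomBytes(t.aead.NonceSize())
	return t.aead.Seal(nonce, nonce, dek, nil)
}

// Unwrap recovers the DEK and fails unless the same KEK is present.
func (t *Token) Unwrap(wrapped []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped DEK too short")
	}
	return t.aead.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// EncryptSector seals one fixed-size data block (a whole number of AES blocks,
// like a disk sector, so no padding is needed) with AES-256-CBC under the DEK.
func EncryptSector(tok *Token, dek, sector []byte) (*Record, error) {
	if len(sector) == 0 || len(sector)%aes.BlockSize != 0 {
		return nil, errors.New("sector must be a non-empty multiple of 16 bytes")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, sector)
	return &Record{WrappedDEK: tok.Wrap(dek), IV: iv, Ciphertext: ct}, nil
}

// DecryptSector must obtain the DEK from the token first; without the token's
// KEK the stored record is useless.
func DecryptSector(tok *Token, r *Record) ([]byte, error) {
	dek, err := tok.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	if len(r.IV) != aes.BlockSize || len(r.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(r.Ciphertext))
	cipher.NewCBCDecrypter(block, r.IV).CryptBlocks(pt, r.Ciphertext)
	return pt, nil
}

func main() {
	tok, _ := NewToken(randomBytes(32)) // KEK is generated on, and never leaves, the token
	sector := make([]byte, 512)         // constructed sample sector
	copy(sector, "customer record 42")
	rec, _ := EncryptSector(tok, NewDEK(), sector)
	pt, err := DecryptSector(tok, rec)
	fmt.Printf("%q %v\n", pt[:18], err)
}
```

The stored record contains only the wrapped DEK, the IV and the ciphertext; presenting a different token, or flipping one byte of the wrapped DEK, makes `DecryptSector` fail at the unwrap step. A real hardware token would perform the wrap and unwrap inside the card so the KEK never reaches host RAM; here that boundary is the `Token` type. Go's standard library has no XTS mode, which is why this example uses CBC with a random per-sector IV.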

Certification of data security

For secure data, FIPS certification is often sufficient. However, that means that all defenses are described publicly on the NIST web page. This also means that there may be other attack surfaces or backdoors with which to break the data security. After all, hackers have insight into the defense mechanisms that are deployed.

One step further is a national pen test certificate. Here, attack techniques are run against the product for a few weeks and a report is issued. The outcome can be positive or negative. With this you can show within a few months that these products have been tested by a national security company, after which, in the Netherlands for example, a BSPA certificate is issued.

The costs of this research are easily between € 25.000 and € 100.000. The costs depend on which attack surfaces are tested and on the corresponding certification, such as BSPA certification or an even heavier certification of EAL5+ or higher.

National certification

These are national studies that go beyond pen testing. Every bit is turned over, as it were, and extensively documented. In the Netherlands we know these levels of classification:

  • Restricted
  • Confidential
  • Secret
  • Top secret

The higher the certification, the longer a national certification will take. In addition, higher certification will also have strict requirements such as:

  • Product
  • Technical documents
  • Technical development and redevelopment
  • Requirements for all production environments
  • Requirements for new innovations. New updates should first be consulted with the organization that evaluated the product
  • Requirements for all employees of the developer and associated production lines
  • The key management, process and distribution
  • Order process

The benefit of a national certification is that the country that has it carried out gains the assurance and confidence that a product's data security meets certain classification levels and requirements. These examinations go far beyond pen testing. The technical documentation is not online, and if any vulnerabilities are found, they must be resolved through a software/firmware update. You can say that this type of national certification also enjoys a high degree of trust within the government.

Differences between hardware and software encryption

  • With software encryption without data block protection, a header can be read out of a data block. Consider that a secret file (for example a PDF file) can then be read out in its entirety.
  • Software-based encryption offers no resistance to brute-force and password rewind attacks.
  • Software disk encryption via a TPM 2.0 chip also means that all outgoing data, including the decryption key, is passed in plain text. In addition, certain TPM 2.0 chipsets are also vulnerable to factorization attacks.
  • In addition, you may wonder how the secret keys are exchanged in software-based encryption. Via the RAM of the computer they can still be retrieved by performing the right side-channel attack. Good software encryption can be recognized by the fact that the RAM is erased before the computer is switched off. In practice this can take a few minutes and is not a user-friendly process for employees within the organization.
  • Hardware encryption requires no maintenance and works seamlessly after every system update. This is in contrast to software encryption, which often causes problems and incurs unnecessary IT costs.

COVID-19 indicates how vulnerable data is

Since COVID-19, many employees have been working from home. This also changes the attack surface for cybercriminals, with the number of cyber incidents increasing by an average of 30%.

Well-known examples are:

Vulnerable applications installed by employees: because employees install their own applications on their own work computers (think of the concept "Bring Your Own Device"), the risks and vulnerabilities are incalculable. Installing unapproved applications exposes business applications and sensitive data to vulnerabilities.

Solution: don't give home users administrator rights to install applications, and educate them about digital dangers. Organizations do not need to purchase expensive desktops or laptops. A secure bootable Windows USB stick is also sufficient to set up a complete working environment in a simple and cost-effective manner.

Vulnerable VPN connections: remote workers still use traditional VPN connections. VPN connections are outdated and therefore vulnerable to zero-day attacks. Moreover, VPN connections give full network access after the tunnel is established. In addition, multi-factor authentication (MFA) also does not work after the tunnel is established. Read more about VPN vulnerabilities in our blog:

Preventing a zero-day attack with Zero Trust? The solution for secure working from home

Solution: defend against zero-day attacks and optimize your current VPN, or replace it with the world's most user-friendly Zero Trust solution, ZoneZero Software Defined Perimeter (SDP). Moreover, this solution works seamlessly in any complex network, whether in the cloud or on-prem.

Vulnerable email and management software such as Exchange, SolarWinds and Kaseya: these attacks have had a major impact worldwide. By providing critical systems, applications and protocols with an additional MFA authentication layer, these attacks could have been prevented. In short, the impact would not have been so great. Want to know more about these vulnerabilities and attack techniques? Read our blogs below:

Avoid a supply chain attack like SolarWinds Orion?

The Exchange Marauder hack could also have been prevented

Why cyber-attacks are increasingly successful and how you can arm yourself against them with 2 excellent solutions

Solution: Use a multi-layered endpoint security from ESET and modernize your entire network, applications and protocols with our Zero Trust solution from ZoneZero.

Vulnerability due to human error: because the number of phishing attacks has increased significantly, one wrong click can have major consequences for an organization. Malware can be installed and the hacker is inside the network and can then operate unseen and undisturbed for a long time. In addition, ransomware attacks are also becoming increasingly sophisticated due to this hack within a network. More information about ransomware can be found in our knowledge base:

The ultimate preparation against Ransomware

Solution: Use multi-layered endpoint security from ESET and modernize your network, applications and protocols with ZoneZero. Make daily backups and check that they are working properly.

Completely preventing ransomware is not (yet) possible. If you continue to properly inform every employee about the dangers of clicking on and opening e-mails and files, then you can prevent it.

Vulnerability due to criminal activity: the deliberate processing or reselling of personal data by an organization's own employees. Well-known examples of this are the GGD GHOR in Amsterdam and the Dutch tax authorities.

Solution: with ZoneZero, you retain control over authentication and, in addition, you can perform audits. This not only enforces the policies within the organization, but also complies with the laws and regulations of the General Data Protection Regulation (GDPR).

Data security

There is no more time left. Get your data security in order. Act in time and start investing in data security, step by step if necessary. Organizations must comply with GDPR legislation, and in the event of an incident you can avoid huge fines (up to 4% of global turnover) and inestimable damage to your reputation. In the event of a ransomware attack, your IT costs for a long investigation (~8 weeks) can be very high. This could be followed by a fine from the EU's data protection authorities, and the damage to your reputation is impossible to express in monetary terms. Finally, your customers will be happy to do business with you if your data security is in order.

Hart 4 Technology enables optimal data security

Secure data and files and protect your corporate network from intruders? Contact Hart 4 Technology. Our staff is ready to advise you on the security of your business data.