Lecture 3 - 1 Data States

Data in motion refers to data that is being transferred between locations. It is vulnerable to attacks such as man-in-the-middle attacks on wireless networks and malicious hardware/software. To protect data in motion, encryption techniques can be applied including VPNs, HTTPS, and SSL to encrypt network sessions and the data as it moves. Hardware such as USB devices pose a risk if malicious as they can leak data through crosstalk to adjacent ports. Strict protocols and authentication help secure data that is in transit.

Uploaded by zargham.raza

Lecture 3 - 1: Data States

Lecture 2 Summary
• Data Integrity
• Integrity Mechanisms
• Availability
• Methods to Achieve Availability
• Security control categories
• Authentication & Authorization
• Attack Surface
• Attack Tree
Outline of Lecture 3 Part 1
• Data States
• Data at Rest
• Attacks & Controls
• Data in Motion
• Attacks & Controls
• Data in Use
• Attacks & Controls
Outline of Lecture 3 – Part 2
• Cryptography – Main Terms
• Evolution of Ciphers
• Caesar Cipher
• Vigenère Cipher
• Transposition and Substitution Ciphers
• One Time Pad
• Book Cipher
• Rotor Machine

States of Data

Data at Rest
Data that is not being accessed and is stored on a physical or logical medium.
Examples include files stored on file servers, records in databases, and documents on flash drives, hard disks, etc.
This also covers data that is stored with high latency (a rarely changing state).
• It is not being processed by a CPU.

Data at Rest

Data at Rest - Attacks


Data at Rest Protection
• Documentation is considered secure at rest when it is encrypted:
  • Decrypting it by brute-force attack requires an unworkable amount of time
  • The encryption key is not present on the same storage medium
• Full disk (or device) encryption
• File-level encryption:
  • Public-key or symmetric encryption allows you to encrypt individual files
  • Valid for storage, but files can also be protected in transit, e.g. when they are sent as attachments in an email
  • Risk: once the document has been decrypted by the recipient, it can be stored unprotected, resent unprotected, etc.
Data at Rest Protection
Database Encryption:
• SQL Server and Oracle use TDE (Transparent Data Encryption) to protect data stored in databases
• TDE technologies perform encryption and decryption operations on data and log files in real time
• This allows application developers, for example, to work with encrypted data seamlessly
• The encryption uses a database encryption key (DEK)
Data at Rest Protection
• Protection through Digital Rights Management (DRM/IRM):
  • Allows the encryption of documentation by applying persistent protection to it
  • The documentation at rest is encrypted and is only accessible to users who have access rights to it
  • Unlike file-level encryption, the receiving user can open it to read and even modify it, but cannot completely decrypt the file
• MDM (Mobile Device Management):
  • Allows limiting access to certain corporate applications, blocking access to the device, or encrypting data on the mobile or tablet
  • As with standard encryption, it is useful in the event that a device is lost, but when the data is sent outside the device, it leaves unencrypted
Data at Rest Protection
• DLP (Data Loss Prevention):
  • Enables classification/identification of sensitive data on an endpoint or network repository
  • In the case of data in a repository, DLP blocks access for certain users if the access violates a security policy
  • Valid while the data is inside the organization
• CASB (Cloud Access Security Brokers):
  • Allow us to apply security policies to the documentation we have in cloud systems such as Office 365, Box, Salesforce, etc.
  • A DLP system applied to a cloud application instead of the organization's perimeter
Challenges of Data at Rest Protection
• The data can be stored in different media and equipment
  • File servers or document managers
  • Users' PCs, USB devices, etc.
  • Scattered on mobile devices (which may be personal)
• Inability to control cloud storage
  • Many storage providers offer encryption and protection of the data they manage at rest
  • The encryption keys are owned by the storage provider
• Solution:
  • IT departments must analyze the main risks they face regarding the management of their data at rest and select the technology or technologies, prioritizing those that will eliminate or mitigate the risks most likely to occur and/or of greatest impact to their organization
Data at Rest – Security Controls
• Data encryption
• Hierarchical password protection
• Secure server rooms and outside data protection services
• Multifactor authentication
• Strict data security protocols for employees
• Backups
• For some types of data, such as medical records, specific security measures are mandatory by law (like HIPAA)

Data in Motion

Data in motion is data that is moving or being transferred between locations within or between computer systems.

Data in Motion - Examples
• Data moving to a file storage point
• Data moving within a computer system
  • Over a wireless or wired connection
  • Files dragged from one folder to another
• Emails are considered data in motion
  • Around 4.3 billion email users today
• Transfer from one network to another
  • Public to private
  • One security category to another
Data in Motion - Attacks
• Rogue Access Point
• Blackhole Attack
• Grayhole Attack


Malicious Hardware
• Backdoor: sometimes the physical chips within our devices are intentionally made faulty, creating a weakness that can be used by criminals.
• Hardware keyloggers: a method of capturing and recording computer users' keystrokes, including sensitive passwords.
Special Chips Will Detect Malicious Hardware - Business Bigwigs


Malicious Hardware
Backdoor
• Backdoors are a means for an authorized or unauthorized person to gain access to a closed system.
• It is a covert method of bypassing normal authentication or encryption in a computer or an embedded device.
Malicious Hardware
Backdoor in Cisco Routers
• In 2013, a German paper (Der Spiegel) reported that the NSA was taking advantage of certain backdoors in Cisco's routers.
• In 2014, a backdoor was found in Cisco's routers which could allow attackers to access user credentials and issue arbitrary commands with escalated privileges.
• In 2015, a group of state-sponsored attackers started installing a malicious backdoor in Cisco routers that still had the default administrative credentials.
• In 2017, Cisco discovered a vulnerability in its own routers that allowed the CIA to remotely command over 300 of Cisco's switch models.
• In 2021, APT28 (the hacking arm of Russia's GRU military intelligence agency) used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide.
Backdoors Keep Appearing In Cisco's Routers | Tom's Hardware (tomshardware.com)
Data in Motion - Attack
Mirai Malware
• It infects internet routers, NAS and IoT devices such as cameras.
• It turns them into bots that are used to launch DDoS attacks.
• It selects random IPs and tries to log in through the SSH, Telnet, FTP and HTTPS ports.
Inside the infamous Mirai IoT Botnet: A Retrospective Analysis (cloudflare.com)
Data in Motion - Attack
Malicious Hardware: USB port attack
• USB sticks and external hard drives can be a convenient way to move your data from computer to computer.
• They can also be a very risky way to do it.
• The ports you plug your devices into could be leaking your personal data, according to an Australian research team.
USB Ports Could Be Silently Leaking Your Personal Data To A Malicious Device (forbes.com)
Data in Motion - Attack
Malicious Hardware: USB port attack
• Someone could eavesdrop on that crosstalk from a USB port that's next to the one you're using.
• If a malicious device is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. (Dr. Yuval Yarom)

Malicious Hardware
Crosstalk
• Crosstalk is a phenomenon by which a signal transmitted on one circuit or channel of a transmission system creates an undesired effect in another circuit or channel.

Malicious Hardware
USB Port Attack
• A mouse, keyboard, webcam, or printer might look innocent enough, but all could be modified to stealthily steal data from neighboring ports.
• The research team found that 90% of the 50 devices (both computers and external USB hubs) tested leaked data.
https://www.forbes.com/sites/leemathews/2017/08/15/usb-ports-could-be-silently-leaking-your-personal-data-to-a-malicious-device/?sh=5892ae691083

Data in Motion – Security Controls
• Encrypting the network session
  • Secure tunnels such as Virtual Private Networks (VPN) can protect data along the path of communications
  • HTTPS
  • Use mechanisms such as Secure Socket Layer (SSL)/TLS to encrypt messages
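HTTPS/TLS only protects data in motion when the client actually verifies who it is talking to; a session that "uses TLS" but accepts any certificate is still open to the man-in-the-middle attacks listed earlier. The following added example (not from the lecture) uses Python's standard `ssl` module to build the weak client configuration that often appears in scripts beside a hardened one, and audits both. The function names and the check list are this example's own assumptions.

```python
import ssl

# Added example: audit a client-side TLS configuration for the properties
# that make "encrypting the network session" an effective control.
# Function names and the finding strings are assumptions made here.


def weak_client_context() -> ssl.SSLContext:
    """The 'make the warning go away' configuration: certificate verification
    and hostname checking are switched off, so a man-in-the-middle can present
    any certificate and the session still looks encrypted to the application."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate from anyone
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default context (system CA store, CERT_REQUIRED, hostname check) with the
    minimum protocol version pinned so TLS 1.0/1.1 cannot be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context
    enforces certificate validation, hostname matching and a modern TLS floor."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (minimum_version below TLS 1.2)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```

The hardened context is what you would pass to `ctx.wrap_socket(sock, server_hostname=...)` or to an HTTP client; the audit function is the kind of check that belongs in a code review or CI step so that a disabled verification cannot silently ship.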
Data in Motion Protection
• Email encryption
  • Provides end-to-end protection for message bodies and attachments
  • A wide variety of tools exist for encrypting email
• Managed File Transfer (MFT)
  • The file is uploaded to a platform and a link is generated to download it
  • This link is sent by email or other means to the recipient, who downloads the file via HTTPS
  • It is possible to set expiration dates for the link, a password to access it, etc.
Data in Motion Protection
• DLP (Data Loss Prevention)
  • Able to detect whether an attempt is being made to send confidential data outside the organization (e.g., credit card numbers) and block the sending of such data
  • Also allows blocking copies of data to a USB drive, sending to network drives, uploading to web or cloud applications, etc.
  • Can be prone to false positives and block valid submissions that should be allowed to pass through
• CASB (Cloud Access Security Brokers)
  • Can detect if a user tries to download sensitive data and whether they comply with a certain security policy
  • They apply security to a finite number of cloud applications, usually the most well known
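The two DLP points above (detecting card numbers in outbound data, and the false-positive problem) can be shown together. This added example, not part of the lecture, scans constructed outbound messages for payment card numbers and applies the Luhn checksum so that an ordinary 16-digit order reference is not blocked. The regex, the `Finding` record and the sample messages are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Added example: a minimal DLP content check for payment card numbers.
# Candidate pattern: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Deliberately loose; the Luhn
# checksum below does the pruning that keeps false positives down.
_CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    masked: str       # only the last four digits reach the DLP log
    offset: int       # position of the match in the message


def scan_outbound(text: str) -> list:
    """Return a Finding for every Luhn-valid card-number candidate in text."""
    findings = []
    for m in _CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("payment_card", masked, m.start()))
    return findings


def should_block(text: str) -> bool:
    """Policy decision: block the send if any confirmed card number is present."""
    return bool(scan_outbound(text))


# Constructed sample messages (the card number is a well-known test number).
SAMPLE_MESSAGES = {
    "card_in_email": "Hi, please charge my card 4111 1111 1111 1111, exp 12/27. Thanks!",
    "order_reference": "Your order 1234567890123456 has shipped; tracking 1Z999AA10123456784.",
    "clean": "Meeting moved to 3pm, room 204.",
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name}: block={should_block(msg)} findings={scan_outbound(msg)}")
```

Without the Luhn step the order reference would be blocked as well, which is exactly the false positive the slide warns about; a production DLP engine adds further context (nearby keywords, file type, recipient domain) to the same basic decision.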
Data in Motion Protection
• In-transit protection with digital rights
  • Can be applied in email to:
    • Encrypt the body and attachments
    • Apply usage rights, leaving the content view-only
    • Restrict forwarding of the email
Challenges of Data Protection in Transit
• There are an infinite number of means and channels of communication
  • These tools normally protect a certain channel, such as email or web downloads, but it is complicated to cover every protocol and means of communication
• An infinity of cloud applications to protect
• Difficulty determining what should be protected and what should not

Data in Use

It is the data that is currently being updated, processed, accessed and read by a system.

Normally, behind the application there is a user who wants to access the data to view it, change it, etc. In this state the data is more vulnerable, in the sense that in order to see it the user must have been able to access the content decrypted (in the case that it was encrypted).

Data in Use
• Data in use refers to data being processed by applications, as the CPU and memory are utilized.
• Data in use, or memory, can contain sensitive data including digital certificates, encryption keys, intellectual property (software algorithms, design data), and personally identifiable information.

Data in Use
• An attacker with access to random access memory can parse that memory to locate the encryption key for data at rest.
• Once they have obtained that encryption key, they can decrypt encrypted data at rest.
COLD BOOT ATTACKS


Data in Use - Attacks
Cold Boot Attacks
• RAM (Random Access Memory) is volatile and cannot hold data if the computer is switched off.
• Research shows that RAM still holds data for a few seconds to a few minutes before it fades out due to the lack of an electricity supply.
• Typically, cold boot attacks are used for retrieving encryption keys from a running operating system, for malicious or criminal-investigative reasons.
• Physical access is required.
https://www.sciencedirect.com/topics/computer-science/cold-boot-attack
What is a Cold Boot Attack and how can you stay safe? (thewindowsclub.com)

Data in Use - Attacks
Cold Boot Attacks
• A cold boot attack takes advantage of a known weakness in BitLocker, and a number of other applications, where the encryption key is stored unencrypted in RAM while the computer is fully booted.
• Once power is removed from the RAM, the data that it holds is lost within seconds or minutes, depending on the temperature of the RAM.
• The colder the RAM chips are, the longer they maintain their data.
  • Spraying RAM with liquid nitrogen
Cold Boot Attack - an overview | ScienceDirect Topics

Data in Use - Attacks
Rootkits:
Malicious software that provides administrator-level access to an unauthorized user.
Rootkit uses:
• Provide an attacker with full access
• Conceal other malware such as password-stealing keyloggers
• Use compromised machines as zombies

Data in Use - Attacks
Bootkit:
• A kernel-mode rootkit variant called a bootkit can infect startup code such as the boot sector.
Bootkit uses:
• It intercepts encryption keys and passwords.

Data in Use
Security Controls are:
• Encryption of data.
• Authentication of users at all stages. Use a strong identity management mechanism such as Active Directory.
• Sign a NON-DISCLOSURE AGREEMENT about protecting information.
• System hardening
  • Applying security patches
  • Implementing the principle of least privilege
  • Reducing the attack surface and installing antivirus software
Data in Use Protection
• Identity management tools
  • Identification through two-factor authentication
• Conditional Access or Role Based Access Control (RBAC) tools
  • Allow access to data based on the user's role or other parameters such as IP, location, etc.
• Through digital rights protection or IRM
  • We can obtain effective protection of the data in use, as we can limit what actions the user can take once they have accessed the data
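To make the RBAC and conditional-access point concrete, here is an added example (not from the lecture) of a small policy decision function: the role decides which actions a user may perform, and a per-classification condition decides from which networks and countries, and with which authentication strength, the request may arrive. The role table, the classifications, the network ranges and the country codes are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example: RBAC combined with conditional access.
# Role -> permitted actions (constructed for this example).
ROLE_PERMISSIONS = {
    "viewer":  {"read"},
    "analyst": {"read", "edit"},
    "admin":   {"read", "edit", "export"},
}


@dataclass
class Condition:
    """Conditional-access rules attached to a data classification."""
    allowed_networks: list = field(default_factory=list)   # ipaddress networks
    allowed_countries: set = field(default_factory=set)    # empty = any country
    require_mfa: bool = False


# Constructed policy: the private range and country codes are example values.
CLASSIFICATION_POLICY = {
    "public":       Condition(),
    "internal":     Condition(allowed_countries={"GB", "DE"}),
    "confidential": Condition(allowed_networks=[ipaddress.ip_network("10.10.0.0/16")],
                              allowed_countries={"GB"},
                              require_mfa=True),
}


@dataclass
class Request:
    user: str
    role: str
    action: str
    classification: str
    source_ip: str
    country: str
    mfa: bool


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Unknown roles or classifications fail closed."""
    perms = ROLE_PERMISSIONS.get(req.role)
    if perms is None:
        return False, f"unknown role {req.role!r}"
    if req.action not in perms:
        return False, f"role {req.role!r} may not {req.action!r}"
    cond = CLASSIFICATION_POLICY.get(req.classification)
    if cond is None:
        return False, f"unknown classification {req.classification!r}"
    if cond.require_mfa and not req.mfa:
        return False, "MFA required for this classification"
    if cond.allowed_countries and req.country not in cond.allowed_countries:
        return False, f"country {req.country} not permitted"
    if cond.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in net for net in cond.allowed_networks):
            return False, f"source {req.source_ip} outside permitted networks"
    return True, "allowed"


if __name__ == "__main__":
    for req in (
        Request("alice", "analyst", "edit", "confidential", "10.10.5.7", "GB", True),
        Request("alice", "analyst", "edit", "confidential", "203.0.113.9", "GB", True),
        Request("alice", "analyst", "export", "confidential", "10.10.5.7", "GB", True),
    ):
        print(req.user, req.action, req.classification, "->", decide(req))
```

The ordering matters: the role check runs first so a user who may never export is refused regardless of where they connect from, and every lookup that fails (unknown role or classification) denies rather than allows, which is the least-privilege default the earlier controls slide calls for.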
Challenges of Protecting Data in Use
• Most of the tools that control access to data do so before allowing access, but once the user is validated, it is more complex to control what can be done with the data
  • The user can always take a picture
  • Save the screen
Data in Use
NON-DISCLOSURE AGREEMENTS (NDA)
• An NDA is a legal contract that prohibits someone from sharing information deemed confidential.
• The confidential information may be:
  – Proprietary information
  – Trade secrets such as processes, formulas, design documents, and devices
  – Information about persons or events
Non-Disclosure Agreement (NDA) Template – Sample (nondisclosureagreement.com)

End of Part 1
