We hear about a new data security breach on a weekly basis.
Here are just a few reports from 2017: According to cyber defense firm Cryptonite’s 2017 Healthcare Cyber Research Report, IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017. In early March 2018, credit-monitoring firm Equifax uncovered another 2.5 million people exposed by its massive data breach in 2017, bringing the total number to 147.9 million. Yahoo fessed up that 3 billion accounts were hacked in 2013—three times what was first reported. Then there’s just plain sloppiness, such as when a GOP data firm misconfigured a security setting in its cloud storage service, exposing nearly 200 million voter records.
It all just makes you #WannaCry.
Mitigating Risk of Data Breaches
The grim reality begs the question: how can we protect the most sensitive data from being breached? First and foremost, don’t connect the computer or group of networked computers containing highly secure data to any other computer or enterprise network—and certainly not to the internet. Enter the air-gapped system. An air-gapped system, such as that used in many military and highly classified situations, may be the most secure. The system is not connected to the outside, and it is physically isolated from the intranet. It is also limited to one or a few connected computers containing data. An air-gapped architecture isolates computers and servers, protecting them from tampering or malware while allowing control by remote operators.
Some air-gapped security systems are even designed to separate control room operators from the systems they control.
Protecting the Air Gap
While the air-gapped approach is the best first defense, it is humans who seek to breach it. Additional measures can be taken to prevent this.
Beware the USB device. According to an article in IEEE Spectrum, in June 2010 the Stuxnet worm infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Stuxnet entered the systems via a USB stick and proceeded to infect all machines running Microsoft Windows. It is reported but not confirmed that Stuxnet destroyed some of Iran’s centrifuges.
Instituting best practices for use of mobile devices, USB thumb drives, and removable media security is highly recommended for organizations wanting to protect any level of data.
The National Institute of Standards and Technology (NIST) issued its own policies and technical requirements on USB thumb drive security, which were furnished to other federal agencies. Top of the list is that all personally owned removable media is banned from use.
When data does need to be stored on removable media, NIST has a strict mobile device encryption policy. In addition, a removable media disposal procedure was implemented.
There are several more levels of protection, such as a cage that prevents electromagnetic radiation (EMR) from escaping air-gapped equipment, and solutions that prevent keystrokes or screen images from being intercepted.
While not necessarily a matter of national security, I think I’ll write a letter to my senator suggesting a few cages be ordered to prevent our personal information from being compromised over and over again.
Cindy Davis is the contributing editor of AV Technology.