Secure Your Data at Rest, Stupid!

As I’ve mentioned on occasion, I was born in the city of Sheffield in the county of Yorkshire in that paradise on Earth known to the bards as Albion. Sheffield has an international reputation for metallurgy and steelmaking. In fact, it was this industry that established Sheffield as one of England’s main industrial cities during the 18th, 19th, and 20th centuries.

You may recall from my blog about my mom — The Times They Are a-Changin’ — Part 1 — that, following WWII, she started work in a typing pool (see also Part 2 about my grandfather and Part 3 about my dear old dad).

I was just chatting with mom via the wonders of FaceTime regarding the company she used to work for when I was a kid in the early 1960s. By that time, she had risen to be the personal assistant to the English industrialist Maurice Alberic Twisleton-Wykeham-Fiennes (he became Sir Maurice when he was knighted by Queen Elizabeth II in 1965). Although he had a commanding presence, I remember him as being an extremely nice guy who gifted me with pieces of colored glass from the fireplace in his office.

I always heard mom’s company referred to as Davy-United, but she just shared some additional details. For example, the “Davy” part came from the Davy Brothers, who set up a business in 1830 to make steam engines at Lady’s Bridge in Sheffield. If you ever get a chance to visit the Kelham Island Museum, you will see one of the company’s steam engine creations called the River Don Engine, which was built in 1906. This humongous and bodacious 3-cylinder beauty — which was used for hot rolling steel armor plate — is awesome to behold, especially if you are lucky enough to see it fired-up and running (I’ve been fortunate enough to experience this, and it’s a truly incredible sight).

The “United” portion of the Davy-United moniker came from the United Engineering & Foundry Company, which was founded in 1901 in Pittsburgh, Pennsylvania, USA, but let’s try to curtail ourselves from wandering off into the weeds (as part of which I will restrain myself from telling you the answer to the question posed in my recent blog, What’s Brown and Sticky?).

In 1960, Davy-United merged with the Power-Gas Corporation to form Davy-Ashmore, and then things started to get complicated. Suffice it to say that, at that time, Davy-Ashmore was the largest engineering company in Europe and had a worldwide footprint, which explains how my mom found herself making her presence felt whilst trekking across India in 1963 when I was but six years old; however, that’s a tortuous tale for another day.

Davy-Ashmore’s Sheffield facility started renting a mainframe computer from IBM in the mid-1960s (they had to rent it; they couldn’t afford to buy it). My mom says that, as part of this, they constructed a huge building in which to house the computer and they created a special subsidiary company to be in charge of everything. Everyone who worked in the computer building had to wear white coveralls, and anyone caught smoking in the building was dismissed without references on the spot. In order to cover its costs, the computer had to be run 24 hours a day 7 days a week. Although there were a lot of other large steel companies in Sheffield, none of them could afford a computer, so Davy-Ashmore rented time on the machine and ran the payroll programs for all of the other companies.

The reason for my waffling on about all of this here is that I was just musing how, even with all of the problems computer owners and users had to contend with back in those days of yore, at least they didn’t have to worry about Chinese, Russian, Iranian, and North Korean hackers breaking into their systems via the internet and other nefarious channels.

I think it’s safe to say that things are getting scary on the hacking front. As my chum Steve Leibson mentioned in his recent The Bad Guys are Winning in Cyberspace. Here’s One Way to Beat Them column, an incomplete list of very recent, very successful cyberattacks and their repercussions is as follows:

December 2020: Hackers inserted malicious code into SolarWinds’ widely used Orion IT management software, causing the exposure of sensitive data at several top US government agencies, corporations, and other organizations.
February 2021: An unknown hacker attempted to poison the residents of Oldsmar, Florida (population 13,591) by dangerously increasing sodium hydroxide levels in the town’s drinking water using remote access to the water treatment facility’s water-treatment equipment via the Internet.
March 2021: Hackers compromised more than 150,000 security cameras managed by Verkada and located in gyms, jails, schools, hospitals, and factories.
May 2021: The DarkSide Russian hacking group broke into Colonial Pipeline’s IT network and forced the company to cut the connection between its IT and OT networks, resulting in a shutdown of the company’s 5500-mile pipeline system for several days.

Personally, I think that we should go after these hackers with extreme prejudice, as it were, hunting them down and teaching them the error of their ways — setting an example of such eye-watering proportions as to make potential hackers of the future decide to take up embroidery instead.

I don’t know about you, but, for the longest time, to me it appeared as though no one in government was really paying attention. Thus, it felt like at least a small step in the right direction when, on 12 May 2021, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. In part, this executive order directed all branches of the Federal Government to improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats.

While this executive order specifically addresses the United States Federal Government, enterprises and businesses of all shapes and sizes should also take steps to secure and protect their data.

Have you perchance read this executive order yourself? One thing that caught my eye was subsection (d) in Section 3: Modernizing Federal Government Cybersecurity, where it says: “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest […],” which certainly sounds imposing, but what’s “data at rest,” when it’s at home?

Well, the first step in securing digital data is understanding that, at different times, it may exist in one of three distinct states. These states are data in transit (which may also be referred to as data in motion or data in flight), data in use, and data at rest. Data in transit is information that is flowing through a network, including private corporate networks and public networks such as the internet. Data in use refers to active data that is being accessed and manipulated by a software program and is stored in a non-persistent digital state, typically in the computer’s random-access memory (RAM) or in the caches and registers associated with the central processing unit (CPU). Last, but certainly not least, data at rest (DAR) refers to data that is physically housed in a storage device.

The problem here is that, when most people hear terms like “computer security,” their knee-jerk reaction is to focus on threats like viruses, malware, and ransomware. Solutions to these threats in the form of things like firewalls and antivirus software predominantly focus on external menaces by protecting data in transit and data in use. However, many security breaches and data loss incidents may be traced to insider threats in the form of unauthorized access to DAR, including computers and/or their drives being mislaid or stolen.

Do you recall the “…within 180 days of the date of this order…” mentioned above? Unless extensions are granted, this means that all of the Federal Government’s data at rest must be fully secured by no later than early November 2021. I’m visualizing a lot of people running around in ever-decreasing circles shouting, “Don’t Panic!” right about now.

For the purposes of these discussions, let’s focus on Windows and Linux, which are the predominant operating systems used by military, federal government, critical infrastructure, and industrial applications. Let’s also concentrate our attention on DAR that is housed on a solid-state drive (SSD) because this is an extremely common and problematic scenario.

Have you heard the term self-encrypting drive (SED)? The idea here is to have an SSD that contains a hardware encryption engine (EE) that automatically encrypts data as it is written to the drive and automatically decrypts the data as it is read from the drive. This all sounds jolly good, but it’s only a starting point, because anyone can power-up the computer and access the data with impunity.

Many people mistakenly believe that their OS password provides sufficient protection for their DAR. When a system is being attacked by professional hackers, however, relying on the OS password is akin to not having a password at all. Thus, another critical aspect of a DAR security solution is that the process of unlocking the SED must take place prior to the OS being booted.

A key feature of an effective DAR security solution is for the drive to be cyber-locked with a data encryption key (DEK), thereby protecting it from bad actors who gain access to the SSD, either on its own or while residing in a computer. One critical step in the process of legitimately accessing the data is authorization acquisition (AA), in which the user enters a password that releases the DEK to the SSD’s EE. The preferred scenario is for AA to occur prior to booting the OS, which is referred to as pre-boot authentication (PBA). A higher level of confidence regarding AA is provided by employing multi-factor authorization (MFA), the use of which is also mandated by the aforementioned executive order.

But wait, there’s more… For example, the Trade Agreements Act (TAA) includes the requirement that the General Services Administration (GSA) must acquire only U.S.-made or TAA-compliant products, which means that an SSD cannot originate in a non-TAA-compliant country. When it comes to encrypting the data, the SED must employ a suitably robust algorithm, such as AES-256, which is part of the Commercial National Security Algorithm suite of cryptographic algorithms that are approved by the National Security Agency (NSA).

Federal Information Processing Standards (FIPS) are standards and guidelines for Federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and that are approved by the Secretary of Commerce. A FIPS 197 certification guarantees that the AES cryptographic algorithm has been implemented correctly and has sufficient entropy. A FIPS 140-2 certification assures that the SED’s EE has been properly designed and secured. Furthermore, a FIPS 140-2 L2 (“Level 2”) certification — which is required for most DAR applications — ensures that there is visible evidence of any attempt to physically tamper with the drive.

In a nutshell, in order to be acceptable for use by the Federal Government, a DAR solution must be TAA compliant, NIST Validated, and FIPS-certified.

Are we having fun yet?

The reason I now know so much about DAR (more than I ever wanted to know, if the truth be told), is that I’ve been chatting with those clever chaps and chapesses at the CRU Data Security Group (CDSG). DIGISTOR is the CDSG brand of fixed and removable rugged storage drives that are crucial to physically securing sensitive data for government agencies and other security-conscious organizations. Meanwhile, Citadel TAA compliant, NIST Validated, and FIPS-certified SEDs are the only SSDs to offer pre-tested and pre-integrated multi-factor authentication and pre-boot authentication (PBA).

Citadel SSD SEDs with M.2 form factor: SATA (top) and NVMe bottom)
(Image source: CDSG)

One very important point is that the security software, which is pre-installed on the drive, is OS agnostic — it doesn’t care whether the user wishes to load Windows or Linux or use a virtual machine (VM). Having said this, another important point is that Citadel drives are shipped deactivated and can be used “out of the box.” This means the user can test the drive out, load different operating systems, wipe the drive (this doesn’t affect its security capabilities), and start all over again prior to activating the PBA.

When the time is ripe, the organization’s cryptographic officer/administrator can activate the PBA, including granting or revoking access to multiple users, each with their own password, and activating MFA if required. The administrator can also establish various policies, such as cryptographically wiping the drive following a specified number of failed AA attempts.

There’s even a “headless” version for use in things like unmanned aerial vehicles (UAVs), critical infrastructure, and industrial applications, where a headless system is one that operates without a display (the missing “head”), keyboard, or mouse.

Ranging from 512 GB to 2 TB in size, Citadel SSDs are unique in providing a commercial off-the-shelf (COTS) solution that brings military-grade security to Federal agencies and critical infrastructure, as well as industrial, banking, and medical markets.

I must admit that I was hoping to see one of these little rascals “in the flesh,” as it were, so I asked the folks at CDSG if they had a non-functional Citadel SSD they could send for me to wave around in the air while taking a quick video for use in this column, but they replied that — although they would if they could — they didn’t get to see defunct Citadels very often. When you come to think about it, that is, of course, what we want to hear. So, what say you? How confident are you currently regarding your own DAR solution?