Using HSMs to prevent RansomWeb attacks

Prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security, says Paul Hampton.

Paul Hampton, payments security expert, Gemalto

For security teams tasked with safeguarding data, the need to protect sensitive information has never been greater. Data breaches have not only increased in frequency and size last year, they have also diversified. Added to virus threats and phishing attacks is a new type of cyber-attack called RansomWeb – where hackers break into a website, take control of the encryption system used for securing or backing up its data, change the keys, and demand payment to unlock the files.

According to the latest Breach Level Index report, one billion data records were compromised in 2014 alone, showing that being breached is no longer a question of “if” but “when”. So what can organisations do to protect themselves and guarantee the protection of data as it is used?

Organisations should assume that prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security that can defend data once criminals get into the network. When all else fails, Hardware Security Modules (HSMs) are an organisation's last line of defence against cyber-crime.

Out with the old, in with the new

RansomWeb hackers scan the internet for unsecured websites and, over a long period of time, modify server scripts so that data is encrypted on-the-fly before it's inserted into the database. Traditional perimeter security measures such as firewalls, antivirus, content filtering, and threat detection will not keep determined cyber criminals out. To combat RansomWeb threats and guarantee the protection of data as it is used, the first step in effective data protection is for organisations to move to a framework that is centred on the data itself.
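Because a RansomWeb-style script modification keeps the application working (it decrypts on read) while the stored copy turns into ciphertext, one practical check is to inspect the database or its backups directly rather than through the application. The following is an added example, not code from the article or from Gemalto, that scans sampled rows against a hypothetical schema and flags values that fail their expected format and have ciphertext-like entropy; the table, columns and sample rows are all constructed for this illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: a "customers" table as a list of dicts. Rows 1-3 are plaintext;
# rows 4-5 look the way on-the-fly encryption of inserts would leave them.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "postcode": "SW1A 1AA"},
    {"id": 2, "email": "bob@example.org", "postcode": "EC1A 1BB"},
    {"id": 3, "email": "carol@example.net", "postcode": "M1 1AE"},
    {"id": 4, "email": "U2FsdGVkX1+3mHq0dL6bQ1w9ZbG8vQ==", "postcode": "p7K2xD9lQzT4YbW8"},
    {"id": 5, "email": "3fA9kLq1ZxP0wN7eRtV2==", "postcode": "Hs8Lm2QpXz4B"},
]

# Expected shape of each column (hypothetical schema for this example; UK postcodes).
EXPECTED = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
    "postcode": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; base64/hex ciphertext sits well above natural text."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_encrypted(value: str, expected: re.Pattern) -> bool:
    """Flag a value only if it fails its format AND has ciphertext-like entropy,
    so an ordinary malformed entry (low entropy) is not reported."""
    if expected.match(value):
        return False
    return len(value) >= 12 and shannon_entropy(value) > 3.5


def scan_rows(rows, expected=EXPECTED):
    """Return (row id, column) pairs whose stored value looks like ciphertext."""
    findings = []
    for row in rows:
        for column, pattern in expected.items():
            if looks_encrypted(str(row[column]), pattern):
                findings.append((row["id"], column))
    return findings
```

Run the scan against a read replica or a restored backup on a schedule; a sudden rise in findings on columns that are never encrypted by design is the signal to investigate the server scripts.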

Organisations often underestimate the magnitude of the risk to their business-critical data while it's in transit across public or private data networks. From the moment data is in motion, organisations are no longer in control. Data can be easily and cheaply intercepted by cyber-criminals for a number of reasons – ranging from data theft to cyber-blackmail.

As a result, organisations need to provide a protection that stays with the data wherever it is being sent, such as encryption and digital signatures, which enable organisations to maintain control of their data and detect any unauthorised modifications, even when data is deployed in the cloud or in their data centre. By moving security controls as close as possible to the data, they can ensure that even after the perimeter is breached, the information remains secure.

Keeping keys safe

However, encryption alone is only part of the solution, as an organisation's infrastructure is only as secure as the private keys and certificates used to protect it. RansomWeb hackers target encryption keys stored on remote web servers, which they can then copy or remove from the organisation's server. Storing encryption keys on the web server itself therefore no longer guarantees that they cannot be intercepted.

Preventing RansomWeb attacks requires the use of hardware security modules (HSMs), a type of electronic safe used by some of the most security-conscious organisations in the world to store their cryptographic keys, securely managing, processing, and storing them inside a hardened, tamper-resistant device. 

HSMs traditionally come in the form of a plug-in card or an external device attached directly to a computer or network server. They essentially provide protection for transactions, identities, and applications by provisioning encryption, decryption, authentication, and digital signing services for a wide range of everyday things – including smart meters, websites, medical devices and national identity cards. Organisations use them to implement a standards-based enterprise key management strategy that includes specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for them as they are stored.

Because HSMs generate keys that never leave the hardware, every use of a key has to go through the device, so it is very easy to track who has used it and when – ensuring keys can't be utilised by unauthorised third parties or personnel. This results in an extremely high level of trust in encryption keys – and in a valuable last line of defence for any organisation.

Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who could then access sensitive data.
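The custody model the preceding paragraphs describe (keys generated inside the device, callers holding only a handle, every use attributed) can be sketched in code. The following is an added, purely simulated illustration, not a vendor HSM API and not code from the article: the class, method names and the use of HMAC-SHA256 as the in-module operation are all assumptions made for the example. A compromised web application in this model can sign or verify through its handle but cannot obtain or replace the key material, and the audit log shows who did what.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class KeyExportRefused(Exception):
    """Raised when a caller asks for raw key material (never returned)."""


class SimulatedHsm:
    """Toy stand-in for an HSM (simulation, not a vendor API): callers receive a
    handle, never key bytes; every operation is logged with caller and time."""

    def __init__(self):
        self._keys = {}       # handle -> key bytes, held only inside the module
        self.audit_log = []   # (iso timestamp, caller, operation, handle)

    def _record(self, caller, operation, handle):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, caller, operation, handle))

    def generate_key(self, caller, label):
        """Key material is created inside the module; only a handle goes out."""
        handle = f"{label}-{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        self._record(caller, "generate", handle)
        return handle

    def sign(self, caller, handle, data: bytes) -> bytes:
        """HMAC-SHA256 tag computed inside the module (stands in for signing)."""
        self._record(caller, "sign", handle)
        return hmac.new(self._keys[handle], data, hashlib.sha256).digest()

    def verify(self, caller, handle, data: bytes, tag: bytes) -> bool:
        """Constant-time comparison against a freshly computed tag."""
        self._record(caller, "verify", handle)
        expected = hmac.new(self._keys[handle], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def export_key(self, caller, handle):
        """Export is refused and the attempt itself is logged for review."""
        self._record(caller, "export-refused", handle)
        raise KeyExportRefused(handle)

    def uses_by(self, caller):
        """Audit view: which operations a given identity performed."""
        return [(op, h) for _, who, op, h in self.audit_log if who == caller]
```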

Secure the breach

Experts agree that more hackers will start abusing the RansomWeb technique in coming months, as news spreads among cyber-criminals of the attack's effectiveness and financial rewards. Now more than ever, simply putting up a wall around the data and hoping it will protect what's on the other side is no longer enough. Data moves around and is stored in many environments with varying degrees of security. As more individuals have access to that data from multiple access points, organisations must take a multi-layered, dynamic approach to securing it.

Organisations worldwide need to be continually vigilant and implement a data security strategy which will allow them to be safe in the knowledge that their data is protected, whether or not a breach occurs. Only those that adopt a 'secure breach' approach, consisting of a combination of strong authentication, data encryption and key management, can be confident that data is useless should it fall into unauthorised hands.

Contributed by Paul Hampton, payments security expert, Gemalto