One Application to Build CISA’s Data Pillar Supporting "Zero Trust"

In response to the SolarWinds supply chain attack, the Cybersecurity and Infrastructure Security Agency (CISA) finally realized the importance of protecting unstructured data and made it one of the five pillars of the White House’s cross-agency strategy to shift the U.S. government toward a “Zero Trust” approach. APF foresaw that reality four years ago and built the Unstructured Data Shield (UDS). UDS is currently the only end-to-end solution that meets and exceeds all the requirements of CISA’s data pillar.

We welcome and challenge any organization to join our efforts to ensure a safer cyber space. For those who are interested, please contact us for a self-guided demo, which takes only about 30 minutes, a testament to UDS’s usability. We will reward those who work with us to perfect UDS with very favorable terms and priority status when they become APF customers. We are also inviting cyber security organizations to attempt to exploit any possible weakness in UDS; please contact us if you’re interested in that effort.

Unstructured Data Shield (UDS)

The SolarWinds attack represented a significant violation of national security that exposed flaws in the United States’ cyber defenses. The Russian virus went undiscovered and unabated at almost 400 of the world’s major firms and several government organizations. When those firms and agencies pool their resources, they have access to every kind of cyber security product imaginable, yet none of them were able to detect or prevent the virus from taking the data.

In response, the White House released the Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity, which is built on CISA’s five pillars. Among them, the Data pillar presents for the first time the urgent need to protect unstructured data. The requirements of the Data Pillar call for:

  1. Data categorization and security responses, focusing on tagging and managing access to sensitive documents.
  2. Audit access to any data encrypted at rest.
  3. Comprehensive logging and information sharing capabilities.


APF came to the same conclusion early on and built UDS to address the problem. UDS not only meets but exceeds the CISA requirements by extending encryption at rest, access auditing and violation detection to the entire environment, not just the cloud.

First, UDS allows users to categorize files when they are created and tag them with designations including classification, compliance status and any other customized information. The tags and classifications permanently stay with the files and with every copy made from those files. CISA’s requirement, by contrast, targets only the one file copy housed on the cloud.

Second, UDS encrypts files using one of the strongest encryption schemes ever engineered. It uses a random key and IV for each file. There is no master key, password or algorithm of any sort which can be used to reverse engineer the key and IV. Contrast that with cloud storage, which uses a single key to encrypt all the files.
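As an added illustration of the per-file scheme described in the two paragraphs above (this is example code written for this page, not UDS’s own implementation, whose internals the page does not disclose): each file receives its own random 256-bit key and 96-bit nonce (IV), AES-GCM is assumed as the cipher, and the classification tags are bound to the ciphertext as associated data, so a copy whose tags were edited or stripped can no longer be opened. Where the per-file key is kept and who may fetch it is the access-policy service’s job and is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedFile is the stored form of one file: its own random nonce (IV),
// the AES-GCM ciphertext with authentication tag, and the classification
// tags that travel with the file. The tags are not secret, but they are
// authenticated, so they cannot be silently edited or removed.
type ProtectedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Tags       string // e.g. "classification=CONFIDENTIAL;compliance=HIPAA"
}

// Seal encrypts plaintext under a freshly generated 256-bit AES key and a
// fresh 96-bit nonce, binding tags as associated data. The per-file key is
// returned to the caller; key custody is assumed to live elsewhere.
func Seal(plaintext []byte, tags string) ([]byte, *ProtectedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(tags))
	return key, &ProtectedFile{Nonce: nonce, Ciphertext: ct, Tags: tags}, nil
}

// Open decrypts with the file's own key. Any change to the ciphertext, the
// nonce or the tags makes the GCM tag check fail, so a relabelled copy
// (say, CONFIDENTIAL downgraded to PUBLIC) can no longer be opened.
func Open(key []byte, pf *ProtectedFile) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, pf.Nonce, pf.Ciphertext, []byte(pf.Tags))
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext, nonce or tags were altered")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a small "document" and its tags.
	key, pf, err := Seal([]byte("Q3 payroll summary"), "classification=CONFIDENTIAL;compliance=SOX")
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, pf)
	fmt.Printf("opened: %q (err=%v)\n", pt, err)

	// A copy whose classification tag was downgraded no longer decrypts.
	downgraded := *pf
	downgraded.Tags = "classification=PUBLIC;compliance=SOX"
	_, err = Open(key, &downgraded)
	fmt.Println("downgraded copy:", err)
}
```

Because every file carries its own key and nonce, compromising one file’s key reveals nothing about any other file, which is the property the paragraph contrasts with a single cloud-wide key.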

Third, UDS uses a centralized access policy to determine access rights for every user on every file. When access is granted, the UDS client will decrypt the file and open it in the GUI application. UDS keeps every access request to every copy of the file and constantly uses artificial intelligence (AI) to identify anomalies for early warning.

Last but not least, UDS maintains extensive logs on all changes to the configurations. They are available for audit and forensic analysis. UDS-protected files are always encrypted on all devices, and so are all file copies. They are subject to the same access control processes.

UDS provides excellent ROI by reducing financial losses from data breaches, application fragmentation and the related support costs

Over time, many solutions and products have been created to deal with a small part of a larger problem:

  1. Cloud encryption at rest for the files stored on the cloud
  2. Utilizing SharePoint and Box to manage access to files in cloud storage
  3. Loss prevention solutions on the end devices to monitor user’s actions
  4. VPN to encrypt files in transit
  5. Encryption at rest on selected local devices
  6. Key management solutions to enable on-premise encryption

Unfortunately, the sum of the parts does not equal the whole, and the result is an ever-increasing number of data breaches while organizational cyber security budgets increase every year. Files are stolen from end devices, from servers, from cloud storage and from email servers, simply because the files are not protected at rest and are not subject to universal access management.

Because UDS protects all the files on all devices at rest and in transit, businesses can eliminate the overlapping data file protection applications and the support resources.

UDS also:

  1. Reduces or stabilizes cyber insurance costs
  2. Reduces the cost of staying compliant with data protection laws and regulations

Embedded Shield: protecting the critical infrastructure

Security for embedded systems has been lacking for many reasons. One obvious reason is that attacks on embedded systems are rare. Those systems are highly specialized, so ordinary cyber criminals have neither the knowledge nor the economic interest to develop viruses like “Stuxnet”. But it becomes a different story when considering a possible state-sponsored attack. Attacks on embedded systems always come with the intent of strategic disruption and often lead to catastrophic consequences; viruses that target embedded systems are categorized as “cyber warfare” for good reason.

Called a “cyber-missile” by some a decade ago, the “Stuxnet” virus changed how the world views cyber security forever. By modifying the firmware of the system’s logic controller, the virus destroyed nearly a thousand of Iran’s otherwise impenetrable gas centrifuges used to make weapons-grade uranium, and put Iran’s nuclear ambitions at least temporarily on hold.

There are two known pathways to attack an embedded system:

  1. Gaining access to the system’s user interface through remote access software like TeamViewer and Remote Desktop. In February 2021, a Florida water treatment plant control system was accessed by hackers through the remote access software TeamViewer. The hacker then increased the purification chemicals added to the water to poisonous levels using the control software’s user interface. Fortunately, the movement on the screen was caught by a user who happened to be monitoring the system at the time. He reversed the changes and averted the potential disaster. This type of attack is rare since most control units don’t provide remote access. The damage is often limited since most systems limit the changes that can be made through user interfaces to avoid accidental damage caused by human error; it is also easy to spot and correct. But this could open the door for viruses and lead to more sophisticated attacks.
  2. Gaining access to the system, escalating access privileges and making stealthy changes without being caught. Once the virus obtains root privilege, it replaces or modifies the binary code and/or configuration files to hijack the communication between the control unit and the embedded system, injecting malicious commands which eventually lead to the damage. This was the pathway taken by the “Stuxnet” virus.

A security system that guards the entrance to a government building could be compromised to let bad guys in and lock the good guys out; a hacked monitoring system could fail to alert of an active attack or, even worse, send the wrong signal; a breached surveillance system could be stopped during a crime or its history files could be altered. Fearing possible attacks on the national or regional grids, some have even suggested bringing back analog controls like physical buttons and dials as a “failsafe”.

Currently, protecting embedded systems relies solely on protecting the command and control units, which often run on well-known operating systems and share the same vulnerability to cyber-attacks, potentially opening the exact route taken by “Stuxnet” and those that followed.

The Embedded Shield takes a new approach, however, creating a completely independent protection for the firmware and other critical data files that remains unbreakable even after a virus has infected the control unit. This protection establishes a two-layered defense system that is unique to the UDS embedded system.

First, the Embedded Shield encrypts firmware and configuration-related data files. This prevents the information from being stolen. Because each embedded system is different, a thorough understanding of the firmware, configuration and schematics is often the first step of a cyber-attack. Without intimate knowledge of the schematics and the ability to build a mirrored system, it is nearly impossible to develop a virus to attack the system.

The second layer of protection plays a critical role after the command unit is infected by a virus. The UDS-protected firmware and configuration cannot be changed or modified by a virus, and that is usually the most effective pathway for a virus to launch an attack. “Stuxnet” initiated its attack by replacing one of the runtime library files to give itself the ability to monitor and modify the communication between the control unit and the embedded board so it could inject false commands. The Embedded Shield blocks this sort of action and therefore stops the attack.
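One way to implement the second layer described above is a signed-manifest check that the loader runs before handing firmware, runtime libraries or configuration to the board. This is an added example written for this page, not the Embedded Shield’s own code; it assumes SHA-256 digests and an Ed25519 release key held offline (never on the control unit), and it covers only the modification-detection half of the protection, not the encryption of the files themselves. The file names and contents are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest records the expected SHA-256 of every protected file (firmware
// image, runtime library, configuration) and carries an Ed25519 signature made
// with a release key that never lives on the control unit. A virus that gains
// root on the control unit can rewrite a file, but it cannot produce a valid
// signature for the changed digest.
type Manifest struct {
	Digests   map[string]string // file name -> hex-encoded SHA-256
	Signature []byte
}

// NewReleaseKey generates the offline signing key pair. The private half stays
// in the release process; only the public key is embedded in the loader.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical serialises the digest map in sorted order so that signer and
// verifier hash exactly the same bytes.
func canonical(d map[string]string) []byte {
	names := make([]string, 0, len(d))
	for n := range d {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		b.WriteString(n)
		b.WriteByte('\n')
		b.WriteString(d[n])
		b.WriteByte('\n')
	}
	return []byte(b.String())
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest runs at release time, with the private key, over the exact set
// of files the deployed unit is allowed to load.
func BuildManifest(files map[string][]byte, signer ed25519.PrivateKey) *Manifest {
	m := &Manifest{Digests: make(map[string]string, len(files))}
	for name, data := range files {
		m.Digests[name] = digest(data)
	}
	m.Signature = ed25519.Sign(signer, canonical(m.Digests))
	return m
}

// VerifyBeforeLoad is the loader-side check: the manifest must carry a valid
// signature, every listed file must match its digest, and no unlisted file may
// be present. Any failure refuses the load instead of passing modified
// firmware to the board.
func VerifyBeforeLoad(files map[string][]byte, m *Manifest, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, canonical(m.Digests), m.Signature) {
		return errors.New("manifest signature invalid: manifest altered or not signed by the release key")
	}
	for name, want := range m.Digests {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", name)
		}
		if digest(data) != want {
			return fmt.Errorf("%s: digest mismatch, refusing to load modified file", name)
		}
	}
	for name := range files {
		if _, ok := m.Digests[name]; !ok {
			return fmt.Errorf("%s: present on device but not in manifest", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample release: a firmware image, a runtime library and a config file.
	release := map[string][]byte{
		"plc_firmware.bin": []byte("firmware v1.2 (constructed sample)"),
		"runtime.dll":      []byte("runtime library (constructed sample)"),
		"plc_config.xml":   []byte("<config/>"),
	}
	m := BuildManifest(release, priv)
	fmt.Println("clean unit:", VerifyBeforeLoad(release, m, pub))

	// The step the text attributes to Stuxnet: a runtime library is replaced on the device.
	onDevice := make(map[string][]byte, len(release))
	for k, v := range release {
		onDevice[k] = v
	}
	onDevice["runtime.dll"] = []byte("replaced runtime library")
	fmt.Println("tampered unit:", VerifyBeforeLoad(onDevice, m, pub))
}
```

The check is only as strong as the loader that runs it, so in a deployment the verifier and the public key belong in the part of the system the control unit cannot rewrite; that separation is what the paragraph above calls an independent second layer.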

We should have no illusions that cyber-attacks on our critical infrastructure will stop or that our current cyber defenses are sufficient. The Embedded Shield is designed to prevent attacks as the second line of defense and to protect an embedded system after all other measures have failed, so that critical infrastructure can continue to function.

Contact us to see how you can protect critical infrastructure with Embedded Shield.