The IT world is facing massive security breaches, such as those at Target, Adobe, LinkedIn, and Snapchat, due to the lack of good encryption practices. Sensitive data were hacked. The big question these companies are asked is, “Were the data encrypted?” Put another way, can we stop worrying about data confidentiality when the stolen data are encrypted? In current data practice, encryption could be considered a “Get out of Jail Free Card”. However, the answer is NO. This discouraging answer has been borne out by many previous data breach incidents.
Data encryption is not equivalent to secure data protection.
Data encryption is unable to provide the following data protection:
Encrypted Data Publication: The hacker can copy, publish, and distribute the encrypted data to intended parties (e.g., WikiLeaks) or release them openly to the public, which carries very high risks. In June 2016, WikiLeaks released a massive 88 GB of encrypted insurance files. Data encryption cannot actually nullify the damage caused by such data breaches, especially in the case of safety-critical data (e.g., national security data). This conclusion is also supported by the many healthcare data breaches, e.g., Codman Square Health Center in Dorchester, Mass.; Keck Medicine in Los Angeles, part of University of Southern California; the leak of the World Anti-Doping Agency's database of Olympians' medical records; Tulsa, Okla.-based Saint Francis Health System; Danville, Pa.-based Geisinger Health Plan; Burrell Behavioral Health in Springfield, Mo.; Oberlin, Kansas-based Decatur Health Systems; Medical College of Wisconsin in Milwaukee, etc. Healthcare data are encrypted, yet they are breached.
Ransomware: Encrypted data are subject to Ransomware attacks just as if the data were not encrypted. Ransomware is a type of attack that maliciously encrypts the data (encrypted or unencrypted) until an amount of money is paid to the hackers. Ransomware exploded in 2016 and is increasing aggressively, especially against business data. Current anti-Ransomware efforts are stunted because the Ransomware itself effectively acts as a security application. The total number of Ransomware attacks rose by 13% in September 2016 alone, according to Check Point cybersecurity researchers. Hollywood Presbyterian Hospital paid $17,000 in ransom. The total cost of damages could come to $1 billion in 2016, and Ransomware is now one of the three most common malware threats.
Data Tamper/Destruction/Sabotage: At the RSA Conference in 2016, it was noted that the security industry has been primarily focused on stopping information theft for years, and now more and more people in the trade are worried that the next wave of attacks won’t steal data – they’ll sabotage them instead. Encrypted data can be tampered with and even totally destroyed. In earlier data breach incidents, the hackers stole the desired data from the system; recent data breaches show that the adversary can be more malicious, modifying or even destroying the data on the system. Data destruction could seriously damage a business when the destroyed data are unrecoverable. Notable examples are the data destruction in the Sony Pictures Entertainment data breach on November 24, 2014, and the Saudi Arabia data breach in 2016. In these incidents, the hackers wiped a large amount of data after they stole the sensitive data. The data on three-quarters of the computers and servers at the studio’s main operations were almost destroyed. Recently, NSA (Mr. Iain Thomson) revealed that data tampering is the second of the top three IT nightmares. Suppose the data have been subtly altered rather than stolen. The consequences could be severe, especially in the IoT (Internet of Things) in relation to industrial safety (e.g., SCADA (Supervisory Control and Data Acquisition)) and national security.
Cryptographic Attacks: Further, data encryption is subject to cryptographic attacks that exploit weaknesses in the encryption. An encrypted password, credit card, or other encrypted PII (personal identity information) can be cracked in a few seconds, e.g., 6 seconds, by brute-force decryption attacks. There are many incidents (LinkedIn – 200 million PII, Yahoo – 500 million PII, Dropbox, etc.) that involved PII disclosure. The Dropbox data breach occurred in 2012 and was confirmed in 2016, resulting in the leakage of 68 million PII. This is due to the weak encryption protection of short PII data, e.g., passwords of 8-15 digits. Advanced computation systems are able to crack an encrypted file. The Penetrating Hard Targets project spends 79.7 million on research to crack RSA on the web. MIT’s quantum computers can crack most encryption.
Malware may steal, modify, or delete encrypted files (e.g., in stealth attacks) such that you are unable to recover them. The compromise of a storage device holding the encrypted files will result in data loss and other risks. Data encryption is designed to protect data confidentiality. It is unable to offer the following data protection capabilities:
Preventing encrypted data from being stolen, redistributed, and published
Enabling a robust capability to defend against Ransomware attacks
Protecting encrypted data in storage from being sabotaged
Preventing encrypted data from being cracked by brute-force or other cryptographic attacks, and
Offering reliable restoration/recovery after tampering.
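The tampering point above can be shown concretely. The following is an added example, not from the original article or from NXdrive: a toy SHA-256 counter-mode stream cipher (an assumption chosen for illustration, not a vetted cipher) shows that decryption alone accepts a modified ciphertext without any error, while an HMAC tag over the ciphertext detects the change. The keys, nonce and record are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not a vetted cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream gives confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: stored ciphertext was modified")
    return xor_crypt(enc_key, nonce, ct)

# Constructed sample values (hypothetical, for this example only).
ENC_KEY = hashlib.sha256(b"constructed encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
NONCE = bytes(12)  # must be unique per message in real use
RECORD = b"setpoint=070;unit=constructed-sample"

def demo():
    """Return (plaintext from decrypt-only, whether the MAC caught the change)."""
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, RECORD)
    stored = bytearray(ct)
    stored[0] ^= 0x01  # a single altered bit in the stored ciphertext
    silent = xor_crypt(ENC_KEY, NONCE, bytes(stored))  # no error is raised
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, bytes(stored), tag)
        detected = False
    except ValueError:
        detected = True
    return silent, detected

if __name__ == "__main__":
    print(demo())
```

In production the same property comes from an authenticated encryption mode such as AES-GCM; detection still does not restore the altered data, which needs backups or redundancy.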
NXdrive is a holistic solution for data storage and protection against data breaches. Unlike saving data as a file (even an encrypted file), NXdrive is fragment-based data storage that builds extra features on top of encryption to provide holistic data protection capabilities. Specifically, a file is saved as a number of fragments across different authorized places. It prevents external and internal data theft (an attacker reads the data), data loss (a hacker deletes the data), and data tampering (a hacker changes the data).
Figure 2: NXdrive adds data spatial properties for data protection that are hard to explore even with a powerful computer.
NXdrive achieves fine-grained data security to prevent data theft and sabotage by potential cyber-attacks. NXdrive (www.NXdrive.com) is an online system that provides data protection:
Worry-free on data confidentiality: NXdrive provides a leading capability for protecting your data confidentiality.
Worry-free on data breach: NXdrive excels in defending against data breaches, which are one of the major cyber security threats to online data storage.
Worry-free on privacy: NXdrive protects data privacy, with the unique ability to disable a number of semantic analysis tools that target your data privacy.
Worry-free on data loss: NXdrive has robust self-generation capabilities that prevent the loss of any data pieces.
Worry-free on device compromise: Automated data protection prevents data disclosure or loss that could be caused by device loss or device failures.
Worry-free on data insiders: NXdrive guards against insiders through advanced features of distributed authentication and authorization for data management.