A weird thought attacked my mind: we deploy encryption techniques in restricted environments to protect sensitive data and keep the secrets from leaking OUT. That is obvious, and there is a multitude of applications and software to accomplish it.
However, hardly any organization is protecting its environment from data that comes FROM outside to INSIDE, as famous in-the-wild malware such as Stuxnet, and the way it was deployed, has shown. (Don't worry, I am not going to discuss the "same old, same old" again here.)
Yes, organizations are deploying techniques such as antimalware and USB port blocking. As past threats have already demonstrated, precisely targeted payloads typically render antimalware useless, and USB blocking is somewhat problematic because data, be it PLC control-set configuration or documents, must somehow be carried across the boundary. Read-only devices work, but in the opposite direction, so they are no good here.
This is a hard deal. Making such a protection technique work would require understanding how the environment behaves in different situations and, moreover, understanding what data is handled within the environment boundary, how it is handled, and how the boundary gets bypassed.
The weird thought hit me badly enough that I decided to define an imaginary environment with a security element in place that would require all data created IN the restricted environment (say, an "enclave") to be encrypted while stored on mobile media such as a USB stick, and that would accept NOTHING OTHER than mass media encrypted by that particular enclave. All ILLEGITIMATE media, meaning data not created by the enclave, including the physical storage device brought into the environment, would then be rendered inoperable within the environment. This would allow federation between different enclaves, and it assumes that security inside the enclave is enforced correctly.
It is a kind of reversal of the original data-"securing" model: protecting the environment from foreign objects by identifying "own" data via encryption. I believe we still need the "white cells", such as antimalware techniques, to maintain environment security at the required level. Those, however, work and are efficient only up to a certain level of need.
So, taking the Stuxnet "case" in hand again (unfortunately): if the carrier, our carry-in Jack from an illegitimate organization, physically accessed our imaginary enclave with a malware-laden USB stick, the security element would render the USB stick inoperable within our secured environment. All this is done via the encryption functionality inside the enclave, not trusting the physical media's capabilities at all and not touching port activity monitoring or similar lazy jobs, and it would in turn make it impossible to use any data without proper encryption. This would make activities based on bribing local people useless.
So what about normal operation? Well, it should be seamless and transparent within "enclaves" or between trusted security domains (not talking about Windows domain architecture here..), and thus require nothing special to carry along.
A nice reversal of a well-known technique? Just a thought with some background 🙂
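To make the enclave gate from the paragraphs above concrete, here is an added toy model written for this page; it is my own illustration, not code from the original post or from any real product. It assumes a hypothetical container format on the removable media (an `ENCL1` marker, a key identifier, a nonce, the ciphertext and an authentication tag) and builds both the counter-mode keystream and the MAC from HMAC-SHA256 so that it runs with the Python standard library alone; a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305 instead. The point a practitioner should take from it: it is the authentication tag under the enclave key, not encryption as such, that lets the gate tell "own" data from foreign data, because an unauthenticated ciphertext would simply decrypt to garbage and be accepted. Federation between trusted security domains is modelled by exchanging key sets, and the sample payloads are constructed.

```python
"""Toy 'enclave gate': only media sealed under this enclave's key set, or a
federated enclave's key set, is admitted; everything else is refused.
Illustrative example only, not the blog's or any product's code."""
import hashlib
import hmac
import os
import struct

MAGIC = b"ENCL1"          # hypothetical container marker (public, not a secret)
KEY_ID_LEN = 8
NONCE_LEN = 16
TAG_LEN = 32              # HMAC-SHA256 output
HEADER_LEN = len(MAGIC) + KEY_ID_LEN + NONCE_LEN


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the enclave master key (HMAC as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF. Stand-in for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class Enclave:
    def __init__(self, name: str, master_key: bytes):
        self.name = name
        self.enc_key = _derive(master_key, b"enclave-enc")
        self.mac_key = _derive(master_key, b"enclave-mac")
        # Public identifier of this key set; the gate uses it to pick the right keys.
        self.key_id = _derive(master_key, b"enclave-id")[:KEY_ID_LEN]
        # Federation table: key_id -> (enc_key, mac_key). Starts with our own keys only.
        self.trusted = {self.key_id: (self.enc_key, self.mac_key)}

    def federate(self, other: "Enclave") -> None:
        """Trust media sealed by another enclave (a trusted security domain)."""
        self.trusted[other.key_id] = (other.enc_key, other.mac_key)

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC; the only shape a file written to removable media may have."""
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        header = MAGIC + self.key_id + nonce
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def admit(self, blob: bytes):
        """Gate decision for a file read from removable media.
        Returns (True, plaintext) or (False, reason)."""
        if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
            return False, "not enclave-sealed (plain or unknown format)"
        key_id = blob[len(MAGIC):len(MAGIC) + KEY_ID_LEN]
        nonce = blob[len(MAGIC) + KEY_ID_LEN:HEADER_LEN]
        body, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        keys = self.trusted.get(key_id)
        if keys is None:
            return False, "sealed by an untrusted enclave"
        enc_key, mac_key = keys
        expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "authentication tag mismatch (tampered or wrong key)"
        return True, _xor(body, _keystream(enc_key, nonce, len(body)))


def demo() -> dict:
    """Run the carry-in scenarios from the post and report the gate's verdicts."""
    plant_a = Enclave("plant-A", os.urandom(32))
    plant_b = Enclave("plant-B", os.urandom(32))
    outsider = Enclave("jacks-laptop", os.urandom(32))   # Jack's own, untrusted keys
    plant_a.federate(plant_b)

    payload = b"PLC control-set block (constructed sample payload)"
    sealed = plant_a.seal(payload)
    # Flip one ciphertext bit: the tag no longer verifies.
    tampered = sealed[:HEADER_LEN] + bytes([sealed[HEADER_LEN] ^ 0x01]) + sealed[HEADER_LEN + 1:]
    # Jack knows the (public) marker and key id but not the MAC key.
    forged = MAGIC + plant_a.key_id + os.urandom(NONCE_LEN) + payload + os.urandom(TAG_LEN)

    return {
        "own": plant_a.admit(sealed)[0],
        "federated": plant_a.admit(plant_b.seal(payload))[0],
        "plaintext_usb": plant_a.admit(payload)[0],
        "foreign_enclave": plant_a.admit(outsider.seal(payload))[0],
        "tampered": plant_a.admit(tampered)[0],
        "forged_header": plant_a.admit(forged)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} -> {'ADMIT' if accepted else 'REJECT'}")
```

Only the first two scenarios are admitted; Jack's plain USB payload, a file sealed by an enclave plant-A does not federate with, a flipped ciphertext bit, and a header copied from a legitimate file all fail at the format, key-id or tag check, without the gate ever inspecting the content or the port. The model inherits the post's assumption that the enclave keys stay inside the enclave: an insider who can call `seal` can of course launder anything through the gate.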