Ask an Expert
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an ExpertEmailing, whether for personal or business purposes, is ubiquitous in our modern way of life. In the wake of the COVID pandemic, businesses rely more and more on remote meetings versus personal visits. As a result, company workers share more files with colleagues, clients, customers or other third parties (e.g. service providers, contractors, financial, legal and engineering partners). It is more important than ever that we feel secure when attaching files with sensitive information to our emails – that we can trust our sensitive data is secure with email providers that properly encrypt our messages, end-to-end.
Many people go further. Applications such as Word, Excel®, Adobe® Acrobat® and numerous others allow users to password-protect a file. This built-in encryption is intended to boost confidence that the data within will be kept secure, accessible only to the intended recipients with the correct password.
However, this confidence can be misplaced. IT departments do not routinely check outgoing emails for potential breaches of protected data, as data on its own or in cloud servers as required by laws and regulations. In many cases, a contractor with an email breach may not report it to its partners.
We must assume that our email servers, Internet providers and customer/partner servers are properly secured. There are constant stories of cloud or company data breaches, and few reports of email breaches.
Yet, in July 2023, hackers broke into US government email accounts. In January 2024, Microsoft® revealed that it was the victim of a two-month long email breach in which executives’ internal messages and attachments were stolen.
Is it still possible to feel secure with sensitive data? Consider professions that handle valuable data, such as lawyers, financial advisors, tax advisors, insurance companies and others. Password-protecting files so that they can be encrypted serves as a relief to many people but can no longer be considered a guarantee of security.
Password-protected Microsoft Excel spreadsheets of customer information, or encrypted Acrobat PDFs of legal evidence may provide peace of mind, but what can hackers do if they procure these documents?
Files like these are software encrypted on the computer, and a password gate is added to access the data. When the wrong password is entered, the file will not allow access and will stay inaccessible.
Unfortunately, these files lack protection against brute force (also known as dictionary) attacks, which involve guessing all combinations of characters that could make up a password. For example, assume a secure, complex password using three out of four character sets – uppercase, lowercase, numbers and special characters. This is the typical password type required as a best practice by IT security policies. Most commonly, complex passwords are eight characters long.
In principle, such complex passwords should take many years for a computer to guess. Password-protected files have no defences against password guessing except the randomness (or entropy) of the selected password.
Today’s computers can guess 1 billion or more passwords a second. That is a huge leap from when password-protected files were first created.
How do cybercriminals break password-protected files?
There are many free tools on the Internet to remove a password from Excel or Acrobat files. Files with special security encryption can be targeted by paid tools that attack a password-protected file with a single computer or scaled up to a thousand or more networked computers (for determined attackers seeking high-value data). Some of these powerful tools are marketed as forensic tools for law enforcement, yet they’re highly accessible – to the point that you can buy and download them with a credit card.
According to Home Security Heroes, an AI-based password cracking tool can hack the common eight-character complex password in minutes or take a maximum of seven hours. With networked computers, a brute force attack on a single password-protected file could be completed in a shorter time period.
At this point, it is clear that any transmission of sensitive data by electronic means is subject to a breach if a file is intercepted, or servers containing the file as an attachment or a file are breached. The same is also true of encrypted files stored on a cloud – any cloud – that has to rely on software encryption. If someone acquires the password-protected file, then they can subject it to brute force attacks using software that is customised to the file type.
The solution to mitigate this risk is to keep that data “off-the-grid” or air-gapped. It can be stored on a computer that is not connected to the Internet, or the data can be transmitted through a medium that is hardened against brute force password attacks. This can be cumbersome, but is a mitigation related to the value of the data – some types of breaches can cost millions of dollars and high legal costs and settlements, depending on the data that is lost. For example, a spreadsheet of customer accounts with details can be very damaging to a business when lost. A customer’s IP details used in a legal case can severely impact a company if those details are lost and sold on the dark web.
There is an inexpensive solution for mobile data that does just that – hardware-encrypted USB drives or SSDs. They have a self-contained, hardware-based security ecosystem that guards against password attacks and uses always-on AES-256 bit encryption that, in itself, is not known to have been compromised. It is important to source such storage devices from known and trusted manufacturers as inexpensive drives sold online may not properly implement password security or encryption.
A hardware-encrypted USB drive or external SSD, such as a Kingston IronKey drive, is not your typical USB or SSD. It is engineered from the ground up as a data protection device – using specialised controllers with security as the primary design goal. Such drives can provide enterprise-grade security and military-grade security (which adds a FIPS 140-3 Level 3 certification by NIST, the US government agency that creates AES-256 bit encryption and that sets the standards for US government agencies). Kingston has also been designing and manufacturing hardware-encrypted drives for over 20 years for enterprises and governments worldwide.
All accesses to an IronKey drive are routed through the secure microprocessor. To allow access to the data, the secure microprocessor requires either a valid password or a PIN for keypad drives. The secure microprocessor keeps a count of invalid password retries (if you have ever had a mobile phone reset on you, you know how it works). IronKey drives allow multiple passwords: Admin, User and One-Time Reset. If One-Time Reset or User passwords are entered incorrectly 10 times in a row, the drive will lock the passwords. If the primary Admin password is entered incorrectly 10 times in a row, the secure microprocessor will enter data self-destruct mode – it will execute a crypto-erase of all encryption parameters, format the data storage and reset the drive to factory state. At this point, the data previously stored on the drive is lost forever. This is the defence against most attacks that you want for your sensitive data.
Unfortunately, electronic transmission of password-protected files by email or posting on a cloud server can lead to data breaches as the files themselves cannot be protected using today’s AI and computer technologies. The best security requires that mobile data be transported physically in your possession – in your pocket or in your bag. Then, it can be shared with the other party. Or, you can send the drive to your customer/partner and tell them how to access the data. The drive can be left with them to keep the data secure and off the grid. IronKey external SSDs with capacities of up to 8TB can provide strong security for a range of professionals, from law firms all the way to providers of medical or financial services.
Many manufacturers no longer email key intellectual property documents and details. Instead, they send IronKey drives to others (often in different countries) and follow up with instructions on accessing the data. IronKey drives allow the Admin role to set a global read-only mode, which prevents any alteration of the files when a User password accesses them.
IronKey drives follow the best practices of the CIA Triad and are an inexpensive insurance to keep your sensitive data secure and protected to the best extent commercially possible. In the end, it is all about the perceived value of your information.
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an ExpertEncrypted USB flash drives keep your private data safe but how do they work?