Google Encryption
1. Use 2 factor authentication
2. Don't use same password everywhere
3. Update the software on your computer
4. Be careful with how much info you post online
5. Be careful when sharing personal info
SolarWinds Attack: Targeted major companies and government agencies.
Marriott Hotel Data Breach: Millions of customers' personal information compromised.
Equifax Data Breach: Data of 145 million Americans stolen.
Yahoo Data Breaches: Millions of account details leaked.
Target Data Breach: Credit card information of millions exposed.
Here are 10 ways hackers could get into your computer and steal your information.
1: Wipers
Wipers are malware that are used to erase information.
Attacks are disruptive, not financial.
2: Phishing
Consistently one of the most common and successful tactics used by hackers.
Pretending they are a trusted source(organization you trust).
Links with malware or redirect you to fake sites that steal your information. I
3: Whale & Spear Phishing
Whaling is just like phishing, but it’s reserved for the “big fish”. Instead of finding people, say, on social media, these scams target big corporations and high level execs.
4: Pharming
Pharming uses a fake landing page disguised as a website you trust.
Scams target banks and their patrons. People go to the webpage to log in, but they are rerouted by the link to a fake page. When they enter their information to log in, the hackers steal it.
5: SQL Injection Attacks
During an SQL Injection attack, hackers look for weak points in webpages, like contact forms, and insert malware. From there it’s easy to steal information.
6: Denial of Service (DoS)
A Denial of Service attack uses web traffic to shut down a website.
A system or network can crash when there’s too much traffic
Hackers infect computers on the network with malware that can control them remotely.
7: Brute Force Attacks
Use software to guess your login credentials.
1 in 5 networks have experienced a brute force attack.
Multiple attempts to login from the same IP address or, the opposite, many IP addresses trying to log in to the same account(password lock outs)
8: Man In The Middle Attacks (MitM)
Hackers can use a shoulder-surfing type tactic to steal your information. They can eavesdrop on your connection. They can also insert themselves through an IoT device or through unsecured WiFi. Then they intercept data between a server and a client.
9: Insider Threats
Sometimes an insider threat is intentional - and sometimes it's just an accident. For example, an employee could accidentally download some type of malware. But also, an employee with access to private information could simply choose to misuse their access.
10: Zero Day Attacks
They are called Zero Day attacks because these kinds of attacks take advantage of newly-found bugs and weaknesses. There is a small window of time before developers can fix them, so hackers often try to capitalize on that time frame. (Updates)
Encryption at rest in Google Cloud
Google Cloud protects customer data at rest using multiple layers of encryption.
All stored data is automatically encrypted — first split into chunks, each encrypted with a unique data encryption key (DEK). These DEKs are themselves encrypted (“wrapped”) with key encryption keys (KEKs).
Google primarily uses AES-256 encryption, though a few older Persistent Disks (pre-2015) use AES-128. AES (Advanced Encryption Standard) is a symmetric-key algorithm approved by NIST and the U.S. government, replacing the older DES standard. It converts plain text into cipher text using one shared secret key for both encryption and decryption. AES-256, with its 256-bit key, is considered virtually unbreakable with current technology.
Introduction
Traveling the internet, moving between data centers, or stored on servers.
The strategy is encryption in transit and at rest.
Data can be accessed only by the authorized roles and services with audited access to the encryption keys.
What is encryption?
Encryption is a process that takes legible data as input (often called plaintext), and transforms it into an output (often called ciphertext) that reveals little or no information about the plaintext.
The encryption algorithm used is public, such as the Advanced Encryption Standard (AES), but execution depends on a key, which is kept secret.
To decrypt the ciphertext back to its original form, you need to employ the key.
Why does encryption help secure customer data?
Encryption adds a layer of defense in depth for protecting data—encryption ensures that if the data accidentally falls into an attacker's hands, they cannot access the data without also having access to the encryption keys.
Even if an attacker obtains the storage devices containing your data, they won't be able to understand or decrypt it.
Encryption at rest reduces the surface of attack by effectively "cutting out" the lower layers of the hardware and software stack.
Acts as a "chokepoint"—centrally managed encryption keys create a single place where access to data is enforced and can be audited.
What do we consider customer data?
Content provided to Google by a Google Cloud customer , directly or indirectly, via Google Cloud services used by that customer's account.
Google's default encryption.
Google Cloud encrypts all customer content stored at rest, without any action from the customer, using one or more encryption mechanisms.
Layers of encryption
Google uses several layers of encryption to protect data.
Figure 1: Distributed file system encryption or database and file storage encryption is in place for almost all files; and storage device encryption is in place for almost all files.
Encryption at the storage system layer
Data is broken into subfile chunks for storage; each chunk can be up to several GB in size.
Each chunk is encrypted at the storage level with an individual encryption key: two chunks will not have the same encryption key.
Google encrypts data prior to it being written to disk.
Each data chunk has a unique identifier.
Access control lists (ACLs) ensure that each chunk can be decrypted only by Google services operating under authorized roles.
A malicious individual who wanted to access customer data would need to know and be able to access (1) all storage chunks corresponding to the data they want, and (2) the encryption keys corresponding to the chunks.
Figure 2: Data at Google is broken up into encrypted chunks for storage.
Advanced Encryption Standard (AES) algorithm to encrypt data at rest.
All data at the storage level is encrypted with AES256 by default.
Recommended by the National Institute of Standards and Technology (NIST) for long-term storage use.
GCM (Galois/Counter Mode) – A fast and efficient mode of operation for symmetric-key block ciphers, offering high throughput even on inexpensive hardware.
CBC (Cipher Block Chaining) – A block cipher mode where data is encrypted in sequential blocks, each dependent on the previous one.
HMAC (Hash-Based Message Authentication Code) – A message authentication method that combines a cryptographic hash function with a secret key to verify data integrity and authenticity.
Encryption at the storage device layer
Encrypted at the storage device level with AES256 for hard disks (HDD) and solid state drives (SSD), using a separate device-level key (which is different from the key used to encrypt the data at the storage level).
Encryption of backups
Data remains encrypted throughout the backup process.
Backup system further encrypts each backup file independently with its own data encryption key (DEK), derived from a key stored in Google's Key Management Service (KMS) plus a randomly generated per-file seed at backup time.
Key management
Google Cloud uses a layered encryption key system managed by its Key Management Service (KMS) to protect data at rest.
Each piece of stored data is divided into chunks, and each chunk is encrypted with its own Data Encryption Key (DEK).
DEKs are themselves encrypted (“wrapped”) with Key Encryption Keys (KEKs), which are stored centrally in Google’s KMS.
DEKs are unique — even different chunks of the same customer’s data use separate DEKs, ensuring strong data isolation.
When data needs to be accessed, the service retrieves the wrapped DEK, sends it to KMS, and KMS verifies authorization before unwrapping it.
The plaintext DEK is then used to decrypt the data chunk.
Access controls (ACLs) in KMS ensure only authorized Google services and users can use specific keys.
In special hardware (like local SSDs), encryption and DEK management occur directly on the device.
Overall, this system ensures secure, isolated, and tightly controlled encryption key management for all customer data.
Figure 3: To decrypt a data chunk, the storage service calls Google's Key Management Service (KMS) to retrieve the unwrapped data encryption key (DEK) for that data chunk.
Encryption key hierarchy and root of trust
Google's KMS is protected by a root key called the KMS master key, which wraps all the KEKs in KMS. This KMS master key is AES256 and is itself stored in another key management service, called the Root 5 KMS.
To summarize:
● Data is chunked and encrypted with DEKs.
● DEKs are encrypted with KEKs.
● KEKs are stored in KMS.
● KMS is run on multiple machines in data centers globally. ○ KMS keys are wrapped with the KMS master key, which is stored in Root KMS.
● Root KMS is much smaller than KMS and runs only on dedicated machines in each data center. ○ Root KMS keys are wrapped with the root KMS master key, which is stored in the root KMS master key distributor.
● The root KMS master key distributor is a peer-to-peer infrastructure running concurrently in RAM globally on dedicated machines; each gets its key material from other running instances. ○ If all instances of the distributor were to go down (total shutdown), a master key is stored in (different) secure hardware in (physical) safes in limited Google locations. ○ The root KMS master key distributor is currently being phased in, to replace a system that operated in a similar manner but was not peer to peer.
No comments:
Post a Comment