If you are even vaguely aware of Bitcoin, you have seen the latest hack: $460 million stolen by hackers from the Mt. Gox exchange. Within the bitcoin world, this has launched a lot of discussion about the concept of cold storage.
Cold storage means keeping the currency offline in a way that there is no possible way a security breach could gain access to the money. Mt. Gox claimed most of their bitcoins were in cold storage, and that turned out not to be true. Other bitcoin exchanges are now scrambling to offer proof to their users that their coins actually are in cold storage.
Offline storage of critical data is not a new concept, but the stakes for protecting digital information are higher than ever. If you assume that your network may eventually be compromised, and that an attacker may eventually gain access to even the servers you most need to protect, taking this final step may be the difference between a breach that is catastrophic and one that is manageable.
If Mt. Gox had been properly using cold storage, its $460 million loss might only have amounted to a $20 million loss and they would still be in business today.
So how might you better protect your own critical security assets by moving them to your own corporate cold storage? Look at the inventory of all the critical data within your organization. Does all of this data absolutely have to be on the network 24x7x365?
The most common example of good candidates for cold storage is encryption keys. If you are signing software and the signing keys are not in cold storage, why not? If you are encrypting backups and the decryption keys are not in cold storage, why not?
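The reason signing keys are such good cold-storage candidates is that the online side never needs the private key: it only needs the public key and the signature. The following Go program is an added illustration of that separation and is not code from the original post or from Tripwire. The type names (ColdSigner, OnlineVerifier, ReleaseFlow) and the sample artifact bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ColdSigner models the air-gapped side. It is the only place the private
// key ever exists; the online side receives just the public key and, per
// release, one signature.
type ColdSigner struct {
	priv ed25519.PrivateKey
}

// NewColdSigner generates the signing key on the offline machine.
func NewColdSigner() (*ColdSigner, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ColdSigner{priv: priv}, nil
}

// ExportPublicKey is the only key material that is allowed to leave cold storage.
func (c *ColdSigner) ExportPublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// SignDigest signs a SHA-256 digest of the artifact. Only the 32-byte digest
// has to be carried across the air gap, not the artifact itself.
func (c *ColdSigner) SignDigest(digest [32]byte) []byte {
	return ed25519.Sign(c.priv, digest[:])
}

// OnlineVerifier holds no secrets, so compromising the host that runs it
// does not let an attacker sign anything.
type OnlineVerifier struct {
	pub ed25519.PublicKey
}

// Digest computes the value that crosses the gap and that the verifier recomputes.
func Digest(artifact []byte) [32]byte {
	return sha256.Sum256(artifact)
}

// Verify recomputes the digest and checks the cold-side signature against it.
func (v OnlineVerifier) Verify(artifact, sig []byte) bool {
	d := Digest(artifact)
	return ed25519.Verify(v.pub, d[:], sig)
}

// ReleaseFlow runs one signing cycle end to end and reports whether the
// genuine artifact verifies and whether a tampered copy is rejected.
func ReleaseFlow(artifact []byte) (genuineOK bool, tamperedOK bool, err error) {
	cold, err := NewColdSigner()
	if err != nil {
		return false, false, err
	}
	sig := cold.SignDigest(Digest(artifact)) // happens offline
	online := OnlineVerifier{pub: cold.ExportPublicKey()}

	tampered := append(append([]byte{}, artifact...), 'x')
	return online.Verify(artifact, sig), online.Verify(tampered, sig), nil
}

func main() {
	// Constructed sample artifact standing in for a build output.
	artifact := []byte("release-1.2.3.tar.gz contents (constructed sample)")
	genuine, tampered, err := ReleaseFlow(artifact)
	if err != nil {
		panic(err)
	}
	d := Digest(artifact)
	fmt.Printf("artifact digest: %s\n", hex.EncodeToString(d[:]))
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", genuine, tampered)
}
```

The point to take from the structure is that the online verifier's host can be fully compromised without giving the attacker the ability to produce a valid signature; the worst they can do is fail to verify. That is the property cold storage buys you, and the same logic applies to backup encryption keys: encrypt with material that can live online, and keep what is needed to decrypt offline.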
It would be easy to stop there, but look deeper. The whole computer industry has been in a relentless pursuit to digitize everything, put everything online, give instant access to everything, and we have ended up more vulnerable than ever before. I have fallen into this same trap in my personal digital life.
Why did I have years of emails sitting in a cloud mail service? Why did I have passwords to all my online bank accounts sitting in a password manager whose own security I know very little about? Why did I have all my data from every computer I own aggregated on a single network-connected storage device, separated from the world by a consumer wireless router that my own security researchers keep finding holes in?
It is time I take a hard look at what really needs to stay online and what data can be moved into cold storage. Your company’s data deserves the same assessment.