Protecting Data in Use

What is Data in Use? Use it or lose it.

As the adage goes, you have to use your data correctly with the appropriate encryption protections, or you risk losing the data you’ve worked so hard to gather. To deal with this challenge, let’s start with the basics. Information that is currently being used in a system is known as Data in Use. It could be data stored in RAM, swap space, buffers, or registers. To learn more about protecting this temporarily stored data, let’s return to the network scenario we introduced in our Data in Motion blog and our Data at Rest blog.

Security camera network

Our example company has implemented a security camera network to help monitor a restricted portion of their property. Video feeds are stored on onsite computers. All the camera footage is also stored in a database on an off-site server, and users can view the logged footage remotely using an authorized computer on the network.

Our final area of focus for our example security camera network is Data in Use. This temporarily stored data doesn’t have the vulnerability of being accessible outside the system like Data in Motion. Nor does it have the vulnerability of permanence like Data at Rest. So why does it need to be protected? Data in Use is important because it’s the information your system is currently using. Running applications require storing configuration information and/or information to allow program execution. When an attacker alters the configurations or information that an application depends on, it can have serious consequences on the behavior and security of the system.

Why do attackers target Data in Use? Because its useful data.

Vulnerabilities:

Other programs on the system
Social engineering
Successful attacks can be hard to detect

Goals of attackers:

Altering configuration information
Obtaining sensitive information such as keys/credentials
Bypassing authentication
Holding systems for ransom

How do I protect Data in Use? Be vigilant at every step.

In our example, Data in Use is the data being used in the server database, control PC, remote PC, and security cameras. It’s important to keep in mind that an attacker normally has to have access to the system in one way or another — whether it is direct physical access or through installing malicious software via phishing or other means. The best protection for Data in Use is ensuring attackers don’t have access to your system and keeping security best practices in mind while using your system to avoid the installation of malware.

Social engineering: email or text message manipulation.

Attackers often use social engineering tactics because it is easier to exploit the inclination to trust other people than it is to hack software. For example, it takes much less time to send an email to trick someone into giving you their password than the effort you might spend trying to hack a password. So, when you get an email from somebody you don’t recognize, examine it carefully before you proceed. Be suspicious of emails that claim you must click, call, or open an attachment immediately. If an email or text message looks like a scam, it probably is.

Code injection: digital misdirection.

Code injection attacks are when an attacker changes a program’s execution code to do something different. This alteration of the program’s behavior may allow the attacker to skip portions of the program (such as authentication steps), or even jump into another program’s memory. A basic example of this is a buffer overflow, where an attacker can overwrite memory by entering a larger value than expected into an input field. In our security system example, an attacker that is able to inject code into the server database could lock up the application that is logging the camera feeds, preventing the information from being stored. To protect against code injection, we recommend you use memory enclaves as a form of user authentication. You should perform thorough testing during software development and use hashing algorithms to verify the contents of your memory enclaves.

Privilege escalation: hey, you shouldn’t be here!

A privilege escalation attack uses an existing vulnerability in a program to grant elevated privileges to a user, or to grant access to information reserved for other programs/users. A well-known example of this is jailbreaking, where a system’s normal limitations on what a user can do are circumvented. Privilege escalation allows an attacker to run programs or access information of another program when they normally couldn’t. In our example, a privilege escalation attack on the control PC could allow an attacker to have administrative permissions, allowing them to turn off camera feeds or disable security notifications while bypassing user authentication. Memory encryption, the principle of least privilege, and keeping software up to date are ways of mitigating privilege escalation attacks.

Physical attacks: playing it cool.

An example of a physical attack would be a cold boot attack. In such an attack, the attacker freezes a system’s RAM modules to preserve their contents longer, then reboots it using their own operating system. The goal of such an attack is to dump the memory contents, effectively turning it into Data at Rest where it can be analyzed for valuable information such as encryption keys. In our example, a successful cold boot attack on the remote PC could result in an attacker gaining information they need to pose as a legitimate remote PC on another system (spoofing), granting them access to the server/database while bypassing user authentication. System configuration checks, memory encryption, and tamper evidence/response are all options for protecting against physical attacks.

Don’t get used.

When you use the proper security measures in your computer systems, you can prevent your data from being targeted or used maliciously. This may be our final installment in our series of blogs covering an Introduction to Secure Data, but data security doesn’t stop here. Just as attackers will always look for new ways to attack your systems, data security is an ongoing effort that requires constant diligence. That’s why Crystal Group continually helps customers in rugged applications protect their hardware, components and data from security attacks.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_H1FF8RS08T	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_1180346_2	1 minute	Set by Google to distinguish users.
_gat_UA-1180346-2	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
uid	5 months 27 days	This is a Google UserID cookie that tracks users across various website segments.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
lpv141931	30 minutes	No description
visitor_id141931	10 years	No description
visitor_id141931-hash	10 years	No description

How We Work

Who We Serve

Who We Are

News & Events

What is Data in Use? Use it or lose it.

Why do attackers target Data in Use? Because its useful data.

How do I protect Data in Use? Be vigilant at every step.

Don’t get used.

Contact Us

Subscribe