matt

About matt

https://www.12feet.com

Posts by :

Magecart formjacking attacks

matt October 10, 2018 0 PCI breach, british airways breach, magecart, newegg breach, shopper approved breach, ticketmaster breach

The recent breaches at Ticketmaster, British Airways and Newegg that have been attributed to the hacking group Magecart have many e-commerce merchants taking a closer look at any potential exposure. And rightfully so.

Several blogs have well documented the details of the credit card compromise. However, there is still a lack of detail surrounding how the attackers are obtaining access to the environments modify the static JavaScript files. Clearly a huge area of missing information. In each reported case, it seems that the attackers would have obtained access to the file systems where the files were hosted, or some portion of the development and deployment pipeline in order to modify these files.

The inserted code that provided the compromise of credit card data leverages the logical structure of the Document Object Model (DOM) to be able to access and manipulate anything on the page. This includes the ability to send data to a malicious entity behind the scenes of a normally operating payment page as in the case of these Magecart breaches. This is also known as formjacking. With access to the DOM, many common security measures are effectively bypassed. This includes the embedding of iFrames and even the implementation of browser-based encryption in order to better secure payment data upon collection from the customer.

Once the attackers gain access to the source code they own any data that you are collecting from the user.

To make things more difficult, today’s common web pages are loading dozens of scripts from many different locations. This includes scripts loaded from internal systems as well as from third party providers. Any one of these scripts has the ability to manipulate data elements that are being collected from the customer.

I believe that this type of attack will continue to grow due to the number of possible vectors of infection a given page and the value of the customer data that is at risk. I also believe that this will eventually drive changes with the PCI council’s approach to e-commerce guidelines and requirements. Hopefully providing more emphasis on server-based controls and a much needed focus on securing the source code and development pipeline.

What can we do to help reduce the risk of these types of attacks?

Secure the source code pipeline: So much of our technology world these days is powered by code, this includes infrastructure changes, automation and of course our applications. The entire code pipeline should be a focus for security controls to ensure the integrity of the code from source, to build to deployment. Consider implementing hashing checks throughout this process and alerting when hashes do not match. This provides a mechanism to ensure that what was developed at least makes it to the intended destination

Secure the origin servers: Once our servers get the validated source code we should have a way to periodically check the code that is running to ensure that it hasn’t changed. This can be accomplished through various scripting methods, automation tools or open source tools such as OSQuery.

Implement Subresource Integrity checks: The use of Content Security Policies in conjunction with Subresource Integrity can ensure that files that your pages fetch from anywhere (third party, CDN or internally) have been delivered without any changes. This is accomplished by delivering signatures of the known-good scripts that the browser verifies prior to execution. Once again it is important to note that if the attacker has access to the origin source code – all of this behavior can be modified.

The added measures of knowing that the code you authored is what is running on your servers and having visibility when that changes can help to reduce the risk of these type of attacks for your organization. Leverage automation as much as possible to ensure these measures don’t have a negative impact on the efficiencies of deploying often.

Magecart Resources

PCI Security Council’s opposing views on scope reduction technologies

matt March 4, 2016 1 PCI, Uncategorized encryption, PCI, PCI Scope, tokenization

Many organizations seek ways to reduce the scope for PCI DSS. While there are many different methods of reducing scope, I want to focus specifically on tokenization and encryption of the primary account number (PAN).

For the intent of this post we will assume that the encryption and tokenization methods that are used meet the appropriate requirements to protect the PAN and that unauthorized attempts to reverse the token or encrypted value would be computationally infeasible. Additionally, I want to note that this post is not arguing the technical strengths or differences between tokenization and encryption, just to point out the council’s documented view on PCI DSS scope as it relates to the key and vault management aspect of these technologies.

Definitions

From the PCI Security Standards Glossary of Terms: Encryption is the process of converting information into an unintelligible form except to holders of a specific cryptographic key.

From the PCI DSS Tokenization Guidelines information supplement, tokenization is defined as a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value.

For both tokenization and encryption, the overall principal is that a valuable data is altered into non-valuable data through a given mechanism. For encryption, that mechanism is the encryption process and the keys. For tokenization, the mechanism is the tokenization process and the relationship between the token and PAN. Additionally, the process of de-tokenization and decryption are similar in that there is a process to provide my encrypted data or tokenized data to a mechanism in order to receive the PAN in return.

The tokenization guidance that is provided in the PCI DSS Tokenization Guidelines August 2011 notes that tokenization can be used as a method of reducing the scope of PCI in an organization. There are obviously many considerations for de-scoping using tokenization that are adequately covered in this document. But it is important to note that the document does not seem to link de-scoping with who manages the tokenization process, vault or tables.

The topic of de-scoping using encryption is covered by the PCI DSS FAQ article 2086 where it is noted that scope reduction can be achieved only if the merchant or service provider does not have access to the encryption keys.

If we follow this logic through to its conclusion, the council seems to be saying that tokenization can be used as a method for scope reduction without restriction to who manages the tokenization mechanism, but encryption can only be used if the merchant or service provider has no access to the keying mechanism.

Here we have nearly identical fundamental approaches to protecting data. Each deals with nonsensical data that can be exchanged for valid data through a particular mechanism. Depending on the details of the architecture, each has the capability of adequately securing cardholder data. However, it seems that the council has added additional rules around scope reduction using encryption vs. tokenization.

First of all, I do not believe that the council should be able to dictate the ability to de-scope based on a potential management issue. It is feasible to architect an effective key management while keeping clear segregation of duties within the same organization or entity. I do not think it should be the council’s place to prohibit a solution based upon the predetermination that an organization cannot maintain effective segregation of duties or other risk mitigation strategies. An enterprise encryption strategy isn’t acquired as an off-the shelf widget that I just plug in and turn on. There are many different potential elements that can make up a solution (one-time use, long term storage, tokenization hybrid, etc). It should be left up to the QSA to determine if the implemented solution meets the intent of the requirements.

But more importantly for the purposes of this discussion is the inconsistency of the view of two nearly identical fundamental approaches to protecting sensitive data and the accompanying keying systems. Why is the council’s position on these two scenarios different? I hope that the council will address this ambiguity in upcoming FAQ’s or supplemental documentation as the current information that is available is contradictory in nature.

Merge.io – January 2014 Release Notes

matt February 6, 2014 0 Changelog, Merge.io, Uncategorized

Added support for McAfee Vulnerability Manager / Foundstone

Merge.io now supports the direct import of the Foundstone/MVM Risk_Data.xml file. The Foundstone data is supplemented with additional vulnerability data from the National Vulnerability Database for use in the Merge.io platform.

Added National Vulnerability Database

nvd

The addition of 2million records of vulnerability data will help us to greatly enhance the vulnerability information that we have to correlate with customer’s data. See our blog post on the addition of the NVD to Merge.io.

Better charting and graphing support

We have changed our charting and graphics libraries to support better reporting and dashboard functionality.

Performance improvements

Added better caching in the import process to improve performance.

Reporting

We have added project based reporting. The project reporting outlines the risk of the vulnerabilities of the project, the current status of remediation and validation and the specific filtering rules that were applied to vulnerabilities to determine which vulnerabilities were remediated and which were not. The report is a PDF report that includes the following sections:

Project Summary
Vulnerability Summary
Vulnerability Validation
Risk Profile Filters

Merge.io now supports McAfee VM / Foundstone!

matt February 6, 2014 0 Uncategorized Foundstone, McAfee Vulnerability Manager, Merge.io, Vulnerability Management

This week we launched support for McAfee Vulnerability Manager (AKA Foundstone).

You can now leverage the remediation workflow, validation and custom filtering power of the Merge.io platform for your McAfee Vulnerability Manager / Foundstone scan data!

Adding Foundstone / MVM data to your Merge.io project allows you to sift through the volumes of vulnerabilities, automatically select the vulnerabilities that meet your policies (through our custom risk profiles) and track the vulnerabilities through to remediation and validation of closure. To import Foundstone / MVM data into Merge.io, simply export your scan results in XML format and upload the Risk_Data.xml file to your Merge.io Project.

Need to comply to PCI DSS requirements? Import your scan results and apply our built-in PCI Risk Profile. Only those vulnerabilities that are required to be fixed by PCI are added to your project.

Merge.io extends vulnerability data with the NVD

matt January 2, 2014 1 Merge.io, Uncategorized

In order to enrich the amount of data for vulnerabilities that are managed through the Merge.io platform, we have integrated a local copy of the National Vulnerability Database. The combined data set contains more than 2 million records with the resource and affected software categories and is updated on a daily basis from the NIST feeds.

With this data we have the ability to correlate imported vulnerabilities with the NVD to supplement and extend the vulnerability information that is managed by the product. This allows us to continue to build wider support for vulnerability scanning tools as well as provides additional, up-to-date information for the resolution of vulnerabilities.

Customized Risk Profiles with Merge.io

matt September 29, 2013 0 Merge.io, PCI, Uncategorized, Vulnerability Management

Converting mounds of vulnerability scan data into operational action is a challenge that many organizations have. One major part of that challenge is how to go about systematically boiling down the volumes of vulnerability data to get to the vulnerabilities that you need to fix.

This is especially crucial when dealing with internal scans of larger networks. Internal vulnerability scanning tends to be a tricky process due to the fact that in most cases there is very little access control that is implemented between the scan engine and the target systems. With little access control in place, the vulnerability scanners produce a lot of vulnerability data to analyze. The question still remains – how do you make the most sense of the volumes of data that is generated?

We begin with a policy and a process. Does you have established remediation thresholds for ranked vulnerabilities and has management signed off on it? If not, start your journey here. Build an organizational policy that establishes a base set of conditions that determine which vulnerabilities must be remediated vs. vulnerabilities that are acceptable in a given environment. As an example policy/process may state that you remediate (per the defined remediation thresholds) any vulnerability that meet the following criteria for internal scans:

CVSS score of 5.5 or greater
SQL injection
Cross site scripting

Since these are internal scans, there will be certain vulnerabilities that we will choose not to remediate. This could be due to environmental variables, compensating controls, etc. Examples of these may include:

Self signed certificates
Denial of service vulnerabilities

These are obviously just examples, but each organization generally has vulnerabilities they want to remediate and vulnerabilities that they don’t due to acceptable levels of risk. So how do you apply this logic in an automated fashion to our vulnerability data? The reality is that most companies that I deal with are still using Excel (the duct tape and bailing wire of the business world) to accomplish this. And even with the use of spreadsheets, the process is highly manual.

This is where Merge.io can help out. With Merge.io you can create custom risk profiles that can determine which vulnerabilities from the imported data sets to remediate and which to exclude for acceptance. Just create the profile using the risk profile builder and apply it to a scan import. All of the vulnerabilities that match your include criteria will be added to the Merge.io workflow system. And the vulnerabilities that match the exclude filter will be excluded from workflow tracking.

Risk profile filters can be built that examine vulnerability CVSS score, Risk rating, title description, port, service, operating system and more.

These filters are available for use with any scan imported into Merge.io. They can be built to match your internal remediation standards and they can be added to over time as the organization changes. This provides an automated, repeatable approach to managing the volume of data that vulnerability scans can create.

Merge.io has a built-in filter for PCI that matches the requirements laid out by the PCI ASV Program Guide Version 2.0. Additional compliance filters are coming soon!

Be sure to check out Automated Scan Validations with Merge.io.

Automatic Scan Validations with Merge.io

matt July 9, 2013 1 Merge.io, PCI, Uncategorized, Vulnerability Management

PCI requirement 11.2 requires merchants and service providers to conduct internal and external vulnerability scanning on their infrastructures. The requirements further state that the scanning activities should be repeated until clean scans are achieved.

The devil is indeed in the details when it comes to operationalizing what seems to be a simple concept. Companies struggle with how to effectively achieve clean-scans when they are scanning many different assets running on multiple platforms that have different patching cycles.

Many companies create manual file comparisons using spreadsheets to compare scan files quarter over quarter. This manual comparison process can be come exceedingly complex and time consuming.

In order to stop the vulnerability management “whack-a-mole” we have incorporated an automatic validations feature into the Merge.io platform. This validation process allows you automatically compare scan data against closed vulnerabilities to prove that the vulnerabilities have been remediated on the target systems.

Once a project is created and baseline scan data has been imported, the Merge.io platform provides a mechanism to allow continuous validation scan data to be imported into that project. For each validation scan file that is imported, Merge.io analyzes the data in the scan file, specifically looking for vulnerabilities that are in the “Closed-Approved” state on the Merge.io platform. If the vulnerability is not present in the validation scan file, then Merge.io marks the vulnerability as “Validated” noting the uploaded scan file that it compared. If the vulnerability still persists in the validation scan file, then Merge.io re-opens the vulnerability and assigns it back to the engineer who closed the vulnerability.

This closed-loop approach to vulnerability lifecycle management allows organizations to not only track the vulnerability state all the way through the vulnerability management process. But have assurance that each vulnerability has been proven not to persist.

Merge.io will be ready soon – feel free to contact us at info@merge.io for more information. Or sign up to be notified when it is released.

Attestation Aggravation?

matt December 20, 2012 0 PCI, Uncategorized, Vulnerability Management

With the introduction of the ASV changes on September 1, 2010 ASV’s were to begin providing merchants with an Attestation of scan Compliance. The details of the attestation are documented in the ASV Program Guide v1.0, which was released in March of 2010.

The introduction of the attestation was intended to bring a reduction in errors with a more formal process of engagement between the merchant and ASV.

But exactly what is the ASV attesting to?
The ASV Program Guide version 1.2 requires that the ASV provide the merchant or service provider an Attestation of Scan Compliance attesting that the scan results meet PCI DSS Requirement 11.2 and the PCI DSS ASV Program Guide.

That’s not how I read it…
There seems to be some inconsistencies amongst ASV’s as to what exactly they are attesting to as a part of the required ASV Attestation of Scan Compliance. In working with different ASV’s over the past years I have come across three different methodologies on what an ASV is attesting to:

There should be NO vulnerabilities on a given host at the time of attestation
All identified vulnerabilities have been addressed within 30 days of when they were identified
All identified vulnerabilities must have been addressed within 90 days of when they were identified

As an example, Qualys (who supplies their scan tool to a large portion of the ASV industry) has implemented a rule within their platform that fails a given host if that host has not been scanned within the last thirty days. This helps them to support their methodology of attestations – vulnerabilities should be addressed within 30 days of when they were identified.

The differences in these methodologies have a huge impact on organizations with a large ASV scanning scope. It is very difficult for an organization of size, running many different operating systems with different patch/release/test cycles to achieve an attestation under these types of attestation requirements.

This is not necessarily an issue with patch timing, it’s an issue with the alignment of different patch cycles and how that is reflected on a particular scan. Let’s take an example – an ASV scan scope of 100 system components contains the following platforms:

Microsoft Windows
Redhat Linux
Cisco IOS
Juniper OS
HPUX
F5 Networks

This is a very plausible group of devices for an average enterprise. This group has 6 different platforms with 6 different patching release cycles. In order to meet the Qualys attestation requirements this pool of 100 system components would have to be scanned every 30 days and reflect a “clean scan” with overlapping patch cycles somewhere within a quarterly cycle.

This approach also presents some inconsistencies with the requirements of DSS Requirement 6.1, which as an example, allows a risk based approach to prioritize less critical security patches for implementation beyond 30 days.

Where’s the sweet spot?
The ASV scanning element of the PCI requirements should be a validation that the merchant or service provider has a working program in place for patch and configuration management by providing proof that vulnerabilities are being addressed in accordance with PCI DSS 6.1 and 11.2. While the stricter attestation requirements by some ASV’s provide a reduction in risk for the ASV, it can also provide operational hurdles for larger organizations.

At this point in time, PCI DSS 11.2 provides no further clarification other than clean scans are required on a quarterly basis. If the merchant can prove to the ASV that vulnerabilities that were identified have been resolved within a 90-day period, I believe that this meets what is currently documented in 11.2.

Establishing the time that vulnerabilities must be remediated by should be based on risk to the organization while meeting the minimum guides of compliance requirements. It should be up to the merchant or service provider to establish these time frames according to their business risk. Unfortunately in some circumstances, this timing is being established based on risk to the ASV and what they will attest to, not risk to the merchant and their operating environment.

Hopefully the highly anticipated next version of the PCI Program Guide will bring some much needed clarification in this space.

Segmentation Fault

matt November 2, 2012 1 PCI, Uncategorized

6365622111_4f08857c0f_b — Fence by popartichoke

The subject of segmentation is and probably always will be a hot topic in the world of PCI. Effective segmentation is the primary subject of conversations as organizations struggle to reduce the scope and the subsequent financial impact of achieving and sustaining PCI compliance. Due to the massive amount of implementation possibilities, it would be very difficult for the PCI SSC to take a specific stance and define what actually constitutes “effective segmentation.”

So this leaves us with every QSA’s and merchants favorite PCI SSC chant. “It’s up to the QSA.”

One big area of the segmentation discussion surrounds the use of VLAN’s as a part of segmenting the CHD. Dr. W. David Sincoskie and Chase Cotton created and refined the algorithms that eventually became VLAN’s and published their work in the 1988 IEEE Network (http://en.wikipedia.org/wiki/Virtual_LAN). Since then, VLAN’s have become a major part of most networking environments today. However, VLAN’s have been getting a bad rap from the security population in recent years.

The PCI Wireless Guideline information supplement that was published in July of 2009 states:

“Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place."

Relying on VLAN based segmentation is not sufficient? Does this suggest that the only method of proper segmentation would air gapping? Which is to say that each network must completely stand on its own, never traversing a common infrastructure. This common infrastructure would include firewalls, switches and routers.

This approach is not feasible in an enterprise environment, nor do I believe is really the intent of this writing, although I’m at a loss as to how they would suggest that you segment if you are not to use VLAN’s at all.

The issue with segmentation is not with the use of VLAN’s for segmentation. The real concern is with how data is managed that traverses one or more VLAN’s. The devices, technologies and processes that are used to regulate, manage and inspect data that flows from a VLAN of one security level to another should be the focus of concern.

Are access lists ok? What about firewalls? How about Deep Packet Inspection?

Access lists are a common way of managing data flow between VLAN’s. Access lists can be applied to routers, firewalls and switches. If a standard access list is used to manage traffic, the access must be defined for both ingress and egress. An access list entry must be added to allow traffic to exit a VLAN and another access list is needed to allow the traffic to re-enter the VLAN. These access lists create open persistent “holes” for the traffic to pass through

The security concern with this approach is that defined “open” access might have to be used to allow traffic from a level of lower security to a level of higher security creating a possible attack vector or path to enter the area of higher security.

Reflexive access lists (also known as IP session filtering ACL’s) are designed to alleviate this problem by monitoring the connection state and only allowing return traffic for established sessions. For example, if traffic is exiting VLAN1, destined for VLAN2, the RACL notes the destination address and port and will only allow return traffic from that destination and destined for the defined port. This prevents the need to add an access list for return traffic. In-turn reducing the exposure of the open ports when not needed. It is important to note that RACL’s only provide full session awareness for TCP. With other protocols RACL’s use timeouts to remove idle sessions.

A firewall adds an additional level of security to reflexive access lists by providing full session state monitoring for all protocols as well as deep packet inspection capabilities. Deep packet inspection takes a further look into the payload of the traffic that is passing through the firewall in order to inspect the content contained within the TCP encapsulation.

PCI DSS requirement 1.2.3 states:

Install perimeter firewalls between  1.2.3 any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

VLAN security has come a long way since the introduction of VLAN hopping or double tagging in 2000. Vendors have increased the level of security features in the switches and routers as well as provided more detailed implementation and configuration instructions. In virtually every case, proper configuration of the networking environment reduces the risk of these vulnerabilities.

VLAN’s are an essential part of managing enterprise networking environments. While the most secure network architecture will be a complete air-gapped environment, chances of you coming across one outside of your local donut shop isn’t very high. Don’t be afraid to roll your sleeves up and get your hands dirty with the details. Grab your QSA and pull them into the ditch with you and force them to think.

How do you think I learned?

Establishing meaningful cryptoperiods

matt March 15, 2012 0 PCI, Uncategorized

For those of you who play along on a daily basis, PCI DSS 2.0 has brought many clarifications and a few changes that merchants and service providers must contend with. And while we don’t see the “relaxing” of requirements very often in PCI, version 2.0 brought a much-needed relaxation in Requirement 3.6.4.

DSS versions prior to 2.0 required a minimum key rotation period of 1 year. So if you had 1 or 100 million records encrypted, you were required by the standard to rotate the key on an annual basis. Version 2.0 requires that you change the keys once they have reached the end of their defined cryptoperiod. And the establishment of this cryptoperiod should be based on industry best practices and cites the NIST Special Publication 800-57.

NIST SP-80057 notes many different factors that should be considered when establishing an appropriate cryptoperiod. Some of these factors may include:

Volume of information encrypted
Strength of the cryptographic mechanisms
Retention period of the data
Security function (data encrypting, key encrypting)
Number copies of a key
Overall architecture or design of the cryptographic solutions in production

In general, as the sensitivity of the data that is being protected by the cryptography increases, the length of the associated cryptoperiod should decrease.

Cryptoperiod: The timespan for which a cryptographic key is authorized for use.

PCI DSS Requirement 3.6.5 notes that cryptographic keys can be “archived” for decryption purposes. This is a very vague, yet important statement. There has never been any clear position taken by the PCI Security Standards Council that specifically states that data re-encryption is required as a part of a key changing process. When merchants or service providers go through a key rotation process they rotate the encrypting key and begin encrypting and decrypting any new data with the new keys. While moving forward they are encrypting with a new key, but any existing data that is required by the business to be accessed must be decrypted with the old key. Unless all of the data is re-encrypted or otherwise protected, the old key must always be available for decryption as long as there is a business need to access the data up to the end of the retention period for the protected data.

Lets take an example. Say a merchant establishes a two year key rotation cycle for their keys based on risk indicators that are outlined in the NIST special publication. They use key 1 (K₁) to encrypt data for two years. At the end of the second year, they rotate keys to key 2 (K₂). However, as long as there is data that is encrypted with k_1,the key cannot be destroyed. K₁ will have to remain active until there is no longer a business need for the decryption of the data that was encrypted using K₁.

Does this mean that merchants and service providers can continue to rotate encryption keys and never address the topic of legacy keys that are readily available to decrypt legacy data? Let’s look further into that topic…

Key States

There are six different key states that are defined in the NIST SP 800-57 documentation. From pre-activation to compromised and beyond, however, for this post I would like to focus in on three specific key states:

Active Key State: The key may be used to cryptographically protect information or to cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature) or both.

Deactivated Key State: A key whose cryptoperiod has expired but is still needed to perform cryptographic processing is deactivated until it is destroyed. A deactivated key is not used to apply cryptographic protection to information, but in some cases it may be used to process cryptographically protected information. When a key in the deactivated state is no longer required for processing cryptographically protected information, the key is destroyed.

Destroyed Key State: Pretty much self-explanatory.

Table 1: Lifespan of a key

In the above table, we have a current cryptographic process that encrypts data for 2 years. The table indicates that that there is a 9 year data retention policy. Data is encrypted with a specific key for 2 years and then retained for an additional 7 years. As long as there is an immediate need to have access to that data, then the decryption key must still be retained in order to access the encrypted data.

Only when the retained data is no longer needed can we no longer require the decryption key. The true end of a cryptoperiod is not reached until the decryption key can effectively be destroyed.

The NIST special publication 800-57 supplies recommended cryptoperiods for different key types. Cryptoperiods will vary for each organization based upon many different elements that make up the overall risk of the keys and the protected data. But as an example, the document points out that the cryptoperiod is 2 or less years for a symmetric data encrypting and 3 or less years for the data decrypting key. That’s a total cryptoperiod of 3 years. Compare that with our above example of protecting data with a 9 year retention. Something’s got to give!

Data that is required to be maintained longer than the defined cryptoperiod of the keys should be protected with a key that has a new/valid cryptoperiod. That protection could vary depending on the architecture, but could come in the form of re-encryption of all of the data, or the rotation of key encrypting keys for example.

Although the PCI DSS does not require a data re-encryption process for legacy data, I highly recommend that organizations provide the appropriate due diligence in establishing appropriate cryptoperiods. Ensure that your cryptoperiods are in-line with your data retention policies. If you need to retain protected data longer than your cryptoperiod then you should establish a process to protect the retained data with new keys with fresh cryptoperiods. Mileage will vary for different organizations on the most efficient and secure way that you can accomplish this. But as usual, these roads continue to lead us back to the question we should all ask more frequently….”do we really need to keep this data?”

1 2