Full Disk Encryption

As you may or may not know, I am gainfully employed by the Federal Government in the area of Information Security. Recently the Bush Administration responded to media hype by issuing a Federal mandate requiring that all government-owned laptops use encryption technology to protect their data.

There are two interpretations of this memo.

  • Encrypt the ENTIRE disk.
  • Encrypt just the files containing the data.

So, what's a lowly security administrator to do?! Choices are bad! Obviously you encrypt the entire disk! Right?! No? Why not?

Well, recently concern has been growing in the media over "Personally Identifiable Information" being recovered from stolen laptops. Sadly, they've missed the point. Most identity theft is perpetrated through malware, with a smaller number of cases coming from physical security breaches, and those mostly involve server-side hardware like backup tapes, hard drives, and entire computers. OMB and the Presidential mandate don't deal with any of these issues, so their mandates can be viewed as little more than knee-jerk reactions to news coverage of the stolen VA laptop.

Essentially, the media is now dictating Federal IT security policy. This is what happens when governing bodies like OMB don't rationally evaluate threats or understand the technical side of IT security. It takes maybe ten minutes of searching through the archives at Emergent Chaos to realize that most breaches are the result of software break-ins. That's not going to stop the Federal Government from shelling out millions, possibly billions, to address the threat of data being stolen from a laptop that is shut down.

I don't know about you, but the last time my laptop was shut down was, well... that one time it ran out of battery and I was miles away from a power adapter. Otherwise my PowerBook just gets folded up and goes to sleep. Full disk encryption is unlocked at BOOT: the key is loaded into memory once, the disk is decrypted transparently from then on, and a laptop that is merely asleep keeps that key in RAM. So, since I've already booted, my entire drive is already unlocked, and I gain nothing unless the battery dies.

"Full Disk Encryption" is also a pretty intimidating mouthful for most computer users. The uninitiated, and some who think they're initiated, sporting CISSPs, would be lulled into thinking "HEY! My WHOLE disk is encrypted! I'm secure!!!!!!!!!" Unfortunately, it does nothing to protect your data from the software threats that are far more common. The disk is unlocked at boot, and from then on every program reads and writes it without even knowing it's encrypted; the encryption only gets in the way of someone who has the drive but not the running operating system. So all the viruses and malware you've accumulated surfing the net for discount shopping and myspace.com updates on IE can read ALL the data on your drive.

You haven't secured anything against the most common threat; you have, however, added another layer of complexity to the user's experience.

So what is the solution? First, it's time to start investigating new methods for virus detection. The Big 3 vendors (Symantec, McAfee, and Trend Micro) have miss rates of 80% because virus authors test their viruses against those products before releasing them. Closing this hole in the organization would eliminate 80% of the threat of identity theft.

Horrible programming practices are usually to blame for the targeted attacks that have leaked information in the past. Managers should be encouraged to hire talented programmers and work with them to create an atmosphere of cooperation. Programmers should be involved in the design process and given the right to question or veto their managers' decisions. Source control should be in place and its use encouraged. Peer review should be built into the development process: the more eyes on the code, the more likely something will be caught. The organization should adopt best practices based on recommendations from the development team, and those best practices should get the same peer review the code base gets.

This sounds like a lot of work, and it is. It will also only fix about 1% of the identity theft problem. It will, however, raise the quality of the code, and therefore of the product. It may introduce some overhead at first, but that overhead pays for itself and proves more cost effective as the products developed more accurately reflect what customers want.

If you have people with sensitive data on laptops or other portable media, you're going to need to deploy some form of encrypted storage. Personally, I think the encryption schemes built into Mac OS X and Windows XP should suffice for most intents and purposes. Even OMB could have saved some money by leveraging these had they paid attention to their own rules. Apple and Microsoft are both in the process of attaining the coveted FIPS 140-2 validation that is required for products employing encryption of federal data. The Apple and Microsoft solutions have no added cost, as they're already installed on all the Apple and Microsoft laptops in production.

Folders with sensitive data should be encrypted in such a manner that there is an inactivity timeout, so the files are decrypted only when required and locked again once the user stops working with them. Apple's Disk Utility lets a user create an encrypted disk image that mounts like a regular DMG. I've been told that Windows XP has a similar utility. There are also free products like TrueCrypt that keep the encrypted volume in an ordinary container file, which can be given any name and extension and can conceal a second, hidden volume inside it. For most people, the built-in encryption tools should be sufficient.
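To make the difference between the two approaches concrete, here is an added example (not part of the original post, and not Disk Utility's or TrueCrypt's code) of the file-level scheme just described: a small Go program, standard library only, that derives a key from a passphrase, encrypts and authenticates a record with AES-256-GCM, and wipes the key from memory after an inactivity timeout. That wiping is the point of contrast with full disk encryption, whose key stays in RAM from boot until shutdown. The Vault type, its methods, the passphrase, the salt and the record are all constructed for this illustration; a real container would store its salt and a random per-container nonce policy in a header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// ErrLocked is returned before Unlock and after the inactivity timeout has passed.
var ErrLocked = errors.New("vault locked: passphrase required")

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 for one 32-byte output block
// (all this example needs), written out so only the standard library is required.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) [32]byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	var key [32]byte
	copy(key[:], u)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// Vault (hypothetical name) keeps the data key in memory only while the user is
// active; full disk encryption keeps its key in RAM from boot to shutdown.
type Vault struct {
	key     []byte // nil while locked
	idle    time.Duration
	lastUse time.Time
	now     func() time.Time // injectable clock so the timeout can be simulated
}

// Unlock derives the key; a real container would store the salt in its header.
func (v *Vault) Unlock(passphrase, salt []byte) {
	k := pbkdf2SHA256(passphrase, salt, 100000)
	v.key = k[:]
	v.lastUse = v.now()
}

// aead enforces the inactivity timeout, wiping the key once it has expired.
func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil || v.now().Sub(v.lastUse) > v.idle {
		for i := range v.key {
			v.key[i] = 0 // idle too long: zero the key before dropping it
		}
		v.key = nil
		return nil, ErrLocked
	}
	v.lastUse = v.now()
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one record with AES-256-GCM, nonce prepended.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record from Seal; a wrong passphrase or any tampering fails.
func (v *Vault) Open(blob []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	clock := time.Now()
	v := &Vault{idle: 5 * time.Minute, now: func() time.Time { return clock }}
	v.Unlock([]byte("correct horse battery staple"), []byte("constructed-salt")) // constructed inputs
	blob, _ := v.Seal([]byte("name=Jane Doe,ssn=000-00-0000"))                   // constructed PII record
	plain, _ := v.Open(blob)
	clock = clock.Add(6 * time.Minute) // the user walks away past the idle limit
	_, err := v.Open(blob)
	fmt.Printf("while active: %q; after idle timeout: %v\n", plain, err)
}
```

Note what the timeout buys and what it does not: malware running while the vault is open can still read whatever the user decrypts, exactly as with a mounted DMG, but once the user walks away the key is gone and the container is as opaque as a powered-off FDE drive. The clock is injected only so the timeout can be exercised without waiting; in a real tool you would use time.Now directly.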

Users need to be trained to use the built-in features. That's where the money should go. A simple PowerPoint presentation would satisfy most users. I'd recommend that people who routinely work with sensitive data be instructed in the proper ways to store that data on their local machines. You can pretend it won't happen by making it a policy violation, but policy is a horrible thing to hinge your IT security infrastructure on.

Don't be sucked into the hype. Think about things rationally and don't issue mandates that affect every government organization without first figuring out whether there's a real threat. Realize that in my organization we have over 300 users with laptops, and in two years we've had zero lost or stolen laptops.
