
Disk Encryption. Aaron Howard IT Security Office


Academic year: 2021


(1)

Disk Encryption

Aaron Howard IT Security Office

(2)

Types of Disk Encryption?

• Folder Encryption

• Volume or Full Disk Encryption

– OS / Boot Volume

– Data Volume

• Managed or Unmanaged

– Key Backup and Data Assurance

(3)

How Does Disk Encryption Help?

• Useful when Physical Security Fails

– Stolen Laptop

• Protects Data from Public Disclosure

– Not a replacement for permissions

• Does Encryption Protect from Malware?

(4)

Recommendation for Laptops

• Mobile Device Physical Security

– Secured when not in use

– Implement Screen Saver Passwords

• Mobile Devices should not contain Level 3 Highly Sensitive Data

– e.g. CC #s, SSNs, Medical Records

– Data Classification Guide

(5)

Level 3 Highly Sensitive Data Stored on Laptops

Must be Encrypted

(6)

Encryption Challenges

• Business Continuity

• Encryption Key Management

• Passwords

• Backups & Restores

• Additional Complexity

• False sense of security

(7)

Strategy for Deployment

• Identify Sensitive Data

– Cornell Spider

• Is sensitive data required?

– Can data be moved to a server?

• Only encrypt when sensitive data is required

(8)

What’s Being Done?

• Upgrading Existing AD Integrated PKI

– Offline Root CA

– Adding support for EFS

• Planning EFS Pilot

– Develop Support Documentation

• FDE Product Evaluation

(9)

Which Technology to Use?

• Migrate Laptops to Vista

– Use Bitlocker for long term solution

• When EFS Infrastructure is ready

– Enable EFS on Legacy hardware

• Use AD & PKI for Key Management

• PGP interim solution

(10)

Encrypting File System

• Included in Windows 2000+

• NTFS + Encryption Module

• Transparent Encryption

• Uses Public Keys - PKI

• Managed with AD & Group Policy

(11)

EFS Data Recovery

• Multiple ways to Recover Data

• Key Recovery Agents

– Key Backup / Escrow

• Data Recovery Agent

– Allowed to Decrypt Only

(12)

Key Recovery

• 2003 Enterprise CA

– Creates backup key automatically

• Key Recovery – Separation of Duties

– CA Admin extracts encrypted key

– Key Recovery Agent(s) decrypts key

– Key Escrow

(13)

EFS Best Practices

• Use EFS with domain accounts

• Assign Data Recovery Agent

• Backup EFS Keys

• Encrypt folders instead of files

• Disable swap file and hibernation

(14)

EFS Warnings

• XP Local account password reset

– Causes loss of encryption keys

– Change password back

– Use Data Recovery Agent to recover

• XP does not have a Default DRA

(15)

EFS Vulnerabilities

• Windows 2000

– Local Admin default DRA

– Local Admin can access EFS data

• Original Clear text files are not wiped

– Create files in encrypted folder

– Use secure erase or cipher to wipe

• Won’t encrypt swap or hibernation file

(16)

What EFS Doesn’t Do

• Doesn’t encrypt across network

– FTP, CIFS, SMB (Network Shares)

– WEBDAV is encrypted

• EFS is enabled on specific folders

– Accidents happen

– Sensitive data could be made public

(17)

Manual Key Backup

• Backup keys before encrypting

• Certificate Manager MMC

– Right click key -- Export

• Cipher.exe

• Keep backup keys offline

• Store keys in secure location

(18)

EFS Setup

• Disable EFS when not in Use

– Curious users may enable EFS

– Data could be lost

• Configure EFS individually

– Configure Data Recovery Agent

– Backup encryption keys

– Encrypt data and temporary folders

(19)

Which Folders to Encrypt?

• My Documents and all subfolders

• All Folders with Sensitive Data

• Temporary folders

– Found in Environment Variables

– Use set command
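
An added example, not part of the original slides: a PowerShell audit of the folders listed above that reports whether each is marked for EFS and how many files under it are still stored unencrypted. The remediation commands in the closing comments use cipher.exe switches; `<folder>` and `<drive>` are placeholders.

```powershell
# Added example: audit the folders named on the slide for EFS coverage.
# Run as the user whose profile is being checked.
$targets = @(
    [Environment]::GetFolderPath('MyDocuments'),   # My Documents
    $env:TEMP,                                     # the values `set` displays
    $env:TMP
) | Where-Object { $_ } | Sort-Object -Unique

$encrypted = [IO.FileAttributes]::Encrypted

$report = foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $folder = Get-Item -LiteralPath $dir -Force

    # Files in the tree that lack the Encrypted attribute, for example files
    # created before the folder was marked for encryption.
    $plain = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and -not ($_.Attributes -band $encrypted) })

    [pscustomobject]@{
        Folder          = $dir
        FolderEncrypted = [bool]($folder.Attributes -band $encrypted)
        PlaintextFiles  = $plain.Count
    }
}
$report | Format-Table -AutoSize

# Remediation, in the order the slides give (back up keys before encrypting):
#   cipher.exe /x                  # export the EFS certificate and key to a .pfx
#   cipher.exe /e "/s:<folder>"    # encrypt the folder and everything under it
#   cipher.exe /w:<drive>:\        # overwrite free space left by cleartext originals
```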

(20)

EFS Data is Protected by a Password

• EFS is as weak as your password

– Use at least 15 character complex pw

• Require authentication after hibernation or screen saver

• Enable Syskey for Windows 2000 or when using local accounts

(21)

Encrypting for multiple Users XP & 2003 only

• EFS files can be shared

– Add additional users to specific files

– Managed via file properties

• Cumbersome to manage

– Can’t add groups or share folders

• Try sharing encrypted ZIP files

(22)

FDE

Full Disk Encryption

(23)

Full Disk Encryption

• All data is encrypted

– Including Swap & Hibernation files

– Better protection for stolen laptops

• Separate pre-boot authentication

• Disk “unlocked” at boot

– Still requires password after screensaver, sleep and hibernation

(24)

FDE Product Evaluation Ongoing

• PGP Enterprise

• Pointsec

• Winmagic SecureDoc

• Guardian Edge

• Compusec

• Bitlocker and others

(25)

OS Specific Encryption

• Most are windows only

• Bitlocker – Vista Only

• Linux – Open Source or Pointsec

• OS X – FileVault or PGP

– Data Volumes or virtual disks

(26)

Hardware Disk Encryption

• Seagate and others have disks with encryption built-in

• Is it enterprise ready?

– Management tools are in development

– Can we make key backups?

– How will encryption keys be protected?

(27)

MS Bitlocker

FDE Built into Vista Enterprise

• Managed via group policy

• Scriptable with WMI

• AD key backup

• Great pre-boot authentication

• Supported by MS

(28)

Bitlocker

Pre-Boot Authentication

• Trusted Platform Module

• TPM Based Modes

– TPM only

– TPM + PIN

– TPM + USB Key

• USB Key Only Mode
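
An added example, not part of the original slides: the WMI scripting interface mentioned on the previous slide, used to report each volume's encryption state and which of the key protector modes above are configured. It assumes Windows PowerShell running elevated on a system with BitLocker installed, and uses the Win32_EncryptableVolume class.

```powershell
# Added example: per-volume BitLocker report through WMI.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values accepted by Win32_EncryptableVolume.GetKeyProtectors
$protectors = @{
    1 = 'TPM only'
    2 = 'External (USB) key'
    3 = 'Recovery password'
    4 = 'TPM + PIN'
    5 = 'TPM + USB key'
}
# ConversionStatus values returned by GetConversionStatus, indexed 0..5
$conversion = 'Fully decrypted', 'Fully encrypted', 'Encrypting',
              'Decrypting', 'Encryption paused', 'Decryption paused'

Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
    $vol = $_

    # Ask for each protector type in turn; a non-empty ID list means it is present.
    $present = @($protectors.Keys | Sort-Object | Where-Object {
        $vol.GetKeyProtectors($_).VolumeKeyProtectorID
    })

    $status = [int]$vol.GetConversionStatus().ConversionStatus
    $notes  = @()
    if ($status -eq 0) {
        $notes += 'not encrypted'
    } else {
        if ($vol.GetProtectionStatus().ProtectionStatus -ne 1) {
            $notes += 'protection is off or the volume is locked'
        }
        if ($present -notcontains 3) { $notes += 'no recovery password protector' }
        if ($present -contains 1)    { $notes += 'TPM only: no PIN or USB key needed at boot' }
    }

    [pscustomobject]@{
        Drive      = $vol.DriveLetter
        Conversion = $conversion[$status]
        Protectors = ($present | ForEach-Object { $protectors[$_] }) -join ', '
        Notes      = $notes -join '; '
    }
} | Format-Table -AutoSize -Wrap
```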

(29)

USB Key Only

(30)

Bitlocker Disk Configuration

• Two NTFS drive partitions

– one for bitlocker

– one for the operating system volume

• Bitlocker partition must be at least 1.5 GB

(31)

Bitlocker Hardware Requirements

• TPM chip, version 1.2

– Or USB key attached to user

• Trusted Computing Group (TCG) compliant BIOS

• Minimum requirements for Vista

(32)

How To Configure Bitlocker

• Bitlocker installation guide on Technet

• Partition drives before installing Vista

• Initialize TPM – TPM MMC

• Enable Bitlocker – Control Panel

• Create recovery password

(33)

Bitlocker AD Integration

• Backup recovery key in AD

– Disable encryption until key is stored

• Initialize TPM

– Backup TPM password or key in AD

• Select encryption strength

– AES 128 – 512 bit keys

(34)
(35)

Recovery Password

• 48 digit random number

• Saved to USB Key

• Saved to Network File Share

• Sent to Printer
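
An added example, not part of the original slides: a format check for a recovery password that was read over the phone or typed from a printout. It relies on the documented structure of the 48 digits (eight groups of six, each a multiple of 11 that encodes a 16-bit value); the function name and the sample passwords are constructed for illustration.

```powershell
# Added example: locate transcription errors in a BitLocker recovery password.
function Test-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Accept the usual hyphen- or space-separated layout.
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{
            Valid = $false; BadGroups = @(); Reason = 'expected exactly 48 digits'
        }
    }

    $bad = @()
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        # Each group is 11 * (16-bit value): divisible by 11 and below 11 * 65536.
        if (($group % 11) -ne 0 -or $group -ge 720896) { $bad += ($i + 1) }
    }

    [pscustomobject]@{
        Valid     = ($bad.Count -eq 0)
        BadGroups = $bad                     # 1-based positions to re-read
        Reason    = if ($bad.Count) { 'groups fail the checksum' } else { 'format ok' }
    }
}

# Constructed sample values (not a real recovery password).
$good = '011000-135795-720885-000000-597531-046662-344707-008547'
$typo = '011000-135795-720886-000000-597531-046662-344707-008547'
Test-RecoveryPassword $good
Test-RecoveryPassword $typo
```

A password that passes this check is well-formed only; whether it unlocks a given volume is decided by BitLocker itself.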

(36)

Disaster Recovery

• TPM is not required for recovery

– Encrypted disk can be recovered on alternate system

• Boot normally

• Type in recovery password

• What happens if the drive fails?

• What about corrupt sectors?

(37)

Bitlocker Security

• Is Bitlocker Secure?

– Not yet FIPS 140-2 compliant

• Use BIOS password with TPM

• Does not support single sign-on

– TPM plus fingerprint reader

(38)

Performance

• FDE can slow disk usage 2x

• Most FDE is reasonable to use

• Copying large files will show latency

• Faster CPU will help

(39)

Vista Security Guide

• Best practices for implementing Bitlocker and EFS

• Great advice on preventing malware

• Templates and tools for Vista security

• http://www.microsoft.com/technet/windowsvista/security/guide.mspx
