Solved

Encryption for files, folders and Network shares to protect data from hackers

Posted on 2012-12-29
28
483 Views
Last Modified: 2013-01-01
I am looking for the best solution for encrypting our data on servers and workstations to protect it in the event it got stolen by hackers.  Not just physically stolen, but data extraction through hacker attacks and bots.

Our systems are Windows servers and workstations.

I need a reasonable solution and I need to know what to expect when I use the encryption...I am somewhat worried that encrypting might cause stuff to stop working or make the data un-retrievable in the case of a system crash...

I'm not that familiar with encryption and what different types are used for and what is the best for me.
Question by:rand1964
28 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 179 total points
ID: 38730667
Windows has BitLocker for hard disk encryption and EFS for file encryption. Active Directory and GPO support the recovery of the encryption keys.

Brief on BitLocker and EFS
http://windows.microsoft.com/is-IS/windows7/Whats-the-difference-between-BitLocker-Drive-Encryption-and-Encrypting-File-System

Recovery for BitLocker
http://technet.microsoft.com/en-us/library/cc766200(v=ws.10).aspx#BKMK_RecoveryPass

Best practice for EFS deployment
http://technet.microsoft.com/en-us/library/cc875821.aspx#ECAA
0
 
LVL 61

Assisted Solution

by:btan
btan earned 179 total points
ID: 38730675
But I will also suggest checking out TrueCrypt with its container scheme... It also supports HDD encryption. But it will be lacking in enterprise support, which we wouldn't expect much of from an open tool anyway.

http://www.truecrypt.org/docs/?s=sharing-over-network
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 143 total points
ID: 38730934
Encryption such as TrueCrypt or BitLocker protects your data ONLY from offline attacks, meaning a computer or HD is physically in the attacker's possession and the system is powered OFF. If the system is in sleep or hibernation, an attacker can resume the session even if it's locked, and grab the encryption keys.
There is a saying:
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
That means we don't know what you are trying to protect, and just saying encryption will solve the problem is not necessarily the best idea. Security is always a trade off, and you have to have some acceptable risk... BTW you should NOT be able to recover encrypted data; the point of the encryption is to protect it from being recovered by the wrong hands. So you should have backups of the data, rather than an easy-to-recover encryption platform. You can recover securely with encryption solutions, but that is a long and drawn out process.
-rich
0
 

Author Comment

by:rand1964
ID: 38731407
I am trying to protect company proprietary data and employee personal information data that is stored on our file server.  It is physically locked up and safe so I am not worried about it being physically stolen.  
I want to protect the data as it moves through the network to HR or Accounting and also mostly from hackers that would attempt to steal our data.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 143 total points
ID: 38731523
Hacker/intruder protection is a process, and encryption isn't the only thing that helps or prevents them from their goal. It can be one step that makes a good bit of difference though, but you have to understand a few things about encryption first.
TrueCrypt, PGP and others create containers; they can be files, folders, drives or partitions. These containers are encrypted all the time, but when they are opened they look like normal files/folders/partitions/drives, and they look and behave like plain-text. It's only at rest (when closed/unmounted) that they are secure. Encrypted sessions are a little different, and you're probably familiar with HTTPS connections (SSL/TLS) when using Gmail/Hotmail etc... the data sent over those sessions is uniquely encrypted between you and the server and sniffing that data would not yield any plain-text data for a very very long time.

Protecting HR or Accounting data should be a multi-step process, locking down file and folder permissions to select groups or users. Remove admin rights from places that don't need it; you can always recover data using an admin account at a later time, it doesn't have to always be included. Maybe you have HR use terminal service (RDP) to a more secure computer or set of computers. Set the file permissions on the HR/Acct folders to the most restrictive you can. Set the permissions on database access to the most restrictive possible; again, if the admin account doesn't need access, remove it, you can probably add it in later. If you yourself do not need access, remove your account; if you do need access, try using a group you can add yourself into instead, then remove yourself from that group when you're done.
What I'm getting at is it's a process, it's never set-it and forget-it. You can encrypt a database or a file, but you have to keep the keys secure from malware like keyloggers. You also need to make sure your users aren't doing things that undermine the security, like copying unencrypted files to their desktops for example; this is why I suggest using another secure computer that they RDP into to do the HR or the Accounting work, so it's separate and locked down from other areas of the network.
-rich
0
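A concrete check for the permission lock-down described in the comment above, added here as an example and not code from the thread: a PowerShell audit of the HR/Accounting folder ACLs that reports broad-group grants, explicit per-user grants, orphaned SIDs and Full Control held by non-admin principals. The paths, the CORP domain name and the group lists are placeholders; it stays PowerShell 2.0 compatible for the Windows 7 / 2008 R2 environment mentioned in the thread.

```powershell
# Added example (not code from the thread): audit NTFS ACLs on the HR / Accounting
# folders and report grants that work against the "most restrictive" advice above.
# Assumptions: the paths, the CORP domain name and the group lists are placeholders.
param(
    [string[]] $Paths = @('D:\Shares\HR', 'D:\Shares\Accounting'),
    [string[]] $BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                    'BUILTIN\Users', 'CORP\Domain Users'),
    [string[]] $AdminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Classify a principal via the WinNT ADSI provider: 'User', 'Group', 'OrphanedSid' or 'Unknown'.
# Works for local and domain accounts; well-known SIDs such as BUILTIN\* do not resolve.
function Get-PrincipalKind([string] $Principal) {
    if ($Principal -match '^S-1-') { return 'OrphanedSid' }   # unresolvable SID = deleted account
    $parts = $Principal -split '\\', 2
    if ($parts.Count -ne 2) { return 'Unknown' }
    try {
        $kind = ([ADSI]"WinNT://$($parts[0])/$($parts[1])").SchemaClassName
        if ($kind) { return $kind } else { return 'Unknown' }
    } catch { return 'Unknown' }
}

$findings = @()
foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Path not found: $root"; continue }
    $rootItem = Get-Item -LiteralPath $root
    # Root plus all subfolders; PSIsContainer keeps this PowerShell 2.0 compatible (Windows 7 / 2008 R2).
    $folders = @($rootItem) + @(Get-ChildItem -LiteralPath $root -Recurse -Force |
                                Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherited ACEs repeat on every subfolder; report them once, at the root.
            if ($ace.IsInherited -and $folder.FullName -ne $rootItem.FullName) { continue }
            $who    = $ace.IdentityReference.Value
            $rights = $ace.FileSystemRights.ToString()   # numeric for generic rights, e.g. 268435456
            $issue  = $null
            if ($BroadPrincipals -contains $who) {
                $issue = 'Broad group granted access'
            } elseif ($AdminPrincipals -notcontains $who) {
                $kind = Get-PrincipalKind $who
                if ($kind -eq 'OrphanedSid')          { $issue = 'Orphaned SID (deleted account) still on ACL' }
                elseif ($kind -eq 'User')             { $issue = 'Explicit per-user grant (use a group instead)' }
                elseif ($rights -match 'FullControl') { $issue = 'Full Control granted to a non-admin principal' }
            }
            if ($issue) {
                $findings += New-Object PSObject -Property @{
                    Folder = $folder.FullName; Principal = $who; Rights = $rights
                    Inherited = $ace.IsInherited; Issue = $issue
                }
            }
        }
    }
}
# One row per finding; an empty table means nothing outside the admin principals stood out.
$findings | Sort-Object Folder, Principal | Format-Table Folder, Principal, Rights, Inherited, Issue -AutoSize
```

Run it from an account that can read the ACLs on the share, and re-run it after each change so the remaining explicit grants can be replaced by group membership.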
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38731564
> Not just physically stolen, but data extraction through hacker attacks and bots.
Short answer: impossible (if you mean all data on your system).
Long answer: you can only get close to this requirement if you ensure that all your data is properly encrypted and only decrypted if necessary, right before it is used.

If all these attacks (bots, whatever) are an issue for you, is "stealing" data using screenshots an issue too? If so, my short answer becomes even shorter: impossible.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 179 total points
ID: 38731734
Disallow remote admin where possible, else enforce 2FA for such logins for those privileged accounts. I know of solutions such as CyberArk that do the identity mgmt stuff. The idea is to also be wary of insider threats. Security is a process, and a long one, to keep monitoring for anomalies and up the defences constantly.

For a secure channel it can even be simple SSL or TLS or IPsec riding on top of data that is encrypted too. Also, as long as it is networked, attackers will try to penetrate in, so make sure the passwords are complex at a minimum.
0
 
LVL 45

Expert Comment

by:aikimark
ID: 38732360
If you use https and secure ftp protocols, your network traffic should be sufficiently encrypted.

If you need to send larger packages of data, you can use 7-zip to strongly encrypt the data.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38732455
how does SSL/TLS protect from/against bots, trojans, screenshots?
just wondering ...
0
 
LVL 45

Expert Comment

by:aikimark
ID: 38732632
@ahoffmann

Was your comment directed to me?

If so, I was addressing the parts of the question related to protection of data during transport.
0
 
LVL 45

Assisted Solution

by:aikimark
aikimark earned 36 total points
ID: 38732644
If your PC gets infected with a key logger, your passwords may be compromised.
If your PC is the target of ransomware, your encrypted files may be doubly encrypted, rendering them unavailable to you (lost).
According to the sources in this Bruce Schneier post, even full-disk encryption may be breakable for $300.
http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 143 total points
ID: 38732736
It's not breakable... it's exploitable via Firewire/PCMCIA (and always will be) if you can resume a sleeping or hibernating laptop. The encryption keys being in memory are how things work; the author isn't worried about physical access, which the Elcomsoft product needs. Passware btw has been doing the same thing in their product for a year or more.

I tried to explain, FDE only protects data from physical theft/possession, and only if it's not hibernating/sleeping or just simply locked when stolen. Someone mentioned two factor auth for network login; this is not the same as network logON. If malware sits on a machine and waits for you to VPN into work, even if you're using 2FA, after you're authenticated the network is wide open at the network level, meaning \\ip.ip.ip.ip will use the user's already established creds, and an attacker using pass-the-hash or pass-the-pass (see mimikatz) would have no trouble getting around on the network.

The author needs to define the data to be protected, and create secure steps and processes to access that data. Typically that means ACLs at the network and file/DB levels based on groups or users, and/or on IPs. Encryption can also be used, but typically keys need to be shared among users if it's something like a TC file or PGP file. Databases that are encrypted can offer Role Based Access Control, and managing the DB keys becomes the main security issue.
2FA would be great at the TerminalServer/RDP level as long as the server the users are RDP'ing to doesn't offer any other network access. Keep the data that needs to be secured walled off in some single server that has little or no access to anything other than the users who need to access it. Encrypting the data in a walled off server may actually be overkill; each layer of complexity is the enemy of security. If you have a common area file server that lots of people can view or access, then use encryption; if you can make a nice secure single server area that few can access easily, then maybe you don't need encryption. It's about balance and tradeoffs, not about a ton of what-ifs... once an encrypted container is "open" it looks like PlainText to you and a would-be attacker; you need ways to keep a would-be attacker off your PC more than you need the encryption. Patch and AV updates are a given; there is much more you can do.
-rich
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 71 total points
ID: 38732824
ssl/tls/https was mentioned in several comments, hence my question (as I cannot imagine how it helps protecting stolen data or devices)

anyway, my short and probably not very helpful comments are just to show that the answer to the requirement asked for is very simple: impossible (or simply do not store anything on electronic devices)
I'm aware that this will not help much, but it answers: best solution (see question)

to give more appropriate answers, the author needs to tell what "best" should be

if someone can't imagine what can be done with stolen devices, see the 29c3 talk about microprobing here http://heise.de/-1775185 ; then see the 300$ link above too ...
;-)
0
 
LVL 61

Assisted Solution

by:btan
btan earned 179 total points
ID: 38733868
29C3 has a couple of notes and in particular, the FDE attack is one takeaway on top of the past cold boot attack... nothing is safe (being conservative most of the time) when we start to open ourselves to embrace the technology, but we strive minimally to deter and make the perpetrator work harder.

http://www1.cs.fau.de/sed
0
 
LVL 12

Assisted Solution

by:DarinTCH
DarinTCH earned 71 total points
ID: 38733903
It seems some of my peers are being nice when they mention security is best delivered as a multi layered approach

Worrying about thieves inside your house and what they may damage is a valid concern
BUT
we would probably agree a more desirable solution would be to secure the house so that they could not gain entry in the first place.

To that end--what versions of Windows are you running - Desktop and Server
and what are your 4-6 primary business applications

Locking the server room and controlling access to USB drives is great
but data can be controlled @ the drive level - BitLocker was mentioned
at the Data Level - NTFS...EFS REFS
are you worried it will be stolen OR compromised and changed
access to systems should be controlled by hardware and software
Firewalls - ACL - Permissions - many many varied arenas
applications security will vary depending on your answer and whether it is email or a database

transmission of data from one location to another may present other security risks
some can be mitigated others are....less likely to be exploited

tell us a little more about your environment and we can provide more pointed solutions
0
 

Author Comment

by:rand1964
ID: 38733912
I need to keep thieves out...not your average thief but state sponsored attacks...like from China...I won't say anymore.

What am I running?  Windows 2008R2 and Windows 7 along with a few remaining XP boxes.

SQL Server, Exchange Server, Deltek, Cobra, SharePoint...etc..

Seems they like using Phishing attacks to get in...

So you all think encryption is not the answer, but to lock down the house somehow?
0
 
LVL 12

Assisted Solution

by:DarinTCH
DarinTCH earned 71 total points
ID: 38733933
following my previous illus
Encryption is locking your jewels in a safe in the house...
still a very important concept...but more needs to be done
to lock the house down

Security CIA
C=Confidentiality - covers Encryption - important but doesn't cover everything
I=Integrity - Data doesn't change (sometimes we discuss encapsulation here)
A=Availability -
+
A=Accountability
++Non-repudiation
read some articles ...even wiki on Information security

update everything- secure everything  - use WSUS and a vulnerability scanner
update your network hardware and firewalls
most state sponsored attacks or phishing I've faced exploit known vulnerabilities
0
 
LVL 61

Assisted Solution

by:btan
btan earned 179 total points
ID: 38733970
If we are worried about state-sponsored perpetrators, I will say one of their key traits is being persistent and stealthy in combination. But they minimally need a hole or gap to pluck at and break in, so make your home ground well defended internally as shared so far by all. But don't miss out the network and perimeter or possible exit points, as those perpetrators are running down those crown jewels you have.

Data leakage via outbound or egress legitimate traffic, and externally accessible devices like external USB storage or similar, are a few of the common exit points. They don't pass up those low hanging fruits like unpatched systems exposed publicly, old web servers and sharing sites, or web vulnerabilities from the OWASP top 10; they most likely perform intense recon to fingerprint and surface those "weak" systems. Those become their target entry points to further pivot into the corporate network. That is why we will also want to have the network segregated from the internet and guard the gateway if data is to flow from the internet into internal, one way where possible. Endpoints may become a bridge, such as a remote user doing VPN and surfing the internet - disallow split tunneling and do NAC prior to granting entry...

Overall, encryption is just touching confidentiality - we need more than that, hence my "rant" on the above (pardon me going off tangent of the question)

Can check out this ENISA paper - Proactive Defence (there are evaluation and recommendation chapter which you may find it useful in your environment context, not really just for CERT though, we can get some pt out of it. Also see interesting summary in pg20, 22 and 107)

http://www.enisa.europa.eu/activities/cert/support/proactive-detection
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 143 total points
ID: 38734362
Hire someone, you won't do this yourself. Google couldn't stop state-sponsored attacks, you won't either, esp using Windows only, it's just too easy. Again encryption will not be what saves your data, it will be everything else.
-rich
0
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 71 total points
ID: 38734563
.. and to complete rich's comment:
security is a process, not a product

1. get/hire someone who's used to security for your systems (don't believe sales people!)
2. tell your people what security is, and what they should look for, what to care about
3. setup a proper network firewall at your perimeter to the internet
4. separate your internal (sql, sharepoint, ...) from external servers (smtp), best: use physically and logically separated IP networks
5. allow access to your systems only by using secured protocols
6. install proper AV and intrusion detection (HIDS) on each system
7. setup a security policy how to deal with sensitive data
8. setup a process to control all settings and configurations continuously
9. goto 2.

to be improved in many ways, I'm pretty sure others will add what I missed ;-)
0
 

Author Comment

by:rand1964
ID: 38734813
We have a firewall
We have AV
The firewall is our ids at the moment
Number 4 and number 6 (ids) are problems because I simply cannot get upper management to spend money on IT.  They prefer to blame me, makes it easier than buying servers and appliances.
For years I have asked for money for an IDS/IPS and servers and licenses for "front ends" for our Exchange and Sharepoint to no avail.  They won't even spend the money to upgrade from the 32 bit XP machines we have to 64 bit Windows 7.

I am stuck...I get the blame...they question my competence and yet they won't purchase anything or hire any help.  I currently do everything...I can't monitor logs all day and do everything else.

plus, it's probably these same nuts that are in charge that are clicking on the phishing links.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38734831
> .. cannot get upper management to spend money on IT ...
no money for protection, that's thieves' heaven ;-)

so it sounds that you first need step 2. and 9. for your management, that's what all experts here explain again and again

however, what's the problem being blamed if you still get paid for doing all with nothing?
*SCNR*
0
 

Author Comment

by:rand1964
ID: 38734844
This is as good a place to stop as any...I think the answer is clear that encryption is not a magic bullet.  Looks like some serious attempts to "educate" uninterested employees on security is the answer.
0
 

Author Closing Comment

by:rand1964
ID: 38734855
Thanks to everyone for the answers and the discussion.  Moral of this story...security isn't free and if your management isn't serious about it and won't back you...do your best or go somewhere else.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38735124
yippie, another person who learned the (digital) security lesson ;-)
Good luck.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 38735415
While there are plenty of free tools out there, it takes time and thus money to learn to use them. Windows and Linux have so many unused or under-used security settings that most people never know are there. But there must be discipline in the process or it all falls apart. There is no set it and forget it solutions.
-rich
0
 

Author Comment

by:rand1964
ID: 38735435
I am setting up an ubuntu snort box right now, but I have to learn how to use it and who is going to monitor logs while I am busy handling stupid help desk calls?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 38735442
Might try the Security Onion download, might help you get a handle on things as it makes using IDS and such easier to setup: http://securityonion.blogspot.com/
GL!
-rich
0
