Solved

Local file encryption - Data at rest

Posted on 2014-02-07
5
545 Views
Last Modified: 2014-02-19
I know this is a much beleaguered topic, but I want to get some overall perspective on this subject based on some considerations.  

For the purpose of this question the following assumptions are true --

Encrypted files are fully accessible when authenticated access occurs.
We are guarding against stolen or lost devices that fall into the hands of others.
We are not necessarily guarding against remote hackers

So in our world, we have local windows authentication which is password protected, and local file encryption using windows 7 pro file encryption.  The question is when is the solution enough?  There are many 3rd party solutions out there that claim to do it better and be more secure however as in most any security solution implementation, risks and pitfalls exist that make it only as good as the policy which is drafted, and not necessarily provided by the technology itself.  I understand that if I were holding the codes for nuclear Armageddon, of course we would spend millions of dollars for both the technology as well as the process to protect that data.  In our simple world I have yet to find a windows 7 machine that I have not been able to recover local admin rights.  So that being said, am I exercising satisfactory due diligence to secure my protected data?  (And if you tell me you have a solution that is better than mine, and can you also guarantee me that there is no possible way to hack it / crack it, I'm not buying it... )  

So again, when is the process satisfactory?  Where do we draw the line.  IF I protect my device and spend 200 man hours, and 20K$ to secure my system and you only do windows auth and EFS, and we both lose our device and the data is recovered -- did I win? do I get more points than you?  Will I get a blue ribbon?

OK so just a little reflection.  Please feel free to give me your opinion on this topic, I will most likely award points to those I am in agreement with, but I tend to be fair and reward thoughtful insights.

Thanks.


The following story kind of sums up my disposition on security:

I have a hosted solution with N-able, and they have a password policy that is every 45 days, and the complexity is beyond memorization or comprehension.  So as a result we end up calling N-able once per week for password resets.  after so long all of our staff has written down their passwords and keep it in secure locations like under the keyboard, in the pen jar, top drawer of the desk... so they can access the site.... This is a perfect example of a security policy which has backfired.  I can see the looks on the faces of the security officer who master-minded the password policy for enable... he / they are very proud of their work... "Boy we've shown them... No one will hack into our Systems...."  of which they are right... all that will happen is someone will come along and steal a username and password, and voila they will be in.... So as I hope I have illustrated, this is a policy that truly lacks any introspection into the value proposition of its intended purpose...
0
Comment
Question by:halejr1
5 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 150 total points
ID: 39841569
Hi.

This is an opinion-question and given the amount of text and the amount of security principles/techniques that you mention, we will have a hard time avoiding this discussion to get quite chaotic (I fear).

I know very well what you are talking of as I am working for a military related company.
Let me illustrate some remarkable things: The really important data (classified "NATO secret") and so on, may NOT be held on networked computers AT ALL.
Instead, you have stand-alone machines in secured rooms that are even shielded physically against electro-magnetic emmitance. http://www.automation.siemens.com/mcms/topics/en/tempest-products/pages/home.aspx

Those are not encrypted at all, instead the hard drives are being put in a safe at the end of the day.

That tells you quite a lot about real computer security. It is nearly impossible to achieve without such drastic measures.
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 150 total points
ID: 39843211
An answer entirely depends on your organizational information security governance and risk management policies (if any.)

Ideally these policies were designed using proven security and audit frameworks and methodologies such as COBIT, ITIL, ISO 27000, NIST SP 800-30, 800-30 and 800-66, CRAMM, FRAP, OCTAVE, etc.

Qualitative and quantitative risk analysis (involving exposure factors, single loss expectancy, annual loss expectancy, asset value, etc.) is generally used to identify resource value, risks, and mitigation cost.  Mitigation cost should consider all control types (administrative, technical, physical) and control categories (directive, deterrent, preventive, compensating, detective, corrective, recovery, etc.) as necessary.

So put simply, are they willing to spend 10% or 25% of the asset value to protect it?  It essentially boils down to the value of the asset (whether tangible or intangible.)

I'd say you get a blue ribbon if you're ultimately able to ensure organizational operations and mission objectives.  This requires ensuring availability, integrity, and confidentiality.  This what you're being compensated for after all-- is it not?

@McKnife
Do your emanation controls address RF retro-reflectors, implant RF transceivers, and commercial wireless communications (GSM/EDGE, UMTS/HSPA, etc.)?

See HOWLERMONKEY, COTTONMOUTH, TAWDRYYARD, TRINITY.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 39843511
I tackled a lot of this in my article: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
And I even did some more in the 2-factor article:  http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html

EFS isn't like some containers you find like TC, it allows multiple people to access it, but takes quite an effort to secure from a hacker. A mounted TC container relies on file/folder or machine access once it's open. A fully encrypted OS is great when it's physically stolen, but does nothing when it's running (unlocked).

We recommend companies put their data in encrypted databases/tables, and use HSM's to manage the keys so no human knows the passwords.
Nothing wrong with a written down password actually, I have many, I just protect them well on my person. I address that in yet another article: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39843981
@Giovanni
I don't know too many technical details, sorry. Those computer encasements (also shielded monitors and printers) are the only ones the german government certifies for working on this type of classified data and by the shielding, it saya we can achieve that no one could simply park his equipped bus next to our office and simply view for example the screens via recorded emittance.
0
 
LVL 8

Author Closing Comment

by:halejr1
ID: 39871901
thanks for the feedback fella's --- almost exactly what I was expecting with some valuable feedback / information.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now