Local file encryption - Data at rest

Posted on 2014-02-07
Medium Priority
Last Modified: 2014-02-19
I know this is a much beleaguered topic, but I want to get some overall perspective on this subject based on some considerations.  

For the purpose of this question the following assumptions are true --

Encrypted files are fully accessible when authenticated access occurs.
We are guarding against stolen or lost devices that fall into the hands of others.
We are not necessarily guarding against remote hackers.

So in our world, we have local Windows authentication which is password protected, and local file encryption using Windows 7 Pro file encryption.  The question is when is the solution enough?  There are many 3rd party solutions out there that claim to do it better and be more secure; however, as in most any security solution implementation, risks and pitfalls exist that make it only as good as the policy which is drafted, and not necessarily provided by the technology itself.  I understand that if I were holding the codes for nuclear Armageddon, of course we would spend millions of dollars for both the technology as well as the process to protect that data.  In our simple world I have yet to find a Windows 7 machine that I have not been able to recover local admin rights.  So that being said, am I exercising satisfactory due diligence to secure my protected data?  (And if you tell me you have a solution that is better than mine, and can you also guarantee me that there is no possible way to hack it / crack it, I'm not buying it... )  

So again, when is the process satisfactory?  Where do we draw the line?  If I protect my device and spend 200 man hours, and 20K$ to secure my system and you only do Windows auth and EFS, and we both lose our device and the data is recovered -- did I win? Do I get more points than you?  Will I get a blue ribbon?

OK so just a little reflection.  Please feel free to give me your opinion on this topic, I will most likely award points to those I am in agreement with, but I tend to be fair and reward thoughtful insights.


The following story kind of sums up my disposition on security:

I have a hosted solution with N-able, and they have a password policy that is every 45 days, and the complexity is beyond memorization or comprehension.  So as a result we end up calling N-able once per week for password resets.  After so long all of our staff has written down their passwords and keep it in secure locations like under the keyboard, in the pen jar, top drawer of the desk... so they can access the site.... This is a perfect example of a security policy which has backfired.  I can see the looks on the faces of the security officer who master-minded the password policy for N-able... he / they are very proud of their work... "Boy we've shown them... No one will hack into our Systems...."  of which they are right... all that will happen is someone will come along and steal a username and password, and voila they will be in.... So as I hope I have illustrated, this is a policy that truly lacks any introspection into the value proposition of its intended purpose...

Question by: halejr1
LVL 56

Accepted Solution

McKnife earned 600 total points
ID: 39841569

This is an opinion-question and given the amount of text and the amount of security principles/techniques that you mention, we will have a hard time avoiding this discussion to get quite chaotic (I fear).

I know very well what you are talking of as I am working for a military related company.
Let me illustrate some remarkable things: The really important data (classified "NATO secret") and so on, may NOT be held on networked computers AT ALL.
Instead, you have stand-alone machines in secured rooms that are even shielded physically against electromagnetic emittance. http://www.automation.siemens.com/mcms/topics/en/tempest-products/pages/home.aspx

Those are not encrypted at all, instead the hard drives are being put in a safe at the end of the day.

That tells you quite a lot about real computer security. It is nearly impossible to achieve without such drastic measures.
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 600 total points
ID: 39843211
An answer entirely depends on your organizational information security governance and risk management policies (if any.)

Ideally these policies were designed using proven security and audit frameworks and methodologies such as COBIT, ITIL, ISO 27000, NIST SP 800-30, 800-30 and 800-66, CRAMM, FRAP, OCTAVE, etc.

Qualitative and quantitative risk analysis (involving exposure factors, single loss expectancy, annual loss expectancy, asset value, etc.) is generally used to identify resource value, risks, and mitigation cost.  Mitigation cost should consider all control types (administrative, technical, physical) and control categories (directive, deterrent, preventive, compensating, detective, corrective, recovery, etc.) as necessary.

So put simply, are they willing to spend 10% or 25% of the asset value to protect it?  It essentially boils down to the value of the asset (whether tangible or intangible.)

I'd say you get a blue ribbon if you're ultimately able to ensure organizational operations and mission objectives.  This requires ensuring availability, integrity, and confidentiality.  This is what you're being compensated for after all -- is it not?

Do your emanation controls address RF retro-reflectors, implant RF transceivers, and commercial wireless communications (GSM/EDGE, UMTS/HSPA, etc.)?

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 39843511
I tackled a lot of this in my article: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
And I even did some more in the 2-factor article:  http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html

EFS isn't like some containers you find like TC, it allows multiple people to access it, but takes quite an effort to secure from a hacker. A mounted TC container relies on file/folder or machine access once it's open. A fully encrypted OS is great when it's physically stolen, but does nothing when it's running (unlocked).

We recommend companies put their data in encrypted databases/tables, and use HSMs to manage the keys so no human knows the passwords.
Nothing wrong with a written down password actually, I have many, I just protect them well on my person. I address that in yet another article: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
LVL 56

Expert Comment

ID: 39843981
I don't know too many technical details, sorry. Those computer encasements (also shielded monitors and printers) are the only ones the German government certifies for working on this type of classified data and by the shielding, it says we can achieve that no one could simply park his equipped bus next to our office and simply view for example the screens via recorded emittance.

Author Closing Comment

ID: 39871901
Thanks for the feedback, fellas --- almost exactly what I was expecting with some valuable feedback / information.


Question has a verified solution.
