Is your data at risk?: Why physical security is insufficient for laptop computers

Evaluating the various data security options to protect your PCs can be challenging. This paper examines the options, discusses why passwords alone are not sufficient and makes the case for strong data encryption.




A Sophos white paper       June 2009


New frontiers in computer security

The meaning of computer security continues to evolve. Physical security used to be the main concern. Through the 1980s, expensive mainframe computers were locked in special climate-controlled rooms within secure buildings. Security costs, when they were considered at all, constituted a very small percentage of the overall system costs. Today, such systems are called “server systems”; and although they are important in their own right, they make up a small percentage of all computer shipments each year. According to market researcher Gartner, 2.3 million server systems shipped worldwide in the third quarter of 2008, compared to 80.6 million PCs that shipped in the same period.

The widespread use of PCs creates much greater vulnerability compared to yesterday’s mainframe computers. Although desktop PCs are arguably less secure than centralized servers, such systems probably have physical security identical to that of a company’s other on-premises assets. The least secure computers are those that are mobile. According to the Gartner estimate for 2008, worldwide mobile PC growth is 25% versus 1.2% for desktops. According to its forecast, 293 million PCs would be shipped in 2008.

Whether you prefer the term “mobile PC,” “laptop” or “notebook,” the vulnerable systems are those taken off-premises. In spite of employee diligence, mobile PCs do get lost and stolen. Not convinced? Take a look at www.privacyrights.org, a website listing breaches in data security that involve personally identifiable information (PII). More than half of the states in the United States require disclosure of such breaches. Don’t let your company’s name get added to this list; good solutions are available.

Attacks on laptop data security
To a casual observer, a laptop computer seems secure. To use a computer system, users must type credentials into a window. If users do not provide the correct username and password, they cannot access the system. Like someone who misplaces the keys to a car, someone who forgets a computer password is locked out. Without the proper credentials, access is blocked. Or is it?

Passwords alone do not protect data
The login process prevents unauthorized users from running software. But a password does not, by itself, make the data on hard drives secure. A user without a correct username and password cannot use the services of the operating system as installed and configured on that particular hard drive. However, a tech-savvy person without the appropriate credentials can still attack a computer. There are three possible attack strategies:
• Alternative boot device
• Alternative boot device + alternative boot program
• Moving a hard drive to an alternative computer system








Attack #1: Alternative boot device
One type of attack involves using an alternative boot device instead of the hard drive. Every computer system supports this option. Over many years and many versions, the Microsoft Windows setup disks have been distributed on bootable CD-ROM or DVD discs. A simple way to access a system’s data is to boot to a Windows setup disk and install a new copy of the operating system. This approach makes available any data that resides on a hard drive.

Attack #2: Alternative boot device + alternative boot program
A second attack combines the first attack with special boot programs. For example, many IT professionals use bootable CD-ROMs with software like BartPE (Bart’s Preinstalled Environment) as an aid in fixing systems with boot problems. Aside from legitimate uses, unauthorized persons can use this type of tool to mount an attack. In addition to accessing normal user data files, such tools allow access to operating system files that are not available when the operating system is running. Of particular interest is the Security Accounts Manager (SAM) database, an encrypted file with password hashes. Although this is an encrypted file, techniques are widely available to decrypt the SAM and read password hashes. While different from plain-text passwords, a password hash is the result produced when a password is run through a security algorithm. By replacing a password hash for an existing account—maybe one with administrator privileges—a data thief can boot and run the original operating system and any installed software.

Guarding Against Attacks #1 and #2
Support for alternative boot devices enables operating system installation. After the OS has been installed, the use of alternative boot devices can be disabled in the basic input/output system (BIOS). In the same way that you can lock the front door of your house, you can lock out alternative boot devices with the proper BIOS settings. To keep those settings in place, you also need to enable password protection on the BIOS itself. A third step, locking the computer’s case, prevents a reset of the BIOS and failure of the above measures.

Attack #3: Moving a hard drive to an alternative computer system
An individual with physical access to a laptop computer can remove the laptop’s hard drive using a screwdriver. Once removed from the original system, the laptop’s hard drive can be attached to another computer—one on which the individual has valid login credentials. When installed on another computer, the laptop hard drive is not the bootable system drive. Instead, the laptop hard drive appears as a secondary data drive (drive D, E, etc.). When attached to another system like this, the laptop’s data is just as readily accessible as if an authorized user had logged on to the original laptop. At this point, all data is readable; only encrypted data is hidden from view.

What can an intruder use to enable this type of unauthorized access? There are several choices, but the simplest is a hard disk enclosure kit. These kits are available from computer retailers. Hard disk enclosures have a very reasonable and legitimate purpose: to create a portable storage device. A hard disk enclosure allows any hard drive to be portable between computer systems. Such enclosures support both USB connections and 1394 (i.e., FireWire) connections. The cost is nominal—typically less than US$20 (€15).

Therefore, this legitimate product can have illegitimate uses. A hard disk enclosure enables unauthorized users to read the data on a hard drive taken from a lost or stolen laptop computer. By using this tool, anyone who has physical access to a hard drive can gain full access to the data on that drive. Hard disk enclosure kits also include a screwdriver, which is often the only tool needed to remove a hard drive from a laptop computer.






Securing data requires encryption

True data security requires making data unreadable to persons who are not authorized to access the data. And because file system permissions can be overridden using schemes like the ones described earlier, data encryption is the only truly secure way to hide sensitive data. To unauthorized users, encrypted data is meaningless. Only authorized users with valid credentials can access the encryption keys needed to decrypt and use data.

This section reviews encryption support in Microsoft Windows, and the encryption support in three popular data encryption products from Sophos.

A look inside encrypted files
To understand the protection that data encryption provides, you must understand the difference between data in an unencrypted state and an encrypted state. In both states, the data appears in two forms: (1) numeric values and (2) character data. Software engineers commonly use both types of displays when they need to understand the exact location of each bit and byte of data.

In an unencrypted “plain-text” display, the text data is clearly readable. Interestingly, even the most sophisticated word processing programs typically store text data in a very readable form. Of course, this helps software engineers when writing the sophisticated programs. From a security standpoint, this practice also makes it easy for anyone—friend or foe—to read data on a hard drive.

It’s a different situation when the same file is saved on a hard drive that is fully encrypted. By comparing an encrypted display with an unencrypted display, it becomes obvious that the two are different. The encrypted data contains nothing that seems even vaguely understandable. And that is the essence of encryption—to make some piece of data unintelligible and unusable to all except those who are authorized to use the data.

Data encryption in Microsoft Windows
Microsoft Windows supports some data encryption. Starting with Windows 2000, Microsoft made available support for the Encrypting File System (EFS), a built-in mechanism for encrypting specific files or entire folders that reside on NTFS partitions. Note that FAT partitions are not supported, which means that files stored on USB memory sticks cannot be encrypted.

Encrypting File System (EFS)
When an individual file is encrypted using EFS, modifications made to that file may result in the creation of unencrypted, or “plain-text,” copies. When a user opens an encrypted file using Microsoft Word, the file is decrypted by the operating system and copied to a temporary location. The plain-text file is used during the editing process, and the contents get encrypted again only when the file is closed. This process can leave unencrypted remnants on disk, opening the possibility that sensitive information may be revealed.

The greater vulnerability of EFS comes from the fact that access is tied to a user’s logon account. For example, a data thief could reset a user’s password on systems that are vulnerable to the attacks described earlier in this paper. A thief can impersonate a legitimate user, thereby gaining access to the EFS files for which the compromised user ID has access rights. Paradoxically, the use of EFS in such situations has a negative effect on data security. A thief would probably examine EFS-enabled files first, based on the assumption that encrypted files are likely to be the ones with sensitive data.
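The plain-text and encrypted displays described under "A look inside encrypted files", together with a per-sector scan an auditor can run over a drive image to confirm that nothing on it is still readable, as an added example that is not part of the original paper. The drive images, document text and key are constructed, and `stand_in_encrypt` is a hypothetical stand-in keystream cipher, not the algorithm of any product named here; the third image encrypts only the first partition to show what the scan reports when part of a drive is left unencrypted.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512                     # bytes per sector in the constructed images
KEY = b"constructed-demo-key"    # sample key, constructed for this example

# Constructed text standing in for a word-processor file saved on the drive.
DOCUMENT = (b"CONFIDENTIAL - Q3 sales forecast\r\n"
            b"Customer: Example Corp  Contact: Jane Doe  Acct: 0000-0000\r\n") * 24


def pad_to_sector(data):
    """Zero-pad data to a whole number of sectors."""
    return data + b"\x00" * (-len(data) % SECTOR)


def stand_in_encrypt(data, key=KEY):
    """XOR data with a SHA-256 counter keystream (applying it twice decrypts).

    Assumption: a stand-in so the example needs no third-party library;
    it is not the cipher used by EFS, BitLocker or SafeGuard.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hex_dump(data, limit=64, width=16):
    """Return the two views the paper mentions: numeric values and characters."""
    lines = []
    for off in range(0, min(limit, len(data)), width):
        row = data[off:off + width]
        numeric = " ".join(f"{b:02x}" for b in row)
        chars = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in row)
        lines.append(f"{off:08x}  {numeric:<{width * 3 - 1}}  |{chars}|")
    return lines


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(sector):
    """Label one sector as 'blank', 'readable' or 'high-entropy'."""
    if len(set(sector)) <= 1:
        return "blank"
    # 7.0 bits/byte suits 512-byte sectors. Compressed data also scores high,
    # so 'high-entropy' is consistent with encryption, not proof of it.
    return "high-entropy" if entropy(sector) >= 7.0 else "readable"


def readable_sectors(image):
    """Sector numbers whose contents can still be read without a key."""
    return [off // SECTOR for off in range(0, len(image), SECTOR)
            if classify(image[off:off + SECTOR]) == "readable"]


def build_images():
    """Three constructed two-partition images of the same drive contents."""
    os_part = pad_to_sector(DOCUMENT) + b"\x00" * (3 * SECTOR)   # sectors 0-7
    data_part = pad_to_sector(DOCUMENT)                           # sectors 8-12
    return {
        "no encryption": os_part + data_part,
        "first partition only": stand_in_encrypt(os_part) + data_part,
        "all partitions": stand_in_encrypt(os_part + data_part),
    }


if __name__ == "__main__":
    for name, image in build_images().items():
        print(f"== {name}: readable sectors {readable_sectors(image)}")
        print("\n".join(hex_dump(image, limit=32)))
```

On an encrypted image even the unused, zero-filled sectors score as high-entropy, which is why the scan reports an empty list only when every partition is covered.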








BitLocker full-drive encryption
A more secure alternative to EFS is full-drive encryption. Full-drive encryption protects against both types of attacks described in this paper. When alternative boot media is used, the contents of the encrypted drive are gibberish. When an encrypted hard drive is connected as a secondary drive (see Attack #3), the contents are still not readable.

A central benefit of full-drive encryption is that the choice of what data to encrypt and what to leave unprotected is taken away from the user. All data on encrypted partitions is encrypted without exception. Microsoft’s full-drive encryption solution is BitLocker. Sophos’s full-drive encryption solutions are SafeGuard Easy and its successor SafeGuard Enterprise. Let’s consider BitLocker.

On Windows Vista, BitLocker can encrypt one disk partition: the one with the operating system (typically the C drive). Compared to EFS, BitLocker provides a more secure way to protect data. On a BitLocker-enabled system, data on the boot partition is unavailable unless a valid password is entered during system boot.

» Note: BitLocker hard drive encryption is supported in two versions of Windows Vista: Windows Vista Enterprise and Windows Vista Ultimate.

As we have described, Microsoft has built in some support for data encryption, starting with Windows 2000. When you need more than what comes with the operating system, we invite you to look at Sophos’s line of data encryption products.

Sophos data encryption products

To help you select the Sophos product that is right for you, we turn our attention to three of our products: SafeGuard Easy, SafeGuard PDA and SafeGuard PrivateDisk.

Sophos SafeGuard Easy/SafeGuard Enterprise
Both BitLocker and SafeGuard Easy/SafeGuard Enterprise provide pre-boot authentication to protect the integrity of the boot partition and the operating system. In addition, SafeGuard performs encryption of all local data drives and is not limited to the partition with the operating system; it applies to all partitions on all hard drives. It also encrypts removable drives including diskettes, zip and jaz disks, as well as USB memory sticks.

SafeGuard Easy can be deployed on versions of Microsoft Windows older than Windows Vista. And so, unlike BitLocker, which requires specific versions of Windows Vista, SafeGuard Easy is supported on the entire family of operating systems from Microsoft, including Windows NT 4.0, Windows 2000, Windows Server 2000, Windows XP and Windows Server 2003.

SafeGuard Enterprise, the successor of SafeGuard Easy, supports Windows XP and also Windows Vista (starting with version 5.20). Besides offering many other enhancements, it adds a central Active-Directory enabled server as well as the ability to manage BitLocker clients in parallel to SafeGuard encrypted clients in a mixed environment if the customer desires to do so.








Sophos SafeGuard PDA
SafeGuard PDA provides data encryption, interface blocking and authentication on Windows, Palm and Symbian OS-based devices (on Windows Mobile, even biometric authentication by signature or fingerprint).

Sophos SafeGuard PrivateDisk
If you have been using EFS but want just a few extra features, SafeGuard PrivateDisk might have what you are looking for. Both EFS and SafeGuard PrivateDisk allow your data to be secured under digital lock and key. Both require active involvement by a user to identify the specific files to be encrypted. Note that this is unlike whole-drive encryption schemes, in which all files are transparently encrypted and decrypted.

Where a user would define a specific system folder for EFS encryption, SafeGuard PrivateDisk generates encrypted “virtual” disk drives. To authorized users, these disk drives appear with a regular system drive letter (D, E, etc.). To the outside world, a SafeGuard PrivateDisk volume appears as a single file.

Unlike EFS, which is limited to NTFS partitions, PrivateDisk volume files can be copied to a USB memory stick, CD-ROM drives, DVD drives or diskettes. In addition, unlike EFS, PrivateDisk supports Windows NT 4.0.

Conclusion

Is your data at risk? Unless your data is encrypted, the answer is yes. Although you must secure all computer systems, those that leave a company’s physical security perimeter are the most vulnerable. Such computers include laptops used by sales professionals, or those that executives take on visits to remote company sites. Without encryption, your company’s data is at risk. Don’t become the next lost laptop headline.








                Boston, USA | Oxford, UK
                © Copyright 2009. Sophos Plc


                 All registered trademarks and copyrights are understood and recognized by Sophos.
                 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any
                 form or by any means without the prior written permission of the publishers.

  • 2. Is your data at risk?: Why physical security is insufficient for laptop computers

    New frontiers in computer security

    The meaning of computer security continues to evolve. Physical security used to be the main concern. Through the 1980s, expensive mainframe computers were locked in special climate-controlled rooms within secure buildings. Security costs, when they were considered at all, constituted a very small percentage of the overall system costs. Today, such systems are called “server systems”; and although they are important in their own right, they make up a small percentage of all computer shipments each year. According to market researcher Gartner, 2.3 million server systems shipped worldwide in the third quarter of 2008, compared to 80.6 million PCs that shipped in the same period.

    The widespread use of PCs creates much greater vulnerability compared to yesterday’s mainframe computers. Although desktop PCs are arguably less secure than centralized servers, such systems probably have physical security identical to that of a company’s other on-premises assets. The least secure computers are those that are mobile. According to the Gartner estimate for 2008, worldwide mobile PC growth is 25% versus 1.2% for desktops. According to its forecast, 293 million PCs would be shipped in 2008.

    Whether you prefer the term “mobile PC,” “laptop” or “notebook,” the vulnerable systems are those taken off-premises. In spite of employee diligence, mobile PCs do get lost and stolen. Not convinced? Take a look at www.privacyrights.org, a website listing breaches in data security that involve personally identifiable information (PII). More than half of the states in the United States require disclosure of such breaches. Don’t let your company’s name get added to this list; good solutions are available.

    Attacks on laptop data security

    To a casual observer, a laptop computer seems secure. To use a computer system, users must type credentials into a window. If users do not provide the correct username and password, they cannot access the system. Like someone who misplaces the keys to a car, someone who forgets a computer password is locked out. Without the proper credentials, access is blocked. Or is it?

    Passwords alone do not protect data

    The login process prevents unauthorized users from running software. But a password does not, by itself, make the data on hard drives secure. A user without a correct username and password cannot use the services of the operating system as installed and configured on that particular hard drive. However, a tech-savvy person without the appropriate credentials can still attack a computer. There are three possible attack strategies:

      • Alternative boot device
      • Alternative boot device + alternative boot program
      • Moving a hard drive to an alternative computer system
  • 3. Attack #1: Alternative boot device

    One type of attack involves using an alternative boot device instead of the hard drive. Every computer system supports this option. Over many years and many versions, the Microsoft Windows setup disks have been distributed on bootable CD-ROM or DVD discs. A simple way to access a system’s data is to boot to a Windows setup disk and install a new copy of the operating system. This approach makes available any data that resides on a hard drive.

    Attack #2: Alternative boot device + alternative boot program

    A second attack combines the first attack with special boot programs. For example, many IT professionals use bootable CD-ROMs with software like BartPE (Bart’s Preinstalled Environment) as an aid in fixing systems with boot problems. Aside from legitimate uses, unauthorized persons can use this type of tool to mount an attack. In addition to accessing normal user data files, such tools allow access to operating system files that are not available when the operating system is running. Of particular interest is the Security Accounts Manager (SAM) database, an encrypted file with password hashes. Although this is an encrypted file, techniques are widely available to decrypt the SAM and read password hashes. While different from plain-text passwords, a password hash is the result produced when a password is run through a security algorithm. By replacing a password hash for an existing account—maybe one with administrator privileges—a data thief can boot and run the original operating system and any installed software.

    Guarding Against Attacks #1 and #2

    Support for alternative boot devices enables operating system installation. After the OS has been installed, the use of alternative boot devices can be disabled in the basic input/output system (BIOS). In the same way that you can lock the front door of your house, you can lock out alternative boot devices with the proper BIOS settings. To keep those settings in place, you also need to enable password protection on the BIOS itself. A third step, locking the computer’s case, prevents a reset of the BIOS and failure of the above measures.

    Attack #3: Moving a hard drive to an alternative computer system

    An individual with physical access to a laptop computer can remove the laptop’s hard drive using a screwdriver. Once removed from the original system, the laptop’s hard drive can be attached to another computer—one on which the individual has valid login credentials. When installed on another computer, the laptop hard drive is not the bootable system drive. Instead, the laptop hard drive appears as a secondary data drive (drive D, E, etc.). When attached to another system like this, the laptop’s data is just as readily accessible as if an authorized user had logged on to the original laptop. At this point, all data is readable; only encrypted data is hidden from view.

    What can an intruder use to enable this type of unauthorized access? There are several choices, but the simplest is a hard disk enclosure kit. These kits are available from computer retailers. Hard disk enclosures have a very reasonable and legitimate purpose: to create a portable storage device. A hard disk enclosure allows any hard drive to be portable between computer systems. Such enclosures support both USB connections and 1394 (i.e., FireWire) connections. The cost is nominal—typically less than US$20 (€15).

    Therefore, this legitimate product can have illegitimate uses. A hard disk enclosure enables unauthorized users to read the data on a hard drive taken from a lost or stolen laptop computer. By using this tool, anyone who has physical access to a hard drive can gain full access to the data on that drive. Hard disk enclosure kits also include a screwdriver, which is often the only tool needed to remove a hard drive from a laptop computer.
  • 4. Securing data requires encryption

    True data security requires making data unreadable to persons who are not authorized to access the data. And because file system permissions can be overridden using schemes like the ones described earlier, data encryption is the only truly secure way to hide sensitive data. To unauthorized users, encrypted data is meaningless. Only authorized users with valid credentials can access the encryption keys needed to decrypt and use data.

    This section reviews encryption support in Microsoft Windows, and the encryption support in three popular data encryption products from Sophos.

    A look inside encrypted files

    To understand the protection that data encryption provides, you must understand the difference between data in an unencrypted state and an encrypted state. In both states, the data appears in two forms: (1) numeric values and (2) character data. Software engineers commonly use both types of displays when they need to understand the exact location of each bit and byte of data.

    In an unencrypted “plain-text” display, the text data is clearly readable. Interestingly, even the most sophisticated word processing programs typically store text data in a very readable form. Of course, this helps software engineers when writing the sophisticated programs. From a security standpoint, this practice also makes it easy for anyone—friend or foe—to read data on a hard drive.

    It’s a different situation when the same file is saved on a hard drive that is fully encrypted. By comparing an encrypted display with an unencrypted display, it becomes obvious that the two are different. The encrypted data contains nothing that seems even vaguely understandable. And that is the essence of encryption—to make some piece of data unintelligible and unusable to all except those who are authorized to use the data.

    Data encryption in Microsoft Windows

    Microsoft Windows supports some data encryption. Starting with Windows 2000, Microsoft made available support for the Encrypting File System (EFS), a built-in mechanism for encrypting specific files or entire folders that reside on NTFS partitions. Note that FAT partitions are not supported, which means that files stored on USB memory sticks cannot be encrypted.

    Encrypting File System (EFS)

    When an individual file is encrypted using EFS, modifications made to that file may result in the creation of unencrypted, or “plain-text,” copies. When a user opens an encrypted file using Microsoft Word, the file is decrypted by the operating system and copied to a temporary location. The plain-text file is used during the editing process, and the contents get encrypted again only when the file is closed. This process can leave unencrypted remnants on disk, opening the possibility that sensitive information may be revealed.

    The greater vulnerability of EFS comes from the fact that access is tied to a user’s logon account. For example, a data thief could reset a user’s password on systems that are vulnerable to the attacks described earlier in this paper. A thief can impersonate a legitimate user, thereby gaining access to the EFS files for which the compromised user ID has access rights. Paradoxically, the use of EFS in such situations has a negative effect on data security. A thief would probably examine EFS-enabled files first, based on the assumption that encrypted files are likely to be the ones with sensitive data.
  • 5. BitLocker full-drive encryption

    A more secure alternative to EFS is full-drive encryption. Full-drive encryption protects against both types of attacks described in this paper. When alternative boot media is used, the contents of the encrypted drive are gibberish. When an encrypted hard drive is connected as a secondary drive (see Attack #3), the contents are still not readable.

    A central benefit of full-drive encryption is that the choice of what data to encrypt and what to leave unprotected is taken away from the user. All data on encrypted partitions is encrypted without exception. Microsoft’s full-drive encryption solution is BitLocker. Sophos’s full-drive encryption solutions are SafeGuard Easy and its successor SafeGuard Enterprise. Let’s consider BitLocker.

    On Windows Vista, BitLocker can encrypt one disk partition: the one with the operating system (typically the C drive). Compared to EFS, BitLocker provides a more secure way to protect data. On a BitLocker-enabled system, data on the boot partition is unavailable unless a valid password is entered during system boot.

    » Note: BitLocker hard drive encryption is supported in two versions of Windows Vista: Windows Vista Enterprise and Windows Vista Ultimate.

    As we have described, Microsoft has built in some support for data encryption, starting with Windows 2000. When you need more than what comes with the operating system, we invite you to look at Sophos’s line of data encryption products.

    Sophos data encryption products

    To help you select the Sophos product that is right for you, we turn our attention to three of our products: SafeGuard Easy, SafeGuard PDA and SafeGuard PrivateDisk.

    Sophos SafeGuard Easy/SafeGuard Enterprise

    Both BitLocker and SafeGuard Easy/SafeGuard Enterprise provide pre-boot authentication to protect the integrity of the boot partition and the operating system. In addition, SafeGuard performs encryption of all local data drives and is not limited to the partition with the operating system; it applies to all partitions on all hard drives. It also encrypts removable drives including diskettes, zip and jaz disks, as well as USB memory sticks.

    SafeGuard Easy can be deployed on versions of Microsoft Windows older than Windows Vista. And so, unlike BitLocker, which requires specific versions of Windows Vista, SafeGuard Easy is supported on the entire family of operating systems from Microsoft, including Windows NT 4.0, Windows 2000, Windows Server 2000, Windows XP and Windows Server 2003.

    SafeGuard Enterprise, the successor of SafeGuard Easy, supports Windows XP and also Windows Vista (starting with version 5.20). Besides offering many other enhancements, it adds a central Active-Directory enabled server as well as the ability to manage BitLocker clients in parallel to SafeGuard encrypted clients in a mixed environment if the customer desires to do so.
  • 6. Sophos SafeGuard PDA

    SafeGuard PDA provides data encryption, interface blocking and authentication on the Windows, Palm and Symbian OS-based devices (on Windows Mobile even biometric authentication—signature or fingerprint).

    Sophos SafeGuard PrivateDisk

    If you have been using EFS but want just a few extra features, SafeGuard PrivateDisk might have what you are looking for. Both EFS and SafeGuard PrivateDisk allow your data to be secured under digital lock and key. Both require active involvement by a user to identify the specific files to be encrypted. Note that this is unlike whole drive encryption schemes, on which all files are transparently encrypted and decrypted.

    Where a user would define a specific system folder for EFS encryption, SafeGuard PrivateDisk generates encrypted “virtual” disk drives. To authorized users, these disk drives appear with a regular system drive letter (D, E, etc.). To the outside world, a SafeGuard PrivateDisk volume appears as a single file. Unlike EFS, which is limited to NTFS partitions, PrivateDisk volume files can be copied to a USB memory stick, CD-ROM drives, DVD drives or diskettes. In addition, unlike EFS, PrivateDisk supports Windows NT 4.0.

    Conclusion

    Is your data at risk? Unless your data is encrypted, the answer is yes. Although you must secure all computer systems, those that leave a company’s physical security perimeter are the most vulnerable. Such computers include laptops used by sales professionals, or those that executives take on visits to remote company sites. Without encryption, your company’s data is at risk. Don’t become the next lost laptop headline.
  • 7. A Sophos white paper Is your data at risk? Why physical security is insufficient for laptop computers Boston, USA | Oxford, UK © Copyright 2009. Sophos Plc All registered trademarks and copyrights are understood and recognized by Sophos. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means without the prior written permission of the publishers.
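The section "A look inside encrypted files" describes comparing the numeric and character displays of the same data in its unencrypted and encrypted states. The following is an added example, not part of the Sophos paper: it renders both displays and measures the difference with byte entropy and printable-character ratio. The sample text, key, function names, thresholds and the SHA-256 keystream cipher are assumptions made for illustration; the cipher is a stand-in, not the algorithm of any product named in the paper.

```python
import hashlib
import math
from collections import Counter

# Constructed sample document (not from the white paper), cut to 4 KiB.
PLAINTEXT = (b"Quarterly payroll export: employee name, national ID, salary. " * 80)[:4096]
KEY = b"constructed demo key"  # hypothetical key, for illustration only


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: XOR data with a SHA-256 counter keystream (demo only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hexdump(data: bytes, width: int = 16) -> str:
    """Numeric (hex) and character display of the same bytes, side by side."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4-5 for English text, close to 8 for ciphertext."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    return sum(32 <= b < 127 for b in data) / len(data)


def looks_encrypted(data: bytes, min_entropy: float = 7.0,
                    max_printable: float = 0.5) -> bool:
    """Heuristic: high entropy and mostly unprintable bytes."""
    return shannon_entropy(data) >= min_entropy and printable_ratio(data) <= max_printable


CIPHERTEXT = keystream_xor(PLAINTEXT, KEY)

if __name__ == "__main__":
    for label, blob in (("unencrypted", PLAINTEXT), ("encrypted", CIPHERTEXT)):
        print(f"--- {label}: entropy={shannon_entropy(blob):.2f} bits/byte, "
              f"printable={printable_ratio(blob):.0%}, "
              f"looks_encrypted={looks_encrypted(blob)}")
        print(hexdump(blob[:48]))
```

Compressed data also scores high on entropy, so a result like this shows that a region is not readable plain text, not that a particular encryption product is protecting it.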