Passwords: Hard-to-hack equals hard-to-remember

1:44 pm on May 28, 2009 | By Cam Roberson | In password policy, password security | No Comments

I read today about a new web-based program that can be used to create complex, hard-to-hack passwords. These passwords are randomly generated and contain a sufficient number of uppercase, numerical and special characters. Terrific! Hard-to-hack equals hard-to-remember. And hard-to-remember means these difficult passwords will be written in a notebook, on a sticky note or… who knows. Here’s the point: reliance on users in large scale for critical security-related tasks is just plain dumb. Users/employees should not be relied upon for effective data security.

Security even more of an afterthought today

1:48 pm on May 27, 2009 | By Cam Roberson | In Uncategorized | No Comments

It is no surprise that security tools remain a secondary purchase amongst IT executives, well behind productivity tools. This secondary status has been exacerbated by economy-inspired belt-tightening. There’s simply no reasonable way to apply ROI to a non-event, which is exactly the outcome we want when a security tool is deployed. Even Google, aggressively moving into applications and host of the Google I/O Developer Conference, has seemingly given security short shrift. Our economy has been almost the sole story relative to all things business, but I wonder how long it will offer a safe-haven excuse for not adequately protecting data, particularly customer, client and patient data.

Considerations for USB/Flash Security

3:27 pm on March 18, 2009 | By Mike Lee | In flash security, usb security | No Comments

Laptops in use are an obvious data security risk. Alongside those laptops there are about twice as many USB flash drives, and the data transferred onto them is largely unmonitored and unregulated. Is your data being kept safe?

How do you protect yourself from employees losing flash drives with sensitive data on them? There are ways and products to block the use of flash devices, but that can hinder employee productivity. There are also several products that do on-the-fly encryption. One of these, with a good key management system and the ability to remotely kill access to the flash drive, might be a good solution to this threat. Looking a little further ahead, BitLocker is another option.

Currently, BitLocker is a full-disk encryption solution available as a part of Windows Vista (Enterprise and Ultimate editions). In Service Pack 1 it was improved to allow the encryption not only of the boot partition but of additional drives/partitions as well. In Windows 7, BitLocker is getting another boost to its functionality: BitLocker To Go will allow users to use full-disk encryption technology on external USB flash or other removable drives. Windows 7 will also make it much easier to block all storage devices that are not protected with BitLocker To Go.

Just like with normal BitLocker, these BitLocker To Go encrypted drives can be accessed via password or through the use of a smart card and four-digit PIN. There is also a recovery key in case the password or smart card is lost. On the down side, the initial encryption of the drive can take hours depending on the size of the drive you are using. Note that while the setup of BitLocker To Go can only be done on Windows 7 Enterprise and Ultimate editions, the drives can be accessed and used normally on any version of Windows 7.

When deciding what type of solution to use to protect sensitive data on removable drives, be sure to consider these things: key management, ease of setup and support, and the amount of control you have if the drive is lost.

Laid-Off Workers Biggest Data Security Threat

1:30 pm on February 18, 2009 | By Tim Lavelle | In disgruntled employee threat, laid-off employee | No Comments

In a recent McAfee study of 800 companies in 8 countries (McAfee-Study), which says businesses risk $1 trillion in data security losses, 42 percent of the companies surveyed said that laid-off employees were the single biggest threat to their data security. The increase in the availability and power of removable storage, including laptops and USB sticks, has made data loss or theft easier.

Can any company afford to keep this threat window open? If your company deploys an encryption-only solution, a former employee who may still be in possession of their computer after termination will also have possession of sensitive data for which your company is responsible. Encryption doesn’t protect you now, since they have the password.

To ensure that your data cannot be accessed, either by a former employee or anyone in possession of the password, you need a solution that will continue to work for you, even after encryption has been neutralized.

You Can’t Move Forward If You Don’t Back Up

5:20 pm on February 9, 2009 | By Ulan Nivera | In data backup, laptop backup, pc backup, pc data backup | No Comments

So now you’ve finally implemented a comprehensive Information Asset Protection strategy. You have strong password policies and are rigorous about adherence. You’ve even deployed data encryption and possibly the more advanced data destruction capabilities. Your fortress is secure!

However, there are many things beyond theft or loss that could compromise your access to your information. Hardware and software failures are among them. We know about the occasionally dropped laptop or, heaven forbid, the spilled beer or soft drink that seeps into the innards of your machine. Drive failures are also a common occurrence. Let’s also not forget that any encryption system, by its very nature, is designed to scramble your data.

This is why it is essential that you have a rock-solid backup and recovery plan to complement your information asset protection strategy. Regardless of the size of your organization, from a sole proprietor to a large enterprise, you should always have provisions to get back to a set of your data that gets you operational as quickly and smoothly as possible. To that end, there are several things you should consider when developing a backup and recovery strategy. Among them are:

1. How much data can you (or can’t you) afford to lose? Will losing an hour’s, a day’s or a week’s worth of data result in a financial or operational catastrophe for your work or business?

2. How quickly do you need to be operational again? Will an extended amount of downtime while you are attempting to recover/restore your data severely impact your work or business?

3. What is realistic for you to do given your resources of people, time and/or money? This includes looking at what technologies, people or processes are available for you to utilize.

Finally, it is important to ensure that you test your backup and recovery strategy on a regular basis. Do not wait for a failure to happen before testing your ability to recover data. Instead, make it a regular habit to bring data back from your backup sets at least once a quarter. So, in addition to the ability to encrypt and/or eliminate your sensitive data, putting a good backup and recovery plan in place is essential to truly protecting your information assets and your business.
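The quarterly restore drill described above is only meaningful if the restored data is checked against what was backed up, not just counted. The following is an added example (not from the original post or from Beachhead Solutions) of how such a drill can be automated: a SHA-256 manifest is written at backup time, the restored tree is verified against it, and a separate helper answers question 1 above by checking whether the newest backup is recent enough for the data-loss window you can tolerate (the recovery point objective). All file contents and timestamps below are constructed for the demonstration; the simulated restore deliberately truncates one file to show what the manifest catches that a size-or-count check would miss.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; store this alongside each backup set."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; an empty list means the drill passed."""
    restored_root = Path(restored_root)
    problems = []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def rpo_met(last_backup_iso, now_iso, rpo_hours):
    """True if the newest backup is recent enough to satisfy the recovery point objective."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_backup_iso)
    return age <= timedelta(hours=rpo_hours)


def restore_drill():
    """Simulated quarterly drill: back up, restore, and catch a silently truncated file."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup, restored = (Path(tmp) / n for n in ("source", "backup", "restored"))
        source.mkdir()
        # constructed sample data standing in for the real working set
        (source / "ledger.csv").write_text("id,amount\n1,42\n")
        (source / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(source)
        shutil.copytree(source, backup)      # the "backup job"
        shutil.copytree(backup, restored)    # the "restore job"
        # simulate a restore that came back truncated: the file exists, so a
        # presence check passes, but its content no longer matches the manifest
        (restored / "notes.txt").write_text("quarterly rev")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(restore_drill())                                        # ['hash mismatch: notes.txt']
    print(rpo_met("2009-02-09T02:00", "2009-02-09T17:20", 24))  # True: 15h20m old, 24h RPO
    print(rpo_met("2009-02-09T02:00", "2009-02-09T17:20", 1))   # False: too old for a 1h RPO
```

Keep the manifest with the backup set but also somewhere the backup job cannot overwrite; if the backup media itself is encrypted (as the post recommends), the drill also proves that the recovery key or password still works, which is the failure mode the "encryption scrambles your data" warning above is about.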

A time-limit on encryption?

5:20 pm on February 2, 2009 | By Dan Maksim | In brute-force attack, key destruction, password policy, rainbow attack, social engineering | No Comments

The computational power required to brute-force the most widely used encryption algorithms (RSA, PGP, 3DES) is currently beyond anyone’s reach, provided that a sufficiently large key is used for encryption. Such power should continue to be out of anyone’s reach for the foreseeable future, assuming that:

1. Moore’s law holds true, i.e. computing power only doubles every 18 to 24 months

2. a breakthrough in quantum computing is not just over the horizon

3. there are no striking advances in currently used factoring algorithms

These assumptions are generally considered to be reasonable. The real, immediate risk to most security systems continues to be weak password policies and social engineering.

However, what if your encrypted data falls into an attacker’s hands, and an exploitable flaw is found in the way your data is encrypted and stored? How likely is this to happen? If we look at cryptographic systems introduced only ~10 years ago, we see that flaws are often found ~5 years after their widespread implementation, which usually leads to full cracks of the system in the following ~2-10 years. Granted, current encryption algorithms are more robust and have already withstood far more scrutiny than older ones, but breaches do still happen. For example, SSL was recently compromised and attackers were able to create a rogue certificate authority.

Encryption alone isn’t sufficient to guarantee long-term security. Removal/destruction of secure data in addition to encryption is preferable. If nothing else, destruction of private keys is a great start.

Passwords are exchanged routinely and even when they aren’t …

5:10 pm on January 23, 2009 | By Yuri Yuryev | In identity theft, password security, social engineering | No Comments

One of my relatives once worked for a large federal firm administering their employee database that included all of the employee personal data, salary, and for some the required monthly drug test results. At the time, the firm was building a couple of new modern interfaces to the database, and my relative, being of the older generation of programmers, quite often asked for my help with the newer concepts. Of course, when he was showing me how he built his interfaces, he also told me the password to that database (which happened to be the same as his laptop password). To this day, I cringe every time I think of how often things like this happen in every large corporation. However, let’s give him the benefit of the doubt, since I was his close relative, and he knew that I wouldn’t do anything bad with the password. And, frankly, that’s not what worries me. What really worries me is that his password was something like “Charles99”, where Charles was my relative’s first name, and 99 was the current year.

I don’t break into systems, I don’t use my social engineering skills to gain access to user accounts, and I don’t get any pleasure out of doing things like that; in other words — I’m not a hacker. Nevertheless, I’m guessing that it would take me no longer than 10-15 minutes to guess that “Charles99” password, simply because it’s so easy! In fact, I don’t even need to know any personal information about the owner of a laptop with such a password, except for his or her name, which is most likely a part of their stored login anyway. So, the question is: being the System Administrator in this corporation, how do you protect a system like this?

There are a couple of ways to enhance password security:

1) Educate your users. Conduct a mandatory security workshop with your users a couple of times a year, where you stress the importance of good data security practices. Describe how a data security breach might directly affect the users’ work environment or salary and use that as an incentive for them to follow the company security rules.

2) Create a strong password policy in your domain. Things like non-alphanumeric characters and no relation to the user’s account name are present in Microsoft’s password complexity requirements by default. Make sure that you don’t require users to rotate passwords too often; otherwise they will get frustrated and write them down, which will defeat the purpose of the whole exercise.

3) Use a security package with a remote kill switch. If the computer does get lost or stolen at some point, the IT administrator should have a way to either secure or destroy the company data remotely. In this case, encryption is not going to protect your data if we assume that the password was broken by the thief, but the ability to destroy the data will be an effective tool against data leakage.
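To make point 2 concrete, here is an added example (not from the original post) of a local check modelled on Microsoft’s default “password must meet complexity requirements” policy as documented: at least six characters, no occurrence of the account name or of any full-name fragment of three or more characters (the full name is split on commas, periods, hyphens, underscores, spaces, pound signs and tabs), and characters from at least three of five categories. The name-splitting and category rules are my reading of the documented behaviour, not Microsoft’s code, and the account name “cexample” and full name “Charles Example” are constructed. Run against “Charles99”, the check rejects it for the right reason: not because it lacks character classes (it has three), but because it contains the user’s first name.

```python
import re

# Delimiters the documented policy uses to split the full name into fragments.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(account_name, full_name=""):
    """Fragments a password must not contain: the whole account name plus full-name parts."""
    tokens = [account_name] if account_name else []
    for part in NAME_DELIMITERS.split(full_name):
        # full-name fragments shorter than three characters are ignored by the policy
        if len(part) >= 3 and part not in tokens:
            tokens.append(part)
    return tokens


def categories_used(password):
    """Which of the five complexity categories appear in the password."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other_alpha")   # letters with no case, e.g. CJK scripts
        elif not ch.isspace():
            cats.add("symbol")
    return cats


def check_password(password, account_name, full_name=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    lowered = password.lower()   # the name comparison is case-insensitive
    for token in name_tokens(account_name, full_name):
        if token.lower() in lowered:
            problems.append(f"contains name fragment '{token}'")
    cats = categories_used(password)
    if len(cats) < 3:
        problems.append(f"uses only {len(cats)} of 5 character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample account; "Charles99" is the pattern from the post above.
    for pw in ("Charles99", "Ch4rl3s!", "secret", "Tr0ub4dor&3"):
        verdict = check_password(pw, "cexample", "Charles Example") or ["passes policy"]
        print(f"{pw:12} -> {', '.join(verdict)}")
```

Note what the check does not do: “Ch4rl3s!” passes, because the substring test knows nothing about letter-for-digit substitutions, which is why the complexity policy is a floor and the user education in point 1 still matters.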

The Effects of Economic Downturn on Data Security

2:01 pm on January 14, 2009 | By Edward Chung | In data breach, identity theft, pc security tips, risk management | No Comments

The current economic landscape has left corporations brutally exposed to loss and even abuse of sensitive data. According to a survey conducted by SailPoint of over 100 Fortune 1000 IT managers, “nearly 70 percent can’t summarize which workers have access to the most critical applications and data. Further, if faced with a layoff, 44 percent of respondents are unable to remove access privileges of terminated employees on a timely basis.” This is extremely dangerous given the high number of layoffs and mergers/acquisitions happening every day. It allows for situations where disgruntled workers can maliciously misuse their access, as in the case of the disgruntled S.F. admin who hijacked their network.

Public CIO has some useful tips on what to look for and how to keep your company from being vulnerable. The four things to look out for are:

  • Orphan Accounts – Do employees who no longer work at your company still have access to any systems?
  • Access Level of Contractors/Temps – Do you regularly restrict the access you give to contractors as they move on and off various projects?
  • Entitlement Creep – Have employees who have worked at your company for a long time received more access than they should have just for being around?
  • Separation of Duties – Do any employees have excessive control over critical business transactions?

Regularly monitoring these things should greatly help maintain access control over your sensitive data so that the economy does not cause more damage than it already has.
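The four review questions above can be answered mechanically once you have two exports side by side: the HR roster (who is employed, in what role, until when) and the directory’s account-to-group listing. The following is an added example (not from the original post, Public CIO or SailPoint) that runs all four checks over a constructed roster and account list; the field names, role baselines and conflicting-group pairs are this example’s own assumptions, not any product’s schema. The review date is taken as the post’s date.

```python
from datetime import date

# Constructed HR roster: person id -> employment record.
HR = {
    "e100": {"name": "Alice", "status": "active", "kind": "employee", "role": "ap_clerk", "end": None},
    "e200": {"name": "Bob", "status": "terminated", "kind": "employee", "role": "engineer", "end": "2009-01-09"},
    "c300": {"name": "Carol", "status": "active", "kind": "contractor", "role": "engineer", "end": "2008-12-31"},
    "e400": {"name": "Dave", "status": "active", "kind": "employee", "role": "ap_clerk", "end": None},
}
# Constructed directory export: account, its owner in HR, and group memberships.
ACCOUNTS = [
    {"account": "alice", "owner": "e100", "groups": {"ap-entry"}},
    {"account": "bob", "owner": "e200", "groups": {"source-repo", "build-servers"}},
    {"account": "carol", "owner": "c300", "groups": {"source-repo"}},
    {"account": "dave", "owner": "e400", "groups": {"ap-entry", "ap-approve", "build-servers"}},
    {"account": "svc-legacy", "owner": "e999", "groups": {"build-servers"}},  # owner unknown to HR
]
# Groups each role is expected to hold; anything beyond this is entitlement creep.
ROLE_BASELINE = {
    "ap_clerk": {"ap-entry"},
    "ap_approver": {"ap-approve"},
    "engineer": {"source-repo", "build-servers"},
}
# Pairs of groups one person must never hold together (separation of duties).
SOD_CONFLICTS = [("ap-entry", "ap-approve"), ("payroll-edit", "payroll-audit")]


def orphan_accounts(accounts, hr):
    """Accounts whose owner is unknown to HR or is marked terminated."""
    return sorted(a["account"] for a in accounts
                  if a["owner"] not in hr or hr[a["owner"]]["status"] == "terminated")


def expired_contractor_access(accounts, hr, today):
    """Contractor/temp accounts still present after the engagement end date."""
    found = []
    for a in accounts:
        person = hr.get(a["owner"])
        if person and person["kind"] == "contractor" and person["end"]:
            if date.fromisoformat(person["end"]) < today:
                found.append(a["account"])
    return sorted(found)


def entitlement_creep(accounts, hr, baseline):
    """Groups held beyond the owner's role baseline, as (account, [extra groups])."""
    found = []
    for a in accounts:
        person = hr.get(a["owner"])
        if not person:
            continue  # already reported by orphan_accounts
        extra = a["groups"] - baseline.get(person["role"], set())
        if extra:
            found.append((a["account"], sorted(extra)))
    return sorted(found)


def sod_violations(accounts, conflicts):
    """Accounts holding both halves of a conflicting pair, as (account, group_a, group_b)."""
    return sorted((a["account"], g1, g2) for a in accounts
                  for g1, g2 in conflicts if g1 in a["groups"] and g2 in a["groups"])


def run_review(accounts=ACCOUNTS, hr=HR, today=date(2009, 1, 14)):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "orphans": orphan_accounts(accounts, hr),
        "expired_contractors": expired_contractor_access(accounts, hr, today),
        "entitlement_creep": entitlement_creep(accounts, hr, ROLE_BASELINE),
        "sod_violations": sod_violations(accounts, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(f"{finding}: {items}")
```

On the sample data the review flags Bob (terminated but still has an account) and the service account nobody owns as orphans, Carol’s contractor access as expired two weeks ago, Dave’s build-server and approval rights as creep beyond an AP clerk’s baseline, and Dave’s combination of entering and approving payables as a separation-of-duties conflict. The point of keeping role baselines and conflict pairs as data is that the same script can be rerun after every layoff round or reorganization rather than once a year.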

Cloud Computing in our Immediate Future?

2:14 pm on January 5, 2009 | By Pete Hokenson | In Uncategorized | No Comments

The term Cloud Computing covers many areas of technology, such as software as a service (SaaS), a software distribution method, and the newer hardware as a service, all of which have in common that they are delivered over the internet, on demand, from massive data centers. Cloud Computing represents a fundamental shift in the way companies obtain software and computing capacity, using the internet to tap into everything from extra server space to software programs. Assigning these computing tasks to a remote location rather than a desktop computer, laptop computer, handheld machine or the company’s own servers is what is known as Cloud Computing.

Cloud Computing, once a concept, is now on its way to becoming a legitimate new technology and is gaining interest with forward-thinking CIOs. According to writer Nicholas Carr, Cloud Computing will put most IT departments out of business: “IT departments will have little to do once the bulk of business computing shifts out of private data centers into the cloud.” Carr also comments on the security issues facing this new approach to offloading data centers: “One of the key challenges for corporate IT departments, in fact, lies in making the right decisions about what to hold onto and what to let go.”

Several issues worry CIOs about the reliability and security of cloud-based services. Downtime on these services will now be out of their control, moving away from their current ability to maintain their own systems to ensure uptime. The ability to comply with regulations, including Sarbanes-Oxley, governing corporate financial reporting, and HIPAA, the Health Insurance Portability and Accountability Act, is a major concern.

Due to the concern for reliability of system uptime and the ability to comply with the many regulations now mandated on corporate and personnel data security, many CIOs, analysts and vendors see the emergence of Cloud Computing happening only gradually.

Worm Attack Forces the U.S. Army to Ban USB Drives

11:41 am on December 3, 2008 | By Scott Pierson | In information security, risk management | No Comments

According to news reports, the Army initiated a temporary ban on the use of USB flash drives until they could get control of a worm that propagates by installing itself on USB flash drives when they are mounted on an infected machine. When the drive is then plugged into another machine, it copies itself to the new machine and then tries to download malware from the Internet.

Using a product like Beachhead Solutions’ LDDFlash could have prevented this type of malware attack. LDDFlash forces users to create encrypted vaults on any USB flash device they plug into the computer. Because Beachhead’s product is driverless and because it creates a vault that encompasses the entire space on the device, the worm cannot copy itself to the device. Files must be dragged and dropped into the vault after a user name and password is used to open it. Executables cannot be launched from the vault, eliminating this threat completely.

A side benefit of this product is the ability to destroy the data on the device based on failed logons or if the device is lost or stolen.