Disk Secure

Is your data at risk?: Why physical security is insufficient for laptop computers
Evaluating the various data security options to protect your PCs can be challenging. This
paper examines the options, discusses why passwords alone are not sufficient and makes
the case for strong data encryption.
New frontiers in computer security
The meaning of computer security continues to evolve. Physical security used to be the
main concern. Through the 1980s, expensive mainframe computers were locked in special
climate-controlled rooms within secure buildings.
Security costs, when they were considered at all, constituted a very small percentage of the
overall system costs. Today, such systems are called “server systems”; and although they are
important in their own right, they make up a small percentage of all computer shipments each
year. According to market researcher Gartner, 2.3 million server systems shipped worldwide in the
third quarter of 2008, compared to 80.6 million PCs that shipped in the same period.
The widespread use of PCs creates much greater vulnerability compared to yesterday’s mainframe
computers. Although desktop PCs are arguably less secure than centralized servers, such systems
probably have physical security identical to that of a company’s other on-premises assets. The
least secure computers are those that are mobile.
According to the Gartner estimate for 2008, worldwide mobile PC growth is 25% versus 1.2%
for desktops. According to its forecast, 293 million PCs would be shipped in 2008.
Whether you prefer the term “mobile PC,” “laptop” or “notebook,” the vulnerable systems
are those taken off-premises. In spite of employee diligence, mobile PCs do get lost and stolen. Not
convinced? Take a look at www.privacyrights.org, a website listing breaches in data security that
involve personally identifiable information (PII).
More than half of the states in the United States require disclosure of such breaches. Don’t let
your company’s name get added to this list; good solutions are available.
Attacks on laptop data security
To a casual observer, a laptop computer seems secure. To use a computer system, users must type
credentials into a window. If users do not provide the correct username and password, they cannot
access the system. Like someone who misplaces the keys to a car, someone who forgets a computer
password is locked out. Without the proper credentials, access is blocked. Or is it?
Passwords alone do not protect data
The login process prevents unauthorized users
from running software. But a password does not, by itself, make the data on hard drives secure. A
user without a correct username and password cannot use the services of the operating system
as installed and configured on that particular hard drive. However, a tech-savvy person without the
appropriate credentials can still attack a computer.
There are three possible attack strategies:
• Alternative boot device
• Alternative boot device + alternative boot program
• Moving a hard drive to an alternative computer system
Attack #1: Alternative boot device
One type of attack involves using an alternative boot device instead of the hard drive. Every
computer system supports this option. Over many years and many versions, the Microsoft Windows
setup disks have been distributed on bootable CD-ROM or DVD discs. A simple way to access a
system’s data is to boot to a Windows setup disk and install a new copy of the operating system.
This approach makes available any data that resides on a hard drive.
Attack #2: Alternative boot device + alternative boot program
A second attack combines the first attack with special boot programs. For example, many IT
professionals use bootable CD-ROMs with software like BartPE (Bart’s Preinstalled Environment) as an aid in fixing systems with boot problems.
Aside from legitimate uses, unauthorized persons can use this type of tool to mount an attack.
In addition to accessing normal user data files, such tools allow access to operating system files that are not available when the operating system is running. Of particular interest is the Security Accounts Manager (SAM) database, an encrypted
file with password hashes. Although this is an encrypted file, techniques are widely available to decrypt the SAM and read password hashes. While different from plain-text passwords, a password hash is the result produced when a password is run through a security algorithm. By replacing a password hash for an existing account—maybe one with administrator privileges—a data thief can boot and run the original operating system and any installed software.
Guarding Against Attacks #1 and #2
Support for alternative boot devices enables operating system installation. After the OS has
been installed, the use of alternative boot devices can be disabled in the basic input/output system (BIOS). In the same way that you can lock
the front door of your house, you can lock out alternative boot devices with the proper BIOS settings. To keep those settings in place, you also
need to enable password protection on the BIOS itself. A third step, locking the computer’s case, prevents a reset of the BIOS and failure of the
above measures.
Attack #3: Moving a hard drive to an alternative computer system
An individual with physical access to a laptop computer can remove the laptop’s hard drive using a screwdriver. Once removed from the original
system, the laptop’s hard drive can be attached to another computer—one on which the individual has valid login credentials. When installed on another computer, the laptop hard drive is not the bootable system drive. Instead, the laptop hard drive appears as a secondary data drive (drive D, E, etc.). When attached to another system like this, the laptop’s data is just as readily accessible
as if an authorized user had logged on to the original laptop. At this point, all data is readable;
only encrypted data is hidden from view. What can an intruder use to enable this type of unauthorized access? There are several choices,
but the simplest is a hard disk enclosure kit. These kits are available from computer retailers. Hard disk enclosures have a very reasonable and legitimate purpose: to create a portable storage device. A hard disk enclosure allows any hard drive to be portable between computer systems. Such enclosures support both USB connections and 1394 (i.e., FireWire) connections. The cost is nominal—typically less than US$20 (€15).
Therefore, this legitimate product can have illegitimate uses. A hard disk enclosure enables unauthorized users to read the data on a hard
drive taken from a lost or stolen laptop computer.
By using this tool, anyone who has physical access to a hard drive can gain full access to the data on that drive. Hard disk enclosure kits also include a screwdriver, which is often the only tool needed to remove a hard drive from a laptop computer.
Securing data requires encryption
True data security requires making data unreadable to persons who are not authorized to access the
data. And because file system permissions can be overridden using schemes like the ones described earlier, data encryption is the only truly secure way to hide sensitive data. To unauthorized users, encrypted data is meaningless. Only authorized
users with valid credentials can access the encryption keys needed to decrypt and use data.
This section reviews encryption support in Microsoft Windows, and the encryption support in three popular data encryption products from Sophos.
A look inside encrypted files
To understand the protection that data encryption provides, you must understand the difference
between data in an unencrypted state and an encrypted state. In both states, the data appears
in two forms: (1) numeric values and (2) character data. Software engineers commonly use both types
of displays when they need to understand the exact location of each bit and byte of data. In an unencrypted “plain-text” display, the text data
is clearly readable. Interestingly, even the most sophisticated word processing programs typically store text data in a very readable form. Of course, this helps software engineers when writing the
sophisticated programs. From a security standpoint, this practice also makes it easy for anyone—friend or foe—to read data on a hard drive.
It’s a different situation when the same file is saved on a hard drive that is fully encrypted.
By comparing an encrypted display with an unencrypted display, it becomes obvious that the
two are different. The encrypted data contains nothing that seems even vaguely understandable.
And that is the essence of encryption—to make some piece of data unintelligible and unusable to all except those who are authorized to use the data.
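The two displays described above can be reproduced and measured. This added example (not part of the original paper) prints a hex-editor style view of a constructed 4 KiB sample before and after encryption and scores each buffer. The `toy_encrypt` keystream XOR, the sample text and the 7.0 / 0.6 thresholds are assumptions chosen for illustration, not the cipher or settings of any product named here.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: a 4 KiB "document" standing in for a file on disk.
PLAIN = (b"Quarterly forecast (constructed sample): region EMEA, owner J. Example\n" * 64)[:4096]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/carriage return."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def hexdump(data: bytes, width: int = 16) -> str:
    """Numeric values on the left, character data on the right, as in a hex editor."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Illustration only: XOR with a SHA-256 counter keystream, NOT a real disk cipher."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(p ^ s for p, s in zip(data, stream))

def classify(data: bytes) -> str:
    """Triage heuristic. Compressed data also scores high, so treat a hit as a hint."""
    if shannon_entropy(data) > 7.0 and printable_ratio(data) < 0.6:
        return "looks encrypted"
    return "readable"

if __name__ == "__main__":
    cipher = toy_encrypt(PLAIN, b"constructed-demo-key")
    for label, buf in (("plain", PLAIN), ("encrypted", cipher)):
        print(f"--- {label}: entropy={shannon_entropy(buf):.2f} bits/byte, "
              f"printable={printable_ratio(buf):.0%}, verdict={classify(buf)}")
        print(hexdump(buf[:48]))
```

The same scoring can be pointed at bytes read from a drive image to spot-check whether a volume that is supposed to be encrypted still exposes readable content.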
Data encryption in Microsoft Windows
Microsoft Windows supports some data encryption. Starting with Windows 2000, Microsoft made
available support for the Encrypting File System (EFS), a built-in mechanism for encrypting specific files or entire folders that reside on NTFS partitions. Note that FAT partitions are not supported, which means that files stored on USB memory sticks cannot be encrypted.
Encrypting File System (EFS)
When an individual file is encrypted using EFS, modifications made to that file may result in
the creation of unencrypted, or “plain-text,” copies. When a user opens an encrypted file using Microsoft Word, the file is decrypted by the operating system and copied to a temporary location. The plain-text file is used during the editing process, and the contents get encrypted
again only when the file is closed. This process can leave unencrypted remnants on disk, opening the possibility that sensitive information may be revealed.
The greater vulnerability of EFS comes from the fact that access is tied to a user’s logon account.
For example, a data thief could reset a user’s password on systems that are vulnerable to the attacks described earlier in this paper. A thief can impersonate a legitimate user, thereby gaining access to the EFS files for which the compromised
user ID has access rights. Paradoxically, the use of EFS in such situations has a negative effect on data security. A thief would probably examine
EFS-enabled files first, based on the assumption that encrypted files are likely to be the ones with sensitive data.
BitLocker full-drive encryption
A more secure alternative to EFS is full-drive encryption. Full-drive encryption protects against
both types of attacks described in this paper. When alternative boot media is used, the contents of the encrypted drive are gibberish. When an
encrypted hard drive is connected as a secondary drive (see Attack #3), the contents are still not readable.
A central benefit of full-drive encryption is that the choice of what data to encrypt and what to leave unprotected is taken away from the user.
All data on encrypted partitions is encrypted without exception. Microsoft’s full-drive encryption
solution is BitLocker. Sophos’s full-drive encryption solutions are SafeGuard Easy and its successor SafeGuard Enterprise. Let’s consider BitLocker. On Windows Vista, BitLocker can encrypt one disk partition: the one with the operating system (typically the C drive). Compared to EFS, BitLocker provides a more secure way to protect data. On a BitLocker-enabled system, data on the boot partition is unavailable unless a valid password is entered during system boot.
As we have described, Microsoft has built in some support for data encryption, starting with Windows 2000. When you need more than what comes with the operating system, we invite you to look at
Sophos’s line of data encryption products.
Conclusion
Is your data at risk? Unless your data is encrypted,
the answer is yes. Although you must secure all
computer systems, those that leave a company’s
physical security perimeter are the most
vulnerable. Such computers include laptops used
by sales professionals, or those that executives
take on visits to remote company sites. Without
encryption, your company’s data is at risk. Don’t
become the next lost laptop headline.
About the Author
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.