Cyber Security Awareness Tip #16: Protecting Portable Media
Last Updated: 2007-10-16 11:56:12 UTC
by Johannes Ullrich (Version: 1)
Today's topic is a bit of an extension of yesterday's "protecting laptops" tip. Derek wrote in saying:
"I actively teach my users to put nothing on portable media that contains anything that would meet our criteria for sensitive data. If it is sensitive, it should always be stored on a secure device with access controls in place. In the cases where someone MUST carry sensitive data on portable devices, I advise them to use a flash drive like IronKey, or use TrueCrypt to create a virtual volume, or to encrypt the device itself."
I have used the "IronKey" mentioned in his note. It is a USB stick designed with security in mind. The user has the option to "escrow" the password with the manufacturer. Of course, you can also just write it down. But the device will self-destruct after the password has been entered incorrectly 10 times.
Back to the topic. One particularly difficult task is off-site backups. The SANS Newsbites newsletter is littered with reports of backup tapes getting lost. Some commercial backup solutions now include encryption. One challenge with backup tapes is the fast obsolescence of backup hardware. Proprietary encryption schemes will only make it harder to recover older backups. But it's a valid solution if you need to protect backup tapes. Of course, many organizations are now moving to network-based off-site disk-to-disk backups. In this case, you can control physical security at each end point and protect the tunnel in between using some sort of encrypted VPN.
Tape backups are usually performed by trained admins. Portable drives are a different challenge. I had hard drives fail on the road. Traveling with two laptops saved the day. But having a second hard drive handy is nice as well, and lighter. There are now a number of commercial solutions with biometrics or other built-in security features. You have to check, however, whether the biometrics can be bypassed just by removing the hard drive from its enclosure. The data on the drive should be encrypted.
Other than that, a lot of the solutions mentioned in our prior diary apply to portable media as well. TrueCrypt, dm-crypt, BitLocker and Knox are just some of the technologies. Fortunately, these portable devices are usually not boot drives, which makes encryption easier. Over the last few years, this has become a very competitive commercial market with many options to choose from. If you evaluate a solution, think about how you can recover a misplaced password. Is there a master password or key escrow option to recover data after an employee leaves? Is *all* the data encrypted? And don't forget Derek's advice: If you don't need it on the road, don't take it on the road.
Scooter wrote in with these points to consider as you evaluate a disk encryption product:
- Can a solution audit and record the serial number of any USB device plugged into a managed system?
- Is there an audit trail of what data moved to the drive?
- Does it require local admin rights to use (encrypt/decrypt)?
- Can you restrict/authorize access by device/system/user?
- Is it centrally administered so you can revoke access for violating policy?
- Does it generate alerts for strange behavior? (Why is this device being plugged into systems all over the company?)
- How does it handle "disk" based portable media (since it is not recognized as removable media by Windows)?
- Can the solution restrict running of executables from the portable media?
- Does the encrypted content expire if not reauthorized within a certain time period?
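
To make the serial-number audit and "strange behavior" questions concrete, here is an added example (not part of the original diary or of any product mentioned) that flags a USB serial number seen on more than a set number of distinct hosts within a time window. The record layout, the thresholds and the function name `roaming_devices` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (timestamp, hostname, USB serial, user).
# The field layout is an assumption; adapt it to what your endpoint agent exports.
SAMPLE_EVENTS = [
    ("2007-10-15T09:02:00", "ws-014", "SN-A1B2C3", "alice"),
    ("2007-10-15T09:40:00", "ws-014", "SN-A1B2C3", "alice"),
    ("2007-10-15T10:05:00", "ws-101", "SN-FFEE01", "bob"),
    ("2007-10-15T10:15:00", "ws-102", "SN-FFEE01", "carol"),
    ("2007-10-15T10:31:00", "ws-117", "SN-FFEE01", "dave"),
    ("2007-10-15T11:00:00", "ws-120", "", "erin"),  # device reports no serial
    ("2007-10-16T16:45:00", "ws-022", "SN-A1B2C3", "alice"),
]

def roaming_devices(events, max_hosts=2, window=timedelta(hours=4)):
    """Return ({serial: sorted hosts}, unattributed events).

    A serial is reported when it appears on more than max_hosts distinct
    hosts inside any sliding time window. Events without a serial cannot be
    correlated, so they are returned separately for manual review."""
    by_serial = defaultdict(list)
    unattributed = []
    for ts, host, serial, user in events:
        when = datetime.fromisoformat(ts)
        if not serial.strip():
            unattributed.append((when, host, user))
            continue
        by_serial[serial.strip().upper()].append((when, host))

    alerts = {}
    for serial, seen in by_serial.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Advance the left edge until the span fits inside the window.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {h for _, h in seen[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[serial] = sorted(hosts)
                break
    return alerts, unattributed

if __name__ == "__main__":
    alerts, unattributed = roaming_devices(SAMPLE_EVENTS)
    for serial, hosts in alerts.items():
        print(f"ALERT {serial}: {len(hosts)} hosts in window: {', '.join(hosts)}")
    for when, host, user in unattributed:
        print(f"REVIEW no-serial device on {host} by {user} at {when}")
```

Devices that report no serial number cannot be tracked this way, which is worth raising with a vendor alongside the first question in the list.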
Any comments? Ideas? Please use our contact page.