Securing Moving Targets
by Caroline Ikomi - CISSP, Technical Manager at Check Point - Monday, 25 February 2008.
Encryption performance is also a factor to consider. A common criticism levelled at FDE techniques is that they slow down the PC’s performance, with the user experiencing delays while data is encrypted and decrypted on the fly. To a certain extent this is true, but misleading. A typical business-oriented machine from a corporate fleet of laptops, built in the last 2 to 3 years, will have the processing power and memory capacity to make any difference in running performance barely noticeable. In fact, the only times that FDE truly impacts on performance is on boot-up or going into hibernation – but this is a very modest trade-off for security.

It’s essential that the FDE solution you choose is operative during these wake-up and shut down periods, to avoid security vulnerabilities. Busy users often don't shut down their laptops at the end of a session: they put them into sleep or hibernate mode, so they can start again quickly. It is vital to ensure the FDE solution you choose can encrypt the contents of the laptop’s memory during the process of it being written to the drive. If the solution does not do this, a thief can remove the disk drive from a stolen laptop that’s in sleep mode, mount it in another machine, and recall and read the data written from the memory. So support for laptops’ sleep and hibernation modes is critical.

For similar reasons, it’s important to choose an FDE solution that encrypts data before the laptop operating system loads, on boot. The FDE solution should take control while the computer’s BIOS looks for a master boot record to load, to prompt for the users for their login credentials. This ensures that only authenticated users boot the OS, and minimises the opportunities for manipulating data.

Security in hand

So far, so good and while the examples given relate to laptop PCs, the same concerns are just as valid for PDAs and smart phones which are also platforms for corporate data. Because these devices vary in operating system – from Symbian, Pocket PC and Windows Mobile to Palm – and architecture, an easy security solution is harder to define than for an Intel PC platform.

Key concerns for handheld security include a rigorous audit of all the devices being used within the enterprise, and then a single encryption solution to cover as many of the platforms as possible. If the handheld device is not authorised, the default approach should be to not allow connection to the corporate network or storage of sensitive data. And as with full disk encryption on laptops, the solution chosen should encrypt data automatically with no user intervention, giving ease of use with control and enforceability. In terms of encryption strength for handheld devices, this is typically not as strong as for a fully specified laptop, but look for 128-bit AES for data stored on the devices as a minimum.

However, this is only the first part of the security picture. Full-disk encryption is not a magical shield against all types of security threat to portable devices. While it will protect data on the hard drive from compromise if the device is stolen or lost, the hard drive is only one storage medium in use on a typical laptop. This brings us to the second area for endpoint security: the management and control of data leakage.

Data leakage: audit and control of removable media

Endpoint security should ensure that the organisation is able to avoid data leaks onto peripheral devices such as USB drives and portable storage media – such as mp3 players and digital cameras. The starting point for protection against leaks via these USB devices is to include them in the business acceptable usage policy (AUP) and to educate users on the importance of following policy – which will include the business risks of breaching policies.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th