Caroline Ikomi, technical director of Checkpoint, wrote an article, Securing Moving Targets, on how to protect data on your laptops and USB devices.
In this Podcast, she discusses with Ben Chai her thoughts behind the article and what other aspects she would have written about had there been more time. Checkpoint will be exhibiting at Infosec 2008.
Click on this link to download the MP3 Interview.
You will also find the slides that Caroline has produced as part of her Expose on Securing Moving Targets on the next few pages of this post.
This podcast is sponsored by IncomingThought.com specialists in security education and white papers.
The playing field is changing. When we talk of threats to data security today we are typically not talking about the loss of paper copies; we are talking about the ability to move large amounts of information around very easily, whether on a CD/DVD or USB device, a laptop or mobile phone, or an MP3 player or iPod.
1. The International Automobile Federation fined McLaren $100 million after their chief designer was found to have confidential data from Ferrari.
2. Francis Ford Coppola had his personal laptop stolen with an unmade film on it; the studio felt a loss of $25 million.
3. A Nottinghamshire hospital had a laptop stolen with data on 11,000 children aged between 7 months and 8 years old.
4. Memory sticks from the US Air Force were found on sale in an Afghan market.
5. A GAP laptop was stolen which contained data on 800,000 people who had applied for a job.
So what is your corporate policy? Is it to say that you will not allow users to have laptops or use wireless networks, and take a hit on productivity, or is it about managing the risks by implementing a data security policy?
If, as an organisation, you decide you need to give your workforce a more flexible environment that allows remote working and the ability to work at home with different media, you need to design a security policy that is written and communicated to your employees, and then implement technology to ensure that it is enforced.
Some of the technology areas you will need to consider are:
The use of hard disk encryption for desktops, laptops, PDAs, smartphones or USB devices. There are a number of options; which will be right for your organisation, and what will it cost your organisation to manage the solution?
Managing how information leaves your organisation. We had one customer who ran a pilot before implementing a policy and found that over a million USB devices had been plugged into a corporate environment of over 100,000 desktops. This is a very large-scale problem, where ease of use and ease of deployment are key.
We now have an encrypted laptop or PDA which is mobile; how do we secure the communication back to our organisation? How do you check that it is running the corporate firewall policy before you let it onto your network?
How do you do all of the above while managing the cost to the organisation?
Disk encryption: there is a choice of two types, either file encryption, where only specific files or folders are encrypted, or full disk encryption, where, as the name suggests, the whole disk is encrypted after the master boot record.
File encryption: while it may be very tempting to go with the free solutions that come with the operating system, it does require that each end user knows which information is important and where to store it so that it is encrypted. This is not as simple as it sounds, even for technically competent users, because clients such as Outlook and browsers create temporary files of their own. So where users choose to store information is crucial, and this type of encryption is only as strong as your weakest user.
The second type of disk encryption, which has greater traction with enterprise customers, is full disk encryption. The key benefit is that the whole disk is encrypted after the master boot record, so there is no reliance on the end user. You should also ensure that this type of encryption can cope with laptop hibernation and uses recognised encryption standards such as AES.
I have mainly focused on laptops, but it is important to realise that in today's environment the device could just as easily be a smartphone or a PDA, and that it is just as necessary to be able to encrypt this type of device. As these devices vary, it is important to be able to find a published list of supported devices.
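The "weakest user" problem with file-level encryption can be made visible with a small audit. This is an added example, not code from the podcast or from Check Point: it builds a constructed user profile under a temporary directory and reports sensitive files that ended up outside the one encrypted folder, separating files the user stored in the wrong place from copies that applications (Outlook, editors, browsers) wrote on their own. The sensitive extensions and cache locations are assumptions chosen for the demo.

```python
"""Audit where data really lives when only one folder is encrypted (added example)."""
import tempfile
from pathlib import Path

# Assumption: document types a user would want protected.
SENSITIVE_SUFFIXES = {".docx", ".xlsx", ".pdf", ".ost", ".pst"}
# Assumption: places where Outlook, editors and browsers drop copies on their own.
APP_CACHE_DIRS = ("AppData/Local/Temp/", "AppData/Local/Microsoft/Outlook/",
                  "AppData/Local/BrowserCache/")

def unencrypted_sensitive_files(home: Path, encrypted_dir: Path) -> dict[str, list[str]]:
    """Find sensitive files outside encrypted_dir, split by who put them there:
    'user_stored' (the user chose the wrong place) and 'app_cache' (an
    application wrote a copy without asking). Paths are relative to home."""
    report = {"user_stored": [], "app_cache": []}
    for path in home.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SENSITIVE_SUFFIXES:
            continue
        if encrypted_dir in path.parents:
            continue  # inside the encrypted folder: covered by file encryption
        rel = path.relative_to(home).as_posix()
        bucket = "app_cache" if rel.startswith(APP_CACHE_DIRS) else "user_stored"
        report[bucket].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def build_sample_home(root: Path) -> Path:
    """Constructed user profile: one encrypted folder plus the usual app caches."""
    sample = [
        "Secure/contract.docx",                      # stored where policy says
        "Documents/draft-merger.xlsx",               # user forgot the rule
        "AppData/Local/Temp/~$contract.docx",        # editor scratch copy
        "AppData/Local/Microsoft/Outlook/mail.ost",  # offline mailbox
        "AppData/Local/BrowserCache/statement.pdf",  # downloaded attachment
        "Pictures/holiday.jpg",                      # not sensitive
    ]
    for rel in sample:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
    return root / "Secure"  # the only folder the user's file encryption covers

def run_demo() -> dict[str, list[str]]:
    """Build the sample profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        return unencrypted_sensitive_files(home, build_sample_home(home))

if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(bucket, files)
```

Only the file in Secure/ is protected; the four findings show why full disk encryption, which needs no decision from the user, has the greater enterprise traction.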
Encryption rate: approximately 25 GB/hour, regardless of how much data is on the hard drive.
Once inside your organisation, how much security is available? Consider a legitimate user on the network.
For example, if a USB device is plugged into my network so that someone can take a file home to work on overnight, should it be encrypted? Would it be as acceptable to copy the same file onto the same user's mobile phone or MP3 player?
For example, I work for a law firm. I require my partners to be able to save information to USB devices, but I want to know whether it has been changed and that the devices it is stored on are encrypted.
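The "has it been changed" half of that law-firm requirement can be met by recording a hash manifest when files are released to the device and comparing on return. This is an added example, not code from the podcast or from Check Point; the scenario (two files taken home, one edited, one new file appearing) is constructed in a temporary directory, and whether the device itself is encrypted is left to the endpoint product rather than checked here.

```python
"""Detect whether files handed to a removable device came back changed (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large documents don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences: modified content, files added on the device, files removed."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: a partner takes two files home, edits one and adds one."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp)
        (usb / "brief.docx").write_text("original brief")
        (usb / "exhibits").mkdir()
        (usb / "exhibits" / "a.pdf").write_bytes(b"%PDF-constructed sample")
        # Manifest taken at release time; the gateway would keep this, not the user.
        released = json.dumps(build_manifest(usb))
        # Overnight: one document is edited, a new file appears, the exhibit is untouched.
        (usb / "brief.docx").write_text("original brief plus edits")
        (usb / "notes.txt").write_text("found at home")
        returned = build_manifest(usb)
        return compare_manifests(json.loads(released), returned)

if __name__ == "__main__":
    print(run_demo())
```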
Legislative requirements are currently mainly in the US, though there is a duty of care that information is protected.
Once the user is up and running you now want to give them access back into your network, again there are a number of elements to consider.
Caroline has also published a featured article called Securing Moving Targets which you can read here. Here's an excerpt.
"Newton’s first law of motion states that a moving body will want to keep moving. The same law also seems to apply to business data, and the problem is trying to stop that mobile data moving further than you want it to.
It’s an issue that has caught out a number of very high-profile organisations, from the Nationwide Building Society to MI5. Both have suffered embarrassing losses of laptops, with the potential for damaging data leaks."