As mobile computing becomes a competitive necessity within the financial industry, a new set of security issues arise with the use of laptops. When the early days of hacking networks became difficult due to the encryption of network traffic, attacks moved towards servers. With the securing and hardening of servers, hackers began targeting a newer weak link -- unprotected client machines. The importance of sensitive financial data is usually of far greater value than the laptop on which it resides. According to the Ponemon Institute's 2007 annual study on the US cost of data breaches, financial services organizations suffered the greatest impact, with associated costs of more than 21% higher than average.
Once leaving the workplace, employees are in possession of "off-network" computers, no longer subject to central data management policies. The significance of maintaining the security of financial data has led to the development of numerous
Although laptop data encryption has several different implementations, there are some common important characteristics to consider:
Evaluation of key length: All forms of encryption are theoretically susceptible to brute force attacks; however, this vulnerability can be trivialized by increasing the key size. Longer keys require significantly greater amounts of time to crack. The complexity of the key space is increased with its length (measured in bits), and additionally, hashing or salting techniques can be used for further key strengthening. Key management policies: The corporate protocols for key management are critical for supporting encryption. This requires having procedures in place for activating and distributing keys, key revocation, changing and archiving keys, and key destruction.
Encryption algorithm: When choosing an encryption algorithm, there are several underlying traits that are essential to its use. It must provide privacy for the intended recipient, data integrity (which is often verified with checksums) and data authenticity. Those which are non-proprietary, have undergone extensive public scrutiny and withstand cryptoanalytic attack are considered secure. It is important to remember that encryption algorithms work in tandem with keys, therefore the secure strength of RSA or PGP must be preserved by using strong keys (>1024 bits).
Which data to encrypt and where: To minimize the cost and complexity of data management, risk classification systems are often applied to assess the corporate and financial sensitivity of the data. This provides a set of data guidelines that help determine the type of security, and subsequent level of encryption, based on the risks associated with its loss or exposure.
File and folder level encryption: This method provides granular protection and control. It enables content protection from multiple users on a given system. This is useful in situations where multiple user accounts exist on the same computer. Furthermore, it safeguards your data if moved to other storage media, such as USB or flash drives. However, when used alone, encryption on this level has several drawbacks. Lacking automation, it requires implementation by the end user, which is often unreliable. In addition, clear text versions of the data may accidentally exist in temp folders or other cached locations. Its use is best realized in a layered security approach.
Operating system level encryption: This is one of the more common forms of data encryption. Typically, this permits encryption of a drive or volume. Examples include Apple's FileVault system, which encrypts a user's home directory, and Microsoft's BitLocker drive encryption; both of which employ the Advanced Encryption Standard algorithm in cipher-block chaining mode. This method provides a more robust solution for automatically encrypting large amounts of data, without the task of specifying individual files and folders. Occasionally, the breadth of encryption has been misinterpreted as applying to the whole disc, when in actuality it only operates on a specific volume or partition. This is an important consideration for laptops which posses multiple volumes or hidden backup partitions.
Full disk encryption (FDE): FDE is a comprehensive method gaining popularity in mobile security. Implemented as both hardware and software tools, all data written to the hard drive is encrypted without exception. This includes all data saved by users, information in swap files and temp folders, as well as the operating system itself. Its complete and transparent integration removes content encryption decision making from the end user, only requiring their provision of pre-boot authentication. This ensures protection of the data in the event of laptop theft or hard drive removal. Furthermore, FDE can be used across different laptop manufactures and models, with a platform independent implementation. However, in contrast to file and folder encryption, its use alone doesn't protect content from multiple users on a system.
Embedded security processors: These are one of the more recent advances in encryption technology. The development of the Trusted Platform Module by the Trusted Computing Group provides an open industry standard for implementing security hardware subsystems. Using asymmetric cryptography, crypto chips securely store private keys generated, often used alongside FDE methods. When transferred from the chip for use, keys are encrypted, thus never decipherable outside the chip. The true power behind onboard crypto processing comes from its ability to verify the security of the PC's platform before decryption. Using a daisy chain design, a series of trust mechanisms establish sequential verification of system control from BIOS up through kernel stages of the boot process.
Secure cryptographic keys: In order for any encryption technology to provide adequate security, it is essential that all cryptographic keys are secured and managed properly. Effective strategies require planning key management processes and procedures, including their generation, storage, recovery and destruction. While file encryption allows key management flexibility, embedded crypto chips employ a strict approach to key storage.
The digital mobilization of the financial industry has increased the need for data security. There are a number of options available to securely encrypt the sensitive data of individual laptops. Methods chosen will ultimately cater to the corporate needs of regulatory compliance, budgetary constraints, productivity limitations, and customer perception. Regardless, a comprehensive encryption tool will incorporate software and hardware technologies, employed at different levels of the computer's architecture.
About the author:
Noah Schiffman is a former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. He has worked as a security consultant specializing in vulnerability assessment, pen testing, cryptography, digital forensics, incident response, and defining corporate security policies and strategies. With degrees in cognitive psychology and mechanical engineering, as well as a doctorate in medicine, he has experience in advanced biometric systems, human factors, physical security, authorization and access technologies, and holds several patents. Currently, Schiffman is the CSO of Orbis, Inc., a defense contractor specializing in providing the Department of Defense (DoD) with technical and consulting services, based in Charleston, S.C.
This was first published in July 2008