Securing Moving Targets

Newton’s first law of motion states that a moving body will want to keep moving. The same law also seems to apply to business data, and the problem is trying to stop that mobile data moving further than you want it to.

It’s an issue that has caught out a number of very high-profile organisations, from the UK financial institution, the Nationwide Building Society, to MI5, the British security service. Both have suffered embarrassing losses of laptops, with the potential for damaging data leaks from those devices.

What’s more, the problem is growing. In the 2006 FBI security survey in America, theft of laptops and mobile devices was second only to viruses as the most common type of attack detected over the previous year. Nearly 50% of those responding to the survey had suffered, with an average loss per respondent of over $30,000 USD – up from under $20,000 the previous year.

So how should mobile data security be addressed? Broadly, this means looking at three key issues. The first issue is hard disk encryption of laptops, and smart devices such as PDAs, mobile phones and USB devices. Second is the requirement to audit and control data transfer and access to removable media, for example USB keys or iPods. The final issue is control of the security policy running on the user’s endpoint device – irrespective of type of device.

Let’s now look at each of these issues separately – and how security administrators can best control the use of mobile technologies to give the widest access to corporate resources while maintaining control to the organisation’s security policy.

Disk Encryption: full-disk or file?
Once you have decided it is necessary to protect your mobile devices then you will need to decide on whether to implement full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built in – in common with Linux, and the Macintosh operating system. While these methods mean that anything stored in specific folders or directories is encrypted automatically, there is a significant security flaw. They rely on users putting files in the encrypted folders themselves.

That’s fine in theory, but as an IT professional do you want to rely on users to know what is sensitive information and two to place it into the appropriate folder. Even for the sharpest end-users the issue is further complicated by popular applications such as Outlook and Web browsers, which scatter attachments across file systems, often in obscure places. Folder-level encryption helps only if the IT department can tightly control all files and applications.

File encryption is only as good as your end-users’ level of interest or knowledge. Simply put would you leave updating the corporate AV software, or software patching to your users? The key advantage of full disk encryption is that it automates the process and secures the entire disk, so mobile users don’t have to worry about it – and also cannot interfere with it. Enterprise data encryption solutions also offer central management with tools for resetting passwords when the user forgets or leaves so the corporate data remains a corporate asset. Let’s look at some of the factors it is worth considering with a full disc encryption product.

Performance and standards matters
Increasingly, compliance emphasis is being placed on encryption that meets the Federal Information Processing Standard (FIPS) developed by the United States Federal government. This entails the use of either Triple DES (Data Encryption Standard) or 256-bit AES (Advanced Encryption Standard) as the encryption algorithm.

Encryption performance is also a factor to consider. A common criticism levelled at FDE techniques is that they slow down the PC’s performance, with the user experiencing delays while data is encrypted and decrypted on the fly. To a certain extent this is true, but misleading. A typical business-oriented machine from a corporate fleet of laptops, built in the last 2 to 3 years, will have the processing power and memory capacity to make any difference in running performance barely noticeable. In fact, the only times that FDE truly impacts on performance is on boot-up or going into hibernation – but this is a very modest trade-off for security.

It’s essential that the FDE solution you choose is operative during these wake-up and shut down periods, to avoid security vulnerabilities. Busy users often don’t shut down their laptops at the end of a session: they put them into sleep or hibernate mode, so they can start again quickly. It is vital to ensure the FDE solution you choose can encrypt the contents of the laptop’s memory during the process of it being written to the drive. If the solution does not do this, a thief can remove the disk drive from a stolen laptop that’s in sleep mode, mount it in another machine, and recall and read the data written from the memory. So support for laptops’ sleep and hibernation modes is critical.

For similar reasons, it’s important to choose an FDE solution that encrypts data before the laptop operating system loads, on boot. The FDE solution should take control while the computer’s BIOS looks for a master boot record to load, to prompt for the users for their login credentials. This ensures that only authenticated users boot the OS, and minimises the opportunities for manipulating data.

Security in hand
So far, so good and while the examples given relate to laptop PCs, the same concerns are just as valid for PDAs and smart phones which are also platforms for corporate data. Because these devices vary in operating system – from Symbian, Pocket PC and Windows Mobile to Palm – and architecture, an easy security solution is harder to define than for an Intel PC platform.

Key concerns for handheld security include a rigorous audit of all the devices being used within the enterprise, and then a single encryption solution to cover as many of the platforms as possible. If the handheld device is not authorised, the default approach should be to not allow connection to the corporate network or storage of sensitive data. And as with full disk encryption on laptops, the solution chosen should encrypt data automatically with no user intervention, giving ease of use with control and enforceability. In terms of encryption strength for handheld devices, this is typically not as strong as for a fully specified laptop, but look for 128-bit AES for data stored on the devices as a minimum.

However, this is only the first part of the security picture. Full-disk encryption is not a magical shield against all types of security threat to portable devices. While it will protect data on the hard drive from compromise if the device is stolen or lost, the hard drive is only one storage medium in use on a typical laptop. This brings us to the second area for endpoint security: the management and control of data leakage.

Data leakage: audit and control of removable media
Endpoint security should ensure that the organisation is able to avoid data leaks onto peripheral devices such as USB drives and portable storage media – such as mp3 players and digital cameras. The starting point for protection against leaks via these USB devices is to include them in the business acceptable usage policy (AUP) and to educate users on the importance of following policy – which will include the business risks of breaching policies.

However, policies alone are not enough. How should they be backed up and enforced? This is the role of port control solutions, which can automatically block a USB device that does not comply with the corporate security policy or prevent the transfer of certain files or file types. An example of a corporate security policy could include allowing encrypted USB devices – but not an iPod or mobile phone – from an authorised user. Again the ability to manage the security policy centrally will be a key requirement to the Security Department as in a large environment it would not be unusual to have 1000s of USB devices. Once the data is encrypted on an authorised device it must be accessible to the organisation if required through central administration of the system.

At the end(point)
This leads us to the third area of endpoint security. How do we protect the data on the machine from software threats such as application-level attacks or malicious code? The starting point for an effective endpoint security strategy is for every machine to run a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the corporate network. This client should also ensure that the laptop is running the appropriate software patches and include a Virtual Private Networking (VPN) client for secure transfer of corporate information back to the corporate infrastructure. As with all endpoint security it is important that this is managed centrally. Other key points that should form part of the endpoint security plan are:

  • Client lockdown, to prevent mobile users and attackers from disabling endpoint security or enforcement of network access policy. The ability to deliver comprehensive, assured endpoint security and policy compliance across the enterprise enables threats to be defeated.
  • Inbound threats: laptop PC ports should only be opened for authorised network traffic and should block network intrusion attempts; port stealthing hides endpoint PCs from port scans.
  • Preventing unauthorised applications and malicious code from capturing and sending enterprise data outbound to hackers.
  • Email protection: this includes quarantining suspicious email attachments and inappropriate email – whether by network-based software or an in-the-cloud service – to help prevent address book hijacking.

Management matters
With endpoint security, each time we touch the remote device it is a cost to the organisation so the ability to centrally manage the security policy of the remote security solution will be a key factor in deciding on a solution. Security without easy, central control by IT administrators leads to holes in defences – holes which will eventually be exploited. Don’t underestimate the importance of management.

Looking specifically at the management issues around full disk encryption, ensure the solution you choose to deploy lets IT staff easily perform day-to-day functions, such as resetting users’ and administrators’ passwords and PINs. Make no mistake, many users will forget or lose their authentication details, so re-allocating these needs to be simple and secure. Furthermore, IT staff will regularly need access to users’ machines for routine upkeep tasks such as software patches and updates – so administrator access similarly needs to be secure and easy to manage.

For broader management of all endpoints, desirable management capabilities include the ability to exclude users or allocate specific user permissions; to create user groups; automatically push updates; integrate with existing LDAP or Active Directory infrastructures; and set configuration essentials such as user passwords, password lengths and strengths, retry attempts, lockout times and user recovery options. The other essential management issue is quick access to comprehensive audit and event logs, which give an audit trail on user and network events such as when users are changing passwords, if there were failed attempts to log in, or errors occurring. This visibility is essential from both a management and compliance standpoint.