Security for those who know they can't win the security war
Because nothing beats jail time. Or a spanner
In a post-Snowden world, most IT people are painfully aware that most of us would not win a fight against a well-funded organisation, or government, that wants the data on our networks, laptops or devices.
When such an entity targets someone, it won’t go for the ever-popular “spooks”-style secret bugging or custom zero-day exploits. Those tricks are reserved for the real bad boys (and other governments, if you live in the US).
A user can use all the encryption they like, but the UK government’s strongest weapon is a potential two-year jail term for those who don’t roll over and comply with decryption key requests. In less enlightened nations spanner decryption may well be used to persuade a suspect to hand over those crypto keys.
With that thought in mind, how can administrators and power users secure a company network against data loss as well as the common-or-garden variety thief, attacker or malware slinger?
A lot of individuals and companies view the theft or loss of laptops and mobile devices as a big issue. Such theft represents two distinct issues.
Once control of the device is lost, the security already present on the device is the only thing preventing an attacker from lifting all the information. At the recent SpiceWorld London a straw poll suggested that approximately two thirds of attendees used Full Disk Encryption. The other third must be either lazy or just mad.
Any device I own or manage for others uses Full Disk Encryption (FDE). What is often overlooked is making a device auto-lock and password-protected. In a loose configuration that lacks them, once a device is lost or stolen, whoever holds it will more than likely be in control of a Facebook, LinkedIn or some other account.
Just make sure it is password protected, OK? Fingerprint scanning? Just don’t trust it. Anything that can be defeated by a gummi bear is not worthy of being called secure.
When working as a junior admin many years ago, before InfoSec became a big security issue, we had a laptop theft due to a salesman not being careful with his company laptop. One day we noticed the stolen laptop come online on our remote management product. With the remote viewing capability we decided to just watch.
Somehow this stolen computer had ended up being purchased (or otherwise obtained) by a student at a London university (according to the IP geolocation data). We knew it was a student because rather than wipe the laptop and start over, a new account was added and TI graphing and MATLAB software installed.
We even watched him do his coursework on it. When the police were contacted it was an exercise in futility. We gave up when we tried to explain IP addresses to a copper who was neither interested nor IT literate.
Eventually this “user” clocked the software and removed it post-haste. Luckily, there was no real sensitive info on the machine. Lesson well and truly learned: most laptops that are stolen are taken by opportunistic thieves.
There really is no excuse. Most modern devices and operating systems come with the option to enable inbuilt FDE. Assuming the inbuilt security algorithm is robust is the only thing a user can really do.
Make sure that the encryption phrase used is strong and lengthy. I typically run to thirty characters including the whole range of non-alphanumeric ones.
The loss of the information on the device can be either an inconvenience or a disaster depending upon how good the backups are. Secure backups can be a complex issue in themselves.
Cloud backup is fine, but it also has several inherent weaknesses. Should an attacker be able to compromise a backup account, it is easy enough to wipe out all the backups, or even more if you happen to live in the Apple-centric ecosystem with its remote wipe capability. With the advent of cryptolocker ransomware, the issue of good backups becomes even more critical.