
| Subject: | Whole disk encryption |
|---|---|
| Date: | Fri, 25 Aug 2006 12:41:44 +1000 (EST) |

If you're worried about fragments of temporary files from office, explorer cache, residual data in sectors when a file is deleted (but not overwritten many times), and swap-file residual data, then you need disk encryption at the sector level.

Not to mention current surveys like this:
http://news.com.com/Confidential+data+really+is+at+risk/2010-1029_3-6108603.html?tag=html.alert

Vista has 'bitlocker':
http://www.apcstart.com/site/pschnackenburg/2006/08/1066/your-money-or-your-hard-drive-vistas-full-disk-encryption-benchmarked

There are products around such as: WinMagic, SecureGuard, TrueCrypt, SecureStar, to name a few. Some laptop vendors provide hardware option - Dell & HP, but I haven't looked at enterprise capability. [I am unaligned to products]

Most products sit below Windows / Linux and add moderate overhead to CPU a few percent (if doing AES encryption). Don't know about I/O latency.

They can convert disks in-situ. Standard backup utilities, through O/S continue to work. Disk-level imaging tools, however, need special consideration.

They can work with passphrases, smartcards and USBkeys that operate pre-boot.

For enterprise use, the key considerations are:

* Recovery, Recovery, Recovery, Help Desk, Support, Auditability
* If user loses usbkey, smartcards or forgets passphrase, you need over-ride
* Encryption needs to extend to USBDrive and CD/RW - DVD/RW (some products do this as part of same scheme)
* Multi-user login i.e. handle multiple keys
* Group users of USB keys i.e. workgroup crypto-keys
* Auditors - need to be able to break-the-glass - escrow / recovery
* Systems Support - ditto
* Multiple boot / Compartmented operating systems e.g. one environment for uncontrolled surfing, and another boot image for corporate LAN?

You need a Key Escrow server, or ability to distribute sets of keys to workstations. In enterprise environment you absolutely need audit / system support keys in addition to normal (Deployment of software is also consideration.)

If you're concerned about real pedigree of security, then you also need to be looking for evidence of independent security accreditation such as FIPS140-2, EAL4 etc.

Enjoy!!

Andrew Probert
Security Consultant (CISSP)
Trusted Solutions Pty Ltd
+61 419303705
Australia