To encrypt or not to encrypt? That is the question.
Page 1: To encrypt or not to encrypt? That is the question.

To encrypt or not to encrypt? That is the question.

Page 2: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

What Data?

• Important information should be protected from theft, being misplaced, or being altered without authorization.

- Social Security Numbers (SSN)
- Driver's license number
- Financial account number in combination w/ any security code, access code or password
- Student grades
- Exams, PhD Qualifiers and homework solutions
- Business email
- Address book (stores names, phone numbers, email addresses, birthday, home phone number, home address, relatives' names)
- Personal email you might want to keep private
- Budgets
- Employee evaluations and other HR information
- Business documents and memos

Page 3: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

What is meant by secure?

• Keep sensitive information confidential and safe from prying eyes
• Data is not changed without the alteration being detected
• Data is not changed without authorization

Options:
• Store data on a secure server and access it over the network
  - Data in motion
• Store data on a mobile computer or mobile storage media
  - Data at rest, but no physical security

Page 4: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Encryption Basics

There are two basic ways to encrypt data. Both use keys, which are large numbers used to drive the encryption and decryption algorithms.

- Asymmetric PKI (public-key infrastructure) uses a pair of keys
  - Private key – known only by the user and kept secret
  - Public key – known to the public and used by the other party to exchange messages
- Symmetric (also known as secret key) uses one key
  - Generally speedier than PKI

Page 5: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Encryption Basics

- Some applications have built-in encryption
- Encryption can also be built in to hardware
  - Some Hitachi and Seagate hard drives have built-in encryption
  - Some USB memory drives have built-in encryption chips
- Encryption software allows adding security to almost every application.
- Some examples:
  - PGP
  - GPG
  - TrueCrypt
  - Microsoft BitLocker and EFS
  - OS X FileVault

Page 6: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

The Office at Risk

Old Security Philosophy – create a hardened perimeter to protect the network and the data stored within.

A shift in corporate computing calls for a shift in security philosophy:

- No Edges – since 2004, there has been a documented de-perimeterization of the corporate network.
- The information-centric approach focuses on protecting the data and having the protection travel with it.
- Supporting this approach to data protection requires supporting encryption and key management.

Page 7: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

TrueCrypt Features

• TrueCrypt runs on Windows, Linux (RPM and .deb) and OS X
• TrueCrypt is Open Source and free to distribute
• TrueCrypt is in active development (works with OS X 10.5 and Windows Vista)
• A TrueCrypt volume can be stored on USB memory, external hard disk, CD, DVD, desktop, laptop and flash memory cards.
• TrueCrypt supports full disk encryption on Windows.

Page 8: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

TrueCrypt Demo

Lock up your USB drive files using TrueCrypt

Preparing the files – Although it's not vital, you should move all the files that may be on your USB drive to your hard drive. Leave the space to be encrypted on the USB drive empty before starting.

Use the Volume Creation Wizard:

Page 17: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Lock up your USB drive files using TrueCrypt

After creating a volume, use the Traveler Disk Setup:

Page 20: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Lock up your USB drive files using TrueCrypt

When the Traveler Disk is put in a Windows PC:

Page 21: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Using TrueCrypt: I’m worried I’ll forget the password…

When the volume is first created, back up the volume header and the initial password:

Page 24: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Using TrueCrypt: I’m worried I’ll forget the password…

When the volume is first created, back up the volume header and the initial password:

Enter the location for storing the backup.

Page 26: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Using TrueCrypt: I’m worried I’ll forget the password…

Volume header backup file:

Page 27: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Using TrueCrypt: I’m worried I’ll forget the password…

When restoring a Volume header, use the initial password:

Page 28: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

TrueCrypt Demo

Lock up your Windows Laptop with Full Disk Encryption

Page 36: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

TrueCrypt Demo

Lock up your Windows Laptop with Full Disk Encryption

TrueCrypt requires you to verify the Rescue disk (which is a good thing).

The encryption key is in the Rescue disk ISO file. Store it in a safe place along with the initial password.

If you have a key escrow system or policy:
• Encrypt the system
• Store the Rescue disk and password in a safe location
• Give the system to the end user and allow them to change the password at will

Page 37: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

TrueCrypt Demo

Lock up your Windows Laptop with Full Disk Encryption

• If the password is ever lost, you can use the rescue disk and the initial password to decrypt the data

• If needed, a rescue disk can be created later

Page 40: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

Problem: When you copy files or directories to an encrypted volume, the original unencrypted data is still on the drive until it is overwritten.

• This is true for most file systems, including NTFS, FAT and FAT32.
• To move the files and overwrite the original data, use a secure erase utility.
• There are also utilities to overwrite the free space on a drive.

Windows secure erase utility: Eraser - http://sourceforge.net/projects/eraser/

Page 41: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software: Eraser Features

• Works with Windows 95, 98, ME, NT, 2000, XP (32/64), Vista (32/64), Windows Server 2003 and DOS. It works with any drive including IDE, SCSI and RAID, and CD-RWs.
• Uses the Gutmann (default), Pseudorandom Data and US DoD 5220.22-M methods.
• Erases files and folders.
• Erases files/folders that were only previously 'deleted'.
• Erases all hard drives using the 'Darik's Boot and Nuke' method.
• Erases Index.dat on reboot.
• Erases free space on 95, 98, ME, NT, 2000, XP and DOS.
• Erases contents of the Recycle Bin.
• Erases network files, floppy disks, CD-RW, DVD-RAM, DVD-RW.
• Erases Windows temporary files.
• Erases Internet cookies.
• Erases the paging (swap) file.
• Erases Internet cache.
• Appears as an 'Erase' option on the context menu of Windows Explorer and the Recycle Bin.
• Comes with an Eraser Scheduler that allows you to create user-defined tasks.
• Defeats file recovery software applications and hardware tools.
• Supports FAT32 and NTFS file systems.

Page 42: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

Problem: When you copy files or directories to an encrypted volume, the original unencrypted data is still on the drive until it is overwritten.

SDelete – command line secure erase utility: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

File Vault on OS X has a secure erase option: move the file to the Trash and choose Secure Empty Trash from the Finder menu.

shred – GNU Unix utility for secure erasure
gshred – Solaris secure erase utility
scrub – Unix utility for erasing free space on a volume

scrub -X /scratch/junk
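What the utilities listed above do for a single file, reduced to its core, as an added Go example (not from the presentation and not any of those tools' own code): overwrite the file's bytes in place with random data, force the write to disk, and only then unlink it, so the plaintext that a plain delete would leave behind is gone before the file is moved to the encrypted volume. Only the Go standard library is assumed, and the grades file is constructed. One caveat a practitioner should carry with this: on journaling or copy-on-write file systems and on SSDs with wear levelling, an in-place overwrite is not guaranteed to reach the original blocks, which is one more reason to encrypt the whole disk from the start.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// sampleGrades is a constructed stand-in for a sensitive file.
var sampleGrades = []byte("student,grade\nconstructed-sample,A\n")

// overwriteAndRemove overwrites a regular file's bytes in place with random
// data for the given number of passes, forces the writes to disk, and then
// unlinks the file. It returns the number of bytes overwritten per pass.
func overwriteAndRemove(path string, passes int) (int64, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if !info.Mode().IsRegular() {
		return 0, fmt.Errorf("%s: not a regular file", path)
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	size := info.Size()
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return 0, err
		}
		for written := int64(0); written < size; {
			n := int64(len(buf))
			if size-written < n {
				n = size - written
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return 0, err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return 0, err
			}
			written += n
		}
		// Sync pushes the overwrite through the OS cache; without it the
		// unlink could happen before the random data ever reached the disk.
		if err := f.Sync(); err != nil {
			return 0, err
		}
	}
	if err := f.Close(); err != nil {
		return 0, err
	}
	return size, os.Remove(path)
}

// demo writes the constructed file into a temporary directory, erases it,
// and reports the byte count and whether the file is gone afterwards.
func demo() (int64, bool, error) {
	dir, err := os.MkdirTemp("", "erase-demo")
	if err != nil {
		return 0, false, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "grades.csv")
	if err := os.WriteFile(path, sampleGrades, 0o600); err != nil {
		return 0, false, err
	}
	n, err := overwriteAndRemove(path, 1)
	if err != nil {
		return 0, false, err
	}
	_, statErr := os.Stat(path)
	return n, os.IsNotExist(statErr), nil
}

func main() {
	n, gone, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("overwrote %d bytes, file removed: %v\n", n, gone)
}
```

The regular-file check matters: pointing an overwrite routine at a device node or a symlink to one is how a "secure erase" turns into a wiped disk.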

Page 43: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

If you copy a file from an encrypted drive or volume to an unencrypted one:

A) The information stays encrypted
B) The information becomes unencrypted

Page 44: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

If you copy a file from an encrypted drive or volume to an unencrypted one:

A) The information stays encrypted
B) The information becomes unencrypted

If using TrueCrypt, the information becomes unencrypted on the target volume.

* If using Microsoft’s EFS and the target is a local disk, the file remains encrypted

Page 45: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

If you copy a file from an encrypted drive or volume to a network drive:

A) The information stays encrypted in transit
B) The information becomes unencrypted in transit

Page 46: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

If you copy a file from an encrypted drive or volume to a network drive:

A) The information stays encrypted in transit
B) The information becomes unencrypted in transit

Generally, the file is unencrypted in transit and on the target drive, unless the target drive is encrypted.

Microsoft file servers, Novell file servers and AFS servers do not support encrypting the file in transit.

Page 47: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Working with encryption software:

If an encrypted drive goes bad, you can return it for warranty repair and not worry about the data being recovered.

If an encrypted Laptop, CD or USB memory device is lost, you don’t have to worry about the data being recovered.

Page 48: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Organizational Challenges and Opportunities

• Key management plays an extremely important role in the world of data security/privacy.

• The problem here is that the development of enterprise-class key management systems lags well behind the adoption of encryption technologies.

• Large organizations like ours tend to develop islands of encryption.

• One lost encryption key and the data cannot be recovered.

• For a large organization, avoiding this problem demands formalized processes and robust technologies for key management--creating, organizing, storing, and auditing encryption keys.

Page 49: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Encryption Policies

• At present, NC State University has no formal encryption policies

• The University of Virginia recently implemented a policy (in phases) on electronic storage of highly sensitive data: https://etg07.itc.virginia.edu/policy/policydisplay?id=IRM-015.

• Briefly stated, the policy prohibits the storage of highly sensitive data on individual-use electronic devices, unless such action has been approved by a vice president or dean. If approval is granted, the data must be encrypted and the device has to be protected by certain security safeguards. Storage on electronic media is also addressed.

Page 50: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Encryption Policies

• Here's the UVA policy definition for "Individual-Use Electronic Devices":

Computer equipment, whether owned by the University or an individual, that has a storage device or persistent memory, such as desktop computers, laptops, tablet PCs, BlackBerrys and other personal digital assistants (PDAs), and smart phones.

Individual-Use Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including but not limited to external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Page 51: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Encryption on disk

A. File / Folder: NTFS, TrueCrypt, PGP, GPG

B. Application: Winzip, Adobe Acrobat (128-bit, not 40-bit)

C. Whole-disk: TrueCrypt, BitLocker, PGP-WDE

Page 52: To encrypt or not to encrypt? That is the question.

Keeping Data Secure at Rest and in Motion

Transmission:

A. Virtual Private Network: VPN http://comtech.ncsu.edu/networking/vpn_access.php

B. SSL or HTTPS

C. SSH and SCP

D. SFTP

E. IMAP w/SSL
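The "unencrypted in transit" point from the file-copy quiz, made concrete with the SSL/HTTPS option from the list above. This is an added Go example, not from the presentation: a constructed record is sent to a local listener once in the clear and once inside TLS, and the server side records every byte that crossed the connection so the two cases can be compared. The certificate is a throwaway self-signed one for localhost that the client pins as its root, so no verification is switched off. Only the Go standard library is assumed; the example listens on loopback only.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// secret is a constructed sensitive record, not real data.
const secret = "SSN 000-00-0000 (constructed sample)"

// recordingConn wraps the server side of a connection and keeps a copy of
// every byte read from it, standing in for an observer on the network path.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (r *recordingConn) Read(p []byte) (int, error) {
	n, err := r.Conn.Read(p)
	r.wire.Write(p[:n])
	return n, err
}

// selfSignedCert makes a throwaway certificate for localhost so the client
// can verify the server against a pinned root instead of disabling checks.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// sendOverLoopback sends secret to a local server either in the clear or
// inside TLS and reports whether the secret was visible in the bytes that
// actually crossed the connection.
func sendOverLoopback(useTLS bool) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return false, err }
	defer ln.Close()
	var cert tls.Certificate
	var pool *x509.CertPool
	if useTLS {
		if cert, pool, err = selfSignedCert(); err != nil { return false, err }
	}
	wire := &bytes.Buffer{}
	done := make(chan error, 1)
	go func() { // server side: accept one connection and drain it
		c, err := ln.Accept()
		if err != nil { done <- err; return }
		defer c.Close()
		var conn net.Conn = &recordingConn{Conn: c, wire: wire}
		if useTLS {
			conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		}
		_, err = io.Copy(io.Discard, conn)
		done <- err
	}()
	client, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return false, err }
	if useTLS {
		tc := tls.Client(client, &tls.Config{RootCAs: pool, ServerName: "localhost"})
		if err := tc.Handshake(); err != nil { return false, err }
		client = tc
	}
	if _, err := client.Write([]byte(secret)); err != nil { return false, err }
	client.Close()
	if err := <-done; err != nil { return false, err }
	return bytes.Contains(wire.Bytes(), []byte(secret)), nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		visible, err := sendOverLoopback(useTLS)
		if err != nil { panic(err) }
		fmt.Printf("tls=%v  secret visible on the wire: %v\n", useTLS, visible)
	}
}
```

The same comparison applies to every item in the list: VPN, SSH/SCP, SFTP and IMAP over SSL each put a layer like the TLS case around the file server or mail protocol that would otherwise carry the record in the clear.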