Dynamic random access memory is used to hold data that a system needs immediate access to, like the content of...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
this document while I am typing it, or, in the case of your question, the keys used by disk encryption software to write an encrypted copy to disk.
Disk remanence, the tendency of file data to persist despite the user issuing file delete commands, has been known for at least twenty years. The risks from DRAM remanence have been mentioned before, but seldom in the context of disk encryption keys. The research paper firmly establishes DRAM remanence as a new class of attack.
When a new threat appears, it is reasonable to ask how much of a risk it poses. Precise answers are problematic precisely because the threat is just emerging. Not all hackers publish their findings, so there is no way of knowing how many people have been working on perfecting this attack, or for how long.
And certainly there are alternative methods of achieving unauthorized access to a disk encryption program's stored data. I would think, for example, that social engineering or eavesdropping would be an easier tactic for data thieves right now.
But let's plan some defenses. The two main ways for a DRAM remanence compromise to occur would be to: reboot a system with a specially configured boot device (a bootable CD-ROM, USB drive, or network boot), or; take physical possession of a system that is still powered on (or in standby mode for some operating system configurations). All vectors, apart from a network boot, require physical access to the system for an attack. A network form of the attack requires access to a server on the same network as the target system.
So defense No. 1 should be to physically prevent other people from so much as touching your computer without your permission. Hopefully, all of your users already feel that way about their/your machines. Users of systems which contain data that is so sensitive that the disk encryption has been turned on should already know that theft of their system is a security problem, even if data is encrypted. The mere presence of disk encryption may bring some compliance-related benefits if a theft occurs, but theft is still going to be a major hassle, one that is best prevented in the first place.
Hopefully you have already trained your users and told them that no system should ever be left unattended, unless it is in a secure environment (i.e. a place accessible only to trusted personnel). This DRAM remanence issue presents a good time to reiterate that policy and emphasize that it includes systems that employ disk encryption. And I would add that before a system is stowed or stored, for example, in a hotel room safe or an airline luggage compartment, it must first be powered off and should not be left in standby or hibernation.
Finally, I would take issue with the assertion that "DRAM remanence renders disk encryption systems useless." Encryption still provides useful protection against a wide range of real world attackers. Sure, if your users are not well-trained, then a skilled and determined opponent may be able to get past the defenses, but I would argue enterprises are still much better off with encryption in place. Over time there will be software and hardware improvements that beat this attack, indeed some forms of hardware encryption already do.
- A SearchSecurity.com reader asks Michael Cobb, "Should whole disk encryption products be used with data backup software?"
- Get the latest news and expert advice on disk and file encryption.
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb ...continue reading
After a remote code execution flaw in PHPMailer was patched, the problem persisted, and had to be repatched. Expert Michael Cobb explains how the ...continue reading
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.