Sure, but will laptop hard drive crypto solve the problem of theft? While laptop crypto is nice to have (and will very likely become a requirement for most of us soon), it won't solve the problem entirely. In fact, it might make some things worse.
Imagine a world where pretty much every organization has cobbled together a laptop crypto implementation to comply either with its own policies or government requirements. Company X loses a laptop storing 20 million accounts with very sensitive personally identifiable data. Management chooses not to disclose the fact that the laptop was stolen, because, after all, the data should be encrypted. The crypto should protect the data from the hands of the bad guys. Why bother incurring the wrath of customers and regulators? Some organizations won't disclose to the public or regulators that the data was exposed, because they believe that it wasn't.
Now, here's the rub. For nearly all modern crypto solutions, you are only as safe as the crypto keys. But, with the vast majority of desktop and laptop crypto systems, the keys are stored on the local system, protected by the user's password or passphrase. And, for those solutions seamlessly integrated with the operating system, like Microsoft's Encrypting File System (EFS), the user's operating system account password is typically the sole protection of the crypto key. For determined attackers, getting the sensitive data is only as hard as cracking the user's password, and then using that password to recover the crypto key. Once attackers have the password and the key, they can slice through to the sensitive data. Sadly, such an attack is far too easy, especially if weak password solutions are still in place, such as the still widespread Microsoft LANMAN password representation, a techno relic from ancient times that plagues many organizations today. With LANMAN passwords (included by default in most versions of Windows), an attacker can crack most passwords in less than a day.
And, making matters worse, if users aren't trained in using the crypto solution, they may inadvertently bypass it, leaving the data exposed even though the organization thinks the data safe.
As a result, laptop crypto may drive less disclosure of information theft, while still allowing the determined bad guys access to sensitive information. The data is still exposed, but we might find out about it a lot less.
So, is laptop crypto therefore useless? No, it still provides value against the half-witted attacker or petty laptop thief who isn't interested in password cracking or other techniques, keeping the sensitive data from them. But, for a determined, focused attacker, the password will often fail, the crypto key will be exposed, and the data will be stolen.
How can your enterprise deal with this concern? A multi-pronged approach is best. First, in conjunction with the deployment of desktop crypto, you must encourage your users to choose complex passwords, those that cannot be easily guessed or cracked. Educate your users with good awareness programs so that they choose reasonable passwords with a mix of alpha, numeric and special characters. Automated password complexity enforcement tools, such as the Anixis Password Policy Enforcer, can help prevent your users from choosing poor passwords. Going further, set your minimum password length to at least 15 -- or even 20 -- characters to boost your password strength. Now, you might be thinking, "There'd be riots in the cubicles if we made such a change!" But, with your awareness program, work on transitioning your users from the mindset of passwords to passphrases. The latter are easier to remember, easier to type and far less likely to be cracked.
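The 15-character minimum ties directly to the LANMAN weakness described earlier: LANMAN upper-cases the password and hashes it as two independent 7-character halves, and no LANMAN representation exists for passwords longer than 14 characters. The sketch below is an added example, not part of the original article, and estimates the exhaustive-search cost of the weakest stored form of a password. The character-class sizing and the sample passwords are assumptions made for illustration, and dictionary attacks will do better than this bound.

```python
import math
import string

# Printable-ASCII character classes used to size an exhaustive search (assumption).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
ALLOWED = set("".join(CLASSES))

def alphabet_size(text):
    """Total size of the character classes that appear in text."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in text))

def lm_view(password):
    """Return the two 7-character halves LANMAN hashes, or None when no
    LANMAN representation can exist (password longer than 14 characters)."""
    if len(password) > 14:
        return None
    folded = password.upper()            # LANMAN ignores case
    return folded[:7], folded[7:14]      # each half is hashed independently

def worst_case_bits(password):
    """log2 of the guesses needed to exhaust the weakest stored form."""
    if not password or not set(password) <= ALLOWED:
        raise ValueError("expected a non-empty printable-ASCII password")
    full = len(password) * math.log2(alphabet_size(password))
    halves = lm_view(password)
    if halves is None:
        return full                      # only the full-length form exists
    # The halves are searched separately, so the costs add instead of multiply.
    guesses = sum(alphabet_size(h) ** len(h) for h in halves if h)
    return min(full, math.log2(guesses))

# Constructed sample passwords, for illustration only.
SAMPLES = ["Summer2006!", "correct horse battery"]

def report(passwords=SAMPLES):
    """Map each password to its worst-case search cost in bits."""
    return {p: round(worst_case_bits(p), 1) for p in passwords}

if __name__ == "__main__":
    for pw, bits in report().items():
        print(f"{len(pw):2d} chars  ~{bits:5.1f} bits  {pw!r}")
```

The 11-character password with mixed case, digits and a symbol collapses to roughly the cost of one 7-character upper-case-and-digit search, while the 21-character lower-case passphrase keeps its full length.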
Next, consider augmenting your authentication process with tokens or biometrics in addition to passwords. Some new laptops have fingerprint readers built right in. Card- and USB-based authentication tokens are becoming less expensive and are more likely to be carried in a user's wallet or on a key chain, making them less likely to be stolen with the corresponding laptop.
Finally, some particularly careful organizations are prohibiting users from downloading vast amounts of vital data to hard drives. Instead, these users rely on terminal services (like Microsoft Terminal Server or Citrix) to access the data stored on a central repository through a carefully guarded server. The laptop is merely a terminal for viewing data stored elsewhere. The terminal services are carried over a rock-solid, encrypted VPN. Of course, such solutions must be configured to shut off file transfer from the server back to the client, or users will bypass any prohibitions against file storage on the laptop either inadvertently or on purpose. But, with such a solution, if a laptop is stolen, it won't have any of the sensitive data on it, helping management and IT sleep a little easier at night.
This was first published in September 2006

About the author
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity, Ed answers your questions relating to threats.