SCOPE OF NEEDED PROTECTION

When implementing encryption, it is critical to understand the scope of the encryption and the points of vulnerability that leave the system exposed. The organization must not lose sight of the fact that, in the typical deployment, a computer that contains encrypted information is self-contained: everything that is needed to decrypt the information is also present on that computer.

This includes the encrypted information, the algorithm, and the Key required for decryption. The algorithm is not a secret; the protection rests entirely on the Key. If the Key is not carefully protected, anyone who gains access to the computer could potentially acquire it and decrypt the data.

This vulnerability often becomes a security breach in situations where only certain portions of the hard drive (selected folders or files) are encrypted rather than the whole disk. With most encryption programs, a password is used to unlock the private or secret Key used to decrypt the information; however, the password, and the stored Key it unlocks, are protected only by the access controls of the running operating system. If the operating system is not running, those controls are not enforced, and the password and, therefore, the Key are no longer protected.

A common example is the bootable CD, now widely used by attackers. Such a CD enables the attacker to "boot into" a separate operating system that is self-contained on the CD. Once the attacker has booted this way, the hard drive is still accessible as raw storage, but the operating system installed on the hard drive has been bypassed, so none of its normal protections (logon, file permissions) are in place.

From this position the attacker can easily change any password on the computer, including the administrator password, by editing the account database on the disk. Once the password has been changed, the attacker removes the CD and reboots the system from the operating system on the hard drive. Since the password now matches the one the attacker chose, he or she can log on and, where the Key is protected only by the operating system's access controls, unlock the Key and decrypt any of the information on the system. Note that the last step succeeds only in that case: if the product encrypts the Key under the user's original password rather than relying on file permissions, an offline password reset does not reveal the Key, and the attacker is left with an encrypted Key file and no password for it.
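The following is an added example, not code from the original document or from any product it describes. It models the two ways a Key can be stored on the laptop and runs the attack described above against both: a "disk image" (a dict) holding an account verifier and a Key file, an operating system that enforces logon and an owner check only while it is running, and an attacker who reads the disk offline, resets the password, and logs on. The names (`build_disk`, `os_read_key`, `attack`, user `alice`) and the HMAC-SHA256 counter-mode stand-in used to wrap the Key are assumptions for illustration, not a real encryption scheme.

```python
"""Toy model of Key storage on a laptop and the boot-CD password-reset attack.

Constructed example. The disk is a dict, the OS access check is a function,
and the Key-wrapping cipher is HMAC-SHA256 in counter mode (illustration only).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor, kept modest so the demo runs quickly


def _derive(password: str, salt: bytes, length: int = 32) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=length)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher for this model."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(data_key: bytes, password: str) -> dict:
    """Encrypt the Key under a password-derived key and attach an integrity tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = _derive(password, salt, 64)
    enc_key, mac_key = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(blob: dict, password: str) -> Optional[bytes]:
    """Return the Key, or None if the password is wrong (tag check fails)."""
    kek = _derive(password, blob["salt"], 64)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


def build_disk(data_key: bytes, password: str, wrap_under_password: bool) -> dict:
    """Lay out the disk: a logon verifier for user 'alice' and her Key file."""
    salt = secrets.token_bytes(16)
    account = {"salt": salt, "verifier": _derive(password, salt)}
    if wrap_under_password:
        key_file = {"owner": "alice", "wrapped": wrap_key(data_key, password)}
    else:
        key_file = {"owner": "alice", "plaintext": data_key}  # guarded only by the OS ACL
    return {"accounts": {"alice": account}, "key_file": key_file}


def os_read_key(disk: dict, user: str, password: str) -> Optional[bytes]:
    """Running OS: verify the password, enforce the owner check, then release the Key."""
    acct = disk["accounts"][user]
    if not hmac.compare_digest(_derive(password, acct["salt"]), acct["verifier"]):
        return None
    kf = disk["key_file"]
    if kf["owner"] != user:
        return None
    if "plaintext" in kf:
        return kf["plaintext"]
    return unwrap_key(kf["wrapped"], password)


def offline_reset_password(disk: dict, user: str, new_password: str) -> None:
    """Attacker booted from CD: overwrite the stored verifier; no ACL applies."""
    salt = secrets.token_bytes(16)
    disk["accounts"][user] = {"salt": salt, "verifier": _derive(new_password, salt)}


def offline_read_key(disk: dict) -> Optional[bytes]:
    """Attacker booted from CD: raw read of the Key file, ACL not enforced."""
    return disk["key_file"].get("plaintext")  # a wrapped blob is present but still encrypted


def attack(disk: dict, user: str = "alice") -> Optional[bytes]:
    """Read the disk offline; if that fails, reset the password, reboot, log on, try again."""
    direct = offline_read_key(disk)
    if direct is not None:
        return direct
    offline_reset_password(disk, user, "attacker-chosen")
    return os_read_key(disk, user, "attacker-chosen")


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    acl_only = build_disk(key, "correct horse", wrap_under_password=False)
    wrapped = build_disk(key, "correct horse", wrap_under_password=True)
    print("Key guarded by OS ACL only, attack recovers Key:", attack(acl_only) == key)
    print("Key wrapped under password, attack recovers Key:", attack(wrapped) == key)
```

Run as a script: the ACL-only layout yields the Key as soon as the disk is read outside the installed operating system, while the password-wrapped layout survives both the raw read and the password reset, because the new password derives a different wrapping key and the tag check fails. The wrapped blob is still on the disk, which is why Key management and a strong password remain part of the solution.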

CONCLUSION

When considering data security solutions, there is no "silver bullet" or "magic" technology that ensures enterprise-wide information security. An organization will be able to protect its most sensitive information only by providing a comprehensive solution and using defense-in-depth. Encryption can play a major role in protecting the information that resides on laptop computers. However, for it to provide proper protection, encryption must be combined with Key management, user awareness, security policy, and proper installation.