These are my notes from the SANS SS&E Summit conference section 1.1. It’s my attempt to not violate their copyright by reproducing their slide deck, but I think posting my notes is fair game. This may or may not have any flow to it. Any errors are my own.
In the first section, Alan Paller, Director of Research at SANS, and Ben Wright, Attorney, introduce the subject of encryption.
The first step was a review of the audience at the summit. About 20% of the audience is government, as you might expect for a DC area conference. The Federal Government is overdue on implementing encryption based on the OMB deadline.
It’s important to remember that encryption is one piece of your data protection program. If you get too wrapped up in it, you miss other needed protection.
The CEO doesn’t want to end up on the front page of the Washington Post for the wrong reason. They’ve seen Congressional hearings on the theft of Veterans’ data. They’ve seen the ChoicePoint lawsuit. They’re often leading the charge for encryption. They’ve heard the word so often it sounds like a magic phrase. Abracadabra, my security problems are gone. Unfortunately it’s not so easy.
You can lose data many ways. Encryption only deals with some of these.
- Stolen or lost laptops, desktops, servers
- Lost or stolen CDs and thumb drives
- Lost or stolen backup tapes
- Employee theft
- Server compromise
Cybercrime is real. They’re coming after anyone they can make money from. That includes government contractors.
Interesting mention of the Romanian South Pole Station extortionists. I don’t recall that incident, but here’s a link: http://www.fbi.gov/page2/july03/071803backsp.htm
Encryption doesn’t necessarily help when the attack is a targeted, socially engineered attack. Let’s say the user finds a USB fob in the parking lot. He wants to return it, or he has a more prurient interest, so he hooks the USB fob to his computer to open it. Most computers will autorun code found on the fob if it is configured to do that. The code installs and has the same access to the files that the user does, which generally includes reading the encrypted files on their system. (Disable autorun on business computers.)
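One way to check the "disable autorun" advice across a fleet, as an added example that is not from the talk or from these notes. It assumes Windows hosts and the `NoDriveTypeAutoRun` policy value, which the notes do not name; the host names and values are constructed.

```python
# Added example: audit collected NoDriveTypeAutoRun values (Windows policy
# value under ...\CurrentVersion\Policies\Explorer). A set bit disables
# AutoRun for that drive type; 0xFF disables it for every type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
# Types that cover the USB fob scenario in the notes (plus CDs).
MUST_BE_DISABLED = {"removable", "cdrom"}


def autorun_still_enabled(mask):
    """Drive types whose AutoRun is NOT disabled by this mask."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit}


def effective_mask(hklm, hkcu):
    """An HKLM value overrides HKCU; None means the value is absent."""
    return hklm if hklm is not None else hkcu


def audit(inventory):
    """Return {host: finding} for hosts that do not meet the policy."""
    findings = {}
    for host, (hklm, hkcu) in inventory.items():
        mask = effective_mask(hklm, hkcu)
        if mask is None:
            findings[host] = "no policy value set; OS default applies"
            continue
        exposed = autorun_still_enabled(mask) & MUST_BE_DISABLED
        if exposed:
            findings[host] = "AutoRun enabled for: " + ", ".join(sorted(exposed))
    return findings


# Constructed sample inventory: host -> (HKLM value, HKCU value).
SAMPLE = {
    "LAPTOP-01": (0xFF, None),   # fully disabled
    "LAPTOP-02": (0x91, None),   # removable and cdrom still enabled
    "DESK-07": (None, 0xB5),     # per-user value only; removable/cdrom off
    "DESK-09": (None, None),     # nothing configured
    "SRV-03": (0x91, 0xFF),      # HKLM wins, strict HKCU value is ignored
}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE).items()):
        print(host, "-", finding)
```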
“A firewall is a steel door on a cardboard house.”
An email arrives with the name and correct email address of a VP at your company, warning you that you need to install the latest patch or you’re in big trouble. Most people will follow instructions.
Data needs to be protected across multiple layers.
1. Identity Management and access control
2. Encryption and rights management
3. Host monitoring and protection (HIPS and network segmentation)
4. Content monitoring (egress monitoring, and monitoring for things on the laptop that shouldn’t be there).
The next part of this session covered legal issues with Benjamin Wright, JD.
The I.T. Security Law sweet spot is negligence law. This is based on the reasonable man doctrine. This covers the steps a reasonable man would take to protect the data.
Politicians emphasize encryption. The California disclosure law, Senate Bill 1386, has a safe harbor for encrypted data. He mocks it, saying “reasonable security is not required as long as it’s encrypted.” In spite of what the law says, he would recommend erring on the side of disclosure because some creative lawyer will sue you even if it’s encrypted data that is lost.
HIPAA merely terms encryption as addressable, meaning it should be considered.