SANS Session 1.4 Top Ten Things to Look out for in Laptop Encryption

These are my notes from a talk Eric Cole gave at today’s SANS Secure Storage and Encryption Summit. If you have a chance to hear Eric talk on any subject, run do not walk to sign up. I don't have a lot of security heroes but he is someone I admire.
Again these are my notes. I am not copying the slide deck due to obvious copyright concerns. But I hope these notes are still somewhat useful as it does take some time to convert from handwriting. If nothing else it allows me to review the material while it's still fresh.
Gartner has a Magic Quadrant for desktop encryption. Most of the providers in the “good” quadrant are only 1-2 years old. Food for thought.
With encryption you might not know for 10 years if the implementation is valid. So you should do some basic checks. Boot from a CD, mount the hard drive and see what can be discovered.
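The "boot from a CD and see what can be discovered" check can be made a little more systematic. The following is an added example (my own, not from Eric's talk or slides): it reads a raw disk image or block device chunk by chunk and classifies each chunk by Shannon entropy, so a supposedly encrypted drive that still has readable regions (a hibernation file, an unencrypted partition, user data that never got wrapped) shows up as low-entropy chunks. The 7.9 bits-per-byte threshold and the 64 KiB chunk size are my assumptions, and the sample image at the bottom is constructed inline so the script runs offline.

```python
import math
import sys
from collections import Counter

CHUNK = 64 * 1024            # assumed chunk size; large enough for a stable entropy estimate
THRESHOLD = 7.9              # assumed cutoff: good ciphertext sits very close to 8.0 bits/byte


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_chunk(data: bytes, threshold: float = THRESHOLD) -> str:
    """'zeroed' for never-written space, 'encrypted' for near-maximal entropy, else 'plaintext'."""
    if not data.strip(b"\x00"):
        return "zeroed"
    return "encrypted" if chunk_entropy(data) >= threshold else "plaintext"


def scan_image(image: bytes, chunk_size: int = CHUNK, threshold: float = THRESHOLD):
    """Return (offset, entropy, classification) for every chunk of an in-memory image."""
    findings = []
    for offset in range(0, len(image), chunk_size):
        chunk = image[offset:offset + chunk_size]
        findings.append((offset, round(chunk_entropy(chunk), 3), classify_chunk(chunk, threshold)))
    return findings


def scan_file(path: str, chunk_size: int = CHUNK, threshold: float = THRESHOLD):
    """Same scan over a file or block device (e.g. /dev/sdX from a live CD) without loading it whole."""
    findings = []
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            findings.append((offset, round(chunk_entropy(chunk), 3), classify_chunk(chunk, threshold)))
            offset += len(chunk)
    return findings


def summarize(findings) -> dict:
    """Count chunks per classification; any 'plaintext' count on a 'fully encrypted' disk needs explaining."""
    totals = Counter(kind for _, _, kind in findings)
    return {"chunks": len(findings), **totals}


# --- constructed sample image: one ciphertext-like chunk, one zeroed chunk, one plaintext chunk ---
import random
_rng = random.Random(1234)                                   # deterministic stand-in for ciphertext
RANDOM_CHUNK = bytes(_rng.getrandbits(8) for _ in range(CHUNK))
ZERO_CHUNK = bytes(CHUNK)
PLAINTEXT_CHUNK = (b"Q3 consulting report - client list and rates, CONFIDENTIAL\n" * 2000)[:CHUNK]
SAMPLE_IMAGE = RANDOM_CHUNK + ZERO_CHUNK + PLAINTEXT_CHUNK


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_image(SAMPLE_IMAGE)
    for offset, entropy, kind in results:
        if kind != "encrypted":
            print(f"offset {offset:#012x}  entropy {entropy:5.3f}  {kind}")
    print(summarize(results))
```

Run it as `python3 entropy_scan.py /dev/sdX` from the live CD; with no argument it scans the constructed sample. Two caveats: compressed or already-encrypted user files (zip archives, JPEGs, PGP blobs) also score near 8.0, so a high-entropy chunk proves only that nothing readable is there, while a low-entropy chunk that is not the boot loader is exactly the "see what can be discovered" finding Eric is asking you to go look for.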
Credant is great for mobile devices and PDA, but on the laptop they focus on specific folders leaving hibernation files vulnerable.
PC Guardian encrypts everything but doesn’t have the integration or the bells and whistles (your mileage may vary).
Histogram – I kind of missed this part. It has to do with looking at file size over time and determining if something or other is too predictable.
It is certainly worse to think you’re secure when you really aren’t.
Eric likes to encrypt at the folder level. If you encrypt full disk, then when you log in everything is accessible. He likes to be able to leave his consulting directory encrypted while working at a SANS conference. Further, backups remain encrypted when you do folder level encryption.
Many people deploy encryption without fixing up the security of their computer at all.
Deploying without a screensaver lock is like leaving the door open on a safe.
Same goes for deploying with a bad password policy. Eric says quit messing around. Set the minimum length to 30 and be done with it. That will force users to use a phrase. They can't write something like that down; it's more trouble than just learning a phrase.
Like Alan said, you need to look at data protection solutions as well as encryption.
If encryption was easy everyone would be doing it. It's been around a long time.
Because of laptop theft and data leakage press, and regulation, crypto has become the hammer of choice. Crypto is seen as the solution to every problem. Ever hear the phrase “when all you have is a hammer, everything looks like a nail”? Pass me the crypto-hammer.
1. Protection of the key is paramount.
The strength of the key is based on the strength of the password that protects it.
If your users have admin rights, your ability to succeed in this deployment drops by 80%.
2. Understand what risk is being mitigated and what isn’t.
Take protections commensurate with the exposure. A $10k per day body guard is nothing if the wrong people want you dead.
3. Encryption doesn’t prevent inference attacks.
Several friends of mine have spent time in unfriendly countries. I asked them about using hushmail or PGP. They said that if the bad guys suspected you of hiding email traffic it would only cause trouble.
Eric told a story where they suspected theft of trade secrets. They did some egress monitoring and found one guy who only used encryption when sending email to one address. That certainly raised suspicion.
Steve Jobs apparently has a bodyguard for his computer. If he isn’t within 5 feet of the computer, then the guard needs to be.
(skipping some steps)
6. Know the problem you’re trying to solve.
It's no longer a laptop when it's got 80 GB of data on it. It's a portable server.
“The only silver bullet is found in a bar”