Common whole-disk encryption configuration weaknesses

After years of praising whole disk encryption, I’m finally seeing enterprises buy into its value. With relatively inexpensive products from PGP/Symantec, WinMagic, Check Point and Microsoft, it’s easy assume securing desktops is simple. Slap whole disk encryption on your laptops, flash drives and external hard drives, and you’re good to go.

Not so fast.

As with any security technology, it’s important to think things through and make sure controls are properly implemented. Here are some common whole-disk encryption configuration weaknesses that can negate its benefits.

Blank and weak passwords
Security is only as good as the weakest link in the equation, so don’t let passwords be the ultimate workaround for whole disk encryption. Remember that you can’t fix grander security issues if you haven’t addressed the basics.

Not training users to lock their desktops
It’s crucial to educate users on the consequences of leaving their laptops unattended and unlocked at coffee shops, conference centers and airports while they grab a coffee refill, run to the restroom or take a phone call outside. Someone could easily walk off with full access to everything on the machine, including credentials to gain further access into your enterprise (i.e. virtual private network, remote desktop, Web portals). And it’s all because your user didn’t think to press CTRL+ALT+DELETE or Windows Key+L.

In addition, this creates an interesting scenario regarding compliance and breach notification. Since the data was encrypted, do you have to report the security breach, even though it was technically accessible?

No screensaver timeouts 
This technology helps you enforce policy and set users up for success, but I rarely see it in place. Configuring locking screensavers with a reasonably short timeout period -- 5 to 10 minutes -- is a simple task and will improve desktop security tremendously.

No re-authentication requirements from sleep or hibernate 
If a Windows system is in an unencrypted state and the user puts the system into standby or hibernate mode, what happens when it comes back up? It’s important to check if the user will be prompted for credentials.

On a related note, there has been some discussion of systems being put to sleep in this way and the ability for an attacker to remove the drive, place it in another system, and have full access. To ensure that there’s nothing blatantly insecure with this, I tested certain scenarios with both BitLocker in Windows 7 and PGP Whole Disk Encryption. Every time I tried accessing the presumably unsecured drive, I was prompted to authenticate and decrypt. Regardless, this would still be a good thing to verify, depending on the operating system version and the whole-disk encryption software you’re running.

More on enterprise security

Resetting passwords in the enterprise without the help desk

Endpoint security may not keep your enterprise safe

A desktop admin's guide to passwords in the enterprise

All these concerns can be enforced via Group Policy, but make sure you remember the standalone laptops -- including personal systems -- that aren’t under your control. There are many variables that can go wrong, not to mention all the things you have to do to balance security with usability.

Like firewalls, Secure Sockets Layer and anti-malware software, whole disk encryption is a technology that can create a false sense of security. Whole disk encryption is definitely worth looking into, but don’t just dive in without thinking things through. When done correctly, whole disk encryption can minimize one of your greatest information risks. But when done incorrectly, it can spell trouble for your enterprise.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. With over 21 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.

This was first published in March 2011

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top