After years of praising whole disk encryption, I’m finally seeing enterprises buy into its value. With relatively inexpensive products from PGP/Symantec, WinMagic, Check Point and Microsoft, it’s easy assume securing desktops is simple. Slap whole disk encryption on your laptops, flash drives and external hard drives, and you’re good to go.
Not so fast.
As with any security technology, it’s important to think things through and make sure controls are properly implemented. Here are some common whole-disk encryption configuration weaknesses that can negate its benefits.
Blank and weak passwords
Security is only as good as the weakest link in the equation, so don’t let passwords be the ultimate workaround for whole disk encryption. Remember that you can’t fix grander security issues if you haven’t addressed the basics.
Not training users to lock their desktops
It’s crucial to educate users on the consequences of leaving their laptops unattended and unlocked at coffee shops, conference centers and airports while they grab a coffee refill, run to the restroom or take a phone call outside. Someone could easily walk off with full access to everything on the machine, including credentials to gain further access into your enterprise (i.e. virtual private network, remote desktop, Web portals). And it’s all because your user didn’t think to press CTRL+ALT+DELETE or Windows Key+L.
In addition, this creates an interesting scenario regarding compliance and breach notification. Since the data was encrypted, do you have to report the security breach, even though it was technically accessible?
No screensaver timeouts
This technology helps you enforce policy and set users up for success, but I rarely see it in place. Configuring locking screensavers with a reasonably short timeout period -- 5 to 10 minutes -- is a simple task and will improve desktop security tremendously.
No re-authentication requirements from sleep or
If a Windows system is in an unencrypted state and the user puts the system into standby or hibernate mode, what happens when it comes back up? It’s important to check if the user will be prompted for credentials.
On a related note, there has been some discussion of systems being put to sleep in this way and the ability for an attacker to remove the drive, place it in another system, and have full access. To ensure that there’s nothing blatantly insecure with this, I tested certain scenarios with both BitLocker in Windows 7 and PGP Whole Disk Encryption. Every time I tried accessing the presumably unsecured drive, I was prompted to authenticate and decrypt. Regardless, this would still be a good thing to verify, depending on the operating system version and the whole-disk encryption software you’re running.
All these concerns can be enforced via Group Policy, but make sure you remember the standalone laptops -- including personal systems -- that aren’t under your control. There are many variables that can go wrong, not to mention all the things you have to do to balance security with usability.
Like firewalls, Secure Sockets Layer and anti-malware software, whole disk encryption is a technology that can create a false sense of security. Whole disk encryption is definitely worth looking into, but don’t just dive in without thinking things through. When done correctly, whole disk encryption can minimize one of your greatest information risks. But when done incorrectly, it can spell trouble for your enterprise.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. With over 21 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in March 2011