Handbook of Information Security Management: Computer Architecture and System Security



ACCESS CONTROLS AND ENCRYPTION

Access control is discussed in Section 1.1 as well as 2.2. Encryption technology is discussed in Section 8.1. Earlier it was noted that access controls and encryption are a defense against the compromise of data on stolen systems and storage media. For example, if a laptop system is stolen but the bulk of the data on the machine are stored in encrypted files, it is unlikely that the thief, or the person to whom the machine is fenced and ultimately sold, will gain access to the data.

Unfortunately, encryption is an example of security’s two-edged sword. For example, the very feature that makes a notebook easier to secure physically (the small size — it can be locked away in an office drawer or a hotel-room safe) also makes it easier to run off with. Similarly, the technology that renders files inaccessible to the wrong people, encryption, can be abused to deny access to legitimate users (in the last 12 months we have received several calls from companies wanting help in retrieving their own data, encrypted by a disgruntled employee who refuses to share the password — payment is sometimes demanded, leading to the term data ransoming).

Nevertheless, it is better to use the digital protection schemes that are available than risk data loss or compromise. Start with the BIOS. Most laptops and desktops produced in recent years have a decent set of BIOS-based security features. For example, the trusty three-year-old Compaq Concerto on which this chapter is being written allows the user to “hot lock” with a single keystroke, preventing anyone from using the mouse or keyboard unless they can enter the correct PIN. This can be set to kick in at system startup, thus defending against a reboot attack. Beyond this, you can disable the floppy drive, even block the ports, and all with a security program that has a Windows interface. Getting around this protection would require taking the machine apart and knowing just how to drain current from the CMOS.

Beyond BIOS-based protection you have the option of installing encryption software to scramble the contents of files so that they are useless to anyone who doesn’t have the password/key. Encryption programs can operate at different levels. You can choose to encrypt just a few very valuable files on a file-by-file basis. This is simple and straightforward with something like Nortel Entrust Lite, McAfee’s PC Secure, RSA’s SecurPC, or Cobweb Application’s KeyRing. These programs are particularly useful when you want to transmit files by E-mail, which remote users often need to do. If you routinely need to encrypt your E-mail messages, as opposed to file attachments, then PGPMail or ConnectSoft’s Email Connection may be the way to go (the latter supports the S/MIME standard and requires a password before you can even run the program).

The next level of encryption is a designated area on the hard disk, in which all files stored are automatically encrypted. This is possible with programs like Utimaco’s Safe Guard Easy products, which perform on-the-fly encryption. In other words, encryption and decryption are made part of the normal file save and open process. This can be more convenient in that constant entering of passwords is not required, but then again, if the master password is compromised the attacker may gain access to more data than if each file had a separate password. Programs like Symantec’s Norton Your Eyes Only can actually encrypt everything on the entire hard disk, if that is what you want to do.

If you do use encryption you will need to take passwords seriously. The use of a master password, which unlocks all files you have encrypted, can simplify this, but it also increases the amount you have riding on one single password. Separate passwords for each file present a management problem. Then there is the dilemma of easy-to-remember passwords, like your name, being easy for interlopers to guess, vs. long, obscure, and hard-to-crack passwords that you are tempted to write down, and thus compromise, just because they are hard to remember.

Also, there is the temptation to use the same password in different situations, which can lead to compromise. For example, it is relatively easy to crack the standard Windows 95 screen-saver password. So, you shouldn’t use the same password for the screen-saver that you use for network log-in or sensitive file encryption (alternatively, you can use a more powerful screen-saver, such as Cobweb Application’s HideThat).

Several encryption solutions attempt to go beyond passwords. For example, Fischer International offers a hardware key that fits inside a floppy disk drive. Companies like Chrysalis and Telequip make PCMCIA cards that not only store encryption keys but also perform encryption calculations, thus mitigating some of the performance hit that encryption can impose. Encryption programs like Entrust can store passwords on floppy disks, which allows them to be kept separate from the computer where the encrypted files are stored. Keep that disk in your pocket when you leave your laptop behind and at least you will know that nobody can get to your files, even if they steal your machine.

DEFENDING THE LAN

The first personal computer networks were installed in the mid 1980s, allowing users to share, for purposes of efficiency, productivity and cost-saving, their storage devices, printers, and software. Naturally, these networks started out small, hence the term local area network. They were often informal, employed by a group of users who knew and trusted each other, and so people paid little attention to the security implications of this new type of computing.

