Keeping laptops secure solutions
Download
1 / 20

Keeping Laptops Secure: Solutions - PowerPoint PPT Presentation


  • 248 Views
  • Updated On :

Keeping Laptops Secure: Solutions Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil Defense Team: Agenda Real world analysis of laptop security Four cornerstones of secure computing as they relate to laptop security Confidentiality Authenticity Integrity

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Keeping Laptops Secure: Solutions' - emily


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Keeping laptops secure solutions l.jpg

Keeping Laptops Secure:Solutions

Mike Delahunty

Bryan Lutz

Kimberly Peng

Kevin Kazmierski

John Thykattil

Defense Team:


Agenda l.jpg
Agenda

  • Real world analysis of laptop security

  • Four cornerstones of secure computing as they relate to laptop security

    • Confidentiality

    • Authenticity

    • Integrity

    • Availability

  • How can we apply these cornerstones to ensure laptop security?


Real world balancing cost and risk l.jpg
Real World – Balancing Cost and Risk

  • The greater the security risk, the greater the cost to mitigate

    • Software and administrative costs

  • Some laptops need more security than others

    • Bank employee’s laptop must be very secure

      • Financial data could be compromised

    • Government employee’s laptop must be very secure

      • Public records could be compromised

    • College student’s laptop might not need as much

      • MP3s and videos could be lost


Real world business legal consequences l.jpg
Real World – Business/Legal Consequences

  • A survey of almost 500 IT professionals in 2006 revealed that 81 percent of firms lost machines containing sensitive data last year.1

  • Loss of laptop containing personal data belonging to the public can lead to:

    • Financial loss to those affected, and the company

    • Stolen identities of those affected

    • Lawsuits from those affected

    • Loss of customers

    • Lowered public perception of company


Real world feasibility analysis l.jpg
Real World - Feasibility Analysis

  • Companies must dedicate appropriate resources to maintain a sufficient level of security for laptops, based on their accepted level of risk

    • Ranges from $10’s to $100’s per laptop

    • IT personnel to administer laptops and keep them secure

    • Employee training on security

  • Having the appropriate level of laptop security should always be feasible, or the company is not doing their due diligence.


Solutions to ensure laptop data confidentiality l.jpg
Solutions to Ensure Laptop Data: Confidentiality

Laptop Data Encryption

Two Types of Encryption

File

Full Disk (Preferred)

Most Encryption Products are FIPS Certified

US Federal Information Processing Standards (FIPS) certification from the National Institute of Standards and Technology (NIST), which verified the encryption algorithms in the products as conforming to the Advanced Encryption Standard (AES) algorithm


Case study bitlocker l.jpg
Case Study: BitLocker

Microsoft Product with Windows Vista

Targets the Lost Laptop

Encrypts operating system volume on a sector by sector basis

Two Layer Approach

Cipher Layer: Well-Established Cipher, AES in CBC mode

Diffuser Layer: Unproven algorithm; premise is to make manipulation for authentication attacks harder


Case study bitlocker cont l.jpg
Case Study: BitLocker Cont.

Premise/Design Approach

Software Based Attacks Most Prevalent

BitLocker does not require user to enter special boot password or use boot SmartCard or USB device

Hardware Attacks Rare but Supported with TPM Chip

Seal/Unseal Function used to encrypt key which can only be decrypted by same TPM chip; other OS’es can be booted and fully functional, but drive cannot be read.


Case study bitlocker9 l.jpg
Case Study: BitLocker

Secure Boot Process

If Attacker has access to ciphertext, and modifies it to create weakness in the normal boot process

Authenticate Data From Disk

Poor Man’s Authentication: trust that changes in ciphertext do not translate to semantically sensible changes in the plaintext

512 to 8192 byte block cipher

If attacker changes any part of ciphertext, all plaintext in that sector is changed randomly


Solutions to ensure laptop data confidentiality10 l.jpg
Solutions to Ensure Laptop Data: Confidentiality

Physical Security

Keep Devices in Safe Locations

Lock them up

LCD Privacy Screens

Don’t Display Confidential Documents in Public Areas

Lock Down Ports: USB, IEEE 1394, etc.

Exploitation of Legitimate Forensics Tools

  • Use TPM Chip to thwart hardware attacks


Authenticity solutions l.jpg
Authenticity Solutions

  • Make it difficult to guess passwords and account names

    • Disable well known accounts such as “guest” and “administrator”

    • Disallow passwords that contain login names, dictionary words, or simple variants of previous passwords

    • Require long passwords with a mix of characters, numbers, and symbols

    • Use systems that employ SHA-512 or MD5


Authenticity solutions cont l.jpg
Authenticity Solutions Cont.

  • Disable access to I/O ports

    • Popular vendors of security products offer software that blocks the use of removable storage devices and media. This can prevent theft of data through USB devices or booting alternate operating systems on CD.


Authenticity solutions13 l.jpg
Authenticity Solutions

  • Prevent users from connecting to rogue access points

    • Host-based: Require the use of secure tunnels whenever using any connection outside of the company. VPN clients can be launched at startup, however this can lead to connectivity problems.

    • Network-based: Employ software that detects and shuts down rogue access points installed within the company’s network. An example would be RogueScanner, which is an open source tool for detecting rogue devices.


Integrity solutions l.jpg
Integrity Solutions

  • Do not give laptop users “administrative” rights

    • Prohibits the installation of unapproved software

    • Most malware / spyware exploits administrative privileges to install without user knowledge

    • Provides greater stability - extraneous software

      not running in the background

      • Laptops run more efficiently and quickly

      • Less need for maintenance

  • Only allow network administrators to install approved software

  • Have a standardized, approved laptop image


Integrity solutions cont l.jpg
Integrity Solutions Cont.

  • Do not allow laptops on the network with expired Virus definitions

    • Use a product such as Cisco Clean Access to place the laptop on a quarantined subnet upon first connection, download current virus definitions, and grant access once the laptop is in compliance

  • Do not allow laptops to use unsecured wireless networks

    • Enforce minimum requirements for wireless access using group policy or similar

      • Do not allow open access SSIDs or WEP


Slide16 l.jpg

Retaining Availability

  • Availability - The ability to use the

  • information or resource desired

  • A loss of availability is a loss of data

  • Logical Prevention

    • Data redundancy

      - Ex: Oracle's “Data Guard”

    • Virtualization software

    • Regular backups to

      corporate network

  • Physical Prevention

    • “Toughbook” laptops

Oracle's “Data Guard”


Slide17 l.jpg

Retaining Availability Cont.

  • Cost (per 100 users)

  • Data Redundancy

    • Oracle's “Data Guard” - $6k (enterprise license)

  • Virtualization

    • VMWare's “bundle pack” - $15k for 100 Virt. Machines

  • Toughbooks

    • 3x over standard laptops

    • At 50% enterprise discount: $100k for 100 users

  • Simple data redundancy through server backups is most cost effective. However, high availability has its drawbacks.....


Slide18 l.jpg

Retaining Availability Cont.

  • Risks

  • High Availability comes at a price

    • Performance – synchronization for backups,

      loading virtual machines, n/w latency

    • Deployment – costs, training, personel

  • Feasibility

  • 99% uptime = 8,649 hrs/yr

  • or 87 hrs downtime / yr

  • If 95% uptime is good enough,

  • Gartner suggests doing nothing.

Source: Gartner Research


Laptop security solutions conclusion l.jpg
Laptop Security Solutions - Conclusion

  • There is no “silver bullet” product that covers all areas of laptop security

  • Use a combination of products to achieve your optimal level of security

  • Keep the balance between usability and security

    • Employees must be able to work effectively while remaining secure



ad