2009 SECURITY UPDATE

Nate SolbergOwner, Nordic PCBoone, NC 28607

nate@nordic-pc.com

Who is Nate Solberg?

•Owner, Nordic PC

•10+ Years Experience in IT

•Contributing author of Dentistry and NC Law

•Hardware enthusiast, systems builder.

How to Protect Your DataFrom Unauthorized Access

1. Good Passwords

2. Data Encryption

3. Sound Practices

What Makes a Good Password?

Complexity:

-Use upper-case and lower-case letters

-Add a number or symbol

-Stay away from dictionary terms

-8 characters or longer

What Makes a Good Password?

“Keep your keys away from the lock”

- Don’t write down passwords

- Change passwords every 60 – 90

days

- Don’t share passwords with anyone

What Makes a Good Password?

Password Alternatives

- Fingerprint Readers

- SmartCards

Data Encryption, why?

- Stolen equipment equals data

breaches

- Man in the middle attacks steal

unencrypted data from networks

NIST Guidelines That Matter

•NIST 800-111 for Data at Rest

•NIST 800-52 for Data in Motion

NIST Guidelines For Data Encryption

NIST 800-111: Data at Rest

• If properly implemented, data encryption may

eliminate the need to notify patients if hard

drives, flash drives, or other storage devices are

stolen.

• Provides three types of encryption: Full Disk

Encryption (FDE), Virtual Disk Encryption, and

File/Folder Encryption

NIST 800-111: Data at Rest

PROS• FDE can now be done in hardware, with products like Seagate’s FDE drives for laptops and servers, and IronKey Flash Drives.• Hardware solutions do not penalize performance for safety.• Hardware-encrypted hard drives do not have to be destroyed for the data to be destroyed, making drives easily reusable.• Keeps keys safe and hidden in hardware

CONS• FDE is still very young, and currently only available in portable devices, flash drives and high-end servers.• More expensive than other encryption techniques.• Tough to implement in conjunction with Active Directory or other centrally-managed authentication solutions.

Full Disk Encryption (FDE)

NIST 800-111: Data at Rest

PROS• Virtual Disk Encryption containers can be backed-up very easily, and are portable.• System files are not encrypted, meaning the system can be used without keys.• Performance of basic operations is not affected since only sensitive data is encrypted.• Extremely easy and inexpensive to implement.

CONS• Decryption happens in Windows, so keys are accessible to malware.• Can cause issues with stored data, like executables.• Does not automatically encrypt everything, users must put sensitive data on the Virtual Disk.• Encryption and Decryption is done on-the-fly with the PC’s CPU, so it can be slow.

Virtual Disk Encryption

NIST 800-111: Data at Rest

PROS• Has been around for a very long time, tried and true method.• Built-in to NTFS file system for Windows, and Office Suites. • Extremely flexible, just encrypt the files you want to, or have a folder called “Encrypted” to store sensitive information in.• Often portable, but not guaranteed.

CONS• Does not encrypt file names and other metadata.• Each file has it’s own key, so changing passwords can be very time consuming.• Does not guarantee protection from malware, especially folder encryption.

File/Folder Encryption

NIST 800-111: Data at Rest

FIPS 140-2

1. FIPS 140-2 may need to be followed also, once HIT laws are finalized next year.

2. Products are classified in 4 levels, with level 1 being the least secure and level 4 being the most.

3. Software solutions like Microsoft BitLocker and TrueCrypt can only be level 1 certified because of the lack of tamper protection.

4. Hardware solutions like IronKey flash drives can be level 2 or level 3. IronKey is the only level 3 certified flash device.

5. Seagate’s FDE has not been classified yet, but we can expect level 1 certification once testing is completed.

NIST 800-111: Data at Rest

Recommendations

1. Use a Virtual Disk to encrypt data on a server. Keep that container on a separate device from the server, like a NAS device. Use a password to access the Virtual Disk in conjunction with a key file like an MP3 or JPEG, so that simply having the password is not enough to gain access to the volume. TrueCrypt is an excellent solution, and it’s free!

2. For Laptops, look into Seagate’s FDE solution. It will protect the contents of the laptop if stolen, and will have the least adverse effects on your computing experience.

3. Use an IronKey flash drive with FDE if you need to move sensitive data on a small device.

4. If you backup files to DVD or CD-ROM, put them into a Virtual Disk first, then backup the container. Again, look at TrueCrypt for this.

NIST 800-52: Data in Motion

• Provides recommendation of TLS 1.0 security for all data

moving from one system to another over the network.

• Explains that SSL is no longer considered appropriate

because it is not standards-based. TLS 1.0 is the only

acceptable solution.

• Even data in motion on your own private network should

be encrypted with TLS 1.0 to help protect against hackers.

NIST 800-52: Data in MotionHow to check your security settings:

-In IE8, right-click the page and hit Properties

NIST 800-52: Data in Motion

- Remote access via IPSEC VPN Tunnels

- Stay away from LogMeIn, GoToMyPC and

similar uncertified products

- Keep confidential data out of emails

NIST 800-88: Destruction of Data

• Sanitization Types:

1. Disposal: Act of discarding media with no sanitation

2. Clearing: Overwriting the storage space on the media

3. Purging: Same as Clearing for all recent hard drives

4. Destroying: Disintegration, incineration, pulverization,

etc.

NIST 800-88: Destruction of Data

• Sensitive data that is unencrypted needs to be destroyed.

• Clearing/Purging is a suitable solution for hard drives, and a single

overwrite is considered effective. Utilities like Eraser

(http://eraser.heidi.ie) are good, open-source options.

• If a hard drive fails, then it must be destroyed. NIST 800-88

requests that this is done by a professional, however removing the

platters from the hard drive and scratching and breaking them

should be sufficient.

• CDs or DVDs should be crosscut shredded to a 5mm x 5mm size.

NIST 800-88: Destruction of Data

• Seagate’s FDE products can be safely

reused just by changing the cryptographic

key in the drive. This is called “Instant

Secure Erase.”

Good Practices

• Keep your data storage under lock and key, just

like your paper files. Use both physical safeguards

and data encryption.

• Keep up with software updates. Microsoft releases

new patches every second Tuesday of the month.

Java and Flash updates are very important.

• Audit your access logs on a weekly schedule.

• Sanitize all hard drives before disposal or reuse.

Good Practices, cont.

• Lock workstations when not in use. Windows Key +

L works quickly and workstations should lock

automatically after 5 minutes of inactivity.

• Keep monitors out of the public eye, or use privacy

screens.

• Use limited user accounts to prevent software

installations.

• Be able to terminate user access at any time,

especially BEFORE termination.

2009 Security Update

• Presented by: Nate Solberg

839 W King St. #4

Boone, NC 28607

(828) 263-8359

nate@nordic-

pc.com

www.nordic-

pc.com