Date posted: 17-Jan-2016
ITSS 2015
ITSS 2015: Encryption
Edward Carter, Manager, Architecture and Response
Stephen Hoffer, Senior Information Security Analyst
Haley Baker, Associate Information Security Analyst
Ohio University
Information Security Goals
• C-I-A Triad
  • Confidentiality: keep private information protected from unauthorized access (encryption)
  • Integrity: ensure information is protected from unauthorized changes (hashing; when the attacker can also rewrite the hash, a keyed MAC or a digital signature is needed)
  • Availability: ensure information is accessible to authorized entities
What is encryption?
• Encryption: transform data so that only parties holding the key can read it
  • Symmetric-key (one shared key) and asymmetric-key (public/private key pair)
• Encoding: transform data so it can be used by a different system; reversible by anyone, so it provides no secrecy
  • Base64, ASCII, EBCDIC, Unicode
• Hashing: transform data into a fixed-length digest used to detect whether the message contents have changed
  • MD5, SHA-1, RIPEMD (MD5 and SHA-1 are no longer collision-resistant; use SHA-2 or SHA-3 for new work)
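The three transforms side by side, as an added example that is not part of the ITSS 2015 deck. It uses the .NET cryptography classes available from PowerShell 5.1 and later; the sample text, the AES key and the HMAC key are all constructed for the demo and are not real data. It also goes one step beyond the slide: it shows why encryption alone does not give integrity and adds an HMAC (encrypt-then-MAC) to cover that.

```powershell
# Added example (not from the ITSS 2015 deck). Sample data below is constructed.
$plain = "Student record: 123-45-6789"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($plain)

# --- Encoding: Base64 is reversible by anyone; it hides nothing ---
$b64     = [Convert]::ToBase64String($bytes)
$decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
"Base64 : $b64"
"Decoded: $decoded   (no key needed)"

# --- Hashing: fixed-length, one-way; any change to the input changes the digest ---
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$digest1  = [BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '').ToLower()
$tampered = [System.Text.Encoding]::UTF8.GetBytes($plain.Replace('6789', '6780'))
$digest2  = [BitConverter]::ToString($sha256.ComputeHash($tampered)).Replace('-', '').ToLower()
"SHA-256 : $digest1"
"Tampered: $digest2   (digests match: $($digest1 -eq $digest2))"

# --- Encryption: AES-256-CBC (the .NET default mode, PKCS7 padding); reversible only with the key ---
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()   # random 32-byte key (constructed for the demo)
$aes.GenerateIV()    # random 16-byte IV; must be unique per message
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
"Cipher  : $([Convert]::ToBase64String($ciphertext))"

# A separate HMAC key gives integrity; CBC encryption alone does not detect tampering.
$hmacKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($hmacKey)
$hmac = [System.Security.Cryptography.HMACSHA256]::new($hmacKey)
$tag  = $hmac.ComputeHash([byte[]]($aes.IV + $ciphertext))   # MAC over IV || ciphertext

# Receiver side: verify the tag BEFORE decrypting (encrypt-then-MAC).
# Hypothetical helper name; the byte-wise loop avoids an early-exit timing leak.
function Test-Tag([byte[]]$Data, [byte[]]$Expected) {
    $actual = $hmac.ComputeHash($Data)
    if ($actual.Length -ne $Expected.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $actual.Length; $i++) { $diff = $diff -bor ($actual[$i] -bxor $Expected[$i]) }
    return ($diff -eq 0)
}

$ok = Test-Tag ([byte[]]($aes.IV + $ciphertext)) $tag
$recovered = [System.Text.Encoding]::UTF8.GetString(
    $aes.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length))
"Verified: $ok   Decrypted: $recovered"

# Flip one ciphertext byte: the MAC check fails, so the receiver never decrypts garbage.
$evil = [byte[]]$ciphertext.Clone()
$evil[0] = $evil[0] -bxor 0x01
"Tampered ciphertext verifies: $(Test-Tag ([byte[]]($aes.IV + $evil)) $tag)"
```

The Base64 step recovers the plaintext with no secret at all, the two SHA-256 digests differ completely after a one-digit change, and only the holder of `$aes.Key` gets the plaintext back. The HMAC check is the piece the slide's "Integrity: hashing" bullet leaves implicit: a bare hash shipped next to the ciphertext can be recomputed by whoever changed the data, whereas a keyed tag cannot.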
Why do we encrypt?
• Protect data
  • At rest: data stored on media (USB drive, disk, tape, etc.)
  • In transit: communications over a network between systems
• Regulations/compliance
  • HIPAA/HITECH (health-care industry)
  • FERPA (education)
  • PCI-DSS (payment-card industry)
  • PII (personally identifiable information)
  • Auditors
• Personal choice
• Policy
Ohio University Policy
• 93.001: Data Classification
  • https://www.ohio.edu/policy/93-001.html
• "This policy establishes that all information assets will be classified according to their confidentiality, integrity and availability. This policy sets forth procedures based on those classifications so that the University can protect each asset in an appropriate manner." (emphasis added)
Where is it used?
• Application layer
  • SSH
  • S/MIME
  • TDE (transparent data encryption in database engines)
  • Adobe
  • Microsoft Office
  • Identity Finder
• "Network" layers
  • SSL/TLS (SSL 2.0 and 3.0 are deprecated; use TLS)
  • IPsec/L2TP
  • PPTP (its MS-CHAPv2 authentication and MPPE encryption are broken; avoid for new deployments)
Where is it used?
• Volume-based (disk)
  • BitLocker
  • FileVault
  • VeraCrypt/CipherShed
  • dm-crypt
• File-based (disk)
  • EFS
  • PGP/GPG
How do we encrypt disks?
• Operating system built-in
  • BitLocker
  • EFS
  • FileVault
• Open source
  • VeraCrypt/CipherShed
  • GPG
  • dm-crypt
• Commercial
  • Symantec Endpoint Encryption (PGP)
  • Sophos SafeGuard
  • Trend Micro Endpoint Encryption
Windows
• BitLocker / BitLocker To Go (the latter for removable drives)
  • Windows 7 (Enterprise/Ultimate), Windows 8/8.1/10 (Pro/Enterprise), Server 2008+
  • BitLocker cmdlets in PowerShell (Windows 8 / Server 2012 and later); manage-bde.exe on older releases
  • Diskpart.exe / Disk Management MMC: used to prepare the separate, unencrypted system partition BitLocker needs to boot from
Mac OS X
• FileVault / FileVault 2
  • Legacy FileVault (10.3 to 10.6) encrypted only the user's home folder; FileVault 2 (10.7 Lion and later) encrypts the whole startup volume with XTS-AES-128
Linux
• dm-crypt
  • Kernel block-device encryption, normally managed with cryptsetup as LUKS volumes; the LUKS header holds the key slots, so back it up (cryptsetup luksHeaderBackup) or a damaged header makes the volume unrecoverable
What about the keys?
• BitLocker key management
  • MBAM (Microsoft BitLocker Administration and Monitoring)
  • Recovery key
    • Store in AD or in a file
    • GPO change required: enable "Save BitLocker recovery information to AD DS" under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, per drive type
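The Windows procedure the two slides above describe (enable BitLocker with the PowerShell cmdlets, then get the recovery key into Active Directory), as an added example that is not part of the ITSS 2015 deck. It assumes an elevated PowerShell session on a domain-joined Windows 10 / Server 2016 or later machine with a TPM and the BitLocker module, and that the AD DS backup GPO named in the comments has already been applied; the drive letter is an assumption. MBAM is the other escrow target the slide names; this example uses plain AD DS.

```powershell
# Added example (not from the ITSS 2015 deck). Assumes: elevated PowerShell,
# Windows 10 / Server 2016+, TPM present, domain-joined, BitLocker module loaded.
#
# Required GPO (Computer Configuration > Administrative Templates > Windows
# Components > BitLocker Drive Encryption > Operating System Drives >
# "Choose how BitLocker-protected operating system drives can be recovered"):
# tick "Save BitLocker recovery information to AD DS" and, ideally,
# "Do not enable BitLocker until recovery information is stored to AD DS".

$MountPoint = "C:"   # assumed OS volume

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    # 1. Recovery password first, so there is always a way back into the volume.
    #    XtsAes256 needs Windows 10 1511+; use Aes256 on older builds.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -SkipHardwareTest
    # 2. TPM protector so the volume unlocks without user interaction at boot.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 3. Escrow every RecoveryPassword protector in AD DS (one msFVE-RecoveryInformation
#    object per protector GUID). Fails with a Group Policy error if the GPO is missing.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recoveryProtectors) { throw "No recovery password protector on $MountPoint" }
foreach ($kp in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Escrowed protector $($kp.KeyProtectorId) to AD DS"
}

# 4. Confirm. ProtectionStatus 'On' means the protectors are active; VolumeStatus
#    moves from EncryptionInProgress to FullyEncrypted in the background.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod

# Legacy equivalent of step 3, for machines without the cmdlets:
#   manage-bde -protectors -get C:
#   manage-bde -protectors -adbackup C: -id "{<protector GUID>}"
```

Escrow is done per protector ID rather than per volume on purpose: if a recovery password is ever rotated (a new protector added, the old one removed), the new GUID has to be backed up again, and checking `KeyProtectorType -eq 'RecoveryPassword'` keeps TPM and other protector types, which cannot be escrowed, out of the loop. Verify the result on the domain side by reading the computer object's BitLocker Recovery tab in Active Directory Users and Computers (requires the BitLocker Recovery Password Viewer feature).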
What about the keys?
• FileVault 2
  • Casper
  • Cauliflower Vest
  • Crypt
  • Institutional Recovery Key (https://support.apple.com/en-us/HT202385)
• Commercial applications
  • Sophos SafeGuard, Trend Micro, WinMagic (all support key escrow on Windows and Mac OS X)
• Network-share encryption (PGP)
Encrypting is all good, isn't it?
• Benefits
  • Many breach-notification laws include a "safe harbor" provision for data that was encrypted
  • Lost/stolen devices
• Limitations
  • Key management
  • Conversion can be difficult
  • Not a panacea
    • Data in memory is unencrypted: once the disk is unlocked, the OS and every process running on it see plaintext
    • Malware can still access those data
    • Entire drive may not be encrypted (the system partition stays in the clear, and "used space only" encryption leaves previously deleted data unencrypted)
    • Cold-boot attack: the key stays in DRAM for a short time after power-off, and for the whole time a machine is asleep; shut down or hibernate rather than suspend
  • Corruption: please back up your data. Please back up your data.
Questions?
• Please back up your data BEFORE encrypting it
• Please perform regular backups of your data
• Please test the restoration of the backup
• OIT Security Office contact / incident reporting
  • 740-566-SAFE (7233)
  • [email protected]