Don’t share passwords with anyone</li></li></ul><li>What Makes a Good Password?<br />Password Alternatives<br /><ul><li>Fingerprint Readers
SmartCards</li></li></ul><li>Data Encryption, why?<br /><ul><li>Stolen equipment equals data breaches
Man in the middle attacks steal unencrypted data from networks</li></li></ul><li>NIST Guidelines That Matter<br />NIST Guidelines For Data Encryption<br /><ul><li>NIST 800-111 for Data at Rest
NIST 800-52 for Data in Motion</li></li></ul><li>NIST 800-111:<br /> Data at Rest<br /><ul><li> If properly implemented, data encryption may eliminate the need to notify patients if hard drives, flash drives, or other storage devices are stolen.
Provides three types of encryption: Full Disk Encryption (FDE), Virtual Disk Encryption, and File/Folder Encryption</li></li></ul><li>NIST 800-111:<br /> Data at Rest<br />Full Disk Encryption (FDE)<br />PROS<br /><ul><li> FDE can now be done in hardware, with products like Seagate’s FDE drives for laptops and servers, and IronKey Flash Drives.
Hardware solutions do not penalize performance for safety.
Hardware-encrypted hard drives do not have to be destroyed for the data to be destroyed, making drives easily reusable.
Keeps keys safe and hidden in hardware</li></ul>CONS<br /><ul><li> FDE is still very young, and currently only available in portable devices, flash drives and high-end servers.
More expensive than other encryption techniques.
Tough to implement in conjunction with Active Directory or other centrally-managed authentication solutions.</li></li></ul><li>NIST 800-111:<br /> Data at Rest<br />Virtual Disk Encryption<br />PROS<br /><ul><li> Virtual Disk Encryption containers can be backed-up very easily, and are portable.
System files are not encrypted, meaning the system can be used without keys.
Performance of basic operations is not affected since only sensitive data is encrypted.
Extremely easy and inexpensive to implement.</li></ul>CONS<br /><ul><li> Decryption happens in Windows, so keys are accessible to malware.
Can cause issues with stored data, like executables.
Does not automatically encrypt everything, users must put sensitive data on the Virtual Disk.
Encryption and Decryption is done on-the-fly with the PC’s CPU, so it can be slow.</li></li></ul><li>NIST 800-111:<br /> Data at Rest<br />File/Folder Encryption<br />PROS<br /><ul><li> Has been around for a very long time, tried and true method.
Built-in to NTFS file system for Windows, and Office Suites.
Extremely flexible, just encrypt the files you want to, or have a folder called “Encrypted” to store sensitive information in.
Often portable, but not guaranteed.</li></ul>CONS<br /><ul><li> Does not encrypt file names and other metadata.
Each file has it’s own key, so changing passwords can be very time consuming.
Does not guarantee protection from malware, especially folder encryption.</li></li></ul><li>NIST 800-111:<br /> Data at Rest<br />FIPS 140-2<br />FIPS 140-2 may need to be followed also, once HIT laws are finalized next year.<br />Products are classified in 4 levels, with level 1 being the least secure and level 4 being the most.<br />Software solutions like Microsoft BitLocker and TrueCrypt can only be level 1 certified because of the lack of tamper protection.<br />Hardware solutions like IronKey flash drives can be level 2 or level 3. IronKey is the only level 3 certified flash device.<br />Seagate’s FDE has not been classified yet, but we can expect level 1 certification once testing is completed.<br />
NIST 800-111:<br /> Data at Rest<br />Recommendations<br />Use a Virtual Disk to encrypt data on a server. Keep that container on a separate device from the server, like a NAS device. Use a password to access the Virtual Disk in conjunction with a key file like an MP3 or JPEG, so that simply having the password is not enough to gain access to the volume. TrueCrypt is an excellent solution, and it’s free!<br />For Laptops, look into Seagate’s FDE solution. It will protect the contents of the laptop if stolen, and will have the least adverse effects on your computing experience.<br />Use an IronKey flash drive with FDE if you need to move sensitive data on a small device.<br />If you backup files to DVD or CD-ROM, put them into a Virtual Disk first, then backup the container. Again, look at TrueCrypt for this.<br />
NIST 800-52:<br /> Data in Motion<br /><ul><li>Provides recommendation of TLS 1.0 security for all data moving from one system to another over the network.
Explains that SSL is no longer considered appropriate because it is not standards-based. TLS 1.0 is the only acceptable solution.
Even data in motion on your own private network should be encrypted with TLS 1.0 to help protect against hackers.</li></li></ul><li>NIST 800-52:<br /> Data in Motion<br />How to check your security settings:<br /> -In IE8, right-click the page<br /> and hit Properties<br />
NIST 800-52:<br /> Data in Motion<br /><ul><li> Remote access via IPSEC VPN Tunnels
Stay away from LogMeIn, GoToMyPC and similar uncertified products
Keep confidential data out of emails</li></li></ul><li>NIST 800-88:<br /> Destruction of Data<br /><ul><li>Sanitization Types:</li></ul> 1. Disposal: Act of discarding media with no sanitation<br /> 2. Clearing: Overwriting the storage space on the media<br /> 3. Purging: Same as Clearing for all recent hard drives<br /> 4. Destroying: Disintegration, incineration, pulverization, etc.<br />
NIST 800-88:<br /> Destruction of Data<br /><ul><li>Sensitive data that is unencrypted needs to be destroyed.
Clearing/Purging is a suitable solution for hard drives, and a single overwrite is considered effective. Utilities like Eraser (http://eraser.heidi.ie) are good, open-source options.
If a hard drive fails, then it must be destroyed. NIST 800-88 requests that this is done by a professional, however removing the platters from the hard drive and scratching and breaking them should be sufficient.
CDs or DVDs should be crosscut shredded to a 5mm x 5mm size.</li></li></ul><li>NIST 800-88:<br /> Destruction of Data<br /><ul><li>Seagate’s FDE products can be safely reused just by changing the cryptographic key in the drive. This is called “Instant Secure Erase.”</li></li></ul><li>Good Practices<br /><ul><li>Keep your data storage under lock and key, just like your paper files. Use both physical safeguards and data encryption.
Keep up with software updates. Microsoft releases new patches every second Tuesday of the month. Java and Flash updates are very important.
Sanitize all hard drives before disposal or reuse.</li></li></ul><li>Good Practices, cont.<br /><ul><li>Lock workstations when not in use. Windows Key + L works quickly and workstations should lock automatically after 5 minutes of inactivity.
Keep monitors out of the public eye, or use privacy screens.
Use limited user accounts to prevent software installations.
Be able to terminate user access at any time, especially BEFORE termination.</li></li></ul><li>2009 Security Update<br /><ul><li>Presented by: Nate Solberg</li></ul> 839 W King St. #4<br /> Boone, NC 28607<br /> (828) 263-8359<br /> firstname.lastname@example.org<br /> www.nordic-pc.com<br />
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.