Copyright Beth E. Binde and Harold W. Winshel 2007. This work is the intellectual property of the authors. Permission is
granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or
to republish requires written permission from the authors.
Big Encryption on a Small Budget
Beth E. Binde
Harold W. Winshel
Big Encryption on a Small Budget
EDUCAUSE Security Professionals Conference
Agenda
• Definition of encryption
• Need for encryption
• Drawbacks to encryption
• Criteria for product selection
• Encryption demonstration
What is encryption?
• Coding a message to conceal meaning
• Reduces impact of eavesdropping
• Helps protect Data At Rest
How it works: Digital Substitution Example
• Apply the encryption key: 1010011 1010010 1001110
• To the plain text message CAT: 1000011 1000001 1010100
• XOR operation
  – 0 if the same
  – 1 if different
• The elements of the key correspond to letters:
  – 1010011 = S
  – 1010010 = R
  – 1001110 = N
Result
  1000011 1000001 1010100   (plain text CAT)
⊕ 1010011 1010010 1001110   (key SRN)
  ======= ======= =======
  0010000 0010011 0011010   ← Cipher text
• These binary strings correspond to ASCII control characters. They aren't even printable!
• Results of string lookup:
  – Data Link Escape → 0010000
  – Device Control 3 → 0010011
  – Substitute → 0011010
Recover original message
• Ciphertext: 0010000 0010011 0011010
• Key: 1010011 1010010 1001110
• Apply XOR operation
• Original: 1000011 1000001 1010100
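The three slides above (apply the key, read off the cipher text, recover the message) written out as a small Python program. This is an added example, not code from the presentation; it generalises the CAT/SRN walkthrough to any message and key of equal length, and the function names `xor_bytes`, `to_bits`, `encrypt_and_recover` and `printable_report` are my own.

```python
# Added example (not from the slides): the XOR substitution from the "CAT" walkthrough,
# generalised to any message and key of the same length.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key byte in the same position."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def to_bits(data: bytes) -> str:
    """Render bytes as the 7-bit ASCII columns used on the slide."""
    return " ".join(f"{b:07b}" for b in data)


def encrypt_and_recover(plaintext: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, recovered plaintext). XOR is its own inverse,
    so applying the same key a second time gives the original back."""
    ciphertext = xor_bytes(plaintext, key)
    recovered = xor_bytes(ciphertext, key)
    return ciphertext, recovered


def printable_report(data: bytes) -> list[str]:
    """Describe each byte: the character itself if printable ASCII,
    otherwise its hex code, which is what the slide's control characters look like."""
    return [chr(b) if 0x20 <= b < 0x7F else f"control 0x{b:02X}" for b in data]


if __name__ == "__main__":
    pt, key = b"CAT", b"SRN"          # the slide's plain text and key
    ct, back = encrypt_and_recover(pt, key)
    print("plain :", to_bits(pt))
    print("key   :", to_bits(key))
    print("cipher:", to_bits(ct), printable_report(ct))
    print("back  :", back.decode())
```

The output reproduces the slide: the cipher text bytes are 0x10, 0x13 and 0x1A (Data Link Escape, Device Control 3, Substitute), and XORing with the key again returns "CAT". Note that a bare XOR like this is only a demonstration of substitution; it is secure only when the key is random, as long as the message and never reused, which is exactly why the next slide says not to roll your own algorithm.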
Caution!
• Don't trust a secret or proprietary algorithm, or roll your own
  – Public scrutiny by multiple experts finds the flaws
  – Public scrutiny is beneficial
• Protect keys
  – Keys are essential for decryption
  – Even knowing the algorithm is not sufficient
• Don't rely on any single technology or measure for security
Why encrypt?
• Protect confidential data
  – Non-public personal information (NPPI)
  – Intellectual property
• Regulatory requirements
Data Breach Incidents
• A Chronology of Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Educational Security Incidents http://www.adamdodge.com/esi
Sanctions for Regulatory Non-Compliance

Regulation | Date of Enforcement | Fine                                                | Imprisonment                                                  | Industry
HIPAA      | 1996                | $250,000                                            | 10 years                                                      | Health
GLBA       | 1999                | $100,000 per incident                               | 5 years                                                       | Financial
PCI        | 2005                | $500k per incident + $100k if VISA is not notified  | None (rescind the right to accept credit card payments)       | Credit Card Security
Summary
Big Thefts of Notebooks with Sensitive Data
• 28,600,000 records of American military veterans discharged since 1975 (SSNs, names, dates of birth, etc.) on a laptop computer stolen from a VA employee's home on May 22, 2006.
• 60,000 current and former employees of Starbucks on four Starbucks laptop computers that were lost. Contained employees' names, addresses and SSNs (Nov 3, 2006).
• 48,000 records of American military veterans that might contain SSNs on a portable hard drive stolen or missing from the VA Medical Center in Birmingham, AL (Feb 2, 2007).
Reportable Incident?
“… notification is required if there is reasonable belief that data were acquired by an unauthorized individual.” (Steve Schuster / Tracy Mitrano, Cornell)
Is the information in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information? (Cal State Northridge)
If Encryption’s So Great, How Come Everyone Doesn’t Use It?
• Cost of purchase
• Time
  – Product evaluation and testing
  – Installation and maintenance
  – Staff training
  – User education
• Loss of data due to corruption of encrypted disks
• Possible lock-out due to forgotten passwords
Encryption vs. Data Breach
Pay now
… or pay later
Three states of data
• Data at rest
• Data in transit
• Data in process
Terminology – Authentication Factors
• The more factors the better
• One-factor authentication
• Two-factor authentication
• Three-factor authentication
Our Criteria for Evaluating Encryption Products
• Purchase cost of the product
• Size of current user base
• Open source?
• Availability of support
More Criteria…
• Ease of administration for IT staff
• Ease of use for end users
• What happens when things go wrong
• Ability to support two-factor authentication
And more criteria…
• Full disk encryption vs. file / folder encryption
• Keyserver vs. standalone products
• Support of portable media (flash drives, zip drives, CDs, etc.)
• Not linked to hardware of a specific manufacturer
Why we chose Truecrypt
• Large user base
• Great support
• Very well received / good reviews
• Free
Why we chose Truecrypt…more…
• File / folder
• Supports two-factor authentication
• Supports multiple operating systems
• Encrypts portable media
Truecrypt Details
• Truecrypt volumes:
  – File-hosted volumes (aka container volumes)
  – Device-hosted volumes (partitions)
• Truecrypt won't encrypt existing files.
  – Encrypting an existing file will overwrite that file.
• Password is entered once to decrypt a volume.
• Truecrypt never saves decrypted data to a disk.
  – Decrypted data is temporarily stored in RAM.
  – Even when the volume is mounted, the data on disk is still encrypted.
• Traveler mode
• Date / time stamp of the file
Steps in Creating / Using a Truecrypt Encrypted Area:
• Create a Truecrypt volume.
• Mount a Truecrypt volume.
• Copy files to / from a Truecrypt volume.
• Dismount a Truecrypt volume.
Things We Don’t Favor About Truecrypt
• File / folder
• Interface a little clunky
• Windows recognition of the Truecrypt volume when it is not mounted
Current TrueCrypt Vulnerability
• Escalation of privileges by local users
• Applies to Linux implementation
• Reported March 28, 2007
• Must be running TrueCrypt as setuid root
• Exploit available
• More information here: http://www.securityfocus.com/bid/23180/info
Features of Other Encryption Products We Reviewed
• Which features were typical of many products
• Which features were considered positive
• Which features were considered negative
Some Other Encryption Products We Looked At
• Encryption utilities on flash drives
• Axcrypt
• Cryptainer
• SafeEnd
• Windows EFS
• Windows Vista Bitlocker
• Pointsec
• Safeboot
• Authenix
• PGP
Suggestions / Policies
• Get senior administration support for policies to protect data
• Don't store sensitive data if you don't have to
• Use utilities to find files with sensitive data
• Require encryption for sensitive data
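An added example, not part of the presentation, of what "use utilities to find files with sensitive data" looks like in practice: a small Python scanner that walks a directory tree and reports files containing SSN-shaped strings or 16-digit strings that pass the Luhn check (the checksum payment card numbers use, which weeds out serial numbers and other random digit runs). The patterns, the function names and the sample files it builds are all my own constructions; real deployments would add institution-specific identifiers and exclusions.

```python
# Added example (not from the slides): locate files that appear to hold NPPI such as
# SSNs or payment card numbers, so they can be deleted or moved into an encrypted volume.
import os
import re
import tempfile

# Simplified, hypothetical patterns: a US SSN written with dashes, and 16 digits with
# optional space/dash separators (candidate card number, confirmed by the Luhn check).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9,
    and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count SSN-like strings and Luhn-valid card-like strings in one piece of text."""
    ssns = len(SSN_RE.findall(text))
    cards = 0
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            cards += 1
    return {"ssn": ssns, "card": cards}


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk a directory and return {relative_path: counts} for every file with a hit.
    Only the first max_bytes of each file are read; unreadable files are skipped."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue
            counts = scan_text(raw.decode("utf-8", errors="replace"))
            if counts["ssn"] or counts["card"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = counts
    return hits


def build_sample_tree() -> str:
    """Create a temporary directory of constructed sample files (made-up data, not real)."""
    root = tempfile.mkdtemp(prefix="nppi_demo_")
    samples = {
        "hr/roster.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,987-65-4321\n",
        "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",
        "notes/readme.txt": "Nothing sensitive here. Build 1234567890123456 is a serial.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, counts in sorted(scan_tree(demo_root).items()):
        print(f"{rel}: {counts}")
```

Run against the constructed tree it flags the HR roster (two SSNs) and the refund note (one Luhn-valid card number) while ignoring the serial number in the readme; pointed at a real file share it gives the list of files that the "require encryption for sensitive data" policy applies to.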
Conclusion
• What is encryption?
• Why do you need it?
• Encryption as part of an overall security posture
• Sharing experiences to help you
Truecrypt available at:
www.truecrypt.org