LANDesk® Management Suite 8, V8.6.1 Security - Common Criteria
Endpoint Security Data At Rest · 2019. 8. 2. · Source: CERT's "Common Sense Guide to Prevention...
Endpoint Security
Data At Rest
Bryan Hadzik
Network Consulting Services, inc.
Agenda
Look back on 2010
Incident types
Inside Job?
Source of Risk
Role of Encryption
Some Conclusions
2010 – A Year In Review
• The Good
• The Bad
• And the (occasionally) Ugly
First, The Good News (Or Is It?)
• Some good news:
More Likely….
Incident Types: 2010
Incident by Vector
Understanding Insider Attacks: Some Definitions
• "There are two kinds of people in the world: those who divide the world into two kinds of people, and those who don't"
– Robert Benchley
Understanding Insider Attacks: Quantifying Attacks
• 48% of attacks involve an insider
Source: 2010 Verizon Risk Team Data Breach Investigation Report
Understanding Insider Attacks: Some Definitions
Insider Risk
• Accidental
• Malicious
Non-Malicious
Understanding Insider Attacks: Non-Malicious
Some Stats
• 7% of all laptops are lost during their operational lifetime
• 60% are simply misplaced
Source: Ponemon Institute
Examples in 2010
Healthcare ALONE
• 147 Breaches in 2010
• 45% involved a laptop or portable electronic device
Not just the BIG companies
It happens every day
Malicious Insiders
I’ll just blend right in…
Malicious Insiders
• CERT identified four broad groups:
1. Sabotage (often out of a desire for revenge)
2. Attacks for financial benefit
3. Attacks for business gain
4. Attacks associated with unauthorized access but not necessarily for personal gain
Source: "Common Sense Guide to Prevention and Detection of Insider Threats"
Looking For Commonalities
46% of attacks – another staff member had direct knowledge of the attacker’s plans
US Secret Service/Carnegie Mellon whitepaper: "Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector"
Malicious Insiders
At least no-one has mentioned WikiLeaks..
The WikiLeak Era
Coming To A Board Room Near You?
Some Practical Steps
CERT’s 16 Step Program
1. CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS
2. CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS
3. INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES
4. MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS
5. ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES
6. TRACK AND SECURE THE PHYSICAL ENVIRONMENT
7. IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES.
8. ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE
9. CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE
10. USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS
11. IMPLEMENT SYSTEM CHANGE CONTROLS
12. LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS
13. USE LAYERED DEFENSE AGAINST REMOTE ATTACKS
14. DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION
15. IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES
16. DEVELOP AN INSIDER INCIDENT RESPONSE PLAN
Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"
[Slide labels on the repeated list: Technical Controls/Process; Non-Technical Controls/Process]
Boiling That Down
• Be able to identify the causes of insider attacks
 ▫ Technical or process vulnerabilities
 ▫ Management problems
• Enforce good segregation of duties
• Watch for technical precursors (log, monitor, audit)
 ▫ Privilege escalations
 ▫ Service account use
 ▫ Changing access rights
• Have good processes in place for high-risk events and individuals
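An added example, not part of the original slides: one way to watch for the three technical precursors listed above in a stream of audit events, and to surface accounts that show more than one of them. The key=value event format, field names, group and share names, and the `svc_` service-account convention are all assumptions constructed for illustration.

```python
"""Flag privilege escalations, service account use and access-right changes.

Constructed example: the record format, field names and all account, group
and share names are assumptions, not the output of any particular product.
"""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain-Admins", "Backup-Operators"}  # assumed group names
SERVICE_PREFIX = "svc_"                                    # assumed naming convention
SENSITIVE_PREFIXES = ("fs01:/finance/", "fs01:/hr/")       # assumed sensitive shares
BROAD_RIGHTS = {"FullControl", "Modify"}

# Constructed sample audit records (not real log data).
SAMPLE_LOG = """\
ts=2011-03-01T09:02:11 event=group_add actor=jdoe target=jdoe group=Domain-Admins
ts=2011-03-01T09:05:40 event=logon actor=svc_backup logon_type=batch host=bk01
ts=2011-03-01T22:14:03 event=logon actor=svc_backup logon_type=interactive host=ws117
ts=2011-03-01T22:16:27 event=acl_change actor=jdoe object=fs01:/finance/payroll grantee=jdoe rights=FullControl
this line is malformed and must be skipped
ts=2011-03-02T08:30:00 event=group_add actor=helpdesk1 target=asmith group=Sales-Users
ts=2011-03-02T10:00:00 event=acl_change actor=fsadmin object=fs01:/public grantee=Everyone rights=Read
"""


def parse_event(line):
    """Parse one key=value record; return None unless ts, event and actor exist."""
    fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
    if not {"ts", "event", "actor"} <= fields.keys():
        return None
    return fields


def classify(ev):
    """Return (precursor, detail) if the event matches a precursor, else None."""
    kind = ev["event"]
    # 1. Privilege escalation: membership added to a privileged group.
    if kind == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
        who = "self" if ev.get("target") == ev["actor"] else ev.get("target", "?")
        return "privilege_escalation", f"{who} added to {ev['group']}"
    # 2. Service account use: a service account logging on interactively.
    if (kind == "logon" and ev["actor"].startswith(SERVICE_PREFIX)
            and ev.get("logon_type") == "interactive"):
        return "service_account_use", f"interactive logon on {ev.get('host', '?')}"
    # 3. Changing access rights: self-grants, or broad rights on sensitive data.
    if kind == "acl_change":
        obj = ev.get("object", "")
        self_grant = ev.get("grantee") == ev["actor"]
        broad_on_sensitive = (ev.get("rights") in BROAD_RIGHTS
                              and obj.startswith(SENSITIVE_PREFIXES))
        if self_grant or broad_on_sensitive:
            return ("access_rights_change",
                    f"{ev.get('rights')} on {obj} for {ev.get('grantee')}")
    return None


def find_precursors(log_text):
    """Return a list of (ts, actor, precursor, detail) for matching records."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # malformed or incomplete record
        hit = classify(ev)
        if hit:
            findings.append((ev["ts"], ev["actor"], hit[0], hit[1]))
    return findings


def actors_with_multiple(findings):
    """Accounts showing more than one kind of precursor deserve review first."""
    by_actor = defaultdict(set)
    for _ts, actor, precursor, _detail in findings:
        by_actor[actor].add(precursor)
    return {a: kinds for a, kinds in by_actor.items() if len(kinds) > 1}


if __name__ == "__main__":
    results = find_precursors(SAMPLE_LOG)
    for ts, actor, precursor, detail in results:
        print(f"{ts} {actor:<12} {precursor:<22} {detail}")
    print("review first:", sorted(actors_with_multiple(results)))
```
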
The Business Problem
Critical enterprise data resides on numerous endpoint devices — enterprises are now looking for comprehensive data protection solutions
• Employee, Contractor, Partner
• Prospect List, Intellectual Property, Customer Credit Card Info., Social Security Numbers, Classified Information, Patient Records
• Airport, Internet Cafe, Home, Office, Site, Transit
How are you Keeping up with Changing Regulations?
Industry Regulations
• PCI DSS
 ▫ Visa Europe
• Sarbanes Oxley (SOX)
 ▫ EuroSOX - Directive 2006/43/EC
 ▫ Basel II - International Convergence of Capital Measurement and Capital Standards
US Federal Regulations
• HIPAA & The HITECH Act
• FISMA 2 (ICE)
• Data Breach Notification Act (S139)
• Data Accountability and Trust Act (HR 2221)
US State Regulations
• SB1386 (the first)
• 201 CMR 17 (one of the latest)
• NRS 603A (requires PCI DSS)
 ▫ >45 other State & US Jurisdiction Laws
Devices: CD/DVD, USB Memory Sticks, Smartphones & PDAs, Desktops, Laptops
Consider: Non-Compliance Costs
Ponemon Institute estimates $243 per victim for a first time data breach in its Fourth Annual US Cost of Data Breach Study published in January 2009. Gartner estimate: $160 per account in direct charges: legal expenses, professional fees; customer notification; embedded costs of cleanup and recovery, systems – Gartner G00162711

| Company | Accounts Impacted | Estimated Breach Cost |
|---|---|---|
| Health Net | 446k | $70 - $75 Million |
| MA Secretary of Commonwealth | 139k | $22 - $25 Million |
| AMR | 79k | $10 - $15 Million |
| Lincoln Medical & Mental Health | 130k | $15 - $20 Million |
| San Jose Medical | 110k | $12 - $17 Million |
| Boeing | 382k | $60 - $65 Million |
| ING | 13k | $1.5 - $2 Million |
| Fidelity | 196k | $31 - $36 Million |
| A4e | 24k | $3 - $4 Million |

Gartner Estimates: $160/account
Ponemon Estimates: $243/account

| Country | Avg. Cost per Record (USD) | Avg. Total Cost of a breach (USD) |
|---|---|---|
| Australia | 114 | 1.83 million |
| France | 119 | 2.53 million |
| Germany | 177 | 3.44 million |
| UK | 98 | 2.57 million |
| US | 204 | 6.75 million |
| Average | 142 | 3.43 million |

Other Costs:
- Reputation
- Brand
- Innovation
- Operations
- Personal Risks
How Encryption Can Help
A little help here, please...
How Encryption Can Help: Non-Malicious Incidents
Especially important to prevent accidental data breaches
Source: Ponemon Institute: "Cost of a lost laptop"
Role Of Encryption
• "Technologies such as encryption can be implemented to prevent such users from reading or modifying sensitive files to which they should not have access."
Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"
Should we encrypt the entire disk ?
• Everything needs to go through the encryption
• Overhead on every single read/write
• The system cannot boot up without password
• Password sync can be difficult
• NOT required for audit purposes
• NOT required for security
What are we encrypting with “full disk” encryption
[Pie chart of files on disk. Categories: OS, Program Files, Temp data, User Data. Slice labels: 10%, 40%, 15%, 20%]
What are they looking for?
Fixed drive
C:\documents and settings\username
C:\windows\system32\config\sam
C:\pagefile.sys
Removable drive
Any documents
Which encryption is best?
Full Disk Encryption
Complete encryption of hard disk, including boot and system files
Disadvantage:
• Encryption only on system level - no awareness of user or type of data
• Only available for Desktops and Laptops
• System administration significantly impacted
• No separation of system and security administration
• No protection against copy onto external media
File & Folder Encryption
Files and Folders specifically selected by the user are encrypted
Disadvantage:
• Security dependent on user behavior
• Temporary application files can leak information
• No central administration or key recovery
• Impossible to enforce or prove compliance
Data-Centric Encryption
• Data automatically encrypted based on policies
• Encryption awareness of users, groups, systems and data types
• System remains accessible for system administration
• Central Administration for all devices and storage media with automated key escrow for guaranteed recovery
• Automatic detection and enforced protection of external media
How should the protection work?
Fixed drive
• C:\documents and settings\username: file level user encryption, policy based
• C:\windows\system32\config\sam: tamper protection
• C:\pagefile.sys: system level encryption
Removable drive
• Policy based file level encryption
• Only encrypt what is important
• No user interaction required
The problem with iPads
• Top down enterprise adoption
• “New” platform
• Personal devices
The specs
• 256 bit AES*
• Local wipe
• Remote wipe
• VPN
• Code signing
• Passcode policies
*Not perfect
http://www.businesswire.com/news/home/20110209007321/en
The Challenges
• Top Down
• C-levels are the first to get the device
• Bypass normal testing and validation
• “Make it work” attitude
• Personal
• All I need to know is username/password
• Easy to discover settings even without auto discover
• Wipe
iOS is the target
iPhone, iPad share the same OS
Jailbreakers are doing all the work for other reasons
Most exciting new platform
Commonplace
Encryption?
• Rated at AES 256 bit
• Passcode does not relate to encryption
• The keychain is the key
• Email username/password
• VPN username/password
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
How to do it?
• Jailbreak
• Install ssh server
• Execute script that asks for the keychain info
• No reverse encryption necessary
• Just ask nicely
• Cannot be removed and broken, but just as easy to break on the device
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
What do we get?
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
How to protect Data
• The hard way
• Keep the data off the device*
• VDI
• Disallow Exchange activesync
• Disallow email syncing
*Not technologically difficult
How to protect Data
• The medium difficult way
• Allow data, but encrypt and secure access
• Insist on Exchange activesync
• Create policies
• Local wipe
• Remote wipe
• Local encryption
• Keeping device current
• VDI the very sensitive data
• Remote wipe means password reset
LANDesk MOBILE GUARDIAN Enterprise Edition
Secure and control data across all mobile and portable endpoints
▫ Device detection and enforced provisioning across all connections
▫ Local policy enforcement ensures data protection travels with the device at all times
▫ Scalable, single point of management and control for all platforms
▫ Leverages existing infrastructure for seamless integration
[Architecture diagram. Labels: Central Admin Console; Enterprise Server; Active Directory; Exchange Server with CMG OTA Sync Control; Existing Infrastructure; CMG Local Gatekeeper or Proxy Policy; CMG Policy Proxy; CMG Shielded Devices; Firewall; Internal Network; DMZ; Internet; Remote Network]
Primary objectives
1. Keeps your business out of the headlines and protects your brand by eliminating the need to notify customers/employees of lost or stolen data
2. Provides proof that a lost or stolen mobile device was encrypted to meet compliance requirements
3. Provides Maximum Security with Minimal Impact on operational processes and end users
Moving Out To The Cloud
• The Cloud makes the challenges of Insider Threat more complex:
• Increases complexity of quantifying risk
• Managing that risk
• Ensuring compliance
• Serves as a barrier to adoption of Cloud offerings
• These challenges exist for both private and public cloud infrastructures
Some Conclusions
• Insider incidents are often accidental
• In the event of an accidental disclosure, or malicious theft, encryption has been proven to reduce both risk and cost
Three important things to protect
• Data on the local HD
▫ Lost laptop scenario
▫ Policy based file encryption
▫ No user interaction
▫ User/system level keys
▫ Escrowed to server
• Removable media
▫ Malicious or not data removal
▫ Drive level encryption
• Tablets/Smart Phones
▫ Local Wipe
▫ Remote wipe (password reset)
▫ Insist on exchange activesync
Thank You!