
SANS ISC: InfoSec Handlers Diary Blog


Cyber Security Awareness Tip #14: Data Encryption

Published: 2007-10-14
Last Updated: 2007-10-15 00:32:59 UTC
by Deborah Hale (Version: 1)

Today’s Security Tip of the Day deals with a subject that is pretty abstract to most people.  Cryptography is referred to as the science of secret writing. This is not a new concept that came about with the development of the Internet.  Cryptography has been around for hundreds of years dating back to the days of the pyramids and the Ancient Egyptians. Today we use the concept introduced by them to develop a safe, secure method of communicating, exchanging and validating data between computer systems. 

Whether it is very sensitive information that needs to be transmitted via email, online financial or banking transactions, or any other data that you would rather not have the whole world knowing about, encryption can help you protect the data.  When email, data, etc. is transmitted via the Internet with no encryption, it is possible that someone could eavesdrop and intercept the communication.  Good encryption assures that the data remains intact and maintains the confidentiality, integrity, authentication and non-repudiation of the data received.

There are 3 general types of crypto algorithms:

 - Secret Key – Symmetric, containing single or 1-key encryption
 - Public Key – Asymmetric, containing dual or 2-key encryption
 - Hash – One-way transformation with no key encryption
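
What the key changes between the "Hash" and "Secret Key" categories above, shown for integrity checking: an unkeyed hash can be recomputed by anyone who alters the data, while a keyed tag cannot. This is an added example, not part of the original diary; the key, the message and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for this example only.
SHARED_KEY = b"constructed-demo-key"
MESSAGE = b"transfer 100 to account 12345"

def plain_hash(message: bytes) -> bytes:
    """'Hash' category: no key, so anyone can compute the same value."""
    return hashlib.sha256(message).digest()

def keyed_tag(message: bytes, key: bytes) -> bytes:
    """'Secret Key' category applied to integrity: HMAC-SHA256 needs the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def alter_in_transit(message: bytes):
    """Someone on the path without the key changes the data and recomputes
    the only check value they are able to produce: the unkeyed hash."""
    altered = message.replace(b"100", b"900")
    return altered, plain_hash(altered)

def receiver_checks(message: bytes, check_value: bytes, key: bytes) -> dict:
    """What the receiver concludes under each scheme (constant-time compares)."""
    return {
        "hash_accepts": hmac.compare_digest(plain_hash(message), check_value),
        "hmac_accepts": hmac.compare_digest(keyed_tag(message, key), check_value),
    }

if __name__ == "__main__":
    honest = keyed_tag(MESSAGE, SHARED_KEY)
    print("untouched message, HMAC tag:", receiver_checks(MESSAGE, honest, SHARED_KEY))
    altered, recomputed = alter_in_transit(MESSAGE)
    print("altered message, recomputed hash:", receiver_checks(altered, recomputed, SHARED_KEY))
```

A receiver that only compares an unkeyed hash accepts the altered message; one that verifies the HMAC rejects it.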

There are many different methods of data cryptography and a variety of vendors providing encryption software.  All of the encryption programs perform two distinct operations: Encryption, encoding the data in such a way as to conceal the information, and Decryption, the process of transforming the data back to its original form.

There are advantages and disadvantages to each and differing opinions of which is best and when each should be used, but most everyone agrees that encryption plays a crucial role in data protection.  And in most environments today you will see a mixture of algorithms in use.  Each situation has its own set of requirements.  In today’s world all Security Administrators and users need to be conscious of the significance of the data they are dealing with and the need to secure that data.  

Tell us what you think.  What, if anything, is your company doing?  Have a good program you are using?  Let us know.



A couple of responses that we received regarding encryption provide good insight into the use of Encryption. Here they are in part:


Email 1

From Lyal: Not all are right in every situation. We typically find our clients choose 2 or 3 of the above methods, just to ease deployment and ensure compatibility.

It doesn't look like open source crypto tools (and there are some good ones) are oriented towards server protection - they all operate in user land, or are oriented to personal key management, not dual control, split knowledge etc.  If they adopted StrongKey or similar, it'd be much easier in the corporate world.


From a reader that does not want their name published:

I look forward to seeing what comes of the proposed discussion about which crypto, SecKey/PubKey/Hash is "best."  

Me thinks the answer is none...  But that's only one dweeb's vote.  

What matters more to me is the context in which crypto is being used to protect data.  

When crypto is used there are several necessary bases that also need to be covered:  

1)  for data "on disk"
 - strong user authentication
   (for the obvious reasons, but also for granular,
   role-based access to encrypted assets)
 - full disk encryption  
   (strong FDE means you can Secure Delete by good key
   management and delete-by-destruction of keys, rather
   than resorting to DoD overwrites -- which isn't Good
   Enough for Top Secret or better;  more and more caches
   are being implemented as encrypted stores, with
   decryption occurring only as data moves into "volatile
 - folder/file encryption  
   (for granular, role-based access to sensitive/regulated
   assets on otherwise encrypted disks/partitions)
 - never store passwords on the devices to be protected
 - never store keys in-the-clear (store hashed keys,
   if they have to be stored on-device)  

2)  for data "in motion"
 - two-way authentication and two-way encryption on the
   ideally with unique *client* and "server" certificates
 - don't use known-to-be broken encryption (SSL1/2)

Most sensitive/proprietary/regulated data will require both sets of protection.  What useful data that resides on disk is not accessed over some kind of network as part of production???...  Almost none.  Yet both bases are rarely covered.  

Take away any one of these elements and the crypto effort will not be for much more than naught.  


Gartner has recently begun beating the drum that FDE, alone, Ain't Good Enough.  This after thoroughly trouncing F/FBE-only, for years, for inadequately protecting data.  

It takes both forms of "at-rest" crypto to significantly mitigate risks of data loss/leakage.  

Crypto also has to be *relatively painless* for the end-user to live/work with, otherwise there will be devastation from pilot error.  Single sign-on, and, for the vast majority, integration with Windows Active Directory, will have to play a role in easing some of the burden on end users.  

There is some cool stuff from Seagate (Momentus) and Wave Systems for integrating HW-based, managed FDE with Windows Authentication.  It's even cooler when there's TPM 1.2 to mash/mesh with.  I'm not the only one who thinks this stuff is good -- it's being fast-tracked for "Federal"-use approval, outside of FIPS.  

There's also some interesting use of crypto in VMware's ACE2, which isn't your mammy's or pappy's ACE1, that integrates slickly with Windows AD -- if you're thinking about leveraging managed desktop clients.  


Hashes bring up another problem...  

Has anyone figured out how to write "good" ones?  

The big problem with today's hashing algorithms is hash collisions.  It's an elephant in the room that most InfoSec practitioners simply ignore.  


TLS1.0/SSL3 is undergoing thorough analysis and attack.  
I keep hearing about side-band attacks, etc. that are
*almost* there, in terms of what White Hats know.  

What do we have waiting in the wings for when TLS1 is broken???...  

That day is coming...  and I, for one, don't know...  
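
The "data in motion" points from the reader's email above (two-way authentication with client and server certificates, no known-broken protocol versions) expressed as Python `ssl` server settings, with a weak context beside the corrected one and a check that tells them apart. This is an added example, not part of the diary or the email; the certificate paths and function names are hypothetical, and the TLS 1.2 floor is an assumption stricter than the SSL1/2 the email names.

```python
import ssl

def hardened_server_context(cert=None, key=None, client_ca=None):
    """Server context that requires a client certificate and TLS 1.2 or later.

    cert, key and client_ca are hypothetical PEM file paths; they are loaded
    only when given, so the settings can be inspected without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # excludes SSLv2/SSLv3 and early TLS
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake fails without a client cert
    if cert:
        ctx.load_cert_chain(cert, key)              # the server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca) # CA that issues the client certs
    return ctx

def permissive_server_context():
    """Weak counterpart: traffic is encrypted, but any client and the oldest
    protocol version the local OpenSSL build supports are accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return a list of findings for a server-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required: one-way authentication only")
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below TLS 1.2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("permissive", permissive_server_context())):
        print(name, audit_context(ctx) or "no findings")
```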


SANS Security Conference 2007 and ICE ICE Baby

Published: 2007-10-14
Last Updated: 2007-10-14 14:21:20 UTC
by Deborah Hale (Version: 1)

What a time I had in Las Vegas, outstanding.  I had the pleasure of attending my first SANS conference and meeting some of my fellow Handlers in the flesh.  All I can say is that neither SANS nor the “boys” disappointed me.  My extreme thanks to Dr Eric Cole for an incredible educational experience.  I took the SANS Essentials Bootcamp and let me just tell you, this is about as action packed a class as I have ever taken.  After returning home it took me several days to “wring this sponge” that I call my brain and begin to assimilate what I had learned.  Now I have turned my thoughts to studying so that I can take the test and make it official.

The culmination of this awesome week came on Friday night and Saturday morning.  There was a group of attendees that signed on for the first ever Integrated Cyber Exercise (ICE).  I have to say without a doubt that this was one of the most valuable “exercises” that I have ever participated in.  There were about 20 “players” in the game.  I was on the Defenders team (The Blue Team) and what a terrific team it was.  Among the team were Chris Hoke, Jeff Tchang, Amy Hagerman, Glenn "Blue 6" Larratt as well as some that wanted to remain anonymous.  Our job was to defend our little network against the “bad guys” that were attempting to attack us and break into our computers.  Our computers included Linux and Windows based OS, both servers and workstations. The players for the attack team were Joseph Bagdon, Brandon Greenwood, and some individuals that prefer to remain anonymous.  And of course we defenders had the deck stacked against us because the attackers (the Red Team) had a little help from some pretty powerful friends, namely my fearless instructor Dr Eric Cole, Tim Rosenburg from Whitewolf Security, the folks from F5 and Core Technologies.  The defenders used some pretty sophisticated tools to snoop on our network and figure out where our vulnerabilities lay and then unleash their evil on our network.

I have to say, my team – the Blue Team – did a fantastic job.  We were limited in the tools that we could use.  Basically the only tools we were allowed to use were the ones offered by default by the OS manufacturer. We were not allowed to install any patches or updates from the manufacturer and had no access to the Internet to download anything.  We could not plug in our thumb drives, use CD-ROMs, or any other extras.  And yet my awesome team was able to stave off our attackers within just a couple of hours.  We were feeling really proud of ourselves. Then the other shoe fell.  We had to leave the room to attend a “meeting” with management.  While we were out everything we had done was undone, and a bunch of programs, holes and such were installed on our machines.  We were in big trouble; they had us dead to rights.  I for one was a little irritated….  We had worked so hard and they got in anyway.  They had done a lot of damage and left a real mess behind.  They ended up, by Saturday morning, completely taking us over and we were done.

When I returned home, I started thinking about the exercise and what it really had taught me.  At first I felt that it was really unfair that they were able to come in and undo all that we had put in place to keep them out. They were allowed inside our network to do their dastardly deeds.   However, is that not what actually happens in the real world?  Just one user doing one stupid thing can open the door and undo everything that you have done to secure your network. And once the bad guys get in, it may be too late; it may take days to find them and lock them out again. This exercise led me to realize that this was just the tip of the iceberg and in the real world the frustration level will be much worse.

Some comments from other attendees:

Brandon Greenwood - I really enjoyed my experience as a part of the Red Cell and the ICE Games.  This was one of the most well put together exercises that I have been a part of.  From working directly with Eric Cole for the length of the games, the impromptu visit from some of the top SANS instructors, to being able to get some shop talk in with Tim Rosenberg and the White Wolf Security team I think allowed everyone to really take something positive away from the games and it made for an interesting time.  I plan on being back next year in either role as it was a positive experience.

Tim Rosenburg, Whitewolf Security - We consider the event a success and are working on ways to make it more spectator friendly.  We'd like to thank all who made it possible including SANS, F5, Core, Paul Asadoorian and of course the players.  We are looking forward to a bigger and better game next year and will incorporate VOIP and RFID and some more tricks up our sleeve.


I want to echo Tim and thank all of those who participated.  To Whitewolf Security, F5, SANS Institute -  Stephen Northcutt, Eric Cole,  Core and Pauldotcom, I want to give my heartfelt thanks for a tremendous experience. I highly recommend that all Computer Security personnel attend this event and I look forward to participating again in the future.
