The Desktop Files
How Not to Lose Your Data
Information yearns to be free. It doesn’t matter who you entrust it to or how hard you try to lock down those zeros and ones, they will always find the hole in the stack. Every day the news has reports of both minor and significant data losses. It’s ridiculous that important data is lost
so often, but the reality is that information is lost because people simply fail to protect it.
A year ago, I outlined "Ten Security Rules to Live By
". In this column, I’d like to focus specifically on steps you can take to secure your data. It’s rarely a simple task. The bigger your organization, the harder these steps are to complete. You’ll need to devote a significant amount of effort to these tasks; a large organization has the most to lose when critical data is compromised.
The truth is that data—customer or internal—should be treated in much the same way as you would handle medical waste. It should be:
- Handled with extreme care
- Stored and transported cautiously
- Not compromised during any step of the process
- Disposed of incredibly carefully
By following all of the safeguards I outline here, you will be well on your way to securing your data during its entire lifecycle.
Don’t Count on Policies or People
Many have referred to people as Layer 8 in the OSI (Open Systems Interconnection) model and in many ways, they are. Regrettably they are often the weakest link. Both your technically strongest and weakest users are always the ones poking at the edges of any infrastructure policy. The same holds true for data security. You should absolutely never rely on a policy as a key aspect of data security. People will break the policy—whether intentionally or inadvertently. You must put countermeasures in place in order to ensure that if the policy is compromised, the breach is properly logged or digital countermeasures will ensure that the data is not compromised.
The USB flash drive (UFD) is a device revered by the computing masses and much feared by many in the IT management world. The risk of data theft using UFDs is significant. But if you find yourself worrying that your data will just be walking out the door every time you see a UFD, then your data is not secure enough to begin with. CD-R media, Windows® PE boot CDs, network shares, and other small media types are all threats, and the truth is that if you are fighting piecemeal against a variety of media formats, you are probably fighting a losing battle. Don’t secure systems at the end of the pipeline where people connect to your infrastructure. Secure the data from the beginning. Of course you can’t secure everything, but the average organization can do much more than it is doing now.
Make protecting data a significant part of your work environment. Enforce the idea that everyone in your organization must treat data carefully. Only send e-mail messages and share documents that specifically say "OK to forward" and don’t disclose anything that should not be disclosed. As an IT professional, it’s your job to teach and enforce that behavior.
Limit Information Disclosure
With the prevalence of mobile computing, mobile devices need even more data security. If your organization deals primarily with Microsoft® Office documents, you should investigate Microsoft Office Information Rights Management (IRM) and Windows Rights Management Service (RMS) for your RMS-enabled Windows-based apps. With these technologies in place, users can only access data for which they have predetermined rights.
So often, e-mail marked "confidential" leaks out of the organization because someone thought the message significant enough to send on to a colleague, who then did the same. Figure 1 shows the message alerting the user to restricted content in Microsoft Outlook®, thanks to RMS.
Figure 1 Restricted permissions in e-mail (Click the image for a larger view)
Although RMS hasn’t completely alleviated the problem, it has made distributing restricted content far more difficult. A user who really wants to "liberate" RMS or other encrypted/secured data can still do so. Even if you securely encrypt your data, never forget "the analog hole"—the acquisition of sensitive data through nondigital means such as the capturing of information displayed on a monitor simply by using a camera. Even in a world with the new protected path in Windows Vista™, which guards data secured with Digital Rights Management (DRM) through to presentation on the screen, there is still a risk of data loss through analog means.
Pay attention to the actual machines where your data is stored. Should you really have a confidential customer database on a laptop or right at the front desk at your office? Such information should really be available only on a physically secured server (or desktop) located in a private area of the office, ideally stored in a tightly secured datacenter without a direct connection to the Internet. Here in Austin, Texas a laptop containing customer data was recently stolen from a local company. The laptop held patient medical data, Social Security numbers, and birthdates—all the key data points you’d need to steal someone’s identity. So why on earth was information this important stored on a poorly secured laptop? It should have been only available via a secure fat-client or Web application or on a server accessible via a Terminal Services or Citrix client. In an organization that should be following the HIPAA statute, the loss of data this significant is huge.
Usually, the password is the final security barrier. Unfortunately, users left to their own devices will cycle through passwords, reuse roots of already weak passwords, limit the complexity so they can remember them more easily, and even write them down in conspicuous places.
It’s very important that you establish password integrity measures, as well as two-factor authentication—measures that require a combination of password and another mechanism, such as a smart card, that results in authentication integrity even if the password itself is compromised.
Whether or not you employ multi-factor authentication, password integrity should be enforced using the following techniques:
- Limit the maximum duration of all user passwords, but use your judgment regarding this length of time. If the duration is too short, users will either forget their passwords or bypass security by writing them down. If it is set too long, the whole reason behind changing them at all becomes moot. Do not use the "Password Never Expires" option for any interactive account.
- Enforce password length and complexity so that users aren’t short-circuiting your security with weak passwords like the one in Figure 2. Don’t enforce integrity to the point that a user cannot remember the password, unless you are using multi-factor authentication. Otherwise, they’ll use the sticky-note method to remember passwords.
- Keep a password history—don’t let users recycle passwords they’ve already memorized and used for months.
- Prevent brute-force password attacks by limiting the number of failed attempts before an account lockout.
- Most importantly, educate your users about the significance of their credentials.
Figure 2 Poor password choice, even if you love your mother (Click the image for a larger view)
Password integrity and local authentication are critical but, of course, the data on the local system should still not be data you can’t afford to compromise unless it’s physically secured or encrypted. Passwords alone aren’t the solution. A user’s password is but a tool to ensure that attackers who want to compromise the direct interactive access to the system and aren’t willing to bring in tools cannot do so.
Critical data shouldn’t reside on a system that can be physically compromised or removed from the office. If you have systems that you are afraid might be compromised when someone boots into Windows PE and retrieves data, you have other problems; Windows PE is not the culprit. Instead, one or more of the following are true. Your systems are not properly physically secured. They’re secured, but you don’t trust the users who have access to them, your data is on a system that is not (or cannot be) physically secured, or the systems cannot be physically secured and you have not used volume encryption tools, such as the BitLocker™ feature in Windows Vista, to mitigate against physical compromise. (For more about BitLocker, see Byron Hynes’s article in this issue of TechNet Magazine.)
Think about which of your systems may be at risk. Can you physically secure them? Why not place them in a datacenter or some other area that has limited access? If that’s not possible, or if it’s a mobile system, do you use volume encryption software? If you can’t take any of these steps, either move the data to a system that can be secured or encrypt it. In the case of the stolen laptop previously mentioned, if the volume had been encrypted with a secure volume encryption tool, the data would have been almost completely safe from compromise.
Just because a system lives in a datacenter doesn’t mean it’s secure; if you’ve got a bunch of T1s out to the Internet, you’re still at risk. Internet access gets the bad guys one step closer to physical access, so carefully consider the threats posed against your systems. Consider moving them onto a separate segment of your network where you’ve at least got another level of network protection between the Internet and the systems being analyzed.
Data Risk Mitigation
Another security measure available to you is to give users access via applications or thin-client tools that isolate the data to a physically secure server. This may mean providing access via a VPN so users who are off-site can gain access. You should never let a user’s physical constraints dictate how data should be treated. Just because a user needs access, and he is in a location where broadband or other high-speed access is not available, doesn’t mean you should just move the data to a local instance on the user’s machine. If you absolutely cannot move the system and must keep it in an insecure location, again, secure the data using volume encryption.
You should be prepared for the possibility that, despite all your best efforts, someone will break into your system by removing the hard disk and placing it into another Windows system where the NTFS ACLs can be reset.
To prepare for this, use the volume encryption included with Windows Vista. For most other versions of Windows, there are many third-party tools available. They vary in complexity of use, as well as in their ability to perform full-volume encryption and/or encryption of individual files or directories as Encrypting File System (EFS) permits. If the volume is encrypted, the data will be protected against all but the most advanced thief.
Backup data must also be secured. Most people give two reasons for not backing-up their systems securely: encrypting at backup time takes too long and/or their backup software doesn’t support it.
But if you are backing up systems, and especially if you are following the best practice of taking the backups off-site, you must secure the data going into the backups. Either encrypt the data using EFS, if it’s available, or other volume encryption software (such as the BitLocker feature in Windows Vista or other third-party software), or purchase backup software that includes encryption capabilities and performs at an acceptable level. Just because data is somewhat obfuscated on a backup tape or chopped up in a disk-based backup solution doesn’t make it safe. Assume the transport mechanism itself will be compromised.
You must secure any data that is transported over the wire. Only use secure protocols to access the remote system. Use encrypted versions of protocols and always assume a man-in-the-middle (MITM) attack is probable. Don’t use weakly encrypted or unencrypted protocols, and if using encryption, don’t use a weak encryption length or algorithm. You or someone in your organization needs to understand all of the communication protocols and encryption algorithms being used inter-system in your infrastructure.
We’ve all heard stories of hard disks or other storage devices bought from eBay or the local flea market that were subjected to forensic software or even ordinary undelete utilities, thus revealing dark secrets—data that should have been wiped out completely before the drives were sold.
If you have UFDs in your organization, consider forced encryption utilities. Disks that contain high-risk data should be encrypted. Despite popular belief, I don’t agree that simply encrypting volumes before disposal is a safe way to dispose of disks. Remember that medical waste metaphor I mentioned earlier? Regard the data on these systems as hazardous waste, and secure data deletion utilities as the treatment. Use a data deletion tool that implements the DoD 5220.22-M specification, like Mark Russinovich’s SDelete
before releasing your disks and systems back into the wild for resale, or even before moving them around within your organization. Otherwise the next user becomes privy to all of the previous user’s data.
Last but not least, another key component of data security is auditing, and even threat-modeling, the lifecycle of data in your organization. Understand the weak points where your data can be leaked and watch those points carefully. Windows provides several built-in auditing tools. With auditing, however, you can easily run into data overflow. Make sure that you’re watching the right areas and that you are not being overrun with data. Watch for weak points and fill them in properly with good mitigation—don’t spackle the data dam with hacks. Also ensure that your users are properly educated about how to treat data. They are the critical link at so many levels in your organization. You’ll find more guidance in the "Additional Resources" sidebar. Don’t forget to follow all the suggestions outlined here; you’ll sleep better at night if you do.
Wes Miller is a Development Manager at Pluck (www.pluck.com) in Austin, Texas. Previously, he worked at Winternals Software in Austin and at Microsoft as a Program Manager and Product Manager for Windows. Wes can be reached at firstname.lastname@example.org.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited