7/22/08 - Disk Encryption Hacked, Awareness most Critical Security Layer
An update from the Ministry of Defence reports that "One laptop is lost every two days by the Ministry of Defence (MoD) with 659 reported stolen and 89 lost by the department in the past four years." Full disk encryption has been considered a saving grace for the issue of lost laptops and other portable storage devices. Now consider the impact of the recent cold boot attack that enables a "means to circumvent disk encryption simply by powering off a target machine." Implementing technical layers of defense is an important component of any information security program, but it pales in comparison to effective information security awareness training and properly implemented information security policies and procedures. Read the complete commentary below:

The Ministry of Defense loses one laptop every 4 days
"One laptop is lost every two days by the Ministry of Defence (MoD) with 659 reported stolen and 89 lost by the department in the past four years."

Now, consider this:

Researchers release 'cold boot' attack utilities
"The security researcher who demonstrated the 'cold boot' attack has released the source code for the hack. The attack, first demonstrated in February, uses a set of utilities to lift crypto keys from memory even after a reboot."

"A boon for hackers and computer forensics experts alike, the approach created a means to circumvent disk encryption simply by powering off a target machine which has been left hibernating or screen-locked, and quickly re-booting it to an external hard drive loaded with customised software."

Layers of information security are critical. Information Assurance (IA) experts know this. This is why we implement laptop security mechanisms such as fingerprint readers, anti-virus, HIPS, Secure VPN, Secure Tokens, GPS tracking and recovery, and disk encryption. We also spend time creating policies and procedures to lock down the OS, create secure group policies, and perform frequent patch management.

Even with all these layers, the physical loss of a laptop can be detrimental. Many laptops store confidential information (government, military, or private sector) critical to the information security of an organization. The loss and subsequent compromise of a laptop may lead to incalculable losses. For this reason, many individuals have viewed laptop encryption as a saving grace against the stomach-twisting thought of a lost laptop, at least until now.

The need to educate employees on secure handling practices of critical organizational resources such as laptops is paramount to the information assurance of an organization and likely to be the most critical layer of security. As we have seen over and over again, the human element can be the strongest or weakest link in an organization's information security program.

Properly training employees on the criticality of the resources in their possession is crucial. The value of a well-informed employee versus that of an ill-informed employee is substantial. Through the use of a comprehensive information security awareness program and information security policies and procedures, an organization can greatly reduce the liability presented by the human element of information security and swing the Information Assurance pendulum in the opposite direction.

As the old saying goes, a chain is only as strong as its weakest link. How strong are the links in your Information Assurance chain?

Daniel I. Didier - Information Assurance / Information Security Consultant

Information Systems Security (INFOSEC) Professional
Cisco Certified Security Professional CCSP
Cisco Technology Solution Specialist TSS
Cisco Advanced Security Field Specialist ASFE
Cisco Certified Network Administrator CCNA



NetSecureIA
Secure Network Design and Information Assurance Consulting