Posted on 17-Jan-2016

ITSS 2015

ITSS 2015: Encryption

Edward Carter, Manager, Architecture and Response

Stephen Hoffer, Senior Information Security Analyst

Haley Baker, Associate Information Security Analyst

Ohio University

Information Security Goals

• C-I-A Triad
  • Confidentiality: keep private information protected from unauthorized access (encryption)
  • Integrity: ensure information is protected from unauthorized changes (hashing)
  • Availability: ensure information is accessible to authorized entities

What is encryption?

• Encryption: transform data to keep it secret from unauthorized parties
  • Asymmetric-key, symmetric-key
• Encoding: transform data so it can be used by a different system
  • Base64, ASCII, EBCDIC, Unicode
• Hashing: transform data to ensure the message contents haven’t changed
  • MD5, SHA1, RIPEMD

Why do we encrypt?

• Protect data
  • At rest: data stored on media (USB drive, disk, tape, etc.)
  • In transit: communications over a network between systems
• Regulations/compliance
  • HIPAA/HITECH (health-care industry)
  • FERPA (education)
  • PCI-DSS (payment-card industry)
  • PII (personally identifiable information)
  • Auditors
• Personal choice
• Policy

Ohio University Policy

• 93.001: Data Classification
  • https://www.ohio.edu/policy/93-001.html
  • “This policy establishes that all information assets will be classified according to their confidentiality, integrity and availability. This policy sets forth procedures based on those classifications so that the University can protect each asset in an appropriate manner.” (emphasis added)

Where is it used?

• Application layer
  • SSH
  • S/MIME
  • TDE
  • Adobe
  • Microsoft Office
  • Identity Finder
• “Network” layers
  • SSL/TLS
  • IPSec/L2TP
  • PPTP

Where is it used?

• Volume-based (disk)
  • BitLocker
  • FileVault
  • VeraCrypt/CipherShed
  • dm-crypt
• File-based (disk)
  • EFS
  • PGP/GPG

How do we encrypt disks?

• Operating system “built-in”
  • BitLocker
  • EFS
  • FileVault
• Open source
  • VeraCrypt/CipherShed
  • GPG
  • dm-crypt
• Commercial
  • Symantec Endpoint Encryption (PGP)
  • Sophos SafeGuard
  • Trend Micro Endpoint Encryption

Windows

• BitLocker / BitLocker To Go
  • Windows 7 (Ent/Ult), Windows 8/8.1/10 (Pro/Ent), Server 2008+
  • BitLocker cmdlets in PowerShell
  • Diskpart.exe
  • Disk Management MMC

Mac OS X

• FileVault / FileVault 2

Linux

• dm-crypt

What about the keys?

• BitLocker key management
  • MBAM (Microsoft BitLocker Administration and Monitoring)
  • Recovery key
    • Store in AD or file
    • GPO change required
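The recovery-key escrow step above, shown with the BitLocker PowerShell cmdlets the Windows slide refers to. This is an added example, not part of the ITSS 2015 presentation or an Ohio University script; it assumes an elevated session on a domain-joined host where the GPO that allows BitLocker recovery information to be stored in AD DS is already in effect.

```powershell
# Added example (not from the ITSS 2015 slides): report BitLocker state for every
# volume and, on request, escrow each recovery password to Active Directory.
# Assumes an elevated, domain-joined session with the AD DS recovery-info GPO applied.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
function Invoke-BitLockerRecoveryEscrow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$BackupToAD   # without this switch the function only reports
    )
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $report = [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus    # On or Off
            EncryptionMethod  = $vol.EncryptionMethod
            RecoveryProtector = ($recovery.Count -gt 0)
            EscrowedToAD      = $false
        }
        # An unencrypted volume has nothing to escrow; just report it.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { $report; continue }
        # Without a recovery password protector the volume cannot be recovered when the
        # TPM/PIN path fails (firmware update, board swap). Adding one re-encrypts nothing.
        if ($recovery.Count -eq 0 -and
            $PSCmdlet.ShouldProcess($vol.MountPoint, 'Add RecoveryPassword protector')) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $recovery = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                          Where-Object KeyProtectorType -eq 'RecoveryPassword')
            $report.RecoveryProtector = ($recovery.Count -gt 0)
        }
        # Escrow: Backup-BitLockerKeyProtector writes the recovery password to the computer
        # object in AD DS; it fails when the GPO named above is not in effect.
        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                if ($PSCmdlet.ShouldProcess($vol.MountPoint, "Escrow protector $($kp.KeyProtectorId) to AD")) {
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                    $report.EscrowedToAD = $true
                }
            }
        }
        $report
    }
}
# Report only; add -BackupToAD to escrow, and -WhatIf to preview the actions first.
Invoke-BitLockerRecoveryEscrow | Format-Table -AutoSize
```

Volumes that report RecoveryProtector as False or EscrowedToAD as False after a -BackupToAD run are the ones a lost-device or failed-TPM scenario would leave unrecoverable, so they are the audit finding to chase.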

What about the keys?

• FileVault 2
  • Casper
  • Cauliflower Vest
  • Crypt
  • Institutional Recovery Key (https://support.apple.com/en-us/HT202385)
• Commercial applications
  • Sophos SafeGuard, Trend Micro, WinMagic (all support key escrow in Windows and Mac OS X)
• Network-share encryption (PGP)

Encrypting is all good, isn’t it?

• Benefits
  • Many breach laws include a “Safe Harbor” provision
  • Lost/stolen devices
• Limitations
  • Key management
  • Conversion can be difficult
  • Not a panacea
    • Data in memory is unencrypted
    • Malware can still access that data
    • Entire drive may not be encrypted
    • Cold-boot attack
  • Corruption – please back up your data
    • Please back up your data (repeated on the slide for emphasis)

Questions?

• Please back up your data BEFORE encrypting it
• Please perform regular backups of your data
• Please test restoring from the backup
• OIT Security Office contact / incident reporting
  • 740-566-SAFE (7233)
  • security@ohio.edu