Friday Summary - June 5, 2009By Adrian Lane
If you have ever listened to Rich or myself present on data centric security or endpoint encryption, we typically end by saying “Encrypt your freakin’ laptops.” It works. The performance is not terrible and it’s pretty much “set and forget”. We should also throw in “Encrypt your freakin’ USB keys” as well. The devices are lost on a regular basis and still very few have encrypted data on them. I confess that I am fairly lazy and have not been doing this, but started to look into encryption when I realized that I had brought a stick with me to Boston that had a bunch of sensitive stuff I was moving between computers and forgot to delete … oops. I am not different than anyone else in that I am not really interested in taking on more work if I can avoid it, but as I am moving documents I do not want public, I looked into solving this security gap. While at RSA I dropped by the IronKey booth; in nutshell, they sell USB sticks with hardware encryption. After a product demo I was provided a 1gb version to sample, which I finally unpacked this morning and put to use. This is a dead simple way to have USB files encrypted without much thought, so I am pretty happy moving the stuff I travel with onto this device.
A few years back at the IT Security Entrepreneurs’ Forum at Stanford, I ran into Dave Jevans. He had just started IronKey and was there trying to raise capital. At the time this seemed a tremendous idea: USB keys were ubiquitous and were quickly supplanting writable CDs & DVDs as the portable media of choice. Everyone I knew was carrying a USB stick on their keychain or in their backpack. And subsequently they were lost and stolen at an alarming rate along with all the data they contained. It had been three years or so since I had spoken to anyone at the company, so I wanted to catch up on new product developments. I am not going to provide a meaningful analysis of the hardware security implementation as this is beyond my skill set, but there were a couple of advancements in the product for browser safety and data usage policy enforcement that I was unaware of, so I wanted to share some comments.
The key has hardware encryption, so all files are stored encrypted. It provides an authentication interface and credentials need to be established before the device is usable. IronKey has added anti-malware to detect malicious content, but given that more dedicated appliances still fail in this area, the capability is not going to be cutting edge. The advancements I was not aware of were strong password enforcement, remote administration, and the ability to destroy the device in the event that certain access policies are violated. This prevents an attacker from trying indefinitely to gain access, and allows for policies to be adjusted per company, per users. The first idea that hit me is that this is a natural to leverage the encryption capabilities of the memory stick with DLP in a corporate environment. Use DLP to detect the endpoint device and allow data to be copied to the USB device when the device is trusted. This is very much in line with a data centric security model – where you define the actions that are allowed on the data, and where the data is allowed to go, and do not allow it to be in the clear anywhere else. I am not aware of anyone doing this today, but it would make sense from a corporate IT standpoint and would make an effective pairing.
The second concept pushed during the demo was the idea of putting a stripped down and trustworthy version of Firefox onto the IronKey. They are touting the ability to have a mini-mobile safe harbor for your data and browser. Philosophically speaking, this sounds like a good idea. Say I am using someone else’s computer: invariably they have IE, which I do not want to use, and the basic security of the computer is questionable as well. So I could plug in the memory stick and run a trusted copy of Firefox from wherever. Neat idea. But from my perspective, this does not seem like a valid use case. Even today I am going to have my laptop, and I just want an Internet connection. With EVDO, MiFi and the surge of mobile computing, do I really need a memory stick to do this for me? If I have a browser on my iPhone or Blackberry, what’s the point? Endpoint devices come and go with the same regularity as women’s fashions, and I wonder what the real market opportunity for this type of technology is in the long run. While it appears to be good security, the medium itself may be irrelevant. One thought is to embed this technology into mobile computing devices so that the information is protected if lost or stolen. If they could do that, it would be a big advancement over the security offered today. With the ability to provide user authentication, and destroy the data in the event that the unit is lost or the security policies are violated, I would have a much more secure mobile device.
Anyway, very cool product, but not sure where the company goes from here.
Oh, I also wanted to make one additional reminder: Project Quant Survey is up. Yeah, I know it’s SurveyMonkey, and yeah, I know everyone bombards you with surveys, but this is pretty short and the results will be open to everyone.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich’s Macworld article on Apple, Mac security and responsibility.
- Rich with Dennis Fisher on the ThreatPost podcast
- Rich with Bill Brenner of CSO on DLP
- Rich’s TidBITS article on 5 Ways Apple Can Improve Mac and iPhone Security
- Rich and Martin on The Network Security Podcast
Favorite Securosis Posts
- Rich: The State of Web Application and Data Security.
- Adrian: Technically not a Securosis post, but I thought this analysis was stellar.
Other Securosis Posts
- Hackers 1, Marketing 0
- Introduction to Database Encryption: The Reboot!
- 5 Ways Apple Can Improve Their Security Program
- Project Quant Patch Management Survey
- Boaz Nails It - The Encryption Dilema
- Piracy Fighting Dog FUD
- Macworld: The Truth About Apple Security
- How Market Forces Can Fix PCI
Favorite Outside Posts
- Adrian: Jeremiah Grossman provides a very level-headed analysis of Vulnerability Disclosure.
- Rich: Boaz’s post on The Encryption Myth.
Top News and Posts
- Underground Intrigue.
- A bit older, but really good
- Who doesn’t love color scales?
- I have lock picks and bump keys, but nothing like this! Fascinating read and a great physical security parallel to what we see with data security.
- Aetna breach
- Mike Andrews in response to our State of Security post.
- These speak for themselves.
- Mandatory encryption reading.
- Bad news for consumers
- White House cybersecurity review
- Interesting UTM Review. Once you get past your initial shock at the poor anti-malware performance, you see how the other variables come into play in the selection process.
- Data Domain is popular. Very popular.
- Nice perspective on the attack vector lifecycle also by Jeremiah.
- Suspected Malware Hub Takedown
- Not security related, but Intel buying real-time OS provider Wind River Systems has very interesting implications for the mobile computing space. Most are not aware that WRS is working on Android.
- Informative post on using Metasploit Libraries.
Blog Comment of the Week
This week’s best comment was LonerVamp’s response to the State of Web Application and Data Security post:
Excellent information in that post!
Rich, have you been encouraged by the tone of those you’ve talked to regarding their WAF setups? I am not surprised by the larger number of WAF deployments (dropping in an appliance certainly seems easier!), but I’m curious how many really think they’re being effective. I’m not as big a skeptic as dre (hi!), but I realistically think deployment out of band and lots of false positives leave them doing absolutely nothing. I also wonder how many are deployed with nothing but a handful of basic triggers that are just default examples.
This would be the equivalent of deploying an ANY/ANY firewall 15 years ago just to say you have a firewall. Technically, you do have one. Technically, you might even be set up to look at the alerts, but because it detects nothing, it does nothing.