IT Compliance and Controls

Converging Business, Information, and Controls


Challenge base assumptions, such as pre-boot passwords, disk encryption, and their necessity

August 8th, 2011 · No Comments

When pre-boot authentication is not a safeguard … how does that change the risk landscape, the assumptions on other controls, and user behaviors?

DEFCON 16 had a presentation on “Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)”.  It is available for free on Slideshare.  I recently revisited it during some emerging convergence-risk research, and the impact affected me differently this time.  The presentation is quite technical, but what it shares is that bypassing BitLocker and similar boot passwords has been possible for 25+ years, more so on Microsoft than *nix, and it can be executed remotely too.  I would encourage reviewing the presentation, but caution that it is technical.  I also welcome any updated research in this field.

My analysis of how this can impact organizations and their information security programs is captured below, mainly as challenge statements.  Many financial, training, operational, and risk assumptions require review (as is good practice annually).

Do people drive faster with seat belts on, because they can handle a harder impact with such protections?  Do users carry more sensitive data, or are they more casual about the physical security of their machines, when they are trained that ‘full disk encryption will save them’?  (Or maybe users feel secure online because there are passwords.)

If these protections only protect against accidental discovery and recovery (think petty criminals and exploits of opportunity), what is the percentage effectiveness of such safeguards?  Not all machines hold the data most sought by those trained to bypass these pre-boot safeguards, so deciding which ones should have priority is vital.  This establishes a need for a program approach: not a single golden technology bullet, but safeguards that escalate progressively with the risks presented…

A rough approach:

  1. Define what is sensitive data to the organization.  (Under ISO 27001 practices this takes input from external parties, business owners, contracts, and all facets of the organization.)
  2. Eliminate and contain sensitive information.  Logically, once we know what to protect it is a matter of finding where it is transmitted and stored, then eliminating it to the maximum degree.
  3. Then process and technology controls come into the conversation.  This is the step where full disk boot encryption has become the de facto standard in some organizations.  As an alternative, what if there were an escalated set of safeguards applied to users based on their access?  This could mean that perhaps < 50% of the population would require full disk encryption, among many other per-device licensed technologies.  As the sensitivity, volume, and impact values of the data increase, the process and technology safeguards escalate respectively.  This would include training the end-users, and priority support teams to handle these top-tier system end-users.  So, executives with highly scored assets would have extreme safeguards, while those without would have lesser safeguards.
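The three steps above, carried through as a small scoring model.  This is an added example and not code from the post or any product it mentions; the sensitivity ranks, volume buckets, role impact factors, tier boundaries, the per-tier safeguard lists and the fleet inventory are all assumptions constructed for the illustration.  It shows why step 2 matters: removing an unneeded copy of confidential data drops a device out of the full-disk-encryption population before any licence is bought.

```python
"""Risk-tiered endpoint safeguards: constructed example, not the post's own method."""
from dataclasses import dataclass

# Step 1 input: the organisation's data classification (rank values are assumptions)
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Impact factor by the device owner's role (assumption for this example)
ROLE_IMPACT = {"staff": 1, "manager": 1, "executive": 2}

# Safeguard sets per tier; boundaries and lists are assumptions, ordered highest first
TIERS = [  # (minimum score, tier name, safeguards)
    (9, "tier 3", ["full disk encryption", "end-user handling training",
                   "priority support team", "local data minimisation review"]),
    (4, "tier 2", ["full disk encryption", "end-user handling training"]),
    (1, "tier 1", ["full disk encryption"]),
    (0, "tier 0", ["baseline controls only"]),
]


@dataclass
class DataStore:
    name: str
    sensitivity: str
    records: int
    required: bool  # does the business process actually need this copy on this device?


@dataclass
class Device:
    device_id: str
    owner_role: str
    stores: list


def volume_weight(records: int) -> int:
    """Bucket record counts so volume scales the score (bucket edges are assumptions)."""
    if records < 100:
        return 1
    if records < 10_000:
        return 2
    if records < 1_000_000:
        return 3
    return 4


def eliminate(device: Device) -> list:
    """Step 2: drop non-public copies the process does not need; return what was removed."""
    kept, removed = [], []
    for store in device.stores:
        if SENSITIVITY[store.sensitivity] > 0 and not store.required:
            removed.append(store)
        else:
            kept.append(store)
    device.stores = kept
    return removed


def risk_score(device: Device) -> int:
    """Worst remaining store (sensitivity x volume), scaled by the owner's impact factor."""
    if not device.stores:
        return 0
    worst = max(SENSITIVITY[s.sensitivity] * volume_weight(s.records) for s in device.stores)
    return worst * ROLE_IMPACT.get(device.owner_role, 1)


def assign_tier(score: int):
    """Map a score to the first tier whose minimum it reaches."""
    for minimum, name, safeguards in TIERS:
        if score >= minimum:
            return name, safeguards
    return TIERS[-1][1], TIERS[-1][2]


def plan(devices: list) -> dict:
    """Step 3: eliminate, score and tier every device; report the share needing FDE."""
    result = {}
    for device in devices:
        eliminate(device)
        score = risk_score(device)
        name, safeguards = assign_tier(score)
        result[device.device_id] = {"score": score, "tier": name, "safeguards": safeguards}
    needs_fde = sum("full disk encryption" in v["safeguards"] for v in result.values())
    result["fde_share"] = needs_fde / len(devices) if devices else 0.0
    return result


# Constructed fleet inventory (not real devices or data)
FLEET = [
    Device("LT-001", "executive", [DataStore("board pack", "restricted", 500, True)]),
    Device("LT-002", "staff", [DataStore("customer export", "confidential", 20_000, False),
                               DataStore("brochures", "public", 40, True)]),
    Device("LT-003", "staff", [DataStore("brochures", "public", 10, True)]),
    Device("LT-004", "manager", [DataStore("hr records", "restricted", 2_000, True)]),
]

if __name__ == "__main__":
    for device_id, outcome in plan(FLEET).items():
        print(device_id, outcome)
```

On this fleet only two of four devices end up needing full disk encryption: the executive's laptop lands in the top tier with training and priority support, the manager's HR records put that machine in tier 2, and the staff laptop holding an unneeded customer export drops to the baseline once that copy is eliminated.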

This would ensure in both policy and practice that sensitive data is safeguarded in a manner conducive to sustainable practices, both financially and emotionally, for the organization and its users.

Other thoughts?

James DeLuccia
