▶ 9.1 Securing a Volume
When we examined file systems, Eve had asked to borrow a USB drive from which all data had been deleted (Section 5.1). Eve could have tried to recover private bookkeeping files from the drive. We can avoid such risks and protect everything on the drive, including the boot blocks, directory entries, and free space, if we encrypt the entire drive volume.
The word volume refers to a persistent storage area that contains its own file system. The volume may reside on any physical device with storage: a hard drive, a solid-state drive, a smartphone, or another mobile device. A device may often contain two or more volumes, each in a separate storage partition. If the system “sees” the volume as a single random-access storage device, then we can protect it all by encrypting it all. We sometimes call this full-disk encryption (FDE) because we often apply it to hard drives, but it applies to any mass storage volume (FIGURE 9.1).
FIGURE 9.1 A hard drive volume with full-disk encryption.
File encryption lets us protect individual files from a strong threat. If we encrypt a particular file, then attackers aren’t likely to retrieve its contents, except in two cases. First, there is the file-scavenging problem noted previously. Second, people often forget things, and file encryption is a forgettable task.
In many cases, sensitive data is vulnerable simply because nobody bothered to encrypt it. Even when users encrypt some of their data files, it’s not likely that they have encrypted all of their sensitive files. It is challenging to identify the files at risk and to remember which ones to encrypt.
The principal benefit of encrypting a whole volume is that the encryption takes place automatically. When we plug in a removable encrypted drive or we start up the operating system, the drive encryption system retrieves the volume’s encryption keys and mounts the volume. If the keys aren’t available, then the volume can’t be used. Once the volume is mounted, the data is encrypted and decrypted automatically. The user doesn’t need to decide which files to encrypt. In fact, the user doesn’t even have the choice of saving a plaintext file; everything on the volume is encrypted, including the directories and free space.
Volume encryption is convenient, but it doesn’t solve every security problem. For example, it protects Bob if the attacker physically opens up his tower computer and connects directly to his hard drive. Disk encryption does not protect Bob from a Trojan program that copies files to a separate, unencrypted storage device, like a USB stick.
To put volume encryption in context with other security measures, we look at risks and policy trade-offs. First, we will look at risks facing an unencrypted volume. Next, we look at policy trade-offs between volume encryption, file encryption, and file-based access control.
9.1.1 Risks to Volumes
There are three general risks we address with volume encryption:
User loses the device
Eavesdropper looks at the volume without the operating system in place
User discards a device without wiping it
Lost Device
The first risk is everyone’s worst-case scenario: Our computer is stolen. Laptops especially seem likely to “sprout legs and walk away.” While our first worry might be the cost of replacing the laptop, many people also worry about identity theft. Some thieves exploit the data stored on the hard drive to masquerade as the laptop’s owner. Identity theft is a booming business, and personal computers often contain extensive financial records and lists of online passwords.
The theft risk poses even greater problems for large organizations. A stolen laptop may contain large databases of sensitive information about customers. According to statistics collected for the first half of 2009, there were 19 incidents in the United States where a misplaced or stolen laptop placed databases at risk. The incidents involved private companies, schools, hospitals, and government agencies at all levels. The smallest data loss involved 50 personal records, while one incident involved more than a million records.
If a stolen computer contains a customer database, many companies are legally required to contact all affected customers and warn them that their information may have been stolen. If the database includes credit card numbers or Social Security numbers, then the company may need to provide some defense against identity theft.
Eavesdropping
The eavesdropping attack vector arises if we can’t always keep our drive physically safe or under appropriate software protection. When Bob and Alice started using file encryption, they decided to keep the encrypted file on a shared USB drive. Because the file was encrypted, they assumed it was safe from eavesdropping. For convenience, they left it on the bulletin board in their suite.
This attack vector poses a risk even if we don’t share a drive on a bulletin board. If we back up the data to a separate drive, we need to physically protect the backup drive. If attackers have physical access to our computer, then we can try to protect our data by protecting our Chain of Control; we can disable booting of other drives and enable file protections. However, these defenses don’t protect us if the attacker cracks open the computer’s case. An attacker can bypass any BIOS or operating system by connecting the drive to a different motherboard.
Discarded Hard Drives
When we upgrade our devices, we usually acquire new storage. We copy our data from our old storage volumes. The old devices disappear along with their storage volumes. What happens to our sensitive data?
Modern mobile devices often have mechanisms to erase all personal data when the owner turns in, donates, or discards the equipment. Smartphones and other mobile devices typically use flash storage, which is hard to erase reliably. (See Section 7.4.3.)
Drive erasure has long posed a challenge for desktop computers. Research at MIT by Simson Garfinkel in the 2000s found that many companies and individuals were selling or discarding computers without properly erasing the hard drives. The researchers found that most people took very simple steps to “clean” their drive of data before passing the computer onto the next owner. Using “undelete” programs and other file-recovery tools, researchers were able to recover numerous personal and business files.
There are four strategies for cleaning a hard drive of personal data:
Delete personal files and “empty the trash.”
Reformat the hard drive.
Run a “disk wipe” program.
Physically damage the hard drive so that it can’t be read.
The first two strategies yield similar results. As noted earlier, files continue to exist in a ghostly form after they have been deleted. The same is true for reformatting. When we reformat a drive, especially a “quick format,” we just rewrite the first few blocks of the hard drive with a new directory that contains no files. Disk-recovery software looks at the other blocks on the disk and tries to reconstruct the previous directories. The attempt often succeeds. Once the directories are restored, the software recovers as many files as possible.
Either of the last two strategies may eliminate the risk of recovered files. We examined disk wiping as part of encrypting a file in Section 7.4.3, but there are also utility programs that wipe a drive by overwriting every one of its blocks. Some hard drives have a built-in mechanism to wipe the drive, but these mechanisms are rarely evaluated for effectiveness. Even with the built-in wipe, an attacker might be able to retrieve data.
Note that it may be challenging to physically destroy a modern hard drive. The major components are metal and are assembled to operate at very high rotational speeds. For all but the more extreme threats, we render the data irrecoverable if we open the drive case and remove all of the drive’s read/write heads.
9.1.2 Risks and Policy Trade-Offs
FDE clearly protects against scavenging data from an unprotected hard drive. However, just as file encryption was no cure-all, drive encryption doesn’t guarantee our safety. Depending on the risks, we may need one or the other or both.
Just because some risks call for one type of encryption or another does not mean that the encryption solves our problems. Encryption introduces practical problems, especially with respect to key handling.
At this point we have three practical security measures: access controls enforced by the operating system, file encryption using an application program, and drive encryption. We can implement all three, or some combination, depending on the risks. TABLE 9.1 summarizes the individual alternatives.
TABLE 9.1 Effectiveness of Access Control and Encryption |
|---|
|
Table 9.1 answers the following questions about whether the particular security measure protects against the particular risk:
Hostile users. Does it protect against hostile logged-in users trying to steal information from other users on the computer?
Trojans. Does it protect against data leaking through Trojan horse applications?
Trojan crypto. Does it protect against Trojan software embedded in the crypto software?
External files. Does it protect files that we copy onto removable storage and carry to other computers?
Lost control. If attackers take physical control of the computer and physically disassemble it to attack the hard drive, do we have any protection?
Theft. This is the ultimate case of lost control. Do our files remain protected?
Recycling. When we want to sell, discard, or recycle the drive, do our files remain protected so that a scavenger or new owner can’t recover them?
Access control clearly plays a role in computers where we have to protect data against hostile users. We also could use file encryption as an alternative to access control. This isn’t a good idea in practice. We can protect files with encryption only if we always remember to encrypt them. People often forget to do such things and leave information unprotected. Users must also completely erase all plaintext copies of the sensitive data. This is very hard to ensure.
Moreover, we can’t use file encryption to protect critical operating system files or even our application programs. If the operating system doesn’t provide access controls, then there’s no way to prevent someone from installing a Trojan inside our file encryption software.
Volume encryption provides no real protection against hostile users or Trojans. If the hostile users are on the encrypted system, then they are inside the boundary protected by the encryption. They see everything as plaintext anyway. If the access control doesn’t restrict hostile users, then volume encryption won’t improve matters.
Volume encryption becomes important when we risk losing control of our storage device. Clearly, access control gives little protection if the attacker uses a different operating system or special software to retrieve data from a hard drive. File encryption may protect the encrypted files, but risks remain: We might have forgotten to encrypt a critical file, and there are still risks of scavenging information from scratch files.
Identifying Critical Data
There are several ways to identify critical data. In some cases, we already know which files we need to protect and which aren’t important. However, it’s best to develop policy statements that help define critical data.
For example, if we handle information that others deem sensitive (like credit card numbers, health information, or proprietary information), we are obliged to safeguard it. In some cases, there are specific security measures we must use. In all cases, however, we need a way to tell which files might contain the sensitive information so that we may protect those files.
Critical data should always be marked as such. We should clearly distinguish between critical and noncritical data. This makes it easier to ensure that we adequately protect critical data. For example, we may restrict critical data to specific folders or to folders with particular names.
We also may put readable markings in documents to remind us that they contain sensitive information. For example, government agencies routinely put classification markings or other warnings about restricted distribution in the document’s page header and/or footer. Law firms may do this for documents that are restricted according to judicial orders. Many companies systematically mark all proprietary information.
We also should physically mark any removable storage volumes that might contain sensitive or critical information. Even if the volume is encrypted, it is essential to be able to tell easily whether sensitive information should—or should not—be stored on a particular volume.
Policy for Unencrypted Volumes
If an unencrypted volume contains data we can’t afford to leak, then we must guarantee its physical protection. It is very hard to guarantee such protection in practice. We often need to leave hardware unattended, even laptops. This opens the risk of a peeping Tom, even if we aren’t risking theft. If we don’t encrypt the drive and we store sensitive information on it, then we need the policy statements shown in TABLE 9.2.
TABLE 9.2 Policy Statements for an Unencrypted Volume |
||
|---|---|---|
| Number | Policy Statement | Risks |
| 1 | The mass storage device shall be physically protected against eavesdropping and theft at all times. | 4, 5, 6 |
| 2 | The mass storage device shall be completely wiped of data before it is recycled or discarded. | 7 |
In practice, the policy statements should be more specific about the information and storage. Somewhere, our policy should identify what we mean by sensitive data. We should also be more specific about which mass storage devices we protect.
These policy statements are easy to write but difficult to implement. If we keep the drives locked in a private office, we may also have to consider the risk of cleaning staff having access to it. If the drive is in a laptop, we need a locked cabinet for it, and we should avoid carrying it in public.
Policy for Encrypted Volumes
In practice, we can justify volume encryption for almost any computer hard drive or USB drive. Although it may not protect against every attack, volume encryption prevents many common risks. In most cases, we cannot keep a hard drive or laptop safe continuously. As of 2010, however, volume encryption remains a relatively rare and sophisticated feature, although this should change as the technologies evolve.
TABLE 9.3 presents policy statements for volume encryption. As with the previous statements, a practical policy needs to tell people how to identify sensitive data. Policy and procedures also should provide a way to distinguish between volumes containing sensitive data and those that don’t.
TABLE 9.3 Policy Statements for Volume Encryption |
||
|---|---|---|
| Number | Policy Statement | Risks |
| 1 | Every removable storage volume used for sensitive data shall be fully encrypted. | 4 |
| 2 | The computer’s system drive shall be fully encrypted. | 5, 6 |
| 3 | There shall be a mechanism that fully erases and purges the encryption key used to encrypt any mass storage volume. | 7 |
Now that we know that we need volume encryption, we must figure out how to implement it. Volume encryption places a serious burden on an encryption algorithm. Most algorithms become vulnerable if we encrypt a great deal of information, especially if it includes known plaintext and duplicated information. This is exactly what happens on a large encrypted hard drive.