Home page logo
/

basics logo Security Basics mailing list archives

RE: List of Full Disc Encryption products
From: "Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>
Date: Thu, 6 Jul 2006 15:32:38 -0500

The problem with technologies like EFS which encrypt files and folders
is that several unencrypted copies and fragments are scattered around
the file system to comport to the OS's peculiar implementation.  For
example, temporary recovery files aren't saved to the folders designated
for encryption (e.g., My Documents).  Sure, the intent of letter is to
encrypt data files rather than executables (because the information
which comprises an executable is *typically* not sensitive), and
targeted encryption is a good solution for certain problems (e.g., a
file server which is physically secure, saving files from the laptop to
removable storage or over the network), but I don't think one could
successfully argue that targeted encryption would meet the requirements
of protecting ALL the sensitive data in every place it resides on the
hard drive.  For that particular piece of the puzzle, only full disk
encryption guarantees the encryption of all the data.


Seth Robertson

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com] 
Sent: Thursday, July 06, 2006 1:13 PM
To: Saqib Ali
Cc: security-basics
Subject: RE: List of Full Disc Encryption products

I don't want to argue semantics, but you're wrong. Pure and simple.
Data's data. Program files and operating system files are not data.
Data is stored in files. You can encrypt individual files and folders
and still be in compliance with any federal mandate or guideline.  There
is NO mandate or guideline that says the entire drive must be encrypted.

Again, encrypting hard drives are a good thing, but don't spread FUD.
Let the facts speak for themselves. Encrypting the entire hard drive is
one solution for protecting confidential files, but it isn't the only
solution. And it certainly isn't the only one accepted by law or
mandate.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Thursday, July 06, 2006 12:28 PM
To: Roger A. Grimes
Cc: security-basics
Subject: Re: List of Full Disc Encryption products

On 7/5/06, Roger A. Grimes <roger () banneretcs com> wrote:
I don't believe your second sentence. Prove me wrong. What mandate 
says that full hard drive encryption is mandatory versus just 
encrypting the necessary files and folders?  Give me the law and
subsection.

OK. See:
1) http://digg.com/security/U.S._gov_t_mandates_laptop_security
2) http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Bullet #1 from the PDF reads:
1) Encrypt "all" data on mobile computers/devices which carry agency
data unless the data is determined to be non-sensitive, in writing, by
your Deputy Secretary or an individual he/she may designate in writing;

So encrypting certain files on the laptop will NOT suffice. You have to
encrypt "All Data".

If you are NOT encrypting partial data on the device, you have to get an
written exception from the Deputy Secretary.



--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault