Viewing posts from : April 2011



It’s rare for Digital Trust to endorse a product; exceptional products are scarce, and the normal information outlets cover them well enough.  But Job X was special and we like to give credit where credit is due.

This Job was a high volume, high speed imaging affair, with only two days warning.  We’d been contracted to image all the drives in a small business with, or course, minimal disruption.  About 40 drives, or so we thought.  Normally, we could parallel image either across the network or via multiple boot and intern combinations, but not in this case.  We had to get the physical disks.

The lack of prep time is normal, but not for a job this size.  We had on hand one Voom Hardcopy 3P and two Tableau’s, which would require laptops.  One of the nice things about the Voom units is they are standalone.  They are also considerably faster than a low end portable forensic imaging system.  PCMCIA SATA cards are okay, but not nearly as fast, and just one more device in the loop for Murphy to break.  Hardcopy’s transfer SATA to SATA, at drive interface speeds and are astonishingly easy to use.

Job time estimation isn’t rocket science for imaging.  It takes ~3 hours to copy a 1TB drive (at the time of this report).  A Hardcopy 3P runs at ~3GB per minute with MD5 hash (real world observations, not marketroid fluff) on an average older 80GB drive (what we had at this job).  The faster the source drive, the faster the Hardcopy; it’s limited by the drive speed.  We see 5+GB/m on a more current 7200rpm 1TB drive.  Time varies based on the quality of the source and target drives.  So given 40 average office drives, one Hardcopy would take 40drivesx80GB/3GB/m/60m=17 hours if the world was perfect.  Then there’s the overhead of locating the drives, removing them from their housings, hooking up the drives, labeling everything, recording in the logbook, putting them back, and trying to fend off questions while dealing with the inevitable, most notably, failing drives, which drastically alters the 3GB/m rule, as retries eat up exponential time.  Such is life.  Our best working estimate at this time is that 8 hours of imaging with no major issues takes two people at least 12 hours.  Which meant we needed two days with two people, and it would still take longer if things didn’t go as planned, which they never do.

Given the volume of drives, and the distressing estimation from above, we opted to try and find additional high speed equipment.  So we picked up the phone and called (651-998-1618) the nice people at Voomtech, who have been a pleasure to deal with in the past.  Unfortunately, the didn’t have any on hand, which put a crimp in our plans, but only for a moment.  They reached out to a reseller who had some in stock, and arranged for the dealer to overnight two to us, on reputation alone.  That’s awesome customer service.

Having 3 Hardcopy’s on hand would definitely make this a simple Job.  Which is when Murphy showed up.  Turns out there were a bit more than 40 drives.  There were 70.  If you follow the math, you realize that 3 Hardcopy’s are a bit of overkill for 40 drives in two days.  Even 70 would normally not be a stretch, until you factor in Murphy’s sister, who arranged for 30% of the drives to have errors, some fatally so, and to top off the adventure, the on site contact supplied imaging drives from a manufacturer we normally don’t use, because they are not as good as Seagate.  No drive maker is perfect, but some are better than others.  We like (at this point in time) to rely on Seagate.  The other drives cost us half a day dealing with their quality issues until we bit the bullet, trotted over to Staples, and picked up half a dozen big Seagate’s.

What happened to the Tableau’s?  They got used trying to figure out how to deal with the failing drives.  Once a Voom reported a problem with a drive, we moved it to the laptops and tried to finagle a viable image out of the drive.  Right tool for the job, and all that.  Hardcopy’s are faster than Tableau’s, but Tableau’s give you the ability to work with the drive using other tools.  We don’t think of it as Voom versus Tableau.  While Tableau’s can be used to acquire images, the Hardcopy’s are so much faster, they are the obvious choice for imaging.

Back at the Job, once we had the Seagate’s in place accepting data, we started thinking things might work out okay.  For two days we transferred md5 checked images from source to Seagate via the Hardcopy’s, and they were good.  Hardcopy 3P’s are wonderfully simple devices for quickly acquiring images.  One of the features we like is that they pull all the identification off the hard drive and store it in a txt file with the image file and md5 checksum file.  Saves more time.  Couple that with a vendor willing to talk to you, and you get a great option for data collection.

The assembly line of drive copying finally ended the second day at 6PM, having imaged or attempted 70 drives in 24 hours.  The Voom Hardcopy 3P’s were definitely cost effective.  There’s just something so nice about its simplicity, and even better about a vendor that treats you well.  Digital Trust highly recommends the Voom Hardcopy 3P.

Voomtech.com

 

HTC Hydra is very cool, as is any brute forcing tool (Fast Track in BT4 is nice), but there is a very simple way to eliminate brute force attacks on your exposed authentication interfaces; add a Captcha or similar technology. Lots of companies are getting into strong authentication with codes and tokens, but you may not need to go that far. In lower risk cases, where the need is just to keep the system clean, a simple recognition code works to keep out all but the most dedicated brute force attempts. An attacker with enough patience or enough money may still be able to use a brute force attack, but the chance of recognizing it in the logs and alerting so you can take appropriate action is much higher with that level of attention. So if you’re not protecting credit cards for PCI-DSS and you’re not guarding medical information for HIPAA, think about adding a Captcha or other simple recognition code that will make your application a much harder target. And don’t forget to have it professionally tested/evaluated once you’ve modified it. Digital Trust – helping companies keep security costs down.

Some Seattle criminals were apparently hacking wifi to help them locate business servers with identity information and then breaking in and stealing the servers. This is a perfect example of why physical security risks should be checked along with any electronic security validation. Penetration testing needs to be both physical and electronic, because sometimes it’s just easier to walk away with the equipment than it is to hack in and steal the data.

http://www.seattlepi.com/local/article/Police-Wireless-network-hacker-targeted-1344185.php

What issues should be in a company smart phone policy?  There are a lot of different options for restriction or permissiveness, depending on the company and any associated culture.  If we run down all the possibilities (that we had thought of by this time, there’s always more) you can use the list to check or build your own company policy.

Is company business permitted on personal phones, and vice versa?  This is the most important bit of information in your policy.  It determines how much effort you can expend in other areas, and how expensive they’ll be, or how much risk you’ll accept.  If you try a half-way approach, the end result is the same as if you openly permit mixing.  If you fail to address it, you have accepted the inevitable, so you might as well document it as such.  Company business on personal phones and personal business on company phones is no simple issue.

Allowing personal business on company lines means your security personnel can monitor it, or should.  You’re monitoring all company assets for anomalous behavior, right?  Hackers are into phones these days.  You’d be a fool if you weren’t at least checking them once in a while, like we used to check PC’s for viruses once a week.  However, most employees don’t like knowing their personal calls are monitored.  Plus, since any company property can become legal evidence, anything done on that phone can potentially come out in court.  We all like to think our private calls to that certain number are private and unknown to others, but if it’s a corporate phone, it had better be known or one day it may turn into a courtroom surprise.  Express your intent to have phones utilized in a professional manner for business use only to reduce the likelihood of courtroom embarrassment.

Permitting work on personal phones is worse in one way, which we’ve discussed previously, so we’ll zip through it here: your personal phone gets impounded as evidence, and no, you can’t back it up before we take it.

Specifically differentiate between business and personal use, what is acceptable, and in what quantity.  The easiest way is to specifically restrict use, even if it’s realistically impossible; at least you’re trying.  Failure to address it at all, however, means you implicitly accept it, which means you might as well document it so management understands what risk they are accepting.

Be specific, if you can, about what behaviors, frequencies, and durations of behavior are acceptable if you are permitting personal or business use.  If you can’t be specific, you are assuming anything goes.  At least try and limit it with a stock “professional behavior” phrase or similar.

Does your policy cover all the features of current phones (cameras, sms, etc…), or just talk about a couple issues?  It needs to cover everything plus contain extension language so when they figure out how to do new things with phones you don’t end up having to rewrite the policy.  Who knew ten years ago we’d finally be doing all the things today they told us about 40 years ago?

Discuss why you are restricting use.  People are a lot more likely to follow a policy they understand than one they think is draconian and absurd.  Don’t wait to educate them until you’re coming to get their phones for a legal case.

Discuss who it applies to.  If you’re treating the executives differently than the staff, better mention it, or it could cause problems.  Treating everyone exactly the same makes things easier unless you’re the person explaining it to the C levels.

Define the terms you use that could be misunderstood, perhaps deliberately, or what could be termed “weasel” words.  When you say “personal use and business use”, what do you mean?  When you say “off hours”, do you mean the same time for all shifts or different times?  Don’t say “disciplined” when you mean terminated.  Weasel words.

Define any exceptions, generally if necessary.  “You are allowed to use the company phone to make emergency calls, where emergency implies life and death situations.”  Why someone would need that laid out for them is a mystery, but you know if you leave it out, someone will get sued after somebody lets someone die because they couldn’t make a personal call on a company phone.  Read a spray paint warning label if you doubt it.

Particularly vulgar misuse should be defined and the resulting disciplinary and legal steps laid out to discourage straying from the expected path.  “If you take pictures of guests without permission and post them on the Internet or sell them to someone you will be fired and charges filed with the appropriate criminal authority.”

Make sure to cross link to your social networking policy, since many people take pictures just to upload them to their site and share with friends.

Can personal or business devices connect to business or personal networks?  In other words, are you going to trust that the mail-room guy’s phone is clean enough to let it access your corporate network?  This is the second most important issue, and it leads directly to complexity and cost.

Will you, for example, attempt to isolate personal phones from the main network?  If you do a good job, it’s going to cost.  If you don’t do a good job, you increase risk.  Mention it to management and see if they’re comfortable with it.

Will you permit work devices to surf on any old network and then return to the fold bearing who knows what sort of infection?  If you do a good job, it costs you, if not, it increases risk.

Related policies reminder.  Remind users that when using a device in a setting other policies may apply.  So while that smart phone may be great for surfing porn in their basement, because it’s a work device, it’s still not permitted.  Oh, and you can see them in the logs you’re monitoring.

Finally, damage.  If they drop their work phone at home, or their home phone at work, who’s paying and under what circumstances?  If they lose the phone on a subway, who’s paying to replace it?  Some employees will flush phones down the toilet repeatedly, it’s just in their nature.  Who’s paying?  And if you have someone losing phones, have plans for dealing with it.

Very importantly, have a hard policy regarding how fast they notify authorities and who those authorities are.  Many people will wait to inform you of a loss until they get the new device or the loss personally inconveniences them.  Meanwhile, the lost phone has been in the hands of bad guys for days or weeks.

Put a reward sticker on the phone.  It might result in the return of several valuable phones that would otherwise end up in pawn shops.  A few cents per phone versus hundreds of dollars for a single loss makes it worthwhile.

Security; alluded to above, is the cost that makes any risk bearable.  What will you do, or be able to do, if a phone containing potentially sensitive business information is lost, or if personal information is exposed on company networks?  There are a few facets to phone security issues.

Loss.  In either business or personal property cases, where company information may be present, it is best to:

  • Be locked with a code of some sort, to prevent immediate use.  Also, activate this lock after a period of inactivity, like a screen-saver on a PC.
  • Be encrypted, to prevent stronger efforts at compromise, such as corporate espionage or other subversive reason.
  • Be remotely wipeable, to allow for a positive acknowledgement that a device is completely safe.  This is critical for assets storing very sensitive data, but won’t always be possible, especially in cases involving corporate espionage, so in those cases strong encryption is an additional requirement.  Note that remote wiping of a personally owned device can create additional liabilities, the most obvious being, what if it’s done accidentally.  Likewise, with a business device, a sales person could lose valuable scheduling data that hasn’t synchronized with HQ yet, costing them sales.  Address these and other risks by having users sign an agreement and understanding of how phones are protected and specifying what they can do to avoid complications, as well as the companies refusal to accept any liability.  Place the onus on them to care for data that is important to them.

Integrity of the device: anti-virus, anti-tampering.  Companies concerned about data leaks must weigh the risk of device compromise through malicious software and employ appropriate measures.  Anti-virus is available for phones, as is anti-tampering software that performs an integrity check on the program portions of phone memory.  This plays directly into whether or not you permit 3rd party untested applications to be installed on devices.  If it’s a personal device, you don’t have much choice, so factor that in to any decisions: such phones will leak data like a sieve.   Business phones can be much more locked down, but you’ll need a process whereby new apps can be requested and tested.

Disable unnecessary services, just like with a computer.  If you can avoid Bluetooth, do so.  Same with Wi-Fi, but if you can’t, take appropriate mitigating steps.

If restrictions in use could conflict with emergency contact from relatives, provide contingency contact plans for them.  In other words, if you require personal phones to be removed or turned off, provide a way for relatives and emergency contact through other means, such as a paging system or central contact number that can reach the person.  Kentucky coal miners, as an example, cannot receive calls down in the mine, so relatives must contact the mine office which will use radios to relay appropriate information.

Legal requirements.  Your legal department will likely want a couple paragraphs in the policy, most notably regarding compliance with local laws and ordinances.  Just because the business provides a phone, doesn’t mean you can use it in violation of laws such as phone use while driving.  The legal department will specifically want that mentioned to escape liability when an employee breaks that law and ends up in trouble.

That’s a pretty big policy for such little devices.