Thinking about threats and how to manage them
14 Oct 2005
This definition sounds abstruse, so let's look at it in an everyday context: the locks on your car. There are two basic threats these locks address: someone stealing your car and someone stealing the things in your car. There are some related threats in this threat model, such as leaving things in your car, and of course the old horror movie trick of the slasher sneaking into the back seat and hiding there to slit your throat. But there are also limits to these threats, which is why I said "address" rather than "prevent." Part of the threat model is also the threat of locking your keys in the car. If you were looking at a new car and the salesman said, "This baby's so secure not even a mechanic can get into it," then you might decide you want something a little less secure. I know I would. We've all thought about threat models, even if unconsciously, and this quick description brings together all the complexities of threat modeling:
In PGP Desktop 9.0, we introduced a new encryption tool, PGP Whole Disk Encryption (WDE). WDE, as its name implies, encrypts everything on a given disk. For the boot volume of a PC or laptop, this means that WDE runs at a lower level than the operating system itself. When Windows starts up, it thinks it is talking to an unencrypted disk drive, but it is actually talking to PGP software that is pretending to be an unencrypted disk drive. This software also authenticated the user via a passphrase, token, or both before Windows ever got involved.
Great, but what problems does WDE solve? What threat model does WDE address? WDE addresses the threat of a computer being lost or stolen and the data being lost along with the device. It also addresses the threat of a disk drive from a decommissioned computer being scavenged for interesting data. If you are in one of the several companies that were embarrassed by public revelations of lost data this year, this is a very real threat.
In other cases, what happened wasn't the company's fault. For example, my health plan had some computers stolen and 750,000 medical records (including mine) were lost. As it turns out, what actually happened was that there was an inside theft of the computers themselves. The data wasn't actually stolen or even the intended target. But the company still had to report the data as lost and tell all its patients that their health records were in the hands of "persons unknown." WDE keeps such incidents out of the papers because it prevents anyone from accessing your disks and the data they contain.
However, there is a whole class of threats WDE does nothing about, and these are also part of the threat model. For example, WDE does nothing about "lunchtime" attacks. A lunchtime attack is one in which someone uses your computer while you are away (for example, at lunch) and copies data from the computer. WDE does make other attack protection easier, however.
For example, let's suppose you are at lunch, but have put your screen lock on. A sufficiently motivated attacker could come into your office, shut down your computer, take the drive out of the computer, duplicate it, and then put it back in your computer and reboot. When you come back from (probably a very long) lunch, you see only that your computer rebooted. You don't know that someone else has a copy of the disk. With WDE, that someone only has a copy of your encrypted disk.
Other forms of lunchtime attacks include data loss when you get your computer repaired. WDE does nothing about that attack, but PGP Virtual Disk (what we now call the PGP Disk we've had for years) does address it. The whole disk and virtual disk threat models overlap in a way that makes both better than either would be when used alone.
Like all security systems, WDE introduces a new risk: namely, that the correct people cannot use the protected disks. This risk is analogous to the risk of locking your keys into the car. Without locks on your car, you can't lock the keys in it in the first place. Our WDE has options for addressing this threat as well. When WDE is used with a PGP Universal Server, the server can have "recovery tokens" for the WDE systems it manages. (Note that we do not offer this as a service. There is no way that we can ever get to your encrypted data.) These recovery tokens are one-time text strings that can unlock a WDE system. The next time the computer gets on the network with the managing server, the token is invalidated and a new one is created. With this approach, there is no master password that opens all managed computers, and even for any given computer, the recovery token is transient.
Note the balance between the two types of threats: threats from the attackers and threats of the system itself.
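
The recovery-token lifecycle described above can be modelled as follows. This is an added illustration, not PGP's code: the `Server` and `Machine` classes, the PBKDF2 plus XOR key wrap, and the rule that a token is rotated at the first check-in after it has been used are all assumptions made for the model.

```python
import hashlib, hmac, secrets

def _kek(token, salt):  # stretch a recovery token into a key-encryption key
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 50_000)

class Server:
    """Hypothetical managing server: holds one current token per machine."""
    def __init__(self):
        self.tokens = {}

    def issue(self, machine_id):
        self.tokens[machine_id] = secrets.token_hex(16)  # replaces any older token
        return self.tokens[machine_id]

class Machine:
    """Hypothetical managed client with an encrypted disk."""
    def __init__(self, machine_id, server):
        self.machine_id = machine_id
        self.disk_key = secrets.token_bytes(32)  # stands in for the real volume key
        self._wrap(server.issue(machine_id))

    def _wrap(self, token):
        # Toy key wrap (XOR with the KEK) plus a MAC so a wrong token is detected;
        # a real product would use an authenticated key-wrap algorithm instead.
        self.salt, self.token_used = secrets.token_bytes(16), False
        kek = _kek(token, self.salt)
        self.wrapped = bytes(a ^ b for a, b in zip(self.disk_key, kek))
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()

    def recover(self, token):
        """Offline unlock with a recovery token; returns the disk key or None."""
        kek = _kek(token, self.salt)
        if not hmac.compare_digest(hmac.new(kek, self.wrapped, "sha256").digest(), self.tag):
            return None
        self.token_used = True
        return bytes(a ^ b for a, b in zip(self.wrapped, kek))

    def check_in(self, server):
        """Next contact with the server: retire a used token, wrap under a new one."""
        if self.token_used:
            self._wrap(server.issue(self.machine_id))

def demo():
    server = Server()
    a, b = Machine("laptop-A", server), Machine("laptop-B", server)
    old = server.tokens["laptop-A"]
    before = (a.recover(old) == a.disk_key, b.recover(old) is None)
    a.check_in(server)
    after = (a.recover(old) is None, a.recover(server.tokens["laptop-A"]) == a.disk_key)
    return before, after
```

`demo()` exercises both properties the text claims: laptop-A's token does not open laptop-B, and after the next check-in the token that was used no longer opens laptop-A either.
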
Good security must unflinchingly take into account what it can reasonably do, what it cannot reasonably do, the new threats the system itself creates, and how the system must address its own threats. This is why there is no such thing as perfect security and why very few systems manage to be good enough to call themselves "pretty good."