Threat Watch
Threat Watch | Cold Boot: Should New Attack on Encrypted Disks Change the Way Lawmakers Approach Disclosure Legislation 'Safe Harbors'?
Recent research from Princeton and McGrew Security illustrates how the lack of encryption specifications in legislation could put consumer data at risk.
By Rick Cook
"Basically, the fact that it's technically doable doesn't mean it's likely to happen," says Tom Ruffolo, president of eSecurityToGo LLC, an Irvine, Calif., security and compliance consultancy. "The question is, what is the likelihood that a particular computer will be attacked with this [exploit]?"
According to Sohn and security researcher Wesley McGrew of McGrew Security, however, the "cold boot" attack does point out a weakness in the current laws and in the thinking of many companies: The data breach laws don't specify what is needed to qualify as "encryption." Theoretically, a company could encrypt its data with ROT13 and not have to notify consumers in the event of a breach. (ROT13 is a simple substitution cipher that shifts each letter 13 places in the alphabet, sometimes used to hide the punch line of jokes in newsgroup messages. It's about as secure as a papier-mâché padlock.) A better approach, they say, would be to specify some level of security needed to trigger the safe-harbor provision.
"You might want to include at least some kind of standard in there saying the data protection has to be strong enough to provide significant protection," Sohn says. "You wouldn't have to get real specific [in the bill]."
Says McGrew: "I believe that, at the least, regulations should require a set of 'secure practices' to go along with encryption requirements, to ensure that the encryption technologies are being used in the safest possible way."
Regardless of the compliance implications, McGrew says organizations should be sure to understand the level of protection that their disk-encryption products provide. "In the short-term, I think it's important for enterprises and users to ask questions about the encryption products they're using," he says. "Does this product erase the key from memory when I suspend or hibernate my laptop? The answer should be 'yes.' Questions should also be asked about the way the laptops are used: Do I leave my laptop unattended while encrypted file systems are open? The answer should be 'no.'"
Rick Cook is a freelance writer based in Phoenix.