With major data breaches occurring on a regular basis, encryption vendors are going into hyperdrive, touting the need for their products. However, encryption is only one aspect of protecting your sensitive data, and a new attack shows that it may not be enough.
Recently, the security research group at Princeton University published a report on its success at recovering data from an encrypted disk image on a laptop. This caused a good bit of consternation and some breathless coverage in the press (as with this New York Times story that got the headline "Researchers Find Way to Steal Encrypted Data"), leading to some speculation that this meant on-disk encryption was simply not worth the effort. (Read more on Laptop Encryption Strategies.)
The next morning, having read the New York Times, your CEO stops you in the coffee room and asks, "Is it worth using this disk encryption? It's a pain, and from this article it sounds like someone could get my data anyway."
The security community gets excited about any cool hack that can be exploited to get something you're not supposed to get, and we know that sometimes it's really an important issue. On the other hand, sometimes it isn't. How is a nonspecialist to know the difference, and how can a CIO answer the CEO's questions in the coffee room the morning after a story like this appears?
It turns out that we can answer this sort of question quickly with some good expectation of accuracy, using ideas from that half-remembered Finance 101 class we took years ago. What we're concerned with is the risk posed by this new attack, risk as defined in finance as the probability of the undesired event multiplied by the cost of the undesired event (which is called the hazard). We can manage security issues, first of all, by considering the risk.
Risk = Probability X Hazard
An easy way to see how this is applied is to think about the PIN on your ATM card. Most banks have simple policies for ATM cards: You have a four-digit PIN; there is a limit on how much cash can be taken out of the account every day, say $500; and there is a policy that says after three wrong PIN attempts, the ATM annoyingly eats your card, usually on Friday afternoon just before you leave for that weekend in Vegas.
Now, assume the card is lost, and someone is attempting to get money from it illicitly. The chances of guessing the PIN correctly with no extra information (you didn't write the PIN on the back of the card, right?) are 1 in 10,000 for one try, or about 1 in 3,333 for the three tries you get. The hazard is $500, so the risk is about 15 cents. In other words, the bank can be pretty confident that over many thousands of depositors and ATM cards, the cost of this kind of fraud per card is about 15 cents each.
Of course, with more data and a longer time to explore it, we could get a much better estimate that takes into account the people who do write the PIN on the back of the card, the people who manage to watch over your shoulder as you enter the PIN and so on, but remember, we're in the coffee room and the CEO doesn't want "I'll get back to you in a week or so when I've had time to research this." In any case, for many purposes this is good enough: If someone is trying to sell you a $5 solution to a 15-cent problem, it really doesn't matter much if the accurate answer is really 16.231 cents.
So, how can we apply this to the problem of an encrypted disk? The attack the Princeton group outlined goes something like this: You have data stored on a disk, say on a laptop, that you have protected with a commercial disk-encryption program like Microsoft's BitLocker or Apple's FileVault. (Also read How to Lock Up Laptop Security.) A technically sophisticated attacker wants that data and has significant resources he can apply to the problem, including tools, a bottle of "canned air" and a computer with some specialized software. To execute the attack, the bad guy must first get the computer with the power on, or within a few minutes of the power being turned off; second, cool the memory chips in the computer to -50 C using the "canned air"; third, get the chips where they can be read by the attacker's computer; and finally apply a statistical method and some knowledge of the disk encryption to find and extract the keys. He can then read the data from the disk.
Can it be done? Sure: See the Princeton website for a description and even a video, but it isn't easy. Still, "It can be done, but it's hard" isn't necessarily reassuring in the coffee room on Monday morning; using a risk estimate, though, we can compare it to other possible problems.
To start with, how much is the data on the disk worth? Let's take an all-too-common example: Someone has copied the customer data for 100,000 customers to his laptop to work on over the weekend, and this data includes enough information to be of use to an identity thief. If this data were to be lost or compromised, your company would have to respond by, say, buying a year's credit monitoring service for each of the 100,000 customers, at a cost of about $20 each. So, from the standpoint of a potential loss, the data is worth around $2 million. (Let's stop and think about that number for a minute: two million dollars. The loss of a $2,000 laptop is nothing.)
Assume we don't protect the data at all, and one laptop is lost every 10 years, so the probability of one loss in one particular year is about one-tenth. The risk: $200,000. In other words, without using disk encryption or some other protection, you can expect data loss to cost about $200,000 a year on average.
Now, let's assume you did use encryption. We start with the same assumptions, and guess that one time out of a hundred a laptop is lost to a skillful thief; instead of taking the laptop to a pawnshop in the seedy part of town, the thief is actually going to try to extract data from it. Let's say further that about half the time the computer is actually stolen with the power on, because for convenience it was simply put into sleep mode. So now, about one time in 200, our skillful thief gets a computer full of recoverable data. The probability of loss is now one two-hundredth of one-tenth, or about 0.0005, and the risk is now about $100 per year. So the answer to the CEO's question is this: With disk encryption we can expect data losses to cost us around $100 a year on average; without it, we can expect data loss to cost $200,000 a year, again on average.
Of course, the easiest protection is to use a disk-encryption program and simply make sure you turn the laptop off when you're not using it; then this technique won't work at all, because there won't be any recoverable keys left in memory.
This technique of risk analysis can be applied to almost any decision about any security measure: It's worthwhile only if it costs less than the reduction in your expected loss per year. For example, there are a number of special disks available now that have specialized on-disk encryption hardware. How much of a premium is it worth to buy one of these disks, compared to using encryption software? Simply extend the reasoning: If the special hardware makes it 100 times harder to get data off the disk, the expected loss per year is around $1. If the special hardware costs significantly more than $199, it doesn't actually pay off.
So the next time the CEO asks you one of these questions, you can make a back-of-the-envelope estimate in just a few seconds' thought. Won't that make you look good?
Charlie Martin is a Colorado-based security architect, researcher and consultant, currently working on key management for a major computer manufacturer.