Encryption Not All It's Cracked Up to Be: Assessing the Risks and the Cost

A new type of attack discovered by Princeton researchers demonstrates that encryption alone may not be an effective defense. Managing security is managing risk, and these tips can help show you whether encryption software and self-encrypting disks are worth the cost.

By Charlie Martin
Fri, April 04, 2008

CIO — With major data breaches occurring on a regular basis, encryption vendors are going into hyperdrive, touting the need for their products. However, encryption is only one aspect of protecting your sensitive data, and a new attack shows that it may not be enough.

Recently, the security research group at Princeton University published a report on its success at recovering data from an encrypted disk image on a laptop. This caused a good bit of consternation and some breathless coverage in the press (as with this New York Times story that got the headline "Researchers Find Way to Steal Encrypted Data"), leading to some speculation that this meant on-disk encryption was simply not worth the effort. (Read more on Laptop Encryption Strategies.)

The next morning, having read the New York Times, your CEO stops you in the coffee room and asks, "Is it worth using this disk encryption? It's a pain, and from this article it sounds like someone could get my data anyway."

The security community gets excited about any cool hack that can be exploited to get something you're not supposed to get, and we know that sometimes it's really an important issue. On the other hand, sometimes it isn't. How is a nonspecialist to know the difference, and how can a CIO answer the CEO's questions in the coffee room the morning after a story like this appears?

It turns out that we can answer this sort of question quickly, with a good expectation of accuracy, using ideas from that half-remembered Finance 101 class we took years ago. What we're concerned with is the risk posed by this new attack, where risk is defined as in finance: the probability of the undesired event multiplied by the cost of the undesired event (which is called the hazard). We can manage security issues, first of all, by considering the risk.

Risk = Probability X Hazard

An easy way to see how this is applied is to think about the PIN on your ATM card. Most banks have simple policies for ATM cards: You have a four-digit PIN; there is a limit on how much cash can be taken out of the account every day, say $500; and there is a policy that says after three wrong PIN attempts, the ATM annoyingly eats your card, usually on Friday afternoon just before you leave for that weekend in Vegas.

Now, assume the card is lost, and someone is attempting to get money from it illicitly. The chances of guessing the PIN correctly with no extra information (you didn't write the PIN on the back of the card, right?) are 1 in 10,000 for one try, or about 1 in 3,333 for the three tries you get. The hazard is $500, so the risk is about 15 cents. In other words, the bank can be pretty confident that over many thousands of depositors and ATM cards, the cost of this kind of fraud per card is about 15 cents each.

Of course, with more data and a longer time to explore it, we could get a much better estimate that takes into account the people who do write the PIN on the back of the card, the people who manage to watch over your shoulder as you enter the PIN and so on, but remember, we're in the coffee room and the CEO doesn't want "I'll get back to you in a week or so when I've had time to research this." In any case, for many purposes this is good enough: If someone is trying to sell you a $5 solution to a 15-cent problem, it really doesn't matter much if the accurate answer is really 16.231 cents.

Evaluating Risk

So, how can we apply this to the problem of an encrypted disk? The attack the Princeton group outlined goes something like this: You have data stored on a disk, say on a laptop, that you have protected with a commercial disk-encryption program like Microsoft's BitLocker or Apple's FileVault. (Also read How to Lock Up Laptop Security.) A technically sophisticated attacker wants that data and has significant resources he can apply to the problem, including tools, a bottle of "canned air" and a computer with some specialized software. To execute the attack, the bad guy must first get the computer with the power on, or within a few minutes of the power being turned off; second, cool the memory chips in the computer to -50 C using the "canned air"; third, get the chips where they can be read by the attacker's computer; and finally apply a statistical method and some knowledge of the disk encryption to find and extract the keys. He can then read the data from the disk.

Can it be done? Sure: See the Princeton website for a description and even a video, but it isn't easy. Still, "It can be done, but it's hard" isn't necessarily reassuring in the coffee room on Monday morning; using a risk estimate, though, we can compare it to other possible problems.

To start with, how much is the data on the disk worth? Let's take an all-too-common example: Someone has copied the customer data for 100,000 customers to his laptop to work on over the weekend, and this data includes enough information to be of use to an identity thief. If this data were to be lost or compromised, your company would have to respond by, say, buying a year's credit monitoring service for each of the 100,000 customers, at a cost of about $20 each. So, from the standpoint of a potential loss, the data is worth around $2 million. (Let's stop and think about that number for a minute: two million dollars. The loss of a $2,000 laptop is nothing.)
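The coffee-room arithmetic above, written out as a small risk calculator. This is an added example, not code from the article; the ATM and laptop figures are the article's, while `control_net_benefit` and its inputs are an assumed extension for comparing a control's cost against the risk it removes.

```python
"""Risk = Probability x Hazard, as a small calculator (added example, not from the article)."""
from dataclasses import dataclass


def pin_guess_probability(pin_digits: int, attempts: int) -> float:
    """Chance of guessing a uniformly random PIN within `attempts` distinct tries.

    Each wrong guess rules out one PIN, so the chance is attempts / 10**digits,
    capped at 1.0 once every possible PIN could have been tried.
    """
    space = 10 ** pin_digits
    return min(attempts, space) / space


def expected_loss(probability: float, hazard: float) -> float:
    """The article's definition: risk is the probability of the bad event times its cost."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return probability * hazard


def breach_hazard(records: int, cost_per_record: float) -> float:
    """Cost of responding to a breach, e.g. a year of credit monitoring per affected customer."""
    return records * cost_per_record


def control_net_benefit(p_without: float, p_with: float, hazard: float, control_cost: float) -> float:
    """Assumed helper: risk removed by a control minus what the control costs.

    Positive means the control pays for itself; negative is the article's
    '$5 solution to a 15-cent problem'.
    """
    return expected_loss(p_without, hazard) - expected_loss(p_with, hazard) - control_cost


@dataclass
class Scenario:
    name: str
    p_event: float              # probability the undesired event happens (per card, per laptop, ...)
    hazard: float               # cost if it does
    mitigation_cost: float = 0  # what a proposed control costs per unit

    def risk(self) -> float:
        return expected_loss(self.p_event, self.hazard)

    def worth_it(self) -> bool:
        """A control is worth buying only if it costs less than the risk it addresses."""
        return self.mitigation_cost < self.risk()


# Article's ATM example: 4-digit PIN, 3 tries before the card is eaten, $500 daily limit,
# with the hypothetical "$5 solution" as the control on offer.
ATM = Scenario("lost ATM card", pin_guess_probability(4, 3), 500.0, mitigation_cost=5.0)

# Article's laptop example: 100,000 customer records at about $20 of credit monitoring each.
LAPTOP_HAZARD = breach_hazard(100_000, 20.0)
```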
