Gold Lock Desktop White Paper

Transcription

1 Gold Lock Desktop White Paper TM AND FILE ENCRYPTION SOFTWARE Effective Data Security in the 21st Century Evaluating the needs of appropriate data security and identifying the risks in the modern corporate environment.

2 AND FILE ENCRYPTION SOFTWARE The Need for File and Data Security in the Digital Age Data security and privacy in today's world of global communication and information sharing is a growing concern and an increasing number of corporations and businesses continue to neglect the risks of not following appropriate data security and privacy measures. In the past five years, corporate espionage has become much easier thanks the advent of technology, which makes it possible for anyone with a laptop and relatively cheap equipment to eavesdrop on internet connections and computers remotely. This creates a genuine risk for both corporations and individuals alike as more and more people realize how easy it is to steal valuable information from other systems. However, Information privacy can be achieved with the aid of modern cryptography that ensures that in the likelihood of a security breach, damage is minimal and that data theft becomes a non-issue with the use of technologies such as High-grade encryption. This document aims to highlight the needs of effective File and security, by examining some of the risks and discussing some worst-case scenarios that may lead to disaster without appropriate prevention. In particular, this document aims to cover the following topics: Examining current technology and the security of file system data Looking at the increase of accidental and intentional corporate espionage Risks associated with Data theft and appropriate prevention strategies Information access control policies and theft prevention. Security for satellite workers and remote personnel The document aims to prevent a critical overview of the risks present to locally stored information because of the implications of lax data security in both a business environment and a corporate one. By examining current cryptographic technology and looking at unlawful intrusions, it will highlight the need for an appropriate data security policy for every organization that relies on information technology. 2

3 RISKS OF EVERYDAY DATA THEFT AND PREVENTION OF ESPIONAGE According to national and international studies, system attacks and successful network penetrations are on the rise and this presents a great deal of risk to global facing corporations, which suffer from the problem of being largely exposed on the Internet. This problem is highlighted in particular when employees access insecure information on a regular basis, which then leads to a security breach due to lackadaisical policies on web control and internet access. In Today's connected world, the Internet is a necessary tool for most outward facing companies, not only just for but also research, marketing and in some cases financial transactions. As a result, personal and corporate exposure is at an all-time high and we have now reached a period where many companies are being targeted by hackers and snoopers. Nevertheless, information security is not network security, and these two forms of protection should be isolated and seen as different layers of security. 1. Network Zones grouping systems with similar security requirements together. 2. Strong network firewall protecting individual zones and overall network. 3. System management and secure user management and authentication. 4. Information Security with File encryption on a disk-based and filebased level. 5. Employee awareness and training. The aspect of file information security this guide will focus on is the methods contained within Data and file encryption on a file-based level by explaining the issues and highlighting the many risks that corporations can be exposed to with insufficient protection. Ensuring file and security By adopting the five-layer security model mentioned previously, corporations are able to ensure that information systems remain as secure as possible, and that risks from file-theft are minimal, but in today's information age, 3

4 inter-departmental communication is a necessity, and with the adage of WIFI networks, the risks of being caught up in a snooping or MITM attack are high. To combat this risk, encryption has been developed to ensure that confidential communiqués are secured and protected from eavesdropping and packet snooping. File Encryption and Cryptography Explained Since man could first read and write, there has always been attempts made to obfuscate data so that it was only ever readable by those intended, and up until the 20th century, this was all done by hand. A few thousand years later, information security has evolved into the multi-million dollar industry it is today, and with the advent of cryptology, cryptanalysis has now been born which is the study of breaking various codes and ciphers. In its simplest form, a cipher is a mathematical algorithm or set of rules that are used to encrypt or decrypt information in a way that is only readable by those that know the 'key'. This ensures relative security when keys are protected well, and that sufficient strength of cipher is used to ensure mathematical or computational attacks are impossible. Keys are elements of data, which are used to ensure that the cipher can encrypt the information required and that it is possible to be decrypted by the person who holds the decryption cipher. Depending on the type of cipher used, there may or may not be multiple ciphers required (Asymmetric Keys vs. Symmetric Keys). Hackers and crackers are becoming increasingly more adept at breaking the 'un-crack able' encryption algorithms and ciphers, by either direct brute-force attacks against the cyphertext or theft of private encryption keys. Technological breakthroughs has ensured that cryptanalysis, and successful reverse engineering methods are possible with the advent of technology such as distributed computing, and also the birth of the supercomputer. As a direct result, many corporations are relying on old and outdated data encryption technologies that have been proven unreliable by international organizations and government bodies such as the NSA. 4

5 As a direct result of the rise in cyber-snooping and all out digital warfare, how does an organization know that it can rely on encryption technologies and ensure that they are adequately protected not just for the immediate future, but also for the long term? Windows File system Encryption & Data Storage Issues Vulnerabilities The windows operating system is being used by millions of computers worldwide, and many corporations are neglecting the fact that this operating system comes under constant daily attack by those that seek to steal not just the data of corporate organizations, but any information thieves can get their hands on. As a direct result, many corporation and home systems are more than likely at risk. By Relying on Windows file security, which is vulnerable to attack, corporations are effectively giving information thieves access to their files, user passwords and communications. Hackers are known for their ability to exploit system vulnerability, and subsequently capture whole networks of computers to search for valuable information that has the potential to cost organizations millions of dollars to recover. Security professionals recommend that third-party encryption be used to ensure that organizations are not limited in choice of cryptography and that they are not being affected by export laws, which effectively handicap and restrict the capabilities of U.S produced software. Using third-party file and encryption software, organizations can ensure that password security is not the weak-point in security policy. Windows security measures base everything on a single password, which as a direct result creates numerous weaknesses due to the many times it is used from remote-login to roaming and accessing network shares. As a result, relying on password security is no longer an appropriate method of ensuring data privacy, and only by using high-level encryption methods, which the operating system does not support by default, can organizations actually ensure the security and privacy of data. 5

6 DEVELOPING STRONG ENCRYPTION POLICY The Encryption Standards present an everyday operating systems have seen numerous attacks, and various vulnerabilities, so corporations are advised to use encryption methods that are recommended by governments known for their international independence in encryption related matters. Organizations and individuals need to make informed choices based on encryption techniques not software reputation. Proof of this is evident in Microsoft Windows, which sees critically high adoption rates, yet is known for its insecurities. DES Encryption or (Data Encryption Standard) up until very recently was one of the main forms of encryption used by the US government for sensitive information from Because of its governmental popularity, it enjoyed widespread use on an international level based on a 56-bit Key model. AES Encryption Is the current evolution of DES and the primary choice of symmetric key algorithm by Gold Line Group Ltd. The Advanced Encryption Standard (AES) uses the AES-256 block cipher, which has been analyzed extensively by worldwide academia and governmental institutions. AES was ratified in 2001 as the replacement to DES, and it has been effectively standard in government since At the time of writing, AES is currently one of the most popular forms of encryption algorithms for symmetric key cryptography due to its high security and speed that it provides for both hardware based encryptions, and also software computations. RSA Encryption differs from AES encryption due to its nature, as it is primarily an asymmetric key algorithm, which is used for public-key cryptography. RSA was one of the first algorithms developed that involved using both a public key and a private key to encrypt and sign messages. RSA is known to be vulnerable when used with small keys and as a result, many software applications tend to use RSA keys, which are below 1024 bits bits is theoretically breakable, however RSA (2048) remains physically and theoretically unbreakable. Gold Lock Desktop uses RSA (2048) to ensure maximum security. 6

7 DEVELOPING STRONG ENCRYPTION POLICY There are a variety of ways in which hackers and information thieves will try to breach system defenses in order to try to acquire information or disrupt business, however there are two main categories of attacks : General Security Probing Which falls under the realms of general computer hacking. System breaches do occur as a result of general security probing, and often more times than not the result is an attack which brings down network infrastructure. This is perhaps the more traditional form of hacking, and whilst carries significant risk, does not pose as significant a threat to Intellectual property. Targeted System Attacks, which are for example cases of corporate espionage, when the attacker is motivated to specifically cause harm to one individual company or government. These attacks may be financially motivated in cases of corporate sponsored espionage, or personally motivated by those with a personal grudge against the corporation. These targeted system attacks do not just stop at general probing, but aim to acquire and steal any valuable piece of information that is available on the data system. We will discuss the main aspects of targeted security attacks below: Man in the Middle Attacks are effectively snooping attacks, which place the attacker directly in-between communications of both parties. The attacker then literally acts as a silent proxy and subsequently has the ability to eavesdrop on information and manipulate it without either party's awareness. Using encryption can eliminate the effectiveness of MITM attacks however, it is important to use good key security by using verbal verifications and authentication to ensure that key security is maintained on a regular basis. Side Channel Attacks have been present in hardware solutions for a while, yet they also exist in the software world between the encryption algorithm and the software used. It is effectively like safe cracking as it analyzes variables in the system to gain information about the cryptographic process being used. Timing attacks, power-monitoring attacks and observational attacks are examples of side channel vulnerabilities. It is possible to minimize side channel attacks by ensuring that good system administration policies are followed, and that unauthori zed system use is kept to a minimum. 7

8 Weak Key Attacks is perhaps the most well known vulnerability of poorly coded encryption software. With today's availability of distributed computing, and super computers, a weak encryption key can sometimes be cracked in seconds. Many 'corporate' level products release software that is based on old, or out dated technologies such as DES or Triple-DES, and these are known to be vulnerable to weak-key attacks. By using encryption algorithms that use small keys, vulnerability exists, which hackers can exploit using either brute force attacks or mathematical computation using a variety of methods. Social Engineering happens to be the major weakness of developing strong encryption protocols. File and encryption will only ever be as effective as the people that are trained to use it. Without adequate security awareness training, the greatest vulnerability to information security and key divulgence will be by the users themselves. By raising awareness and teaching basic security principles such as key privacy, organizations ensure that their systems are secure not only from data theft, but also from the risks of satellite workers, remote access and communications. Conclusion By using modern encryption technologies, corporations can ensure that their assets and intellectual property are not under threat even if systems are compromised. Effective encryption guarantees against theft, and it ensures that only those that need access to information are allowed to have it. By looking at past government disclosures based on information loss and theft, one can see how urgent the need for rigorous data security policies are. By ensuring that data and communications are secured with encryption, data theft and loss thus becomes a non-issue if appropriate cryptography methods are used in conjunction with adequate user education. 8

9 About Gold Lock Desktop Gold Lock Desktop implements Advanced Encryption Standard (AES) encryption using a 256-Bit key. This is based on the Rijndael algorithm, which is a symmetric block cipher, which has been standardized as according to FIPS 197, and is certified up to top-secret level by CNSS Policy No.15 Each component of the Gold Lock Desktop has been tested against most conceivable attacks, and the Israeli government (Ministry of Defense) has certified Gold Lock Desktop, and its manufacturer Gold Line Group Ltd. Gold Lock uses encryption technology as well, namely RSA utilizing a public and private key system to encrypt and secure messages Based on a 2048-bit key system. Gold Lock Desktop provides secure military grade file encryption, which ensures that information sent over unsecured networks is only viewable by its intended recipients. By using transparent encryption methods, utilizing our software is both simple and straightforward. This encourages good data security practices and it minimizes the effects of a security breach. By applying a third-party software solution such as Gold Lock Desktop with appropriate security awareness and end-user training, organizations effectively immunize themselves against the theft of data and save significant expense when compared to other solutions. Gold Lock Desktop is available free of charge from our corporate website: 9

10 About Gold Line Group Ltd. Gold Line Group Ltd. - a mobile security company, which focus on developing solutions to the threats of corporate espionage and information theft. Established 2003, Gold Line Group have became an international leader in providing secure point-to-point IT and telecommunications encryption solutions, which subsequently allow individuals and organizations to protect files, communications and intellectual property from theft. Gold Line Group employs a team of over 20 analysts, programmers and mathematicians, which are constantly analyzing the current trends on information theft and digital security. They currently market a range of products including Gold Lock Desktop a file and based encryption, which delivers military grade encryption for communications and files on the windows platform. Gold Lock Enterprise Delivering high-grade encryption solutions to corporations which extends to VOIP, text and file transfer using fully encrypted ECIES using ECC-256 and 18,384 Bits data integrity authentication (based on a modified Diffie-Hellman algorithm) and AES -256 Bits encryption. 10

11 Gold Line Group Ltd. (Israel) Mobile Security Division Corporate Headquarters Tel: Fax: Meginei Hagalil 5 Rehovot, Israel Time Zone: EET = East-European time = GMT+2 Hours