Information Security on Removable Communication Media - Approaches to a Solution
DESCRIPTION
A lecture by Dr. Oren Eitan at the 2010 Summer Conference of the Institute of Internal Auditors Israel, held on 26/27.5.2010 in Tel Aviv
TRANSCRIPT
Presentation for the Internal Audit Conference
Speaker: Dr. Oren Eitan
May 2010
Non-Secure USB Drives - Threats
High Risk
51% of enterprise users stored confidential data on flash drives
61% disclosed they had lost data-bearing devices
– Ponemon Institute, 2009
Bans often impractical
Harms productivity
Too ubiquitous
Alternatives are equal or higher risk
DataCrypto © 2009, All rights reserved.
Great for convenience and mobility but…
The USB Problem: Nearly 100 Million Flash Drives in Businesses
350 million USB drives in use worldwide
25% used in the enterprise
86% of enterprises use USB flash drives to store and exchange data.
83% of IT workers have USB drives
2/3 not encrypted
Sources: Forrester Consulting, Credant, InformationWeek, TechWorld, Ponemon
Typical users of DOK (Disk-on-Key)
Federal Government
Financial Services
Healthcare and Pharmaceutical
Technology
Energy and Utilities
Law Enforcement and State or Local Agencies
…and more…
IronKey – © 2009 All rights reserved.
10 Required Security Features
1. Automatic, hardware-based encryption
Not optional and much more secure & faster than software encryption
2. Strong Key Protection
Keys are stored on the device & managed in Cryptochip (hardware)
3. Highest level of certification
Always look for FIPS 140-2 or CC highest grades
4. Self-defending capabilities
To prevent physical, software and malware attacks
5. Secure Mode of AES
Uses Cipher Block Chaining (CBC) not Electronic Code Book (ECB)
10 Required Security Features (cont'd)
6. Policy control and enforcement
7. Remote management
Extends control even to devices in the field
8. Trusted Updates
Allows devices to be maintained and upgraded safely
9. Access control and Silver Bullet Service
Ensures security even if lost
10. Secure manufacturing and provisioning process
Allows customers to trust the supply chain and management workflow.
Additional requirements
Secure Device Recovery & Password Reset
Read-only Mode
Onboard Anti-Malware Scanning
Secure AutoRun Protects Against Worms
FIPS 140-2 Standard
Issued by the National Institute of Standards and Technology (NIST).
The Federal Information Processing Standardization 140 (FIPS 140) coordinates the requirements and standards for cryptographic modules, which include both hardware and software components, for use by departments and agencies of the US federal government.
Current standard: FIPS 140-2.
Four levels: FIPS 140-2 level 1 to level 4. Level 1 is the lowest.
FIPS 140-2 Standard
Level 1 - very limited requirements.
Level 2 - physical tamper-evidence and role-based authentication.
Level 3 - physical tamper-resistance, identity-based authentication and physical or logical separation between interfaces.
Level 4 - more stringent physical security requirements, and requires robustness against environmental attacks.
Common Criteria Standard
Issued by the International Standard Organization (ISO/IEC 15408) for computer security certification.
Common Criteria (CC) for Information Technology Security Evaluation.
Current standard version 3.1.
Assures that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
Common Criteria Standard
Seven levels of evaluation, each an Evaluation Assurance Level (EAL). Level 1 is the lowest.
EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodically Tested and Checked
EAL4: Methodically Designed, Tested, and Reviewed
EAL5: Semiformally Designed and Tested
EAL6: Semiformally Verified Design and Tested
EAL7: Formally Verified Design and Tested
Common Criteria Standard
Confidence that the system's principal security features are reliably implemented.
The EAL level does not measure the security of the system itself; it simply states at what level the system was tested.
The IronKey
Most secure encryption technologies.
Onboard Crypto chip.
Encrypted in hardware using AES CBC-mode encryption.
All data written to your drive is always encrypted.
Dual channel SLC Flash.
FIPS 140-2 level 3 compliant.
True Random Number Generator.
Physically hardened metal casing.
Epoxy layer prevents reverse engineering.
Waterproof and tamper resistant.
Company’s profile and products.
Cellular Security Experts | Hardware & Software Security Solutions | Security Surveys © 2008 DataCrypto
Civil/Financial
World's Most Secure Flash Drive: An ultra-secure encrypted USB flash drive, ideal for military and commercial customers. FIPS 140-2 Validated.
SDV®
World's top encryption Hard Drive: Hardware-based disk encryption – secure your data and eliminate data/identity theft
Smart Card MicroSD/MMC: Secure MicroSD/MMC storage platform, with integrated Smart Card functionality for mobile applications with high security demands.
KoolSpan Secure Voice - end-to-end GSM voice encryption solution
The ultimate cost-effective solution for documentation and Email classification
Hitachi VeinID: Hitachi's Finger Vein attesting technology identifies finger vein patterns that exist inside the human body
www.toyoram.co.il
www.datacrypto.com
Thank you!