Challenges with Encryption

Assist Mobile Technology Workshop.

Tim Wilson CISSP, FBCS CITP. Head of ICT, City and Hackney Teaching PCT



Timeline

• November 07 – Encrypted Child Health Data lost by courier en route to CHTPCT.

• December 2007 – Attempted theft of PC from reception desk.

• January 2008 – CHTPCT Trust Board approves recommendation from investigation that all devices should be encrypted.
  – Identifies Checkpoint Pointsec Endpoint (CPE) encryption product.
  – Checkpoint industry leader – used by Central Govt including MoD and DH!

Timeline (2)

• Late January 08 – Letter from Matthew Swindells to NHS Trusts instructing them to encrypt mobile devices.

• February 08 – CfH announces that encryption will be purchased centrally.

• End February 08 – CfH announces that procurement action is imminent.

• Early March 08 – CfH announces that procurement action is very imminent.

Timeline (2)

• 12th March 08 – CfH still not announced results – CHTPCT Chief Executive agrees to purchase Checkpoint Pointsec Endpoint as approved by Trust Board.

• Mid-March – still no news from CfH.

• 27th March 08 – All fixed and mobile devices encrypted within CHTPCT.

Why Checkpoint Pointsec Endpoint?

Single Agent, Single Interface
  – Reduces time and costs of endpoint security management
  – Simplifies deployment
  – Assured compatibility of endpoint security technologies

Highest Rated, Best of Breed Components
  – Industry leading firewall – 15 years of leadership
  – Antivirus/anti-spyware – based on award-winning ZoneAlarm
  – Data security – based on market leading Pointsec technology
  – Remote access – 12 years of leadership in VPN

First and Only Single Agent for Total Endpoint Security – Unique to Check Point!

Slide kindly provided by Egress  Software Technologies

Check Point Pointsec product family (slide)
  – Full Disk Encryption: Windows, Linux
  – Pointsec Mobile: Pocket PC, Palm OS®, Smartphone, Symbian OS
  – Media Encryption with Port Protection

Slide kindly provided by Egress  Software Technologies

Checkpoint Pointsec Encrypted Mobile Systems

(Diagram: the same disk layout – Master Boot Record (MBR), Partition Boot Record (PBR), Operating System, System Files (PW, swap etc.), User Data – shown under three levels of protection, with each area marked as Secured Information or Open Information.)

• Unprotected – boot records, operating system, system files and data are all open information; highly sensitive files sit alongside everything else.

• File Encryption – only the highly sensitive files are secured information; MBR, PBR, operating system, system files (PW, swap etc.) and the rest of the data remain open information.

• Full Disk Encryption (Check Point) – Master Boot Record, Mandatory Access Control, Modified Partition Boot Record; operating system, system files (PW, swap etc.) and all user data are secured information.

The Endpoint FDE solution provides the most complete & comprehensive protection for all data!

Slide kindly provided by Egress  Software Technologies

Endpoint Security Media Encryption Product Operation

Endpoint PC – Endpoint Security Media Encryption

Centralized Auditing and Management – Audit utility provided for initial assessment of port usage and security policy planning.

Controls activity on ports and devices including:
  – Wired: USB, Firewire, Serial, Printer, IDE
  – Wireless: Bluetooth, Infrared, WiFi, Modems
  – Devices: Memory cards, Digital cameras, Music players, Smart phones, Printers, Keyloggers

Slide kindly provided by Egress Software Technologies

PC and Notebook Encryption Implementation

• Egress Software Technologies awarded contract early March 07.

• Egress staff are ex-developers from Pointsec.

• Checkpoint Pointsec Endpoint (CPE) was installed on all ICT Department PC and Notebook systems.

• CPE software dashboard installed on server. Integrated directly with Checkpoint Firewall dashboard.

• 2 week testing within ICT Department.

• Implementation within 2 days for the rest of the Trust. Implemented from server.

• PC and Notebook hard disks encrypted (AES 256 bit) in 4 hours, full port control applied.

What about Memory Sticks?

Issues with Memory Sticks at City and Hackney Teaching PCT

• Memory sticks were unencrypted.

• Issued or purchased without any control.

• Most memory sticks were actually personal property.

• No audit trail on the use of the memory stick.

• Small and easy to lose.

The Trust decided to implement 8GB Freecom USB Memory Cards.

CPE – Audit Trail Memory Cards / Sticks

• Full audit trail of all actions:
  – Details of files copied to and from the card including all path information.
  – Details of files deleted from the card.
  – The identification of the devices the files were copied from or to.
  – The date and time of all actions.

• Audit trail information instantly available if required.

Memory Cards

• Purchased 400 memory cards – currently 8GB (£14 each).

• Freecom printed Trust logo on the cards.

• CPE encryption was added to the memory cards.

• Managers asked to approve the issue of memory cards. They have two choices:
  – Approve use of the cards only within the Trust.
  – Approve use of the cards inside or outside the Trust.

Memory Cards cont....

• Recalled ALL memory sticks.
  – Staff warned to remove all personal information.
  – Business related information copied to memory card and encrypted.
  – Memory sticks wiped to MoD UK secret standard.
  – Memory stick given to staff member.

• New memory cards issued to staff.
  – Accountability – issued to named staff member.
  – Memory card serial number used for audit trail purposes.

Memory Card Operation to date

• Overall 3 cards lost or broken – 2 lost.

• Audit trail available within 15 minutes.

• Able to make risk assessment rapidly.

• Caldicott Guardian provided with full audit trail and assessment.

• One incident highlighted misuse of computer system and staff member educated on the use of Trust equipment.

Memory Card Operation to date

• One card eaten by 150lbs Newfoundland Dog.

• No audit trail action required!!
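The audit trail slide lists what the card log records (files copied to and from the card with path information, deletions, the devices involved, the date and time), and the operation slides describe how it was used when a card went missing: pull everything recorded against the card's serial number and give the Caldicott Guardian a list of what could be on it. The Python below is an added example, not the Trust's code and not the CPE log format: it replays constructed audit records (the pipe-separated layout and every serial, user, host and path are invented for illustration) against a lost card's serial to list what was still on the card, what had been deleted, and which users and hosts touched it.

```python
"""Reconstruct the exposure from a lost encrypted memory card using a
removable-media audit trail.  Added example; the log layout is constructed
for illustration and is not the Check Point Pointsec Endpoint log format."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class AuditEvent:
    when: datetime
    user: str
    serial: str   # memory card serial number: the accountability key on the slide
    action: str   # COPY_TO, COPY_FROM or DELETE
    path: str     # host-side path for copies; card-side file name for deletes
    host: str     # device the file was copied from or to


# Constructed sample audit lines (timestamp|user|card serial|action|path|host).
SAMPLE_AUDIT = r"""
2008-04-02T09:12:05|jsmith|FC8G-000123|COPY_TO|\\fileserver\childhealth\clinic_list_april.xls|ICT-PC-014
2008-04-02T09:13:40|jsmith|FC8G-000123|COPY_TO|C:\Users\jsmith\Documents\rota.doc|ICT-PC-014
2008-04-03T14:02:11|jsmith|FC8G-000123|DELETE|clinic_list_april.xls|ICT-PC-014
2008-04-03T14:05:00|jsmith|FC8G-000123|COPY_TO|\\fileserver\childhealth\immunisation_q1.xls|LAPTOP-021
2008-04-03T16:20:30|jsmith|FC8G-000123|COPY_FROM|C:\Users\jsmith\Desktop\immunisation_q1.xls|LAPTOP-021
2008-04-04T08:00:00|mjones|FC8G-000777|COPY_TO|C:\temp\budget.xls|ICT-PC-002
"""


def card_name(path: str) -> str:
    """Name of the file as it sits on the card: the last path component
    (handles both Windows and UNC separators)."""
    return re.split(r"[\\/]", path)[-1]


def parse_audit(text: str) -> List[AuditEvent]:
    """Parse the constructed log and return events in time order, so that a
    later DELETE correctly overrides an earlier COPY_TO."""
    events = []
    for line in text.strip().splitlines():
        when, user, serial, action, path, host = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(when), user, serial, action, path, host))
    return sorted(events, key=lambda e: e.when)


def files_on_card(events: List[AuditEvent], serial: str) -> Dict[str, AuditEvent]:
    """Replay copies and deletes for one card; returns name -> the COPY_TO
    event that put the file there (which carries the source path and host)."""
    contents: Dict[str, AuditEvent] = {}
    for e in events:
        if e.serial != serial:
            continue
        name = card_name(e.path)
        if e.action == "COPY_TO":
            contents[name] = e
        elif e.action == "DELETE":
            contents.pop(name, None)
        # COPY_FROM does not change what is on the card; it is still counted
        # below as a host the data reached.
    return contents


def exposure_report(events: List[AuditEvent], serial: str) -> dict:
    """What the Caldicott Guardian needs for the risk assessment of one lost card."""
    mine = [e for e in events if e.serial == serial]
    present = files_on_card(events, serial)
    # Deleted files are reported too: a delete removes the directory entry, not
    # necessarily the data, so the Guardian should know the file was once there.
    deleted = sorted({card_name(e.path) for e in mine if e.action == "DELETE"} - set(present))
    last_seen: Optional[datetime] = max((e.when for e in mine), default=None)
    return {
        "serial": serial,
        "users": sorted({e.user for e in mine}),
        "hosts": sorted({e.host for e in mine}),
        "files_on_card": {name: ev.path for name, ev in sorted(present.items())},
        "deleted_files": deleted,
        "last_seen": last_seen,
    }


if __name__ == "__main__":
    report = exposure_report(parse_audit(SAMPLE_AUDIT), "FC8G-000123")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it as a script prints the report for the constructed card FC8G-000123: two files still on the card, one deleted, one user, two hosts. On an encrypted card the deleted file's remnants are ciphertext without the key, but the report keeps it in view so the assessment is made on what the card once held rather than on the current directory listing alone.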

Other Issues – Mobile Computing

VPN Access

• Trust investing in 100Mbit/s Internet link as part of a City and Hackney wide COIN supplied by N3.

• Internet link will provide VPN access for mobile working.

• Additional Checkpoint firewalls being implemented.

• Seamless integration between CPE and Checkpoint Firewall, including a shared dashboard.

Additional Enhancements

• nCircle IP360
  – systems vulnerable to a specific threat or threats
  – location and ownership of vulnerable systems
  – comprehensive host information including operating system, applications and their versions, open ports, protocols, and host tracking information
  – current and historic vulnerability trend status of specific systems

• Every device using VPN will be subject to a scan by IP360. Check for CPE installed or up to date patching.

• IP360 can prevent a device from VPN access.

Lessons Learned

• You cannot litigate for stupidity!!

• CPE was very easy to implement.

• Identify computers used for presentations and by USB devices.
  – Relaxation of control of an individual port.
  – Memory cards on cameras can be encrypted, for example.

• Bandwidth freed up as port controls stop use of iPods – FACT compliance!!!!

• A few older PCs needed firmware updates. Egress assisted the PCT in this area.

Lessons Learned (cont)

• Mobile computing and encryption requires planning.

• Mobile Computing requires more than an ICT policy – H&S, IG, HR, Finance.

• Staff need briefing on encryption issues.
  – Use of FAQs.

• CE and Trust Board support.

• DH Freedom of Information Request.

ANY QUESTIONS?