Challenges with Encryption
Assist Mobile Technology Workshop
Tim Wilson CISSP, FBCS CITP, Head of ICT
City and Hackney Teaching PCT
Timeline
• December 2007 – Attempted theft of PC from reception desk.
• January 2008 – CHTPCT Trust Board approves recommendation from investigation that all devices should be encrypted.
– Identifies Checkpoint Pointsec Endpoint (CPE) encryption product.
– Checkpoint industry leader – used by Central Govt including MoD and DH!
Timeline (2)
• Late January 08 – Letter from Matthew Swindles to NHS Trusts instructing them to encrypt mobile devices.
• February 08 – CfH announces that encryption will be purchased centrally.
• End February 08 – CfH announces that procurement action imminent.
• Early March 08 – CfH announces that procurement action very imminent.
Timeline (2)
• 12th March 08 – CfH still not announced results – CHTPCT Chief Executive agrees to purchase Checkpoint Pointsec Endpoint as approved by Trust Board.
• Mid-March still no news from CfH.
• 27th March 08 – All fixed and mobile devices encrypted within CHTPCT.
Single Agent, Single Interface
– Reduces time and costs of endpoint security management
– Simplifies deployment
– Assured compatibility of endpoint security technologies
Highest Rated, Best of Breed Components
– Industry leading firewall – 15 years of leadership
– Antivirus/anti-spyware – based on award-winning ZoneAlarm
– Data security – based on market leading Pointsec technology
– Remote access – 12 years of leadership in VPN
First and Only Single Agent for Total Endpoint Security – Unique to Check Point!
Slide kindly provided by Egress Software Technologies
Check Point Pointsec product family (vendor diagram):
– Full Disk Encryption – Windows, Linux
– Pointsec Mobile – Pocket PC, Palm OS®, Smartphone, Symbian OS
– Media Encryption with Port Protection
Slide kindly provided by Egress Software Technologies
Checkpoint Pointsec Encrypted Mobile Systems
Diagram comparing three disk layouts (Master Boot Record, Modified Partition Boot Record, Operating System, System Files such as page/swap, User Data):
– Unprotected – boot records, operating system, system files and data all open information.
– File Encryption – only the highly sensitive files are secured; boot records, operating system, system files and remaining data stay open.
– Check Point Full Disk Encryption with Mandatory Access Control – MBR, PBR, operating system, system files and data all secured information.
The Endpoint FDE solution provides the most complete & comprehensive protection for all data!
Slide kindly provided by Egress Software Technologies
Endpoint Security Media Encryption Product Operation
Diagram: Endpoint PC running Endpoint Security Media Encryption, with centralized auditing and management. An audit utility is provided for initial assessment of port usage and security policy planning.
Controls activity on ports and devices including:
– Wired – USB, Firewire, Serial, Printer, IDE
– Wireless – Bluetooth, Infrared, WiFi, Modems
– Devices – Memory cards, Digital cameras, Music players, Smart phones, Printers, Keyloggers
Slide kindly provided by Egress Software Technologies
PC and Notebook Encryption Implementation
• Egress Software Technologies awarded contract early March 07.
• Egress staff are ex-developers from Pointsec.
• Checkpoint Pointsec Endpoint (CPE) was installed on all ICT Department PC and Notebook systems.
• CPE software dashboard installed on server. Integrated directly with Checkpoint Firewall dashboard.
• 2 week testing within ICT Department.
• Implementation within 2 days for the rest of the Trust. Implemented from server.
• PC and Notebooks Hard disk encrypted (AES 256 bit) in 4 hours, full port control applied.
Issues with Memory Sticks at City and Hackney Teaching PCT
• Memory sticks were unencrypted.
• Issued or purchased without any control.
• Most memory sticks were actually personal property.
• No audit trail on the use of the memory stick.
• Small and easy to lose.
CPE - Audit Trail Memory Cards / Sticks
• Full audit trail of all actions:-
– Details of files copied to and from the card including all path information.
– Details of files deleted from the card.
– The identification of the devices the files were copied from or to.
– The date and time of all actions.
• Audit trail information instantly available if required.
Memory Cards
• Purchased 400 memory cards – Currently 8GB (£14 each).
• Freecom printed Trust logo on the cards.
• CPE encryption was added to the memory cards.
• Managers asked to approve the issue of memory cards. They have two choices:-
– Approve use of the cards only within the Trust
– Approve use of the cards inside or outside the Trust.
Memory Cards cont....
• Recalled ALL memory sticks.
– Staff warned to remove all personal information.
– Business related information copied to memory card and encrypted.
– Memory sticks wiped to MoD UK secret standard.
– Memory stick given to staff member.
• New memory cards issued to staff.
– Accountability – issued to named staff member.
– Memory card serial number used for audit trail purposes.
Memory Card Operation to date
• Overall 3 Cards lost or broken
– 2 lost
• Audit trail available within 15 minutes
• Able to make risk assessment rapidly.
• Caldicott Guardian provided with full audit trail and assessment.
• One incident highlighted misuse of computer system and staff member educated on the use of Trust equipment.
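The lost-card workflow described above (serial number as the audit key, files copied to and deleted from the card, devices used, audit trail feeding a rapid risk assessment) as an added example; this is not CPE's log format or code, and the CSV layout, field names and sample records are constructed assumptions:

```python
# Added example: replay a memory-card audit trail to support a lost-card
# risk assessment. The record layout is a hypothetical CSV carrying the
# fields the slides say the audit trail holds (card serial, date/time,
# action, file path, device, user). Not CPE's real log format.
import csv
import io
from datetime import datetime

# Constructed sample audit trail, not real Trust data.
SAMPLE_AUDIT = """\
serial,timestamp,action,path,device,user
FC-0001,2008-04-01T09:12:00,copy_to_card,H:\\reports\\audit_q1.xls,PC-ICT-07,jsmith
FC-0001,2008-04-01T09:13:30,copy_to_card,H:\\patients\\clinic_list.doc,PC-ICT-07,jsmith
FC-0001,2008-04-02T14:05:10,delete,H:\\reports\\audit_q1.xls,PC-ICT-07,jsmith
FC-0002,2008-04-02T16:40:00,copy_to_card,H:\\hr\\rota.xls,LT-FIN-02,adoe
FC-0001,2008-04-03T08:01:00,copy_from_card,H:\\patients\\clinic_list.doc,LT-HOME-01,jsmith
"""

def parse_audit(text):
    """Parse the constructed CSV into dicts, oldest record first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def files_on_card(records, serial):
    """Replay copies and deletions to find what the lost card still held."""
    resident = {}
    for r in records:
        if r["serial"] != serial:
            continue
        if r["action"] == "copy_to_card":
            resident[r["path"]] = r  # last write wins
        elif r["action"] == "delete":
            resident.pop(r["path"], None)
        # copy_from_card reads the card; residency is unchanged
    return resident

def assess_lost_card(records, serial, sensitive_markers=("patients", "hr")):
    """Summarise exposure: resident files, likely sensitive ones, users, devices."""
    resident = files_on_card(records, serial)
    sensitive = sorted(p for p in resident
                       if any(m in p.lower() for m in sensitive_markers))
    on_card = [r for r in records if r["serial"] == serial]
    return {"serial": serial,
            "files": sorted(resident),
            "sensitive": sensitive,
            "users": sorted({r["user"] for r in on_card}),
            "devices": sorted({r["device"] for r in on_card})}
```

The `sensitive_markers` path keywords stand in for whatever classification the Caldicott Guardian applies; the summary tells them which files were still on the card, not merely which were ever copied to it.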
Memory Card Operation to date
• One card eaten by 150lbs Newfoundland Dog.
• No Audit trail action required!!
VPN Access
• Trust investing in 100Mbit/s Internet link as part of a City and Hackney wide COIN supplied by N3.
• Internet link will provide VPN access for mobile working.
• Additional Checkpoint firewalls being implemented.
• Seamless integration between CPE and Checkpoint Firewall, including a shared dashboard.
Additional Enhancements
• nCircle IP360
– systems vulnerable to a specific threat or threats
– location and ownership of vulnerable systems
– comprehensive host information including operating system, applications and their versions, open ports, protocols, and host tracking information
– current and historic vulnerability trend status of specific systems
• Every device using VPN will be subject to a scan by IP360. Check for CPE installed or up to date patching.
• IP360 can prevent a device from VPN access.
Lessons Learned
• You cannot litigate for stupidity!!
• CPE was very easy to implement.
• Identify computers used for presentations and by USB devices.
– Relaxation of control of an individual port.
– Memory cards on cameras can be encrypted for example.
• Bandwidth freed up as port controls stops use of iPod
– FACT compliance!!!!
• A few older PCs needed firmware updates. Egress assisted the PCT in this area.
Lessons Learned (cont)
• Mobile computing and encryption requires planning.
• Mobile Computing requires more than an ICT policy - H&S, IG, HR, Finance
• Staff need briefing on encryption issues.
– Use of FAQs
• CE and Trust Board support.
• DH Freedom of Information Request.