Why Current Security Solutions Fail To Prevent Data Theft

Discussion in 'Computer Security' started by WB Randolph, Nov 19, 2006.

  1. WB Randolph

    WB Randolph Guest

    I saw a story at net-security.org describing why current security
    solutions might be unable to prevent data theft. It describes why
    application password protection, disk encryption, file encryption, etc.
    fail to prevent data theft so I submitted it here:

    http://www.digg.com/security/Why_Current_Security_Solutions_Fail_To_Prevent_Data_Theft

    Googling about the story, I found this Flash video showing how
    password-protected Palm Treo 700p smartphone contacts can be exposed on a PC
    running Palm Desktop, disk encryption, firewall, antivirus, etc.:

    http://www.innersafe.com/demos/palm_desktop_insecure/index.html

    It seems the situation is worse than the story (which doesn't even
    mention keylogging):

    1. disk encryption doesn't help while the disk is mounted (which can be
    hours while we're online & using the disk)

    2. file encryption requires decrypting to disk which can leave
    sensitive data on disk even after the file is re-encrypted again (seems
    NTFS and some thumb drives don't always overwrite files.)

    3. keylogging software can pretty much steal passwords or file content
    before it is encrypted which makes #1 and #2 worse

    4. firewalls are vulnerable to insiders with physical access to PCs
    and open ports people need to access the web or email.

    5. antivirus and antispyware don't detect 100% of malware, require
    signature updates, and don't address the fact a thief can use
    uninfected programs for data theft.

    6. password recovery tools can instantly extract passwords or reset
    passwords of many popular file formats like Microsoft Outlook 2003 .PST
    files.

    7. When using EFS (Encrypted File System), "a file's original
    unencrypted file data is left on the disk after a new encrypted version
    of the file is created." according to Microsoft at
    http://www.microsoft.com/technet/sysinternals/utilities/SDelete.mspx

    Besides the "don't run Microsoft Windows" or "don't store sensitive
    data on PCs" type of advice, what can be done to secure sensitive data
    on a PC?

    What do you use today to secure your data? I know KeePass and
    TrueCrypt are free & popular, but is there anything better?

    Is computer security even possible without spending a fortune?
     
    WB Randolph, Nov 19, 2006
    #1

  2. WB Randolph

    Jim Watt Guest

    Shortly after the invention of the safe, the safecracker
    came into being. It's the same with computer security:
    whatever measures are devised, someone will come up with
    a countermeasure.

    Security is about building a wall around assets, how high
    the wall is and what its topping and alarm system is
    depends on the nature of the asset protected and the
    threat analysis.

    Computer security uses physical protection as the first
    layer to address the threat, if someone can steal the
    system it deprives the user of it and allows access to
    the hardware. That's why laptops are vulnerable because
    they are not locked away in a secure room.

    The bottom line is that security aims to make it difficult
    for the unauthorised user, whilst not making it impossible
    for the genuine user.

    How much you need to spend depends on what you need to
    protect. You do not need a steel box encased in rock
    for your holiday pictures, unless you lead a particularly
    interesting life.
     
    Jim Watt, Nov 19, 2006
    #2