GPSolo Magazine - December 2005
Lock It Up! Protect Your Clients (and Yourself) with Encryption
You return to your office one morning to find your computer stolen. You’ll be able to recover your client and administrative files from backups—maybe off-site or online backups—and resume business, but what about the data on your hardware that the thief made off with? Are your privileged documents and financial information now available to the thief? Could the patent application you were working on have fallen into the hands of a rival corporation? If you used the right encryption software, not even an expert in computer forensics will be able to recover the information on your hard drive; your encryption software will render it irretrievable without the correct password.
There are two approaches to encrypting documents. One way is to use the built-in password protection provided by the program you are using to author the document. I don’t recommend this method. Many programs that claim to offer password protection use easily defeated encryption methods. An Internet search for “password recovery” and the name of the application used to create your document will show there are many companies selling software to “recover” the password used to protect the document. What’s worse, if a thief recovers the password for one document, the thief (or the thief’s customer) may be able to use it to decrypt data that a more secure program protects with the same password.
The alternative to trusting a program’s built-in protection is to use system-level encryption. In this method, all files are stored in a directory that can only be used after a password has been entered to unlock the directory. All files, regardless of the program that created them, are then written to this directory using encryption. Many experts do not consider Windows’ built-in encrypting file system (EFS) to be secure because it writes unencrypted data to a temporary file before encrypting it. These temporary files can be easily recovered with undelete software. A better alternative is Paragon’s Encrypted Disk 3.02 (http://encrypted-disk.com). It has military-grade encryption and can password protect and encrypt directories.
An even better solution, especially if you work with secure documents on multiple computers, is to dedicate an external USB “thumb drive” to secure documents. Unless you are working with a lot of large video files, most documents can easily fit onto a thumb drive that can store up to several gigabytes of data. Keynesis Lockngo Professional 3.1 (www.keynesis.com) can encrypt all data stored on one of these removable drives. Whenever the drive is attached to a computer, the system prompts for a password before the drive can be accessed. The drive is safe from forensic recovery because the data is protected by 256-bit encryption. Encryption utilizing 128 bits or better is considered secure.
Encrypting data can make backing up that data more complex. That’s because your backups should also be encrypted. The best way to back up the data and guarantee that it’s protected is to copy the data you want to back up to another drive or folder that is also protected by encryption software.
Remember that encryption software, if used improperly, can lock you out of your own data files. Keep an unencrypted backup around—in a secure location, such as a safe-deposit box—until you are certain that your system is working properly and that you can recover your data from the encrypted files.
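One way to carry out that check before retiring the unencrypted backup, shown as an added example that is not part of the original article: the Python script below hashes every file in the original folder and in a copy restored from the encrypted volume, then lists anything missing, altered, or unexpected. The folder contents and file names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large documents need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def compare_trees(original_root, restored_root):
    """List files missing from, changed in, or extra in the restored copy."""
    original, restored = manifest(original_root), manifest(restored_root)
    shared = original.keys() & restored.keys()
    return {
        "missing": sorted(set(original) - set(restored)),
        "changed": sorted(p for p in shared if original[p] != restored[p]),
        "extra": sorted(set(restored) - set(original)),
    }


def demo():
    """Constructed sample: temporary folders stand in for the real ones."""
    with tempfile.TemporaryDirectory() as plain, \
            tempfile.TemporaryDirectory() as restored:
        samples = {"engagement.txt": b"retainer terms",
                   "ledger.csv": b"2005-12,100.00",
                   "patent_draft.txt": b"claim 1"}
        for name, data in samples.items():
            with open(os.path.join(plain, name), "wb") as fh:
                fh.write(data)
        # Simulate a bad restore: one file truncated, one never copied back.
        bad_restore = {"engagement.txt": b"retainer terms",
                       "ledger.csv": b"2005-12"}
        for name, data in bad_restore.items():
            with open(os.path.join(restored, name), "wb") as fh:
                fh.write(data)
        return compare_trees(plain, restored)
```

An empty result in all three lists is the signal that the encrypted copy restores faithfully; anything else means the unencrypted backup should stay in the safe-deposit box.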
It is important that you have a long, “strong” password containing letters, numbers, and punctuation marks to protect your encrypted files. Many “brute force” password crackers are capable of recovering short passwords composed solely of letters. One thing to keep in mind is that if you did a good job protecting your data and then lose your password, you are not going to be able to recover your files. Because your password should be long and complex, it might be easy to forget. It’s very important that the password be written down and kept in a secure location. The password should be kept at home or in another office to make it unlikely that a thief could gain access to both your written password and your computer during the same burglary.
Another important aspect of keeping your password safe is to make sure that your computer is free of spyware that might record your keystrokes. Such “keylogging” spyware is quite common these days and can be difficult to spot once it is surreptitiously installed on your computer via web browser security flaws or by someone with access to your computer. In order to detect spyware and prevent its installation, it’s a good idea to routinely scan with anti-spyware software such as Webroot’s Spy Sweeper (www.webroot.com), Lavasoft’s Ad-Aware Professional (www.lavasoftusa.com), or Safer Networking’s Spybot (www.safer-networking.org/en). You also should run a general anti-virus and firewall solution, such as those offered by McAfee (www.mcafee.com) or Norton (www.norton.com).
With these applications, properly implemented and maintained, your data is as safe as you can make it. If someone steals your hardware, it will only be useful as a doorstop. If someone steals the data itself, it cannot be used for anything.
Justin Sher is a systems architect with Credit.Com, Inc., in San Francisco, California.