To Encrypt or Not to Encrypt, that Is the Question
Disk encryption has been a headache for every IT team. It’s been around so long even Shakespeare wrote about it! From fielding complaints from Sales that you slowed down their demo boxes, to entering George’s recovery key for the umpteenth time, we all ask ourselves whether encrypting our machines is worth it.
With the recent TechCrunch article titled “Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data,” we may be asking ourselves again: is it really worth it?
The answer is still a loud, resounding YES! Last December, Forbes published an article citing Kensington research with some shocking statistics:
- On average, a laptop is stolen every 53 seconds.
- On average, over 70 million smartphones are lost each year.
- Forty-one percent of data breach events from 2005 to 2015 were caused by lost or stolen laptops, tablets, and smartphones.
Now is the winter of our discontent.
After that article, your users may start to ask why we’re pushing encryption on them when it can be bypassed so easily. The situation isn’t as bad as the headline makes it sound. The attack it describes recovers the disk encryption key from a machine’s memory, so it needs physical access to a device that was left powered on or asleep with the key already loaded. A powered-off device that does not release its key until someone at the keyboard authenticates gives the attacker nothing to recover.
As the article notes, the bypass applies only to certain devices, and for those affected devices there are ways to configure your disk encryption to mitigate the risk. This, like many security issues, is first and foremost an Asset Management problem: understanding what you have and whether it’s at risk.
Next, you need to understand how those devices are configured:
- Encryption on tablets and smartphones is not affected by this attack.
- Enabling a wipe after 10 wrong PIN attempts helps if a mobile device falls into the wrong hands.
- Apple devices with a T2 chip aren’t affected by this vulnerability.
- Using a firmware PIN for both BitLocker and FileVault helps mitigate the risk. A BitLocker TPM+PIN startup protector on Windows, or a firmware password on a Mac, means the key is not loaded into memory until a person authenticates at boot. Shutting laptops down, rather than leaving them asleep, removes the key from memory as well.
Once you know your assets, whether disk encryption is enabled, and whether the firmware PIN is enabled, you next want to identify devices at risk. For example, if a laptop belongs to a user with access to more sensitive data, you may want to ensure that user is using the firmware PIN and also prioritize that user for a hardware upgrade if the vulnerability can be eliminated altogether.
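As an added example (not from the original post, and not Ivanti’s tooling), here is a PowerShell script that does the Windows side of that inventory: for each BitLocker volume it records whether protection is on and which key protectors exist, and flags volumes that are protected by a TPM-only protector with no startup PIN. It uses only the cmdlets of the built-in BitLocker module; the CSV path, the function name and the AtRisk rule are my own choices.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on a Windows client. Get-BitLockerVolume and Add-BitLockerKeyProtector
# come from the built-in BitLocker module.

function Get-BitLockerPinStatus {
    # Hypothetical helper name: one report row per BitLocker volume.
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey and RecoveryPassword.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $protOn = ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            Encrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
            ProtectionOn = $protOn
            Protectors   = ($types -join ',')
            StartupPin   = $hasPin
            # Our rule: encrypted, but the key is unsealed at boot without a PIN.
            AtRisk       = $protOn -and -not $hasPin
        }
    }
}

$report = Get-BitLockerPinStatus
$report | Format-Table -AutoSize

# Path is an assumption; feed the CSV into your asset inventory so the rows can be
# joined to device owners and prioritised by the sensitivity of their data.
$report | Export-Csv -Path "$env:TEMP\bitlocker-pin-status.csv" -NoTypeInformation

# Remediation for the OS volume, run at the console so the user can choose the PIN.
# Prerequisites: the "Require additional authentication at startup" policy must
# allow a TPM startup PIN, and a RecoveryPassword protector should already be
# escrowed. Windows keeps a single TPM-based protector; if the cmdlet refuses
# because a TPM-only protector is present, remove that one first with
# Remove-BitLockerKeyProtector and its KeyProtectorId.
#
# $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Run the report side from your endpoint management tool on a schedule and the remediation side only by hand, since a user who does not know the PIN cannot boot the machine.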
Such as we are made of, such we be.
At Ivanti, we use our Unified Endpoint Manager solution to manage recovery keys for both Windows and Mac to help those forgetful users. For devices not compatible with BitLocker or FileVault, WinMagic, an Ivanti ONE partner, offers a solution. We also use the Ivanti Asset Manager solution to identify older devices (especially those used by the key players in your organization) and prioritize them for a hardware refresh.
Kaleb Knobel is a Security Engineer at Ivanti and has also worked as a Technical Support Specialist for the State of Utah and a Service Assurance Technician for Integra Telecom. He is working towards a bachelor’s degree in Computer and Information Systems Security/Information from Western Governors University.