I am giving a short workshop at the upcoming IAAITC’s Business Continuity and Risk Management Summit where I will be talking about open source security software. As I have only got a short time, and I think it is quite topical, I will be basing the workshop on open source encryption software. It appears that not a week goes by without a story in the newspaper about a laptop, hard drive, CD or USB stick containing sensitive and confidential data being lost or left in a train, taxi or car park. Events like this are inevitable as data becomes more and more portable. Of course we should continually work towards minimising these situations, but one of the best practical steps a practice can take to protect data is to ensure that any ‘at risk’ confidential information is encrypted. The latest saw a USB RAM stick of confidential Government information found in a car park in Cannock, Staffordshire. Link to the news story here.
It was noted that the USB stick was encrypted, so at least that was something, but as detailed below many of the ‘proprietary’ encryption systems on USB sticks have been compromised.
At this stage it is worth defining what encryption is:
‘Encryption is the process of transforming information using an algorithm called a cipher. Once data has been encrypted then it can only be read by users who have the encryption key.’
Software encryption has been used for a long time by governments and large organisations. Today it is becoming commonplace, often being found on the better quality USB RAM sticks. The problem with a lot of the software supplied with such devices is that it is often ‘proprietary’, meaning that the source code of the software is itself a secret. At first this may appear to be the best approach: after all, does keeping the code secret not make the solution more secure?
What has actually been proven time and time again is that security through obscurity is no security. The source code of good security software should be available for all to see, so that anyone can check that it is secure. The science of encryption is well documented, and the security of a sound design rests in the secrecy of the key, not of the algorithm, so any software implementation should be made available for checking. Many of the proprietary systems have been compromised by attacks, and often it is a case of ‘when’ not ‘if’ they will be compromised.
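To make the point concrete, here is an added example (not code from this post, and not TrueCrypt’s or FreeOTFE’s code) written against Go’s standard library: the cipher (AES in GCM mode) is fully public and standardised, yet without the key the ciphertext is useless, and a wrong key or a tampered ciphertext is rejected outright rather than decrypting to garbage. The sample document and the random key are constructed for the demonstration; a real tool would derive the key from the user’s passphrase with a password-based key derivation function, which is assumed rather than shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext under a 256-bit key with AES-GCM, a published,
// standardised algorithm. A fresh random nonce is prepended to the output.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext plus a 16-byte authentication tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or after any change to the
// data, GCM's tag check fails and an error is returned instead of plaintext.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKey returns a random 256-bit key. This stands in for a key derived from
// a passphrase with a password-based KDF (assumed, not shown).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed sample document standing in for a file on a USB stick.
	doc := []byte("Client list - CONFIDENTIAL")
	key, _ := NewKey()
	sealed, _ := Encrypt(key, doc)
	fmt.Printf("ciphertext is %d bytes and reveals nothing about the text\n", len(sealed))

	opened, err := Decrypt(key, sealed)
	fmt.Printf("right key: %q, err=%v\n", opened, err)

	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, sealed)
	fmt.Printf("wrong key: err=%v\n", err)

	sealed[len(sealed)-1] ^= 1 // flip one bit of the stored data
	_, err = Decrypt(key, sealed)
	fmt.Printf("tampered data: err=%v\n", err)
}
```

The algorithm, the nonce and the ciphertext can all be handed to an attacker; only the key must stay secret. That is the property a reviewer can only verify when the source is open, which is the argument made above.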
Truecrypt (www.truecrypt.org) is one of the best known and most trusted encryption software programs available today. Truecrypt, as recommended above, is free and open source, meaning that anybody can see the source code. Truecrypt will work on Windows, Apple Mac and Linux operating systems and can be set up to encrypt a whole drive, a single folder or a portable device like a USB Flash RAM stick.
The one possible downside of Truecrypt is that it requires a client install to read an external drive like a USB or portable drive. If it is required to be able to use a portable device on a machine that would not have Truecrypt installed, then for Windows users there is FreeOTFE (www.freeotfe.org), which is free and open source encryption software that can also be installed on a USB stick and does not require a client install. FreeOTFE can also be used on a Microsoft PDA.