Registered
 
Join Date: Sep 2004
Location: Sandton, South Africa
Posts: 916
Well that sucks... (IT/network security disaster)

Today's rant:

In another thread the OP looks for ways to get around network security. I am living proof today that this is paramount.

Our company invested in McAfee's security solution for our enterprise, which came with a hard drive encryption widget which they implemented on my laptop. Shortly thereafter my laptop hard drive fails, followed shortly by my backup drive. "No problem!" we think, "we'll get it from the enterprise backup." Turns out that isn't an option either, as the enterprise backup policy actually doesn't cater for desktop/laptop machines.

OK, so still no stress: as the drive failure was "the click of death", the information is still there, the drive just needs to be repaired. "So" we thought, "let's get through our pressing project commitments now (not affected by the lost data) and then simply have the data recovered at a later point."

So the date and time arrives and the drive gets shipped off to the recovery center, who in turn come back and ask for a decryption key, as one does. Problem is that when asked, the network security guys get a little uncomfortable and skirt the issue. Seriously skirt the issue I should say. It takes some heavy handed interrogation (just short of waterboarding) but we ultimately get to the real issue:

The *&@! stupid idiots lost the encryption key for my device!

Not only this, but they only keep backups of the security keys for a few months, after which they get overwritten, so there is absolutely no way for them to recover it.

I am therefore left with my data on my (now repaired) drive, but with absolutely no way on earth that I can access that data, which means that I have lost some hugely important information that will, in those cases where it can actually be rebuilt, take months and months worth of effort.

Seriously - at this point our company should be less concerned about network security and more about the physical well-being of their network security team as I am quite ready to shoot someone right now.

__________________
'70 911T (AKA Bottomless Pit) - Undergoing restoration
'13 Audi A4 1.8T - Surprisingly fun means of getting to work
Old 09-07-2015, 08:24 AM
Slackerous Maximus
 
HardDrive's Avatar
 
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,177
Utterly incompetent IT staff. The ugly reality is that heavy handed security measures have the perverse effect of making things less secure. Staff drop sensitive data into third party stores like Dropbox and Google Docs because they get tired of dealing with corporate hassles.
Old 09-07-2015, 08:34 AM
Registered
 
John Rogers's Avatar
 
Join Date: Dec 1969
Location: chula vista ca usa
Posts: 5,700
Hummmm it sounds like your IT security "experts" are all young and well trained Microsoft professionals??!! Having worked with folks like this is one of the reasons I have grey hair now (well, getting old too) and they never seem to look down the road at what could be the worst case and if that occurs, how do we handle it. Sounds like they ignored a bunch of common sense things such as:

- Have a COB plan for each computer/server AND TEST IT!
- Never overwrite license or encryption keys or contact information.
- Keep a written copy of the above and do not trust the electronic copies.
- Have multiple backup sources for ALL computers and test their ability to return your data.
- Cloud or enterprise backups should be ONE of your backup methods and I recommend in my security classes to have a company wide method but also an external drive for each computer that is used nightly and then tested.


I hope you don't mind but I plan to mention this in my class next week (we are off this week due to the holiday) as real life experiences are worth more than reading stuff in a book!
Old 09-07-2015, 10:25 AM
Registered
 
Join Date: Sep 2004
Location: Sandton, South Africa
Posts: 916
John, my experience has actually uncovered a problem that we now realise has brought immeasurable damage and potential risk to my organisation - something your class might find very educational. Will PM you in the morning.
Old 09-07-2015, 10:48 AM
Registered
 
Join Date: Sep 2004
Location: Sandton, South Africa
Posts: 916
HardDrive, yes and this is exactly what is happening as we speak. Sure this loophole will also be blocked in due course, but all they are doing is to push people to move their thinking further underground and to make it so much more difficult and costly to control.
Old 09-07-2015, 10:57 AM
Registered
 
dennis in se pa's Avatar
 
Join Date: Oct 2005
Posts: 2,352
Sorry to hear. I was a field IT tech/engineer for years. Supported medium to large enterprises when they needed to go outside for help. I was amazed at how poorly most of the IT departments were run. Incomplete backups, poor policies etc. But they were big on making sure everyone knew they were Microsoft Certified. You don't have to know much to get Microsoft Certified. Cisco Certified? Now that's a certification. Have you tried ONTrack Data Recovery?
__________________
2001 911 Cabriolet
Old 09-07-2015, 10:57 AM
Registered
 
Join Date: Sep 2004
Location: Sandton, South Africa
Posts: 916
Dennis, what is sad is that some of these guys are actually very senior, very experienced and should have known much better. In fact my organisation is typically the benchmark for financial services infrastructure in South Africa.

Had a look at ONTrack (Kroll?), but my problem is not getting to the data - it is about decrypting the data in the absence of the McAfee decryption key. Right now it seems like praying for a miracle is about the most reasonable thing to do...
Old 09-07-2015, 11:06 AM
závodník 'X'
 
intakexhaust's Avatar
 
Join Date: Sep 2010
Posts: 8,185
That's a bad story, OP. But what's sad is possibly 90 percent of companies are vulnerable and in high risk. They just don't know it. It's only been in just two maybe three years that major insurance, medical industry have finally become serious about it. Won't reveal who but it scares the hell out of me.
__________________
“When these fine people came to me with an offer to make four movies for them, I immediately said ‘yes’ for one reason and one reason only… Netflix rhymes with ‘wet chicks,'” Sandler said in a prepared statement. “Let the streaming begin!” - Adam Sandler

Last edited by intakexhaust; 09-07-2015 at 11:21 AM..
Old 09-07-2015, 11:18 AM
Registered
 
Scott R's Avatar
 
Join Date: Feb 2001
Location: Aspen CO US
Posts: 16,054
Who doesn't back up their critical documents to their network drive?
__________________
2021 Model Y
2005 Cayenne Turbo
2012 Panamera 4S
1980 911 SC
1999 996 Cab
Old 09-07-2015, 11:27 AM
Registered
 
Join Date: Sep 2004
Location: Sandton, South Africa
Posts: 916
Scott, we use a combination of SharePoint (projects) and external backup drives (in-flight work). Most crucial documents are easily catered for in this way, especially given that to me critical implies research, financial models etc. It was a complete fluke that my laptop drive and backup drive both failed in short succession, and even this would not have been a crisis had IT not lost the encryption key.
Old 09-07-2015, 11:46 AM
Registered
 
mikester's Avatar
 
Join Date: Mar 2002
Location: My House
Posts: 5,345
Security folks who say 'no' simply disable a company or force folks to do things in less secure ways around a given bad policy. You have to say 'no, but we can do it this way...' And have a way to stop the bad practices and enable good practices that are just as good or easy.


This problem you have is because you delayed repair and did not know the keys would expire. This expiration policy is normal and a best practice for good encryption policy. Keys that last forever are bad, once they get compromised then everything that was encrypted with them is compromised. Keys need to expire to prevent this even bigger vulnerability to encryption. Still, as a user you should have been educated on how your hard drive was being encrypted and then you wouldn't have delayed the repair and all would have likely been fine. Try to not be too hard on the security professionals around you unless they are the type that just says no and disables your ability to work.

Be hard on those guys.
__________________
-The Mikester

I heart Boobies
Old 09-07-2015, 03:12 PM
Registered
 
930addict's Avatar
 
Join Date: Jan 2005
Posts: 902
We use BitLocker with an MBAM server on the back end. When the device is encrypted it writes the encryption key to a SQL box automatically - you can have it populate Active Directory as well. Your IT folks implemented a poor solution. As far as where to store files, it is our policy that if the files are on our enterprise storage it's our responsibility. If the files are stored locally on the user's device it is the user's responsibility. Some of our users travel. They know to save important data to our cloud storage in case of hardware failure/loss.
Old 09-07-2015, 07:09 PM
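Added example, not part of any post in this thread: the Active Directory escrow mentioned in the BitLocker post above can be verified per device with the built-in BitLocker cmdlets, so a missing recovery key is found before a drive fails rather than after. It assumes a domain-joined Windows machine, an elevated session, and Group Policy that allows storing recovery information in AD DS; it does not cover the MBAM/SQL path.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker recovery-key escrow on the local machine.
# Assumption: domain-joined device, policy permits AD DS backup of recovery info.
# The recovery password itself is never printed or written to the report.

function Get-RecoveryProtector {
    param([Parameter(Mandatory)] $Volume)
    # Only a RecoveryPassword protector lets IT unlock the drive later.
    @($Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

$report = foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }  # nothing to escrow

    $protectors = Get-RecoveryProtector -Volume $vol
    if ($protectors.Count -eq 0) {
        # Encrypted, but no recovery password exists at all: flag it.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; MountPoint = $vol.MountPoint
            KeyProtectorId = $null; Escrowed = $false
            Detail = 'No RecoveryPassword protector'; CheckedAt = Get-Date -Format s
        }
        continue
    }

    foreach ($p in $protectors) {
        $escrowed = $true; $detail = 'Backed up to AD DS'
        try {
            # Re-running the backup is safe; it fails if AD DS cannot be written.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $escrowed = $false; $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; MountPoint = $vol.MountPoint
            KeyProtectorId = $p.KeyProtectorId; Escrowed = $escrowed
            Detail = $detail; CheckedAt = Get-Date -Format s
        }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Escrowed }) {
    Write-Warning 'At least one encrypted volume has no recovery key in AD DS.'
    exit 1   # non-zero exit lets a management tool alert on the device
}
```

Run on a schedule, the non-zero exit code gives the help desk a list of machines whose data would be unrecoverable after a drive repair.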
 
Registered
 
Bill Douglas's Avatar
 
Join Date: Jun 2000
Location: bottom left corner of the world
Posts: 22,758
Can't you just put the word out on the street there is pizza and small change in the office, and someone else does the shooting for you?

Old 09-07-2015, 09:36 PM
All times are GMT -8. The time now is 02:51 PM.


 