
Interesting research: “Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)”:

Abstract: We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret. BitLocker, the encryption software built into Microsoft Windows, will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised. This challenges the view that hardware encryption is preferable over software encryption. We conclude that one should not rely solely on hardware encryption offered by SSDs.

This vulnerability impacts Microsoft BitLocker, which the paper discusses in some detail: when an SSD advertises hardware encryption support, BitLocker defers to the drive by default rather than encrypting in software, so a flawed drive implementation leaves BitLocker-protected data exposed. Microsoft issued security advisory ADV180028 on Tuesday 6 November 2018 for computer users who have self-encrypting solid-state drives (SSDs) that are ostensibly protected by BitLocker. If you use BitLocker in your enterprise, take a look at ADV180028 for details on how to detect and remediate the issue; note that drives already encrypted by hardware must be decrypted and re-encrypted, since changing the policy alone does not re-encrypt existing data.

Details of security advisory ADV180028 (permalink in the references below):

ADV180028 | Guidance for configuring BitLocker to enforce software encryption

Security Advisory

Published: 11/06/2018

Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software-only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker.

To check the type of drive encryption being used (hardware or software):

  1. Run ‘manage-bde.exe -status’ from an elevated command prompt.
  2. If none of the drives listed report “Hardware Encryption” for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

For drives that are encrypted using a vulnerable form of hardware encryption, you can mitigate the vulnerability by switching to software encryption using BitLocker with a Group Policy.

Note: After a drive has been encrypted using hardware encryption, switching to software encryption on that drive will require that the drive be unencrypted first and then re-encrypted using software encryption. If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data.

IMPORTANT: You do NOT need to reformat the drive or reinstall any applications after changing BitLocker settings.

To mitigate vulnerabilities associated with self-encrypting drives on Windows systems:

  1. Configure and deploy a Group Policy to enable forced software encryption.
  2. Fully turn off BitLocker to decrypt the drive.
  3. Enable BitLocker again.

BitLocker Group Policy settings

Configure use of hardware-based encryption for operating system drives

/docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd

Configure use of hardware-based encryption for fixed data drives

/docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdefxd

Configure use of hardware-based encryption for removable data drives

/docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hderdd
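The three mitigation steps above can be scripted. The following is an added example (not part of the advisory and not Microsoft's code) that audits every BitLocker volume for the "Hardware" encryption method, writes the local-registry equivalent of setting the three Group Policy items listed above to Disabled, and, for a volume that is hardware-encrypted, decrypts it and re-enables BitLocker with software AES. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Disable-BitLocker, Enable-BitLocker) is available. The registry value names OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE are an assumption taken from the VolumeEncryption.admx template; verify them against your own ADMX files, and in an enterprise deploy the policy through GPO rather than editing the registry per machine.

```powershell
# Added example, not from ADV180028. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionReport {
    # One row per volume; UsesSedEncryption is true where manage-bde -status
    # would show "Hardware Encryption" as the Encryption Method.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeStatus      = $_.VolumeStatus
            EncryptionMethod  = $_.EncryptionMethod
            UsesSedEncryption = ($_.EncryptionMethod -eq 'Hardware')
        }
    }
}

function Set-BitLockerSoftwareEncryptionPolicy {
    # Local equivalent of setting the three "Configure use of hardware-based
    # encryption for ... drives" policies to Disabled. This only affects volumes
    # encrypted AFTER it is applied; already-encrypted volumes are untouched.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # ASSUMED value names (OS = operating system, FDV = fixed data,
    # RDV = removable data drives); 0 = hardware-based encryption disabled.
    $names = 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption'
    foreach ($name in $names) {
        New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-ItemProperty -Path $fve | Select-Object $names
}

function Invoke-BitLockerReencryption {
    # Advisory steps 2 and 3 for a single volume: fully decrypt, then re-enable.
    # Destructive and slow; refuses to act unless -Force is given.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [switch] $Force
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint is not hardware-encrypted (method: $($vol.EncryptionMethod)); nothing to do."
        return
    }
    if (-not $Force) {
        Write-Warning "$MountPoint uses hardware (SED) encryption. Back up its recovery key, then re-run with -Force to decrypt and re-encrypt."
        return
    }
    # Disable-BitLocker removes the key protectors and starts decryption, but
    # returns immediately, so poll until the volume is fully decrypted.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    # With the policy in place BitLocker must now use software AES. -TpmProtector
    # suits an OS drive; a data drive needs e.g. -RecoveryPasswordProtector.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, EncryptionMethod
}

# Usage: audit first; apply the policy and re-encrypt only on affected machines.
Get-BitLockerEncryptionReport | Format-Table -AutoSize
# Set-BitLockerSoftwareEncryptionPolicy
# Invoke-BitLockerReencryption -MountPoint 'C:' -Force
```

Apply the policy before re-enabling BitLocker, because Windows reads it only at the moment encryption is turned on; a volume re-encrypted without the policy in place will silently go back to the drive's hardware encryption. A full decrypt and encrypt cycle can take hours on a large drive, and Disable-BitLocker removes all key protectors, so escrow the recovery password first.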

References

Draft paper, “Self-encrypting deception”: /www.ru.nl/publish/pages/909275/draft-paper_1.pdf
Redmond Magazine coverage of the advisory: /redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx
ADV180028 on the MSRC portal: /portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028
BitLocker Group Policy settings: /docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

My CISSP Journey.

Make a plan, stick with it!

By popular demand I am sharing my CISSP study plan. It’s fairly wordy, longer than future posts I am planning, but take away from it what you will. And I really hope it helps and motivates you to study and pass.

The Base.

Up to this point I have been working in an Information Security governance, risk and compliance role for 4 years, with 20 years’ additional experience in IT and Microsoft MCSE and Certified Novell Engineer qualifications (yes, my career does go back to pre-Y2K!). This provided me with a base of networking, cryptography and operations. Everyone will have a different base of knowledge, so use yours and identify gaps to focus on.

My employer provided me with CISSP training from Global Knowledge, which demystified the content and domains that make up CISSP. A quick note about this course: it was death by PowerPoint, but the instructor really made it for me as he added anecdotes. In all fairness the course wasn’t his, he was just teaching it. I realised that the CISSP knowledge wasn’t as hard as I thought it might be and it mirrored my Information Security role.

After the course, while I was more comfortable with the concepts, I didn’t feel ready to take the exam. Then work and life got in the way, so two years went by. During this time I parked my CISSP study and studied Certified Ethical Hacker (EC-Council), eventually picking up CISSP for Dummies. Part of the issue was that while work had paid for my course they hadn’t paid for the exam, and with tighter budgets they weren’t willing to prioritise paying for my exam.

So this year I decided to take the lead in my Infosec journey, invest in myself and pay for the exam. It was the best decision that I could make and totally empowering.

The Start.

My study for CISSP started on the 5th of June. The week before I had been on holiday in the sunny south of Spain and had decided during this time that on my return I would book the exam and start studying. A number of factors influenced my decision, not least the fact that I had waited long enough to take CISSP. I felt ready. The exam was booked for late August, giving me just over two months of intensive study.

For motivation I kept a tracker using Google Sheets, recording what I did towards CISSP every day and planning which days I could study and what times of the day worked. I found that Sunday to Thursday evenings, between 8 and 10, along with the drive in to work, worked for me. This worked out to around 4 hours a day, about 20 hours a week.

I recommend looking at how much time you can set aside to study, be creative with time available and develop a plan and stick to it.

My study plan went along the lines of making sure I knew a domain, then doing sets of 50 questions to make sure I had got it. If I achieved 80% I would move on to the next domain, read it, do the questions, and repeat. My typical day would be: read Sybex CISSP 7th Edition, listen to Cybrary CISSP in the car, and then do practice questions either on the current domain or the previous one as a refresher.

Make notes

OK, so this depends on how you remember stuff. I bought an exercise book and wrote down notes for the various concepts that I felt I needed to remember. I didn’t take notes on everything, more the core concepts like managing risk, business continuity, disaster recovery, cryptography, etc.

Be creative; write, type, mind map, mime.

Weekly review

Guess what the tracker is for. The weekly review really helped me keep on track and motivated, ensuring that I was moving forward and at the right pace. Two months is not a long time. Time-wise the review was just a quick 10 minute session to correct my approach: maybe I skipped a day, recognise that, adjust, move on. Immerse yourself in CISSP. Immersive training in any field helps to gain knowledge and CISSP is no different. As I said above, spending most of my free time, such as in the car, listening to podcast training helped cement the knowledge. I didn’t use flash cards. I mention this as I know some people like that sort of thing. Not me.

Exam Strategy.

My strategy for the exam, from the very beginning, was: know the concepts and how to apply them. If you come across a concept you don’t understand, google it, find it in one of the resources (which I have shared below) and make sure you understand the pros and cons of using it. Take practice tests. So long as you are getting 80% or higher you will be fine.

I read somewhere that you should get 80% in practice tests for a domain before moving on to another domain.

To be honest, when you are revising take tests that cover a few domains or more. During the exam you will be asked questions from different domains, so get used to getting a crypto question, then risk, then physical security. Read the question and all the answers. Then go back over and read the question and answers again. Only then look to answer the question. Each exam question has four available answers. Eliminate at least one answer, two if possible.

When you are down to two, think Kirk and Spock. It does work.

CISSP is like an English language exam. I didn’t get that until I took the exam. Larry Greenblatt talks about this; see resources below. Before submitting your answer, think: does the answer I chose answer the question? What is the question asking and what are they looking for? Don’t ask me to repeat any questions on the CISSP exam. It is against ISC2 ethics, and my honest answer is that I cannot remember any anyway. Understand and remember the ISC2 code of ethics.

Resources; how they worked for me.

Shon Harris All-In-One book – I bought this when I started my Infosec role, read the first few chapters but didn’t touch it during my study this year. I had it by the side of my couch ready for last-minute revision but never opened it.

CISSP for Dummies Guide – A great resource and recommended reading. Having attended the CISSP course a few years back I knew the syllabus, and CISSP for Dummies had enough detail for me to feel comfortable I understood the concepts. I read this over the last couple of years and referred back to it during my exam prep.

11th Hour CISSP – Not recommended. A buddy loaned me a copy and I read it in two evenings; it is only 200 or so pages. I found it a waste of time. Glad I didn’t pay £20 for it. If you are wondering how I read it in two evenings: skim reading.

Cybrary CISSP – A great resource and recommended listening. A free CISSP course that is well presented and I found helped cement many concepts needed for the exam. I mostly listened to it in the car, so two hours a day. Went through it again a few weeks before the exam. /www.cybrary.it/course/cissp/

CCCure exam questions website – I paid for a 3 month subscription and was taking 50-question exams generally twice a day, morning and evening. As it is online based you can dive in, do a few, then save and carry on where you left off next time. So great for lunchtimes and other breaks in the day. Overall I would give CCCure 7 out of 10. It isn’t essential but it gave me confidence. /www.cccure.education/

Sybex CISSP 7th Edition – A great resource and recommended reading. I valued this over all the others. It is a long read but knowing the CISSP content I skim read each chapter then did test questions until I could move onto the next chapter and repeat.

Sunflower CISSP Cram Study Guide – A good resource. I read this the Sunday before my exam; I fully expected to read it in 2 hours, but spent 8 hours reading through it and identified some factual errors in it. The reason for the 8 hour read: I read it carefully, absorbing everything.

Kirk and Spock – /www.youtube.com/watch?v=eLYbFtS7G9E&t=0s&index=4&list=PLoMRAM_UwwHc_SA_10Yb5kAzGNmtzxuNw Larry Greenblatt shares his exam tips along with some anecdotes. I watched this video a few days before the exam and I found it worked for me. Kirk and Spock? Just watch the video; they did help me in the exam.

CISSP Official ISC2 Practice Tests – Mixed feelings about the test engine and questions. The UI is not as friendly as CCCure but the questions do get you thinking.

Countdown to the exam.

I managed to get three full days of study, around 30 hours, before the exam: Saturday through Monday, with the exam on Tuesday morning. Reviewed the Sunflower CISSP cram study guide. Read 11th Hour CISSP (skim read it). Practised lots of questions, including doing two lots of 150 questions to simulate the exam conditions. Felt ready to pass CISSP.

In part 2 I will share the next steps following success in passing the CISSP exam.
