Information Security, Privacy and Regulatory Compliance - Commercial Products

Whole Disk Encryption (WDE) – And Comparison of PGP vs TrueCrypt for WDE

nospam@example.com (Keith Pachulski) — Thu, 03 Jun 2010 20:40:37 -0400

Whole Disk Encryption (WDE^[?]) – And Comparison of PGP vs TrueCrypt for WDE

In this day and age there is absolutely no reason for any business with laptops being used for business or personal reasons that contain sensitive information to not be encrypted.

Whole Disk Encryption, also known as Full Disk Encryption, is what it says; it encrypts all information contained on the specified disk or partition. WDE should not however not to be confused with file system encryption. With WDE one key is used to encrypt the entire disk. Should the key become compromised, the entire disk is thereby compromised. For those individuals needing or who are required to transmit sensitive information on their laptops, I would strongly recommend using WDE in conjunction with file system encryption.

File system encryption is often known as folder or file encryption because it was designed, from a high level, to encrypt specific targets within the system whereas WDE deals with the entire disk.

File System encryption examples can be found in a previous blog post on TrueCrypt Containers for examples.

TrueCrypt vs PGP	TrueCrypt	PGP
Cost	Free	$149.00
Encrypt internal, external and removable media	yes	yes
Encrypt all user data, applications, boot sector and swap files	yes	yes
Shred/Wipe Function	no	yes
Encrypt Email	no	option $$
Encrypt IM	no	option $$

TrueCrypt Whole Disk Encryption on Windows - Step by Step

Select Create Volume

Encrypt the system partition or entire system drive

Type of System Encryption - Normal

Area to Encrypt – Encrypt the whole drive

Encryption of the Host Protected Area – If you know there are utilities in the Host Protected Area (HPA) you do not want encrypted, select No – Otherwise encrypted the HPA as well

Number of Operating Systems – Select the appropriate response, typically this will be 1

Encryption Options – Select the Preferred Encryption and hashing Algorithms – for NIST^[?] compliance select AES^[?]

Notes:
Unlike PGP below where you generate your public/private keypair that can be used for other PGP plug-in applications, the keys for TrueCrypt are generated based on the movement of your mouse and are only used for drive encrypt/decrypt functions
If you are overly paranoid, you can select a cascading algorithm here such as AES+TwoFish to increase the strength

Password – enter the password, this will be used to access the system once the entire disk has been encrypted

Rescue Disk – The iso image created must be copied off the system and it is recommended it be burnt to a CD. This will be required if the password is forgotten or any portion of the loader becomes corrupted. Once the image has been burnt, eject and reinsert the CD and click next to allow Truecrypt to verify the image. Once it has completed, it will ask you to reboot, select yes for the encryption Pretest.

At the boot prompt, enter the password you had entered earlier.

Once Windows boots, you'll be presented with the Pretest screen and the option to begin the encryption process, select Encrypt, go for a coke...

The encryption status window will appear, once the disk encryption has completed a notification window will appear.

That’s about all that you need to do.

If for whatever reason you want to permanently decrypt the drive, open the TrueCrypt application, select System then “Permanently decrypt system partition/drive”.

PGP (Pretty Good Privacy) WDE on Windows - Quasi Step by Step

The setup is pretty straightforward and almost identical to the TrueCrypt setup; install the application from the exe. Once it finished open the PGP Desktop application from the system tray and click on PGP Disk then Encrypt Whole Disk.

During the installation you`ll be prompted to create a key pair. These keys will be used for encrypting and decrypting the drive(s). These are also the keys you`ll use if you buy the extra PGP addons such as email. Make sure you use your legitimate email address during creation.

It is recommended you create a recovery disk, same as a above.

Select the disk to encrypt then select the keys you created during installation by selecting Add User Key.

Click Encrypt, go for a coke..

By default PGP uses AES-256 for encryption and SHA-1 for hashing. As far as I am aware there is no possible customization to either the encryption or hashing algorithms.

Soap Box

While I am a huge fan of TrueCrypt for only WDE or file system encryption, it does not scale well in large deployments like PGP offers with the Universal Server. With the PGP Universal Server, enrollments and encryption policies can be controlled and deployed from a central server. The PGP server can generate "reports" from the server on demand. I put the quotes around the word report because the export is simply a csv export of the entire database structure, which is severely lacking in the ability to perform decent reporting and database maintenance.

Seriously though, with whatever solution you choose..choose one. The 30 minutes of your time it takes to install and configure the software will pale in comparison to being immortalized on the Internet as yet another failure to protect sensitive information...

Metasploit/NeXpose integration from the webconsole on CentOS

nospam@example.com (Keith Pachulski) — Sat, 30 Jan 2010 10:25:00 -0500

In integrating the use of the two products, this will walk you through the step by step setup and use for this to work with success.

Download the latest copy of ruby, currently 1.9.1 - ruby 1.9.1

Configure ruby as follows:

cd ruby-x
./configure --prefix=/opt/msf3 --enable-pthread --enable-shared
make && make install

Add ruby to your PATH: export PATH=/opt/metasploit3/bin:$PATH

After installing ruby, download and install the latest rubygems

- untar the ball, enter into the directory and execute ruby setup.rb

Install libpcap-devel via yum: yum search libpcap-devel

- cd /opt/msf3/external/pcaprub/
- ruby extconf.rb
- make && make install

After you have ruby and rubygems installed, downloaded the most recent version of metasploit or update it via svn

- svn checkout https://www.metasploit.com/svn/framework3/trunk /opt/msf3/

Install the database driver, choose one or both:
- gem install sqlite3-ruby
- gem install mysql
- gem install postgres-pr

Download and install NeXpose if you haven't done so already. Don't go any further until NeXpose is installed and operational.

Start the metasploit console: ./msfconsole

Create the database: db_create
- [*] Creating a new database instance...
- [*] Successfully connected to the database

After the database has been created, load the nexpose plugin: load nexpose
- [*] NeXpose integration has been activated
- [*] Successfully loaded plugin: nexpose

Connect to the NeXpose instance: nexpose_connect "username" "password" 127.0.0.1 3780 ok

Launch your first scan and automatically pass results to metasploit for processing

- nexpose_scan -x -t full-audit

To see the full list of nexpose_connect options, execute the following: nexpose_connect -h

If there are any successful exploitations as a result of the scan, you will be presented with the following:

- [*] Command shell session 1 opened

To view the active sessions, execute the following: sessions -l -v

Full results from the audit can be viewed by logging into the NeXpose web console.

Disconnect from NeXpose via the metasploit msfconsole or weird things happen: nexpose_disconnect

Suggestion, once this is all working correctly and you`re happy; Setup metasploit to update daily or however often you prefer via cron

* svn update /opt/msf3/

When attempting to execute future metasploit/nexpose session, be sure to reconnect to the database before connecting to nexpose:

- ./msfconsole
- db_connect
- nexpose_connect "same stuff as above"

And you`re done...go have some fun now..

Product Comparison - Nessus 4.2.0 vs. Rapid7 NeXpose

nospam@example.com (Keith Pachulski) — Tue, 12 Jan 2010 11:15:00 -0500

I've been a Nessus user for quite some time now, likely as far back as version 1. I've liked the product up till the most recent release of 4.2.0. I began having all sorts of problems. Audits not completing, when they did complete the report either would not generate or if it did generate it would present large black boxes sporadically throughout the report, the console would crash or restart without warning...

After contacting Tenable support, I was told some of the most outrageous excuses such as "We don't support scans through firewall", "We don't support scanning that large of a network segment", "You report is to large, you need to add this filter to remove some of the entries to have the report generate".

With that said, Tenable all I can offer you is this. Before your next product release, I suggest you download NeXpose from Rapid7 and seriously reconsider how your product functions and what the end-user security community actually needs.

Installation and Setup

Both products were easy to install, Nessus required no dependencies and installed after about 5 minutes. NeXpose required one dependency which took approximately 2 minutes to locate and install. After which the install process was approximately 5 minutes.

Functionality

If you download Nessus, you're restricted to only auditing for Windows vulnerabilities. If you want more, you need to buy the professional feed for $1200.00 a year.

NeXpose is fully functional with the only restriction on the "Community" version being that you cannot have more tha 32 IP's in the UI at a given time and regulatory audits are disabled. NeXpose also integrated directly with Metasploit. This makes the actual testing portion of the audit process far easier as you can just hop down to the console and test for the reported vulnerabilities rather than hunting for the source to actually verify a reported issue.

Front-End

Nessus has the very sexy front-end UI, while NeXpose has the php front-end. I honestly prefer the php front end, it loads faster and doesn't chew up a large chunk of memory. If you like flashy stuff though, the Nessus UI would likely hook you.

Audit Policies

Nessus comes with no pre-configured audit policies and while there is some user documentation, once you configure your first policy and it fails you`ll learn most of the options they`ve described in the User Guide are neither support or recommended by Tenable.

NeXpose - comes with several preconfigured policies to test for not only regulatory regulations such as PCI^[?], SARBOX, HIPAA^[?], web application audit, "full" and "exhaustive" audits or a full blown penetration test.

This of course makes the auditors jobs much easier as they do not need to spend 20 minutes trying to develop a working audit policy, run it then work out the bugs by reconfiguring the policy as with Nessus.

Audit Function and Reporting

With Nessus, after you've created your policy and finally executed the scan, you are offered a single technical report. Within the report provided by Tenable you'll have cursory overviews of the detected vulnerabilities along with the occasional CVSS^[?] score assigned to a vulnerability^[?]. From there, you have no other option but to generate your report and start the process or going to your external vulnerability management system, adding all the issues, then beginning the process of addressing the individual vulnerabilities. The actual report are only available to be generated in HTML or the Nessus specific file formats. Nessus used to have a PDF option but they removed it with version 4.x.x.

With Nessus; if you want to re-audit the system(s), you need to repeat the processing of entering the IP or netblock to rescan and assign the policy. Time consuming and slightly annoying.

NeXpose on the other hand, once you enter the IP or netblock information into the UI. The information is stored and you can setup an automated schedule process. With this you can say every 3 months for example, for those PCI-DSS folks out there, re-audit this specific asset. Yes, with NeXpose you can create an asset object.

Once the audit has been completed, the NeXpose console will list out all vulnerabilities discovered. It will also provide you with an overall CVSS score for the entire asset as well as Risk score per system within the asset group. Unlike Nessus you have two reporting options, Technical and Executive. The Executive report offer the high level overview along with graphs, charts and risk levels. The technical reports provides a complete list of all discovered issues, how the issues were discovered along with a step by step on how to resolve the issues.

NeXpose reports are also able ot be customized to the type of vulnerabilities you wish to report, such as "All Vulnerabilities", "Critical Vulnerabilities" or "Critical and Severe Vulnerabilities". Reports are able to be generated in PDF, XML or HTML.

In additional to the exhaustive reporting NeXpose provides, it also gives you the ability to track the issue directly through the NeXpose console. Once an issue has been resolved, you click on the "exclude" image and you are requested to enter why you are excluding the vulnerability. This integrated vulnerability management system makes the analysts life easier as all of the information he/she needs it contained within the single system. The entire life cycle from discovery, verification and resolution all resides on a single webpage.

The other added bonus, NeXpose runs off an integrated postgresql database. If an analyst should so desire, custom reporting can be retrieved from the database as needed.

In closing, if you are a Nessus user. I would strongly urge you to go to the rapid7 website and download NeXpose..kick the wheels and give it a spin. I promise you that you will not be disappointed.

NeXpose
Nessus