Slashdot Mirror
Storage Security
Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security.
And once the system is selected, you can't stop there. You've got to decide on appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.
The book's evaluation methodology is particularly valuable. Each type of storage (directly attached, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct-attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics.
The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the best technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.
Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine, since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.
Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may or may not need this book. If you have a larger network, though, or have significant data-storage needs, this deserves a space on your shelf.
You can purchase Storage Security: Protecting, SANs, NAS and DAS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I am having a computer related problem, and was hoping that you, being mainly technically minded could help.
Up until recently I was a proficient Java programmer, and the code that I released for my company earned us a significant revenue. I used the various coding tools available to me on the robust platform of Microsoft Windows 2000 and all of the user friendliness and support it has to offer.
Recently, I was involved in an accident which left me immobile in hospital for a couple of months. In this time, without the ability to excercise, I began to gain weight, and would now go as far as to say I am fat. Also, because I could not get a haircut easily, my hair is long and unkempt. Fortunately, I have made a full recovery and since left hospital and gone back to work.
Here is the problem:
Now at work, I refuse to use Java, instead prefering to use what I used to think was a garbled mess of inefficiency - perl. Not only that, but once I have completed any code (which takes a lot longer than it used to with Java - but it can't be perl's fault because perl is perfect) I now genuinely believe that giving away the past few months worth of work for free is a valid business model! Equally, my productivity has plummeted because I have switched from Windows to Linux, as I now realise that it is better to write a 75 line bash script to copy files than to drag and drop in explorer - I think it has something to do with being l337 and having control, not like you M$ Windoze lusers LOL!!
Clearly something is wrong with me and I would love to know what it is. Does anybody know why I have lost all common sense, personal hygiene, business sense and instead gained the ability to program in a rune like language?
Please, I need all of the help I can get.
--gazbo
PS. I can't add any more details now, as I have an irrepressible urge to learn to play the GNU/flute.
Troll 72 of 208 from the annals of the Troll Library .
Said like ONLY a Marine could say it!
;are the odds? Winning a hundred Powerball Lotteries in a row? A thousand? A million? And now a Secret Service guy has been tossed off a plane and we're all supposed to cry about it because he's an Arab? Didn't it have the tiniest bit to do with the fact that he filled out his forms incorrectly three times? And then left an Arab history book on his seat as he strolled off the plane? And came back? Armed? Let's please all stop singing "We Are! the World" for a minute and think practically! I don't want to be sitting on the floor in the back of a plane four seconds away from hitting Mt. Rushmore and turn, grinning, to the guy next to me to say, "Well, at least we didn't offend them." SO HERE'S what I resolve for the New Year:
A speech by former ACC Commander, Gen Hawley:
"Since the attack, I have seen, heard, and read thoughts of such surprising stupidity that they must be addressed. You've heard them too. Here they are:"
1) "We're not good, they're not evil, everything is relative."
Listen carefully: We're good, they're evil, nothing is relative. Say it with me now and free yourselves. You see, folks, saying "We're good" doesn't mean, "We're perfect." Okay? The only perfect being is the bearded guy on the ceiling of the Sistine Chapel. The plain fact is that our country has, with all our mistakes and blunders, always been and always will be, the greatest beacon of freedom, charity, opportunity, and affection in history. If you need proof, open all the borders on Earth and see what happens. In about half a day, the entire world would be a ghost town, and the United States would look like one giant line to see "The Producers."
2) "Violence only leads to more violence."
This one is so stupid you usually have to be the president of an Ivy League University to say it. Here's the truth, which you know in your heads and hearts already: Ineffective, unfocused violence leads to more violence. Limp, panicky, half-measures lead to more violence. However, complete, fully-thought-through, professional, well-executed violence never leads to more violence because, you see, afterwards, the other guys are all dead. That's right, dead. Not "on trial," not reeducated," not "nurtured back into the bosom of love." Dead. D-E-Well, you get the idea.
3) "The CIA and the rest of our intelligence community has failed us." For 25 years we have chained our spies like dogs to a stake in the ground, and now that the house has been robbed, we yell at them for not protecting us. Starting in the late seventies, under Carter appointee Stansfield Turner, the giant brains who get these giant ideas decided that the best way to gather international intelligence was to use spy satellites. "After all," they reasoned, "you can see a license plate from 200 miles away." This is very helpful if you've been attacked by a license plate. Unfortunately, we were attacked by humans. Finding humans is not possible with satellites. You have to use other humans. When we bought all our satellites, we fired all our humans, and here's the really stupid part. It takes years, decades to infiltrate new humans into the worst places of! the world. You can't just have a guy who looks like Gary Busey in a Spring Break '93 sweatshirt plop himself down in a coffee shop in Kabul and say "Hi ya, boys. Gee, I sure would like to meet that bin Laden fella." Well, you can, but all you'd be doing is giving the bad guys a story they'll be telling for years.
4) "These people are poor and helpless, and that's why they're angry at us."
Uh-huh, and Jeffrey Dahmer's frozen head collection was just a desperate cry for help. The terrorists and their backers are richer than Elton John and, ironically, a good deal less annoying. The poor helpless people, you see, are the villagers they tortured and murdered to stay in power. Mohamed Atta, one of the evil scumbags who steered those planes into the killing grounds - I'm sorry, one of the "alleged hijackers," according to CNN. They stopped using the word "terrorist," you know, is the son of a Cairo surgeon. But you knew this, too. In the sixties and seventies, all the pinheads marching against the war were upper-middle-class college kids who grabbed any cause they could think of to get out of their final papers and spend more time drinking. At least, that was my excuse. It's the same today. Take the Anti-Global-Warm-ing (or is it World T! rade? Oh-who-knows-what-the-hell-they-want) demonstrators. They all charged their black outfits and plane tickets on dad's credit card(!) before driving to the airport in their SUV's.
5) "Any profiling is racial profiling."
Who's killing us here, the Norwegians? Just days after the attack, the New York Times had an article saying dozens of extended members of the gazillionaire bin Laden family living in America were afraid of reprisals and left in a huff, never to return to studying at Harvard and using too much Drakkar. I'm crushed. I think we're all crushed. Please come back. With a cherry on top? Why don't they just change their names, anyway? It's happened in the past. Think about it - how many Adolfs do you run into these days? Shortly after that, I remember watching TV with my jaw on the floor as a government official actually said, "That little old grandmother from Sioux City could be carrying something." Okay, how about this: No, she couldn't It would never be the grandmother from Sioux City. Is it even possible? What !
Never to forget our murdered brothers and sisters.
Never to let the "relativists" get away with their immoral thinking. After all, no matter what your daughter's political science professor says, we didn't start this.
Have you seen that bumper sticker that says, "No More Hiroshimas"?
I wish I had one that says, "You First. No More Pearl Harbors."
make it even harder to get the hard drive out of this #$%@% Presario...
Duct tape your storage devices.
Protect Freedom!
Buy Tom Ridge Brand Duct Tape, it's minty fresh!
Have you seen that bumper sticker that says, "No More Hiroshimas"?
I wish I had one that says, "You First. No More Pearl Harbors."
MOD PARENT UP!!!!!
I have a very simple answer:
The Impeachment of Ashcroft, Bush, Cheney, Poindexter, and Rumsfeld
Cheers,
W00t
I don't know why those darned crackers shame me by hishonorably stealing by data using hurtful, yet clever tricks.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security. And once the system is selected, you can't stop there. You've got to decide upon appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.
The book's evaluation methodology is particularly valuable. Each type of storage (direct attach, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics. The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the "best" technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.
Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine: since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.
Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may not need this book. If you have a larger network, though, or have significant data storage needs, this deserves a space on your shelf.
--Rosie
This is something I've wondered about, and this reminded me.
Is there any operating system that supports encrypting the storage at the file system level. In other words, is there any operating system where I can specify that I want a particular path encrypted, and then copy files over, edit files, etc without worrying about having to decrypt, recrypt manually all the time?
Even a weak encryption would satisfy me.
This is nothing new. Administrators and other have known for a long thime that no machine is secure if someone has access to the physical machine. If someone can open your box up, reboot it, attach new devices to its private subnet, etc. then it is not secure.
Why anyone thinks this should be different for storage systems is beyond me. If someone can break in and steal your data, or attach new devices to the data transfer channel, or whatever, then your data isn't secure. That the authors think this comes as a revelation to anyone means either they are really stupid or they think administrators are really stupid.
Get your machines installed in a location with good physical security. That's really all there is to it.
a friend of mine recently pointed me to
this ebay auction: Real Time IDE Hard Drive Encryption Kit (Bay)
the link has lots of pretty pictures.
i like the physical usb key that the drive bay has.
loopback seems a better solution than $50+ for this.
Use my userscript to add story images to Slashdot. There's no going back.
"Security is a process, not a product"
Why is this something you'd need a book for? It comes down to the basics.
One, never allow physical access to what you're trying to secure.
Two, _never_ allow physical access to what you're trying to secure.
Three and so on: log all security events, break users into groups for simplification of manageability, set permissions properly, protect network shares and device access, and be aware of the content that's being secured (what it is, how it's used, etc.)
Beyond that, there's not much else to consider. However, from the review it looks like they go beyond security issues to stuff like, "what hardware is best for my particular application." Sure, it's a big consideration. For example, you wouldn't want a two million row database running off a Network Appliance over NFS across switched fast ethernet, but there's enough free information out there that making decisions like that should be trivial. Furthermore, if you're doing system specifications w/o knowing about the technologies you have to choose from, I sure hope you're not an employee of the place for which you're building a system, because they're not going to like you very much when it dies on a regular basis.
Not having actually read the book, I may be way off base, but from the title and the review above, I don't see how it would be all that helpful except maybe as a primer to a junior-level engineer.
IEEE is working on a standard (IEEE P1619) which will allow encryption to shared media (SANs I guess). They've set up a working group.
They're looking at (from the website):
Something to look at in the future. Hopefully it'll be more secure than WEP. :)
Security books are pure crap. If the software you are using is so insecure, you change to something better which does the same job, or write something yourself.
The slashdot "community" is actually a bunch of hypocrites who aren't really interested in "sharing" information at all, but rather stealing things for free because they don't want to pay for it.
So all you slashdoters are a bunch of hypocrites eh? Gee... who would have guesed that?
--Rosie
I know that the term security here is refering to keeping thinigs secret, but I've often wondered what is the best medium for stable storage of data. Right now I've got a large external firewire hd that I backup everything to. However, I'm really paranoid about keeping the drive level, keeping it away from monitors an all other sorts of magnetic devices. I wonder if I'm being too paranoid?
Anyway, the question I ask is what is a good place to backup data to (besides tape). I know if my firewire were to die I'd probably wanna die too. I've got gigs of my own music on there, and that stuff is not replacable. How paranoid about magnets etc. should I be?
Go here for teh [sic] funny.
MS products, in particular, like to create a large number of temp files and there is no way of configuring where they are kept. I'm not sure if OSS alternatives have this configuration ability.
And of course, you also have to worry about elements of documents in memory (which can be recovered).
(Far, wide, and full of hot grits!)
perhaps not on the hard drive but on a cd, floppy, network/internet. it can be off of the hard drive in case you lose all your warez...uh...i mean back ups in some police raid or something...
if you used a cd you could take it with you (the back up copy of course, scratch your key up and you might lose everything).
if you used the net, and got your key from another place online (secure place if there is such a thing), perhaps you'd have a big enough key that it'd take a REALLY long time for a supercomp to crack. now a days, i can dl a file that's 1.44mb within seconds on my cable internet (shaw in van bc).
not sure how the key could be protected from people copying it along the way. perhaps even more encryption for your net connection.
alot of trouble but if yer a business or someone who has alot to lose, it might be worth investing in security.
i recently lost 30gb of music and movies, the bad side is i lost alot. the good side is it made room for more (was at 50mb left...lol)
blue tiger
It's a safe bet no one's going to reach in there
I've had this similar thinking before, because the information in and of itself is not important, from a technical perspective, it's the mechanism to access that needs to be secure. Hence, a SAN with a fibre-channel fabric would seem secure (a client needs an HBA card), but hook it up to a MS File server, SQL Server, or Oracle, and suddenly all the same exploits apply.
;)
I would suggest it's not the type of nails used, it's the design of the front door. I could be wrong.
Peace, Out!
~Airrage
"This isn't a study in computer science, its a study in human behavior"
Some machines are more secure then others. With Suns you can lock the PROM (== BIOS) so that even to boot you need to enter a password. You basically need to open up the box, pull the EEPROM chip, and put in another before you can even think about booting.
Alot harder then simply press DEL on bootup, wouldn't you say? :)
Try doing that with a regular PC BIOS. (I think Apple also uses OpenFirmware (IEEE 1275 as well.)
In fact, today there was a high profile F-Up by someone in my department; they wanted to be in charge of upgrading our mainframe, even tho they have no experience whatsoever working on such equipment, and know nothing about Unix. Thousands of dollars an many consultant hours later they got it 'Live', and now it routinely drops printer support, and was down for three hours this morning.
Funny, somewhere they forgot that the information on that machine was very important, and that hundreds of users need that machine to function so they can work. Oh well.
Manipulate the moderator system! Mod someone as "overrated" today.
Erm, several PC BIOSes support passwords on boot etc., likewise necessitating opening the machine up (to discharge the battery or whatnot)..
One particular memo was about the servicing of the water coolers, and went out to the whole company. When I strings'ed the memo, though, at the top was a draft of an employee's termination letter! Oops. Apparently, this was the undo buffer for Word -- the writer of the memo had just written the termination letter, printed it, deleted it from the document, and wrote the water cooler memo in the same instance of word. However, if opened this doc in Word, I couldn't access the hidden info, no matter what I tried.
Since then, I've always wondered how much other sensitive information has snuck out, via MS Word.
Yes, and there are programs that either crack or read the password (doing a quick Google):
If you don't the PROM password for a Sun the only thing you can do is can a new EEPROM chip -- you can't access the password in anyway. There is no ``discharging'' the battery (though I think some PC BIOSes now do this). Of course you can simply do a BIOS-update to get rid of all the values....
Keys are stored in smart cards. Reading backup tapes requires a Cyberntics drive and the correct key. Obviously you need to manage this very well to avoid being SOL during an actual recovery situation.
Of course, consider how vulnerable your backup media really is. I don't need to hack your network, just show up in an Iron Mountain uniform with forged ID maybe 30 minutes before the real Iron Mountain guy shows up. I then drive off with ALL you data.
If your children ever found out how lame you are, they'd murder you in your sleep
Which idiot modded down this comment? It's hardly offtopic, and rather interesting. Do you mods just click buttons at random?
The next problem to securing data on EFS is Window's use of a recovery agent.
By default, the Administrator is recognized as the recovery agent so in an environment without a properly configured domain, it is very possible that someone can take ownership of your EFS files/folders and decrypt them.
Windows does encode a unique marker onto each drive to identify it's affiliation with a certain domain or Admin, but if someone has physical access to the drive it's also quite easy for the Admin on another system to take ownership of the physical disk.
If I want the data on a machine, I don't care about booting. One could just remove the hard drive.
I used to work for a Fortune 500 company as a Unix sys admin. One of my projects was to assist in bringing a new Oracle financials system on line. The data on this system was so sensitive that only the executive board was given access, and then only via SecurID cards from specific locations during specific time windows.
Nightly backup tapes were queued in a fireproof walk-in vault before going offsite at the end of each day. I happened to be strolling by the vault one day and noticed the backup tapes sitting there on a shelf in the vault, right next to the open vault door. I did some checking and found out that the vault was left open during business hours so that the operations folks had easy access to backup media. The vault was in a different department than I/S, on a main hallway, right near the front door of the building. Obviously, I mentioned this to the Operations Manager. The new policy limited access to only a couple of operations supervisors, and instituted a media checkout policy (nothing a little social engineering couldn't thwart, but far better than the previous situation).
So what's the moral of the story? Make sure your security policy deals with backup media. Don't just assume that your operations department (or the offsite storage provider) is securely managing your media.
I've taken the pessimistic stance that most of them are... otherwise I wouldn't be regularly bombarded by worm attacks. That and this overwhelming feeling that my universities networking department is run by monkeys...
I know the author of a similar book that hasn't quite finished up yet. He was concentrating on the SAN's aspect of it since NAS security is pretty much the same FAQ as 'how to setup a file server'.
Secure SANs was slated to come out last year but hasn't ever been more then a link on Amazon. It dealt with the ugliness of iSCSI and how the 'air gap' security that protected this data for so long is now gone and storage administrators are struggling to learn how the real world works.
Not to bash storage admins but they've relegated most of their 'security efforts' to LUN masking and other such techniques. Now that SCSI drive commands are traversing networks huge security vulnerabilities are opened up. I read an advanced chapter of the Secure SAN title and the best part was an executive from a prominent NAS company stating that he wasn't worried about the security of the products since "only a handful of ppl in the world could have this conversation".
Check out the recent efforts at Storage Networking Industry Association who have come as close to working miracles as I've personally seen. They have managed to create some various technial frameworks and security processes that make vendors work together.
One interesting note about the book featured here is that it also deals with NAS and DAS. NAS and SANS have been fighting it out as IDE and SCSI have. One is cheap and easy the other pricey and very difficult. DAS on the other hand is a joke to me. The ability for one computer to change bits in another's memory DIRECTLY does not sound like a good idea. Hackers have worked for decades to write shell code that allows the ability to change bits in memory and now the storage industry has created a way to get directly in there bypassing all OS security.... yea great idea
http://linux01.gwdg.de/~alatham/ppdd.html
/.'s mandatory 20 second reply delay is gay. Now I will write stupid shit here so I can submit this comment. Blahblahblah. Windoze sucks.
PS.
www.decru.com ofers both.
I'm sure others have said this already, but there's more to security than physical location. You're only as secure as your weakest link. If any unauthorized people can gain physical access to the system you KNOW its insecure. If it uses any unencrypted network protocols it is possibly insecure, depending on what data is transmitted over them, like NFS and possibly SMB, telnet, ftp, etc. Its unlikely that, on a switched network, an attacker could gather much valuable data, but there's always the possibility.
Security is almost a state of mind. If anyone in your company isn't thinking securely and isn't trained to think this way you may be insecure. In short EVERY corporation I've worked for is entirely insecure and could easily be hacked by a professional like myself. Its a good thing I choose to work for the high paying tech industry instead of the high paying black market.
And if you think things are insecure now just wait a couple years as our modern technology pours out into the hands of those black hat script kiddies. A 400Mhz PDA sitting outside your building could be logging and forwarding all wireless communications anywhere and to anyone and nobody would ever know it. That same PDA could easily be walked into a building and connected to a live net drop for an hour at lunch someday, again snooping for useful data. Its only a matter of time before they find something and gain access. Then you're hacked. Its almost that easy, for them.
Some years ago I hacked up GNU tar to encrypt the tar file as it wrote it. It used the Blowfish algorithm with a key derived from a user-supplied passphrase. It was fast enough to keep my 500 kbyte/sec DDS-2 tape drive streaming when running on the 33 mhz 80486 that I had back then. If there's interest I may dig out the source and put it on my web site. These days though, it's probably simpler to use an external encryption program, since the performance penalty from the external program is more than made up by today's much faster cpu's (tape drives haven't gotten faster by nearly as much).
You'd know the format of the file.
Imagine you had mypic.jpg encrypted. Well, if the attacker knows it's a JPEG file, he can guess at the first few bytes and struture of the file, reverse engineer the algorithm and key and have access to ALL your files...
Rename your file 0x7si69fa876fdes987 and it makes it harder. Pad and compress your files, too.
OK, now how do you manage all these cryptic file names? Do you encrypt that reference list/file? What if that file is comprimised?
After all that effort, you're better off with an encrypted file system. IMHO.
If you have your network attached through a hub and someone roots one of your hosts attached to the hub, they can sniff out any clear text passwords that go by -- like for sql servers, imap servers, maybe even logins if you have rsh or telnet. Everyone knows that...
but if you have a switch instead of the hub, you can still sniff all the traffic through the switch on many types of switch by using a technique called "arp poisoning". Basically, you flood the switch with a bizillion arp messages so that it no longer knows which mac addressses are on which of its switch ports. If it's going to pass traffic, it has to basically turn into a hub by repeating all the traffic on all the ports until the arp cache times out again.
while the arp cache is poisoned, the switch will show you all the clear text just the same as a hub.
moral of the story -- a switch isn't a security device really. It's better than a hub for performance and to a degree for security, but it's not as good as physically seperated subnets.
now... if you have a big switch divided up with vlans, and you poison the arp cache, does it start sending data for all the vlans out all the ports? I don't know. I would doubt that since it would be a huge security problem.
this is what i use for windoze:
http://www.drivecrypt.com/dcplus.html
encrypts bootsector also. very cool app.
fed computer cops (read: weasles) will check your hidden cache files if you only encrypt a folder/partition (like your print cache when you printed that supposedly secure file, it's saved in plain text in non encrypted portions of your filesystem/os), they can also run brute dictionary attacks on your password/phrase within the operating system if you do not fully encrypt your OS/Filesystem & boot sector.
If you don't want to spend $150 and just encrypt your pr0n partion, then I'd check out some secret cache/.dat file cleaning utilities, though who knows if this'll do the full trick.
PS, DCPP works on win2k also bud, not just XP
I also read Storage Security and found it to be quite thought provoking. I think there could have been more scenarios and modeling, but all in all, it gave me several ideas and confirmation that the building blocks I've started will help make and ensure my SAN environment is more secure. There were many topics covered that really got me thinking. I'd recommend it. Techierat
Check out OmniSecure. It encrypts the files themselves, independently of the FS. Temp files can be auto-encrypted; SMB traffic is encrypted; files are decrypted locally, and only as needed (unlike NT encryption, which has the whole file in cleartext while it is open). Strong and weak encryption, pluggable encryption modules, and even auto-delegation of keys to applications like Apache.
I'm ordering this book. It often surprises me that there isn't a *lot* more attention paid to protecting data at its source: the files on disk. Sure the mechanisms are there, but philosophy of use often seems vague.
Sure, sure, everyone knows the deal about keeping your data physically secure. Keeping up with patches to stay ahead of whatever buffer overflow was discovered yesterday, protecting your username/password stores, building strong perimeter protection (firewalls), and various log-reading or network-sniffing techniques (IDS) for detecting attacks in progress.
But it seems to me there just isn't enough attention paid to the various strategies available for protecting the files at filesystem level. This seems to me, where the action is really at, and on far too many networks, a small subset of data has structured access controls, while the larger majority of data is either wide open or a free-for-all mishmash of whatever someone thought at the time - no overall strategy for data valuation & protection, sunsetting, etc. Little thought is given to tamper protection, evidence chains, etc.
I'm hoping this book will bring a few file permission/encryption/management strategies to light.