1307 Sleep (S3) Mode - Risks - Please read and understand!

Advisory re: Sleep Mode – Please read:

Sleep Mode (S3) presents a risk to users of most, if not all, encryption products such as SecureDoc, whether hardware encryption in the form of a Self-Encrypting Drive (SED) or software encryption is in use.

Understanding this risk: When in sleep mode, the computer is put into a low-power state, but the information currently in memory is preserved there.

Attacking memory directly: While extracting information directly from memory is beyond the abilities of the casual hacker or thief, examples of data at risk through a memory attack include:
• a large confidential document that was being worked on when the computer was put into sleep mode

or, of broader risk:
• the cached encryption key that protects the computer's disk
• the cached PIN that protects a Self-Encrypting Drive

NOTE that both Self-Encrypting Drives and Software-Encrypted drives can be at risk for this type of attack during Sleep Mode.

Self-Encrypting Drives, when put into S3 Sleep mode, are powered down completely. With SecureDoc, the drive is automatically authenticated-to using a cached credential as soon as power to the drive is restored.

In the SED scenario, protection by the Windows password provides little security. Since the drive is unlocked upon resumption from sleep, a thief can simply soft-reboot the computer from a bootable USB drive or a CD/DVD-based operating system and readily access the entire contents of the disk drive.

RECOMMENDATION: WinMagic always recommends that customers use Hibernate mode instead of S3 Sleep Mode.

Hibernation provides the strongest combination of security while still permitting the user to quickly resume a hibernated work session.

How Hibernation Mode differs:
• Hibernate Mode writes all current information in memory securely to disk and performs a complete power-down (returning the disk to its secure Data-At-Rest state).
• With software encryption, memory has been cleared, so the encryption engine is no longer running.
• With Self-Encrypting Drives, the flow of power to the drive is stopped and the drive is re-locked.
• In either case, hibernation re-establishes total security.
• Upon resumption from Hibernate Mode, the computer requires the user to re-authenticate at Pre-Boot (or through PBConnex), which unlocks the drive; the computer then restores the memory image saved before hibernating, returning it to its prior work-in-progress state.

For those customers who cannot move from Sleep Mode to Hibernation, please follow the recommendations below, and understand and accept the residual risks where indicated.

1 – Windows 7 ONLY: Disable the option that permits computers to be shut down without having to log on.

This is a Windows Policy setting. Steps to effect this change (to be performed on each computer at risk) are:
1) Click Start, go to Control Panel, click Performance and maintenance, and then click Administrative Tools.
2) Double-click Local Security Policy.
3) Expand Security Settings, then expand Local Policies, and then click Security Options.
4) In the right pane, double-click the "Shutdown: Allow system to be shut down without having to log on" policy, select the Disabled radio button, and then click OK.

NOTE: Windows XP has no equivalent functionality to the above.
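The policy step above and the hibernate-over-sleep recommendation, combined into one PowerShell hardening script for a single machine. This is an added example, not WinMagic's or SecureDoc's own tooling; the registry value that backs the Local Security Policy setting and the powercfg aliases are standard Windows ones, while the 20-minute hibernate timeout is an assumed value.

```powershell
# Added example (not WinMagic/SecureDoc code). Run from an elevated PowerShell
# prompt on each at-risk computer. The 1200-second hibernate timeout is an
# assumption; pick the value that fits your environment.

$ErrorActionPreference = 'Stop'

# 1. "Shutdown: Allow system to be shut down without having to log on" is
#    backed by this registry value; 0 = Disabled.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$current = (Get-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon `
            -ErrorAction SilentlyContinue).ShutdownWithoutLogon
if ($current -ne 0) {
    Write-Host "ShutdownWithoutLogon is '$current' (enabled); setting it to 0"
    Set-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon -Value 0 -Type DWord
} else {
    Write-Host 'ShutdownWithoutLogon is already disabled'
}

# 2. Prefer hibernate over S3 sleep: ensure hiberfil.sys exists, then set the
#    active power plan so idle never enters standby (0 = never) but does
#    hibernate after the assumed 20 minutes, both on AC and on battery.
powercfg /hibernate on
foreach ($flag in @('/setacvalueindex', '/setdcvalueindex')) {
    powercfg $flag SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg $flag SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 1200
}
powercfg /setactive SCHEME_CURRENT

# 3. Report the sleep states the platform still offers, so the administrator
#    can confirm the idle target is now hibernate (S4) rather than standby (S3).
powercfg /a
```

Note that disabling the standby idle timer does not stop a user from choosing Sleep manually; the residual risks described above still apply to a machine that a user puts to sleep by hand.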

Some other options to explore:
• Use the Intel AT S3 resume timer to force a hibernate if the user does not authenticate within a set period of time after coming out of sleep.
• Do not use sleep on a machine that has a "soft reset" button.
• An enterprise IT department could lock down the BIOS to prevent booting from CDs and USB devices. That way, even if a thief attempts a soft restart, the computer can only boot back into Windows.
• If using Lenovo machines, HPM may be a more secure alternative to explore (it has BIOS-based caching of credentials and can manage the BIOS passwords too).

So, in summary, where users are in the habit of locking their computers at the end of the day and leaving them running so they can be resumed quickly the next day or after the weekend, they gain no real protection from SecureDoc (nor would they from any other encryption product), since the drive has been authenticated-to and is therefore "open".

SecureDoc and similar products protect data "at rest", that is, data on a device that has been powered off and cannot be accessed without authentication.