
This laptop displayed a screen for the input of a credit card. It sure did look official! There were logos and branding and colors. It looked like it was on the up-and-up, and that my credit card information would be well protected, once I put it in. But there were some tell-tale signs that all was not well.
The first tell was that you could not change the focus of the system away from this screen. Someone, earlier, had tried to bring up Task Manager and had gotten it to load, but you couldn’t make it the focus–you couldn’t, in essence, “reach” it, in order to make use of it.
This is a common indicator of a malware infection. Bad Actors don’t want you to be able to use Task Manager to stop their malicious code, so they prevent you from accessing it.
I tried to start a command-line through the Start Menu, and I was able to launch it, but again, was not able to change the screen focus to the command line I had just started.
No worries! We’ll just restart in safe mode with networking, and we’ll pull some anti-virus software down from the Internet and get this system cleaned. You may have used this approach yourself, or know people who have. It’s in the ordinary playbook for such things, but it doesn’t always work.
In this case, restarting in Safe Mode with Networking didn’t actually include the Networking part. For this system (at this particular point) Safe Mode with Networking couldn’t “see” the WiFi controller, so it was no different than Safe Mode.
Trouble was, when the system was attached to the network, the malware already on the system would fire and make the system unusable–pretty quickly after boot. Well, this was just a conference room laptop–there was nothing important on it, so we can just reset it, right?
Well… this customer had done what they were supposed to do at installation time: they had turned on local encryption with BitLocker. That’s good, right? Yes… but it’s an impediment if you don’t have the recovery key that BitLocker generated when encryption was turned on, because that key is unique to that particular installation.
When something is as much a hazard as it is a help, we call it a double-edged sword. Few people actually use swords anymore, but if you think about it, it makes sense. A cutting edge that faces you as well as your enemy can cut you as easily as it could cut them.
Encryption keys are a lot like that. NIST standards call for all data to be encrypted at rest; specifically, NIST Control SC-28, Protection of Information at Rest, calls for this. It’s good and sensible: if you encrypt your data with an encryption key, it will be harder or impossible for a Bad Actor to get at. But if you lose that key, you may have a hard time getting your data back when things go awry.
This is why CMIT offers a key management service to our customers. Part of a wide range of data protection services, we offer an alternative to slips of paper floating around with those precious keys on them, or relying on the picture someone took of the screen at installation time. CMIT’s services can maintain those encryption keys in a real-time database of encryption keys–making them available at any time in the future, no matter who comes and goes from the organization, or what happens to that folder of stuff you got when the computer was new.
In today’s case, there WAS a folder of stuff about the computer, from when it was new. There was a license key, for instance, for the operating system. There were even references to a laptop which seemed to pre-date the one currently in use, but there were no notes about the BitLocker encryption key or whose Microsoft account was used at installation time (which may then have a copy of that key).
This meant that we could not use some of the “easy” methods to reset the operating system to a prior, virus-free state. The choice was made to wipe the system completely and start from scratch. While this does work, it is time-consuming, and shouldn’t be necessary. In fact, it’s not necessary for customers who elect to have us manage their encryption keys for them.
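For organizations that handle key management themselves, here is an added PowerShell example (not CMIT’s tooling and not code from the original post) that checks every BitLocker-protected volume for a numerical recovery password protector, adds one where it is missing, escrows it to Entra ID, and records the protector IDs for later lookup. It assumes an elevated session on an Entra-joined Windows device with the BitLocker module installed; $ReportPath is a placeholder chosen here.

```powershell
# Added example: make sure every encrypted volume has a recoverable key and that
# the key is escrowed somewhere other than a slip of paper. Assumes an elevated
# session on an Entra-joined device; $ReportPath is a placeholder path.
#Requires -RunAsAdministrator
$ReportPath = "C:\ProgramData\BitLockerEscrow\escrow-report.csv"   # placeholder

$report = foreach ($vol in Get-BitLockerVolume) {
    # Nothing to escrow on a volume that is not encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    # TPM-only protection cannot be recovered after a wipe or a failed boot chain;
    # a RecoveryPassword protector is what the 48-digit recovery key belongs to.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        $escrowed = $true
        try {
            # Copies this protector's recovery password to the device object in Entra ID.
            # On a domain-joined device, Backup-BitLockerKeyProtector escrows to AD DS instead.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $escrowed = $false
            Write-Warning "Escrow failed for $($vol.MountPoint) $($p.KeyProtectorId): $_"
        }
        # Record the protector ID, not the recovery password: the ID is what the
        # recovery screen shows and what you search for in the escrow store later.
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $p.KeyProtectorId
            Escrowed       = $escrowed
            Checked        = (Get-Date).ToString('s')
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Any row with Escrowed set to False is a machine that would end up in the same spot as the conference room laptop above; the recovery password itself is available as the RecoveryPassword property of each protector if you feed your own escrow database rather than Entra ID.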
So your call to action is to ensure you have a strategy for key management, and that you’re realistic about your organization’s ability to keep that strategy. If you would like help, don’t hesitate to reach out.