Encrypted Data Exposed

teancum144 Member Posts: 229
I came across a question worded similarly to the following:

An organization is enforcing full disk and removable media encryption for all computers. Which threat can expose sensitive data on these computers?
A. Header manipulation
B. Botnet infection
C. Stolen laptop
D. Spam

The answer is "B". I come to the same answer by the process of elimination. However, I'm not familiar with how a Botnet would specifically accomplish this. Thoughts?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • lsud00d Member Posts: 1,571
    Malware/botnets can steal the encryption key
  • mjb2424 Member Posts: 17
    If the computer is part of a botnet, an intruder has access to the system. If they can access the system, the full disk encryption is irrelevant. Any data could be relayed back to said intruder since the disk encryption is undone when the operating system uses data on the disk. The data is only encrypted when stored (at rest) on the disk. Once loaded into memory, the data must be decrypted otherwise the data could not be used.

    This whitepaper outlines this briefly:
    http://community.pepperdine.edu/it/content/how-wde-works.pdf
  • teancum144 Member Posts: 229
    mjb2424 wrote:
    If the computer is part of a botnet, an intruder has access to the system. If they can access the system, the full disk encryption is irrelevant. Any data could be relayed back to said intruder since the disk encryption is undone when the operating system uses data on the disk. The data is only encrypted when stored (at rest) on the disk. Once loaded into memory, the data must be decrypted otherwise the data could not be used.

    This whitepaper outlines this briefly:
    http://community.pepperdine.edu/it/content/how-wde-works.pdf

    Great explanation and whitepaper, thanks! So basically, the botnet can only access the data while the user is logged in. The botnet can access the data in RAM because it has been decrypted. Also, the botnet can access the data at rest because it is retrieving the data with the user's credentials (i.e. the user has logged in so the botnet's data "request is sent to the OS's I/O manager, which forwards the request to the file system manager.").

    Please confirm my understanding.
  • mjb2424 Member Posts: 17
    That pretty much sums it up to my knowledge. However, bear in mind that any fine details will depend on the environment. For this specific question though, your post is the explanation for the answer.
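The at-rest versus in-use distinction the thread settles on, plus lsud00d's point that a bot can lift the key itself, as an added example written for this page (it is not code from any poster or from the linked whitepaper). Everything in it is a stand-in: the `Disk`, `Volume`, `stolen_laptop` and `bot_*` names are made up, an HMAC-SHA256 keystream XOR plays the role of AES-XTS so it runs with only the standard library, the file table is held in memory instead of on disk, and the "payroll" secret is constructed sample data. What it shows is that the raw sectors a thief images contain no trace of the plaintext, that the same read fails while the volume is locked, and that once the user has unlocked the volume any process, bot included, gets plaintext through ordinary file I/O and can copy the key out of RAM to decrypt a disk image offline.

```python
"""Toy model of full-disk encryption (FDE): data at rest vs data in use.
Added illustration, not real FDE code: the "cipher" is an HMAC-SHA256
keystream XOR standing in for AES-XTS, and the file table lives in memory
rather than on disk. Sample secret below is constructed."""
import hashlib
import hmac
import os
from typing import Optional

SECTOR = 512


def _keystream(key: bytes, sector: int, n: int) -> bytes:
    # Per-sector keystream, so equal plaintext in two sectors differs on disk.
    out, ctr = bytearray(), 0
    while len(out) < n:
        msg = sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Disk:
    """Raw block device: holds ciphertext sectors only, never sees the key."""

    def __init__(self):
        self.sectors = {}

    def read_raw(self, n: int) -> bytes:
        return self.sectors.get(n, b"\x00" * SECTOR)

    def write_raw(self, n: int, data: bytes) -> None:
        self.sectors[n] = data


class Volume:
    """OS view of the encrypted volume. After unlock() the key sits in RAM and
    read_file()/write_file() decrypt/encrypt transparently for every process."""

    def __init__(self, disk: Disk, passphrase: str):
        self.disk = disk
        self.salt = os.urandom(16)
        # Only a verifier of the key is stored, never the key itself.
        self.verifier = hashlib.sha256(b"verify" + self._derive(passphrase)).digest()
        self.key: Optional[bytes] = None   # None == locked / powered off
        self.files = {}                    # name -> (sector list, byte length)
        self.next_sector = 0

    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def unlock(self, passphrase: str) -> bool:
        key = self._derive(passphrase)
        if not hmac.compare_digest(hashlib.sha256(b"verify" + key).digest(), self.verifier):
            return False
        self.key = key                     # key is now resident in memory
        return True

    def lock(self) -> None:
        self.key = None

    def write_file(self, name: str, data: bytes) -> None:
        if self.key is None:
            raise PermissionError("volume is locked")
        sectors = []
        for i in range(0, len(data), SECTOR):
            chunk = data[i:i + SECTOR].ljust(SECTOR, b"\x00")
            n, self.next_sector = self.next_sector, self.next_sector + 1
            self.disk.write_raw(n, _xor(chunk, _keystream(self.key, n, SECTOR)))
            sectors.append(n)
        self.files[name] = (sectors, len(data))

    def read_file(self, name: str) -> bytes:
        if self.key is None:
            raise PermissionError("volume is locked")
        sectors, length = self.files[name]
        plain = b"".join(_xor(self.disk.read_raw(n), _keystream(self.key, n, SECTOR))
                         for n in sectors)
        return plain[:length]


# --- the two threats from the question ---------------------------------------

def stolen_laptop(disk: Disk) -> bytes:
    """Thief with the powered-off machine: images every sector, has no key."""
    return b"".join(disk.read_raw(n) for n in sorted(disk.sectors))


def bot_reads_file(volume: Volume, name: str) -> bytes:
    """Bot running as the logged-in user: simply asks the OS for the file."""
    return volume.read_file(name)


def bot_steals_key(volume: Volume) -> Optional[bytes]:
    """Privileged bot or memory dump: lifts the volume key out of RAM."""
    return volume.key


def decrypt_image_offline(disk: Disk, key: bytes, sector: int) -> bytes:
    """What the stolen key buys the attacker against a copied disk image."""
    return _xor(disk.read_raw(sector), _keystream(key, sector, SECTOR))


if __name__ == "__main__":
    d, v = Disk(), Volume(Disk(), "pw")  # placeholder; see usage below
```

To drive it: create a `Disk`, wrap it in a `Volume` with a passphrase, `unlock()`, `write_file()` a secret, then `lock()` and compare `stolen_laptop(disk)` (ciphertext, no plaintext substring) with `bot_reads_file()` after a fresh `unlock()` (plaintext); `decrypt_image_offline()` with the key from `bot_steals_key()` reproduces the plaintext from the raw sector, which is why key theft from a running machine defeats FDE just as thoroughly as reading files through the OS does.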