Thanks a lot for your quite detailed posts, ezlage.
Rather than respond to the security measures you have stated I am once again bringing up the method you use to come up with security measures is very important.
As others (ludob etc) and I mentioned before, you need to have an analysis that considers:
1. possible threats, for clarity categorized into e.g. confidentiality/integrity/availability, then subcategorized (i.e. confidentiality when the usb stick is lost by the customer)
2. amount of damage that can be expected if these threats materialize
(1+2 will describe the risks for your system)
then you need to assess if you think the risks are acceptable. Obvously in your case they are not, so you
3. design and implement measures to stop these threats from doing damage, taking care to first address the easiest attacks/biggest damage
4. now you go on until you are satisfied that your risks are covered.
The point of this is that it forces you to think systematically about what you are protecting against.
The discussion in this thread showed a lot of measures that can be taken which can be quite effective, but my point is that you need to be sure you covered the right things.
Now you posted some measure you took which may be effective, but:
1. we cannot know if you took the biggest risk into account
2. you have to take into account the effects of your measures on the risks for other components (e.g. if you do server side backups+"online functionality to store and retrieve user password"=>the password will be on your server so you can open the encrypted backups.)
You may very well protect extremely well against attackers that try to debug your running code while that has a much lower chance of occurring than a keylogger on the user's pc catching all his financial details being entered.
So let me give an example of what I'm trying to say:
1. Confidentiality (somebody else has access to client data)
1.1 while program is running and client has stick etc. => countermeasure: screensaver password to be mentioned in documentation. User responsiblity
1.2 while program is not running and client has stick inserted in machine => encryption of data files on stick. Problem: password management needs to be done. See availability
2. Integrity of client data (is the data corrupted)
2.1 while program is running with stick in pc:
- programming errors should be caught, use try/except etc.
- use checksums to check integrity
- provide automatic backup snapshots somewher. Note: probably has security implications; to be further detaild
2.2 while program is not running and client has stick inserted in machine: basically this means the OS thrashes the encrypted files.
- provide backup mechanism (automatic or manual); note backup has confidentiality issues as well, see... <insert another section>
- do checksum of entire data file on startup to detect integrity problems
2.3 if somebody else has the stick: too bad; irrelevant if a thief cannot get good date off the stick
3. Availability of client data (does the client have access to the data):
3.1 if program is starting and stick is in pc: only a serious os error would lead to this: file has been deleted by user or OS or something.
- solution: notify user & provide facility to restore backup to same or other stick; see section <....> for security issues
3.2 stick is gone:
- solution: provide facility to restore backup to another stick; see section <....> for security issues
You could perhaps have a look through
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard for some more information.
Thanks,
BigChimp
Recent
