Covered entities and business associates who need to comply with HIPAA encryption standards should first do some high-level planning, which is addressed in the post Encrypting Mobile Devices – First Create a Plan. Many organizations will choose Microsoft’s BitLocker since it is built into many versions of Windows and supports centralized management. But is it secure? How should it be configured and implemented?

Microsoft published an excellent whitepaper, Countermeasures: Protecting BitLocker-encrypted devices from attacks, in January 2014.

This paper outlines five categories of attacks which can be used to compromise hard disk encryption:

  1. Bootkit and rootkit attacks
  2. Brute-force sign-in attacks
  3. Direct memory access attacks
  4. Hiberfil.sys attacks
  5. Memory remanence attacks

These attacks are not unique to Microsoft’s BitLocker and can be used against any full disk encryption product. Eagle’s opinion is that BitLocker, properly implemented, provides excellent security. One caveat, of course, is the unknown factor of whether Microsoft is cooperating with the NSA to provide them with a back door allowing access to your data. For most entities concerned with HIPAA compliance, our opinion is that when conducting your HIPAA Security risk analysis, this will be an acceptable risk. System administrators and others planning a BitLocker implementation are highly encouraged to review the entire whitepaper, which not only explains the above attacks but provides specific countermeasures for each. Your implementation will vary based on these factors:

  1. Operating system – Windows 8 and 8.1 have been much maligned, and enterprise adoption remains low, but they do provide security advantages over the much more popular Windows 7. Early Launch Anti-Malware (ELAM) was introduced in Windows 8.0, and further improvements were made in 8.1. These are detailed in the whitepaper.
  2. Hardware considerations – whether devices include a Trusted Platform Module (TPM), the newer UEFI firmware which supports Secure Boot, and/or any DMA-capable ports (e.g. FireWire or Thunderbolt).
  3. Administrative procedures – adopt standard configuration policies, including testing that any drivers you use are recognized by the Early Launch Anti-Malware (ELAM) software you select.

Depending on your mix of operating systems and hardware, the Microsoft whitepaper provides specific configuration guidelines. A secure implementation will require that these guidelines be followed. Finally, other organizational policies are important – notably ensuring that only known, ELAM-recognized drivers are included in your standard configurations.
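The factors above are exactly what an administrator has to inventory before choosing a configuration from the whitepaper. The following PowerShell script is an added example (it is not from the original post, nor from Microsoft), written to collect that inventory from one host: OS version (ELAM availability), TPM presence and readiness, UEFI Secure Boot state, enumerated DMA-capable controllers, whether hibernation is enabled (the hiberfil.sys concern), and the BitLocker status and key protector types of the OS volume. It assumes Windows 8/8.1 or later with the BitLocker, TrustedPlatformModule and SecureBoot modules present, run from an elevated session; the function name `Get-BitLockerPosture` and the finding text are my own. The DMA check is a heuristic based on device names, so "none found" means "none enumerated", not that the chassis has no such port.

```powershell
# Added example (not from the original post or the Microsoft whitepaper): inventory one
# Windows host against the factors discussed above. Assumes Windows 8/8.1+ with the
# BitLocker, TrustedPlatformModule and SecureBoot modules, run as Administrator.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # 1. Operating system: ELAM and Secure Boot support arrived with Windows 8 (NT 6.2)
    $os = [Environment]::OSVersion.Version
    $elamCapable = ($os -ge [Version]'6.2')

    # 2a. TPM presence and readiness (Get-Tpm fails on machines without a TPM driver)
    try {
        $tpm = Get-Tpm
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch {
        $tpmPresent = $false; $tpmReady = $false
    }

    # 2b. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }   # legacy BIOS, or not permitted to query the firmware

    # 2c. DMA-capable controllers. Heuristic: match enumerated PnP device names.
    # An empty result means nothing was enumerated, not that no port exists.
    $dmaDevices = Get-CimInstance Win32_PnPEntity |
        Where-Object { $_.Name -match '1394|FireWire|Thunderbolt' } |
        Select-Object -ExpandProperty Name

    # 4. Hibernation: hiberfil.sys is a memory image and so contains the volume keys.
    # HibernateEnabled is the registry mirror of "powercfg /hibernate on|off".
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue
    $hibernateEnabled = if ($null -eq $hib) { 'unknown' } else { [bool]$hib.HibernateEnabled }

    # 5. BitLocker state of the OS volume and the key protectors it carries
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # TpmPin, TpmStartupKey and TpmPinStartupKey all require something beyond the TPM at boot
    $preBootAuth = [bool]($protectorTypes -match 'Pin|StartupKey')

    $findings = @()
    if ($vol.ProtectionStatus -ne 'On') { $findings += "BitLocker protection is $($vol.ProtectionStatus) on $MountPoint" }
    if (-not $tpmPresent)               { $findings += 'No TPM: unlock must rely on a startup key or password' }
    if (-not $secureBoot)               { $findings += 'Secure Boot off or legacy BIOS: bootkit/rootkit countermeasure missing' }
    if ($dmaDevices)                    { $findings += 'DMA-capable controller enumerated: disable or block it by policy' }
    if ($hibernateEnabled -eq $true)    { $findings += 'Hibernation enabled: confirm hiberfil.sys is on the encrypted OS volume' }
    if (-not $preBootAuth)              { $findings += 'TPM-only unlock: keys load at boot with no user input, so DMA/memory attacks need no user present; consider TPM+PIN' }
    if (-not $elamCapable)              { $findings += 'Pre-Windows 8 OS: no ELAM available; compensate with TPM+PIN and physical controls' }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.ToString()
        TpmPresent       = $tpmPresent
        TpmReady         = $tpmReady
        SecureBoot       = $secureBoot
        DmaDevices       = ($dmaDevices -join '; ')
        HibernateEnabled = $hibernateEnabled
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = ($protectorTypes -join ', ')
        Findings         = ($findings -join ' | ')
    }
}

# Run locally and keep the output as evidence for the HIPAA Security risk analysis.
Get-BitLockerPosture | Format-List
# Fleet-wide (hosts.txt is your own list):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-BitLockerPosture} | Export-Csv .\posture.csv -NoTypeInformation
```

The object it returns maps one-to-one onto the three implementation factors listed above, which makes it easy to sort a fleet into the hardware/OS combinations the whitepaper addresses and to record the resulting configuration decision for each group. The `Findings` column is a prompt to consult the whitepaper's countermeasures, not a verdict; a TPM-only machine kept in a locked server room may be an acceptable risk where a TPM-only laptop is not.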
