CompTIA Exam Questions

Which of the following represents the greatest threat to maintaining data confidentiality with these

A security administrator has deployed all laptops with Self Encrypting Drives (SED) and enforces key
encryption. Which of the following represents the greatest threat to maintaining data confidentiality with
these devices?

A. Full data access can be obtained by connecting the drive to a SATA or USB adapter bypassing the SED
hardware.

B. A malicious employee can gain the SED encryption keys through software extraction allowing access to
other laptops.

C. If the laptop does not use a Secure Boot BIOS, the SED hardware is not enabled allowing full data
access.

D. Laptops that are placed in a sleep mode allow full data access when powered back on.

Explanation:
Hardware-based encryption, when built into the drive, is transparent to the user. Except for bootup
authentication, the drive operates just like any other drive, with no degradation in performance. When the
computer is started up, the user is prompted to enter a password to allow the system to boot and allow
access to the encrypted drive.

When a laptop is placed into sleep mode (also known as standby mode), the computer is placed into a
low power mode. In sleep mode, the computer is not fully shut down. The screen is turned off, the hard
disks are turned off and the CPU is throttled down to its lowest power state. However, the computer
state is maintained in memory (RAM).

Most computers can be ‘woken’ from sleep mode by pressing any key on the keyboard or pressing the
power button. The computer can be configured to require a password on wake up, but if a password is
not required, the computer will wake up and be logged in as it was at the time of going into sleep mode.
This would enable full access to the data stored on the disks.

Incorrect Answers:
A: You cannot access the data by connecting the drive to a SATA or USB adapter. Only the encryption key
in the laptop’s hard disk controller can enable access to the disk. Therefore, this answer is incorrect.
B: Every laptop will have a different encryption key so one key will not enable access to other disk drives.
Therefore, this answer is incorrect.
C: A Secure Boot BIOS is not required for self-encrypting disks.

https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption