Main Menu

laptops and security

Started by Lynne Desrochers, September 26, 2011, 01:23:15 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Lynne Desrochers

I got a laptop for the Personal Lines Producer. I've been reading on the security for it and everyone says "make sure data isn't stored on it". Well how do I do that? Or is the answer, if you have to ask you have no hope. My thoughts are she would connect via citrix while out at a client.
Thank you everyone.
Lynne Desrochers

Bloody Jack Kidd

It could be as simple as providing the mobile user(s) with an IronKey.  They keep all docs etc. on that and not on the notebook hard drive.

https://www.ironkey.com/personal

Depends on how the device is used.
Sysadmin - Parallel42

Jeff Zylstra

I wouldn't get too concerned about it, as long as you don't store anything like drivers license, social security or credit card numbers on it.  Your proposals and/or power point presentations aren't probably on anyone's desired reading list.  Sorry.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Alice

Not saying this is a good thing or a bad thing...just mentioning what they do here.

They lock the laptops down so hard that nothing can be accessed except IE to connect to the Citrix Xenapp server. Everything they need to do their job is there.  But here's the thing...all laptop users need to make an appointment to bring them in to:
- install Windows updates
- install virus updates
- install printer drivers
- anything that requires local files be updated/installed/changed.

I'm not involved with all that...seems like a pain in the butt for the user, especially if they live/work 60 - 90 minutes away. And we all know that producers never complain about anything...right? ???

Mark

IronKey is slick, but I would just not have them use the laptop for anything other than connecting back to the office.  It's as simple as that.  All the laptop should be is a portable remote access tool.  Get a 3G/4G card for it if you're worried they may not always have an Internet connection wherever they go, or if you don't want to bother the client with connecting to the Internet.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Jeff Golas

What Kevin said - that way they can use it as they would any other computer and the data is safe.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Bloody Jack Kidd

Quote from: Kevin Crow on September 26, 2011, 04:36:33 PM
We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).

Had this done at one time, but had some disk errors and the entire thing became unrecoverable - was unpleasant.  I now use a TrueCrypt "drive" that uses keyfiles instead of a password, and the keyfile is on my AES encrypted IronKey. 

I joke that it's 4-factor since you need to know I have a TrueCrypt drive in the first place (isn't mounted at boot), you need to know it's keyfile-based, you need the IronKey and the IronKey password.  You also need to know which file on the IronKey I used as the keyfile.
Sysadmin - Parallel42

Mark

Quote from: Bloody Jack Kidd on September 26, 2011, 06:31:46 PMYou also need to know which file on the IronKey I used as the keyfile.

I wonder if something like trid would be able to tell me which file is the keyfile.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

not sure - you can actually use anything as a keyfile, but I believe mine is cryptographic, which could be a bit of a giveaway.
Sysadmin - Parallel42

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We encrypt the whole drive because a lot of data goes to the system volume (browser and other temp files, Outlook cache files, etc). It's a lot of work to reroute all that to the TrueCrypt volume and I wouldn't be confident we got it all.

Also, the key file can be any file but it's very specific. The TrueCrypt web site warns about using an MP3 because if you rate the song (which changes the metadata) it won't unlock your volume any more.

Our users are told that nothing on their computer is backed up, so if it's lost, it's lost. All important data is to be stored on the network and cached to the laptop for offline access.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Mark

Hey Kevin,

I heard you talk about this probably a few years ago, but since hardware is constantly evolving, could you talk about the performance hit that you see on these TruCrypt'd laptops?
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Golas

I use Truecrypt and its not too bad, but doing it on a 5400rpm drive may be a bit slow.

I've heard of other people using it on SSDs but there's issues in doing so, particularly if the SSD was already in use before encrypting (as the wear leveling may leave data outside the encrypted realm), and the fact that the entire drive gets filled/encrypted thwarts the wear leveling mechanics.

Long story short although anything can happen, I think the key thing is protecting the drive if someone grabs the laptop. I'm not sure how many laptop thieves put an SSD under a microscope, but anything's possible.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Kevin Crow

Personally, I haven't noticed a performance hit and my laptop's 3 years old. I think for business purposes, CPU, memory and disk speed far exceed our needs these days. If you were running a gaming machine with an encrypted drive you'd probably feel some loss of performance.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Bloody Jack Kidd

Thou shalt not impede performance of thy gaming rig!
Sysadmin - Parallel42

Lynne Desrochers

Thank you everyone. Plenty to go off of. I appreciate the help. The user better not be doing any gaming.
Lynne Desrochers

Gene Foraker

A year ago, I looked into Lojak and a competitor and wrote a small white paper on it for another association.   Lojak's big advantage is that you can send a signal to a stolen PC and have it delete designated files or folders.   One version's software even sent you back confirmation of the data deletion that you can show regulators.   Most laptop manufacturers even load Lojack into the bios so reformatting or replacing the HD won't get rid of it.

When I speak of the features of Lojack, I am really referring to their business product, Computrace.   Some of the features are still in Lojack, but the Computrace has a bit more.   You don't have to buy it new from the computer manufacturer to have it connect with the system bios, most laptops have that feature built into all of their laptops.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Kevin Crow

We used CompuTrace before switching to TrueCrypt. The flaw in CompuTrace is that if the lost or stolen device doesn't connect to the internet, the erase commands are not delivered and the data remains on the device. If that data isn't encrypted, it's easily accessed.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Gene Foraker

Very true, but what laptop computer doesn't ever connect to the internet?   If it has a broadband wireless card, Computrace can have you issue a remote command to wake it up and connect on it own.

Still, lots of data could be accessed before it is even reported missing or the disk could be removed and read for data on another computer.   If they steal the laptop to get the data, Computrace is not as effective as if they steal the laptop for the laptop.   I did think the report log for the deleted data was kinda cool, though.

TrueCrypt is a better solution for extreme data security.   I'd never encrypt the entire drive on my netbook, though.   It is slow enough already!
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Mark

If the laptop is locked when it's turned on (as it most likely is -- or at least SHOULD BE!) then there is no way it's going to connect to a wireless Internet connection unless you have LinkSys unsecured saved to automatically connect -- and even that is pushing your luck.  Who the heck is going to plug in a laptop to the Internet if they can't even unlock the screen?

A 3G or 4G card might be a different story, but even for those, don't you usually need a login to access the Internet?
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

Quote from: Gene Foraker on September 29, 2011, 11:41:52 AM
what laptop computer doesn't ever connect to the internet?
As you say, if they know to go after the data by removing the drive, CompuTrace is no help.

With TrueCrypt and a screen locking policy in place, I know that if it goes missing, unless the thief or finder has the employee's password, they're never getting at the data. There was a news story last year about how the FBI gave up after trying unsuccessfully for 12 months to crack TrueCrypt on a Brazilian criminal's computer (http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/). That's good enough for me.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Billy Welsh

I just got this the other day and used it for the first time yesterday.  I plugged in 2 hard drives from retired PC's, and had instant access to ALL user data, including that in folders with a padlock icon.

So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.

Billy Welsh
Director of Accounting
LCMC Health

Mark

Quote from: Billy Welsh on September 30, 2011, 09:57:46 AM
So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.

Windows 98 all over again!!  ;D ;D

Seriously though, you are correct.  Those are just locks on the door, but everything behind is still in plain sight.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

Quote from: Billy Welsh on September 30, 2011, 09:57:46 AM
So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.
Correct. And to be clear: when I mention using a screen lock on a laptop I know that doesn't lock the data. What most thieves would do in that situation, I believe, is restart the machine or pull the hard drive, both of which mean dealing with the encrypted drive and without the TrueCrypt password, they're out of luck.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Jeff Golas

Another option that you may see is a hard drive lock - supposedly this secures the interface of the drive (without actually encrypting it) so that any computer that drive goes into has to be programmed with the password of the drive before the drive can be accessed.

Although its pretty much free (most computers/laptops and hard drives support this now) its not the best solution - if you take the circuit board off the hard drive and swap it with another identical drive one could access the data again.

Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com