
laptops and security

Started by Lynne Desrochers, September 26, 2011, 01:23:15 PM


Lynne Desrochers

I got a laptop for the Personal Lines Producer. I've been reading on the security for it and everyone says "make sure data isn't stored on it". Well how do I do that? Or is the answer, if you have to ask you have no hope. My thoughts are she would connect via Citrix while out at a client.
Thank you everyone.
Lynne Desrochers

Bloody Jack Kidd

It could be as simple as providing the mobile user(s) with an IronKey.  They keep all docs etc. on that and not on the notebook hard drive.

https://www.ironkey.com/personal

Depends on how the device is used.
Sysadmin - Parallel42

Jeff Zylstra

I wouldn't get too concerned about it, as long as you don't store anything like driver's license, social security or credit card numbers on it.  Your proposals and/or PowerPoint presentations aren't probably on anyone's desired reading list.  Sorry.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Alice

Not saying this is a good thing or a bad thing...just mentioning what they do here.

They lock the laptops down so hard that nothing can be accessed except IE to connect to the Citrix XenApp server. Everything they need to do their job is there.  But here's the thing...all laptop users need to make an appointment to bring them in to:
- install Windows updates
- install virus updates
- install printer drivers
- anything that requires local files be updated/installed/changed.

I'm not involved with all that...seems like a pain in the butt for the user, especially if they live/work 60 - 90 minutes away. And we all know that producers never complain about anything...right? ???

Mark

IronKey is slick, but I would just not have them use the laptop for anything other than connecting back to the office.  It's as simple as that.  All the laptop should be is a portable remote access tool.  Get a 3G/4G card for it if you're worried they may not always have an Internet connection wherever they go, or if you don't want to bother the client with connecting to the Internet.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Jeff Golas

What Kevin said - that way they can use it as they would any other computer and the data is safe.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Bloody Jack Kidd

Quote from: Kevin Crow on September 26, 2011, 04:36:33 PM
We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).

Had this done at one time, but had some disk errors and the entire thing became unrecoverable - was unpleasant.  I now use a TrueCrypt "drive" that uses keyfiles instead of a password, and the keyfile is on my AES encrypted IronKey. 

I joke that it's 4-factor since you need to know I have a TrueCrypt drive in the first place (isn't mounted at boot), you need to know it's keyfile-based, you need the IronKey and the IronKey password.  You also need to know which file on the IronKey I used as the keyfile.
Sysadmin - Parallel42

Mark

Quote from: Bloody Jack Kidd on September 26, 2011, 06:31:46 PM
You also need to know which file on the IronKey I used as the keyfile.

I wonder if something like trid would be able to tell me which file is the keyfile.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

Not sure - you can actually use anything as a keyfile, but I believe mine is cryptographic, which could be a bit of a giveaway.
Sysadmin - Parallel42

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We encrypt the whole drive because a lot of data goes to the system volume (browser and other temp files, Outlook cache files, etc). It's a lot of work to reroute all that to the TrueCrypt volume and I wouldn't be confident we got it all.

Also, the key file can be any file but it's very specific. The TrueCrypt web site warns about using an MP3 because if you rate the song (which changes the metadata) it won't unlock your volume any more.

Our users are told that nothing on their computer is backed up, so if it's lost, it's lost. All important data is to be stored on the network and cached to the laptop for offline access.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/
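The keyfile point above, as an added example that is not part of any poster's message and is not TrueCrypt code: a pre-mount check that compares a keyfile against the copy recorded when the volume was created and reports where it first changed. SHA-256 is a stand-in chosen here for TrueCrypt's own keyfile mixing, the 1,048,576-byte read limit is an assumption taken from TrueCrypt's documentation, and the MP3 bytes are constructed sample data.

```python
import hashlib
import struct

# Assumption: TrueCrypt reads only the first 1,048,576 bytes of a keyfile.
KEYFILE_WINDOW = 1_048_576

def fingerprint(data: bytes) -> str:
    """SHA-256 of the bytes that matter; a stand-in for TrueCrypt's own keyfile mixing."""
    return hashlib.sha256(data[:KEYFILE_WINDOW]).hexdigest()

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte inside the window, or None if none differ."""
    a, b = a[:KEYFILE_WINDOW], b[:KEYFILE_WINDOW]
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def id3v2_with_rating(rating: int) -> bytes:
    """Constructed ID3v2.3 tag holding a single POPM (rating) frame."""
    body = b"user@example.invalid\x00" + bytes([rating]) + b"\x00" * 4
    frame = b"POPM" + struct.pack(">I", len(body)) + b"\x00\x00" + body
    n = len(frame)
    synchsafe = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + synchsafe + frame

def check_keyfile(baseline: bytes, current: bytes) -> dict:
    """Compare a keyfile against the copy recorded when the volume was created."""
    return {
        "unchanged": fingerprint(baseline) == fingerprint(current),
        "first_changed_offset": first_difference(baseline, current),
    }

# Constructed sample data: fake audio payloads, not real MP3 frames.
SMALL_AUDIO = bytes(range(256)) * 16
BIG_AUDIO = b"\xAA" * KEYFILE_WINDOW  # fills the whole read window

def demo() -> dict:
    original = id3v2_with_rating(0) + SMALL_AUDIO
    rated = id3v2_with_rating(255) + SMALL_AUDIO  # the user rates the song
    trailer_a = BIG_AUDIO + b"TAG" + b"Old title".ljust(125, b"\x00")
    trailer_b = BIG_AUDIO + b"TAG" + b"New title".ljust(125, b"\x00")
    return {
        "rating_edit": check_keyfile(original, rated),
        "trailing_tag_edit": check_keyfile(trailer_a, trailer_b),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keeping the keyfile read-only and recording its fingerprint alongside the volume backup lets a changed keyfile be caught before it is needed to unlock anything.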

Mark

Hey Kevin,

I heard you talk about this probably a few years ago, but since hardware is constantly evolving, could you talk about the performance hit that you see on these TrueCrypt'd laptops?
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Golas

I use TrueCrypt and it's not too bad, but doing it on a 5400rpm drive may be a bit slow.

I've heard of other people using it on SSDs but there are issues in doing so, particularly if the SSD was already in use before encrypting (as the wear leveling may leave data outside the encrypted realm), and the fact that the entire drive gets filled/encrypted thwarts the wear leveling mechanics.

Long story short, although anything can happen, I think the key thing is protecting the drive if someone grabs the laptop. I'm not sure how many laptop thieves put an SSD under a microscope, but anything's possible.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Kevin Crow

Personally, I haven't noticed a performance hit and my laptop's 3 years old. I think for business purposes, CPU, memory and disk speed far exceed our needs these days. If you were running a gaming machine with an encrypted drive you'd probably feel some loss of performance.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/