Re: Laptop

["Spransy, Derek" <DSPRANS () EMORY EDU>]

This article that I ran across a few months ago might be an interesting new development along the lines of this 
conversation:
http://blocksandfiles.com/article/3989

I'm  a little skeptical of some of the features described in this article, but marrying the ability to remotely 
lock/wipe data along with asset recovery is an interesting idea.  Regardless of how this particular solution works, I'm 
sure we'll be seeing more options like it in the future.


===========================
Derek Spransy
IT Security Lead
Emory College of Arts & Sciences
404-712-8798
derek.spransy () emory edu
===========================



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, 
Brian
Sent: Thursday, June 12, 2008 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop


 I think this thread is getting a bit at cross-purposes.

 Lo-jack/Computrace address a different need than Full disk encryption. FDE is largely compliance driven by the 44 
states that now have data breach notification laws. Lo-jack is driven by an operational need to minimize the impact of 
theft. Valdis' response is a good response to critique about problems in theft deterrence.

 I don't think anyone has suggested that theft prevention techniques satisfy the legal requirements of data breach 
notification. IANAL, but the mere act of losing the defined data is cause for notification - intent, probability, or 
any other attempt to characterize the nature of the incident as a loss, theft, etc was intentionally made irrelevant by 
 lawmakers.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harold 
Winshel
Sent: Thursday, June 12, 2008 8:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop

If your notebook is stolen and there is sensitive data that is not encrypted then you're risking it being treated as a 
data incident with its required reporting.  The damage to an organization of a breach of data can be exponentially 
greater than the dollar loss of the value of the hardware.

Additionally, users likely have sensitive data on their notebooks even if they say they don't or if they are unaware 
that they do.  I, for one, would not base a notebook security strategy on an unproven assumption that most notebook 
thefts are stolen for reasons other than the data.  For one, I don't think you have any way of proving that assumption 
- short of interviewing the thieves who, of course, you wouldn't even know who most of them are.  Also, even if you 
think that most notebook thefts are not for the data, why ignore protection for the ones that you think are not.



At 11:55 PM 6/11/2008, Mike Waller wrote:

There's not a single answer to this question. Like everything else, it all comes down to risk posture and the 
organization's tolerance for risk. I have a laptop for my job. I don't store anything on it (all my data is on the 
network), but my employer has decided that the cost of encrypting all laptops is worth it "just in case".

We didn't have mandatory encryption at my last job, but we were using CompuTrace. It provides some level of mitigation 
to the risk of a lost/stolen laptop. It's not a perfect solution, but it fit the cost/benefit balance for that 
organization.

Anecdotally, I do think there's some relevance to the view that laptops are most often stolen because they are devices 
that can be sold, but if my data was valuable enough, I wouldn't use that view as my defense strategy. Like everything 
else we do, a "defense-in-depth" strategy is usually best. CompuTrace can be one of many tools -- encryption, sound 
data management practices, available network based storage (which obviously presents its own risks) can all be used to 
help secure laptop assets.

CompuTrace is pretty good at what it is supposed to do. It's not infallible, but it is a tool that can help you track 
down a lost device or simply send out a "kill" command to turn the machine into a brick.

Everytime you give an employee a laptop, you're increasing the risk of data loss. Often, however, the productivity and 
efficiency gains by providing that laptop outweigh the increased risk, especially if you're employing a sound set of 
security controls.
Mike
On Wed, Jun 11, 2008 at 11:04 PM, Harold Winshel < winshel () camden rutgers edu<mailto:winshel () camden rutgers edu>> 
wrote:
With all due respect, I don't know if there's data to back up that viewpoint.  Regardless, I wouldn't think I'd want to 
develop an encryption model based on that assumption.
At 02:34 PM 6/11/2008, Valdis Kletnieks wrote:
On Wed, 11 Jun 2008 11:24:15 PDT, Sarah Stevens said:
> If lo-jack is BIOS-based, and one has administrative access to the laptop,
> what stops the person from disabling the software?
Nothing, other than the fact that usually, a laptop is stolen by somebody
who is just looking for quick cash to finance a drug or alcohol habit. As
a result, you only have to defend against somebody who has most of their
neurons chemically inhibited.
Trying to defend a laptop against a targeted attack by somebody who
has all their neurons and is stealing *that* laptop because they know it
has sensitive info on it is a lot more difficult...

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)

________________________________
This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).