Re: Mobile Data - Protecting the University from unnecessary risk

["Buskill, Bruce M" <bbuskill () RADFORD EDU>]

<html><head><meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style></head>
<body>
<font size="2"><div class="PlainText">I like to make the point the FDE is not really security, it's risk management and 
compliance - it is installed to prevent the CNN moment - an insurance policy <br>
at best.<br>
<br>
Randy's post is excellent - it is up to us (the security folks) to make sure that management understands that just 
because FDE is installed on systems, it does <br>
not mean that we can dispense with other security programs.<br>
<br>
My 2 cents<br>
<br>
Joel<br>
<br>
--On Tuesday, May 11, 2010 1:12 AM -0400 Valdis Kletnieks &lt;Valdis.Kletnieks () VT EDU&gt; wrote:<br>
<br>
&gt; On Mon, 10 May 2010 21:53:07 EDT, randy marchany said:<br>
&gt;<br>
&gt;&gt; 2. This is significant in that as long as the system is booted up,<br>
&gt;&gt; your files are encrypted UNTIL they are accessed by a userid or<br>
&gt;&gt; process owned by a userid that has READ access to the files in<br>
&gt;&gt; question. World read access allows any userid to decrypt the file. A<br>
&gt;&gt; process running under your userid's privileges can decrypt any file<br>
&gt;&gt; you have read access and any malware running under your userid has<br>
&gt;&gt; that same access.<br>
&gt;<br>
&gt; Something that Randy implies, but a fair number of people need to be hit<br>
&gt; over the head with repeatedly till they get it:<br>
&gt;<br>
&gt; 2a) Full Disk Encryption is only really useful when defending against some<br>
&gt; miscreant who has wandered off with your computer *while it's powered off*<br>
&gt; under his arm, taken it back to their den of iniquity, and powered it on and<br>
&gt; said &quot;OK, now what?&quot;. This is a very real and valid threat model for a laptop<br>
&gt; or small desktop, but probably not your ERP system, which is probably hardly<br>
&gt; ever powered down, and probably won't fit under a miscreant's arm without<br>
&gt; the assistance of a forklift.<br>
&gt;<br>
&gt; And yet, I've heard more than one tale of a misguided security person<br>
&gt; insisting that FDE be installed on the ERP system - resulting in the loss<br>
&gt; of 1 or 2 nines of reliability because at the next reboot, it did exactly<br>
&gt; what FDE will make it do - sit there and not mount the disk till it gets<br>
&gt; fed the magic word.&nbsp; Whoops.<br>
&gt;<br>
&gt;<br>
<br>
<br>
<br>
Joel Rosenblatt, Manager Network &amp; Computer Security<br>
Columbia Information Security Office (CISO)<br>
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033<br>
<a href="http://www.columbia.edu/~joel"; target="_BLANK">http://www.columbia.edu/~joel</a><br>
</div></font>
</body>
</html>


Sent from my Android phone using TouchDown (www.nitrodesk.com)