Security Basics mailing list archives
Re: Notebook policy (need advice)
From: "Ryan Chow" <rynchow () gmail com>
Date: Sat, 27 Jan 2007 10:45:37 +0900
It's all about the risk profile. LE guy whilst in the car has not left the laptop unattended and forms a layer of physical security around the laptop. The moment he leaves the sight of the laptop then the risk likelihood increases that someone will steal it, increasing the resultant risk.

I don't have a problem with storing sensitive data on a laptop as it's unrealistic to expect a VPN connection will always be available. What I am always concerned about is how that data is treated and what controls are put in place commensurate to the risk level of data loss/leakage.

FDE is a good way to achieve this across all risk levels; however, nothing is going to protect that data if the laptop is stolen whilst the user is working on it! Which means a feature to look for in FDE is the requirement for regular re-authentication to reduce the window of opportunity.

My experience from government was that some agencies made serious attempts to secure that data and others didn't have a clue.

regards,
Ryan.

On 1/27/07, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
On 2007-01-25 Eric Furman wrote:
> I'll give you one very simple policy that you should enforce that will
> make most of your concerns moot:
>
> NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP!
>
> Anybody, and I mean ANYBODY, found with sensitive data on their laptop
> should have it seized and they should be immediately dismissed.
>
> There is virtually no reason to ever store sensitive data on a laptop.
> Sensitive data should only ever reside on hardened servers in a
> physically secured server room. If your employees need to work with
> this data there are several means to securely access this data
> remotely.

Just take your average insurance salesman. How do you guarantee that he has remote access from everywhere he may make a contract?

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq