Security Basics mailing list archives

Re: Notebook policy (need advice)


From: "Ryan Chow" <rynchow () gmail com>
Date: Sat, 27 Jan 2007 10:45:37 +0900

It's all about the risk profile.

LE guy whilst in the car has not left the laptop unattended and forms
a layer of physical security around the laptop.  The moment he leaves
the sight of the laptop, the likelihood that someone will steal it
increases, increasing the resultant risk.

I don't have a problem with storing sensitive data on a laptop, as it's
unrealistic to expect a VPN connection will always be available.

What I am always concerned about is how that data is treated and what
controls are put in place commensurate to the risk level of data
loss/leakage.  FDE is a good way to achieve this across all risk
levels; however, nothing is going to protect that data if the laptop is
stolen whilst the user is working on it!  This means a feature to
look for in FDE is the requirement for regular re-authentication to
reduce the window of opportunity.

My experience from government was that some agencies made serious
attempts to secure that data and others didn't have a clue.

regards,

Ryan.

On 1/27/07, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> On 2007-01-25 Eric Furman wrote:
> > I'll give you one very simple policy that you should enforce that will
> > make most of your concerns moot:
> >
> > NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP!
> >
> > Anybody, and I mean ANYBODY, found with sensitive data on their laptop
> > should have it seized and they should be immediately dismissed.
> >
> > There is virtually no reason to ever store sensitive data on a laptop.
> > Sensitive data should only ever reside on hardened servers in a
> > physically secured server room. If your employees need to work with
> > this data there are several means to securely access this data
> > remotely.
>
> Just take your average insurance salesman. How do you guarantee that he
> has remote access from everywhere he may make a contract?
>
> cu
> 59cobalt
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq