Educause Security Discussion mailing list archives

Re: Laptop


From: Harold Winshel <winshel () CAMDEN RUTGERS EDU>
Date: Thu, 12 Jun 2008 11:12:22 -0400

If your notebook is stolen and there is sensitive data that is not
encrypted then you're risking it being treated as a data incident
with its required reporting.  The damage to an organization of a
breach of data can be exponentially greater than the dollar loss of
the value of the hardware.

Additionally, users likely have sensitive data on their notebooks
even if they say they don't or if they are unaware that they do.  I,
for one, would not base a notebook security strategy on an unproven
assumption that most notebooks are stolen for reasons other than the
data.  For one, I don't think you have any way of proving that
assumption - short of interviewing the thieves, and of course you
wouldn't even know who most of them are.  Also, even if you think
that most notebook thefts are not for the data, why ignore protection
for the ones that you think are not?



At 11:55 PM 6/11/2008, Mike Waller wrote:

There's not a single answer to this question. Like everything else,
it all comes down to risk posture and the organization's tolerance
for risk. I have a laptop for my job. I don't store anything on it
(all my data is on the network), but my employer has decided that
the cost of encrypting all laptops is worth it "just in case".

We didn't have mandatory encryption at my last job, but we were
using CompuTrace. It provides some level of mitigation to the risk
of a lost/stolen laptop. It's not a perfect solution, but it fit the
cost/benefit balance for that organization.

Anecdotally, I do think there's some relevance to the view that
laptops are most often stolen because they are devices that can be
sold, but if my data was valuable enough, I wouldn't use that view
as my defense strategy. Like everything else we do, a
"defense-in-depth" strategy is usually best. CompuTrace can be one
of many tools -- encryption, sound data management practices,
available network based storage (which obviously presents its own
risks) can all be used to help secure laptop assets.

CompuTrace is pretty good at what it is supposed to do. It's not
infallible, but it is a tool that can help you track down a lost
device or simply send out a "kill" command to turn the machine into a
brick.

Every time you give an employee a laptop, you're increasing the risk
of data loss. Often, however, the productivity and efficiency gains
by providing that laptop outweigh the increased risk, especially if
you're employing a sound set of security controls.

Mike

On Wed, Jun 11, 2008 at 11:04 PM, Harold Winshel
<winshel () camden rutgers edu> wrote:
With all due respect, I don't know if there's data to back up that
viewpoint.  Regardless, I wouldn't think I'd want to develop an
encryption model based on that assumption.

At 02:34 PM 6/11/2008, Valdis Kletnieks wrote:
On Wed, 11 Jun 2008 11:24:15 PDT, Sarah Stevens said:
> If lo-jack is BIOS-based, and one has administrative access to the laptop,
> what stops the person from disabling the software?

Nothing, other than the fact that usually, a laptop is stolen by somebody
who is just looking for quick cash to finance a drug or alcohol habit. As
a result, you only have to defend against somebody who has most of their
neurons chemically inhibited.

Trying to defend a laptop against a targeted attack by somebody who
has all their neurons and is stealing *that* laptop because they know it
has sensitive info on it is a lot more difficult...


Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
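Harold's point that users carry sensitive data on their notebooks without knowing it is normally checked, rather than argued, by running a data-discovery scan over the machine before deciding whether encryption is worth it. The following is an added example and is not code from anyone in this thread: a small Python scanner that walks a directory of text files and reports US Social Security numbers (with the structural sanity checks on area, group and serial) and Luhn-valid payment-card numbers, masking each hit so the report itself does not become a second copy of the data. The SAMPLE text and the directory path in the usage line are constructed for the example.

```python
"""Minimal PII discovery scan for laptop triage.

Added example; not from the Educause thread. Finds US SSNs and
Luhn-valid card numbers in text files and reports masked hits only.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Iterator

# ddd-dd-dddd with capture groups for area, group and serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample text: one real-looking SSN, one Luhn-valid test
# card number, and two decoys that should NOT be reported.
SAMPLE = (
    "Student file: SSN 219-09-9999, card 4111 1111 1111 1111 on record.\n"
    "Decoys: 000-12-3456 (invalid area) and 4111 1111 1111 1112 (bad Luhn).\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that can never be issued (SSA structural rules)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) pairs in order of appearance."""
    found: list[tuple[int, str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append((m.start(), "ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            found.append((m.start(), "card", masked))
    found.sort()
    return [(kind, masked) for _, kind, masked in found]


def scan_tree(root: Path) -> Iterator[tuple[Path, list[tuple[str, str]]]]:
    """Yield (path, hits) for every regular file under root with at least one hit."""
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = find_pii(text)
        if hits:
            yield path, hits


if __name__ == "__main__":
    # Usage: python pii_scan.py /home/user  (path is an example, not a real target)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target is None:
        print("demo:", find_pii(SAMPLE))
    else:
        for p, hits in scan_tree(target):
            print(p, hits)
```

Run without arguments it scans the constructed SAMPLE and reports the one SSN and one card number, ignoring both decoys; given a directory it walks the tree. The masking is deliberate: a scan report that contains the raw numbers is itself a sensitive file that would need the same protection the scan is arguing for.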