Educause Security Discussion mailing list archives

Re: Laptop


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 12 Jun 2008 08:42:04 -0700

I think this thread is getting a bit at cross-purposes.

Lo-jack/Computrace address a different need than Full disk encryption.
FDE is largely compliance driven by the 44 states that now have data
breach notification laws. Lo-jack is driven by an operational need to
minimize the impact of theft. Valdis' response is a good response to
critique about problems in theft deterrence.

I don't think anyone has suggested that theft prevention techniques
satisfy the legal requirements of data breach notification. IANAL, but
the mere act of losing the defined data is cause for notification -
intent, probability, or any other attempt to characterize the nature of
the incident as a loss, theft, etc. was intentionally made irrelevant by
lawmakers.


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harold Winshel
Sent: Thursday, June 12, 2008 8:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop
If your notebook is stolen and there is sensitive data that is not
encrypted then you're risking it being treated as a data incident with
its required reporting.  The damage to an organization of a breach of
data can be exponentially greater than the dollar loss of the value of
the hardware.

Additionally, users likely have sensitive data on their notebooks even
if they say they don't or if they are unaware that they do.  I, for one,
would not base a notebook security strategy on an unproven assumption
that most notebook thefts are stolen for reasons other than the data.
For one, I don't think you have any way of proving that assumption -
short of interviewing the thieves who, of course, you wouldn't even know
who most of them are.  Also, even if you think that most notebook thefts
are not for the data, why ignore protection for the ones that you think
are not?

At 11:55 PM 6/11/2008, Mike Waller wrote:

There's not a single answer to this question. Like everything else, it
all comes down to risk posture and the organization's tolerance for
risk. I have a laptop for my job. I don't store anything on it (all my
data is on the network), but my employer has decided that the cost of
encrypting all laptops is worth it "just in case".

We didn't have mandatory encryption at my last job, but we were using
CompuTrace. It provides some level of mitigation to the risk of a
lost/stolen laptop. It's not a perfect solution, but it fit the
cost/benefit balance for that organization.

Anecdotally, I do think there's some relevance to the view that laptops
are most often stolen because they are devices that can be sold, but if
my data was valuable enough, I wouldn't use that view as my defense
strategy. Like everything else we do, a "defense-in-depth" strategy is
usually best. CompuTrace can be one of many tools -- encryption, sound
data management practices, available network based storage (which
obviously presents its own risks) can all be used to help secure laptop
assets.

CompuTrace is pretty good at what it is supposed to do. It's not
infallible, but it is a tool that can help you track down a lost device
or simply send out a "kill" command to turn the machine into a brick.

Every time you give an employee a laptop, you're increasing the risk of
data loss. Often, however, the productivity and efficiency gains by
providing that laptop outweigh the increased risk, especially if you're
employing a sound set of security controls.

Mike

On Wed, Jun 11, 2008 at 11:04 PM, Harold Winshel
<winshel () camden rutgers edu> wrote:

With all due respect, I don't know if there's data to back up that
viewpoint.  Regardless, I wouldn't think I'd want to develop an
encryption model based on that assumption.

At 02:34 PM 6/11/2008, Valdis Kletnieks wrote:

On Wed, 11 Jun 2008 11:24:15 PDT, Sarah Stevens said:

If lo-jack is BIOS-based, and one has administrative access to the
laptop, what stops the person from disabling the software?

Nothing, other than the fact that usually, a laptop is stolen by
somebody who is just looking for quick cash to finance a drug or alcohol
habit. As a result, you only have to defend against somebody who has
most of their neurons chemically inhibited.

Trying to defend a laptop against a targeted attack by somebody who has
all their neurons and is stealing *that* laptop because they know it has
sensitive info on it is a lot more difficult...


Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
