Re: Laptop

[KOVICH Greg <Greg.Kovich () ALCATEL-LUCENT COM>]

Hello,
 
Not intending to incur the wrath of vendor participation - aka shameless
shilling our products/solutions - I believe I can contribute something
germane to this thread...
 
Alcatel-Lucent, through Bell Labs introduced the Non-Stop Laptop
Guardian last year which accomplishes disk encryption and host of other
security / management tasks.
 
To learn more, please review the following pdf - particular note -
section 5.4.1 describes the volume encryption algorithms.
 
http://www1.alcatel-lucent.com/com/en/appcontent/opgss/ENT_Apps_OA3500NL
G_Technical_Overview_0208_EN_tcm228-1391981635.pdf
 
The above pdf is a technical overview and not a sales brochure.
 
If I have stepped over the line, would someone from Educause please
contact me and explain how I can politely contribute to a discussion
referencing my company's products/solutions?
 
Thank you,
Greg
 

________________________________

From: Spransy, Derek [mailto:DSPRANS () EMORY EDU] 
Sent: Thursday, June 12, 2008 11:15 AM
Subject: Re: Laptop



This article that I ran across a few months ago might be an interesting
new development along the lines of this conversation:

http://blocksandfiles.com/article/3989

 

I'm  a little skeptical of some of the features described in this
article, but marrying the ability to remotely lock/wipe data along with
asset recovery is an interesting idea.  Regardless of how this
particular solution works, I'm sure we'll be seeing more options like it
in the future.

 

 

===========================

Derek Spransy

IT Security Lead

Emory College of Arts & Sciences

404-712-8798

derek.spransy () emory edu

===========================

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, June 12, 2008 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop

 

 

 I think this thread is getting a bit at cross-purposes. 

 

 Lo-jack/Computrace address a different need than Full disk encryption.
FDE is largely compliance driven by the 44 states that now have data
breach notification laws. Lo-jack is driven by an operational need to
minimize the impact of theft. Valdis' response is a good response to
critique about problems in theft deterrence. 

 

 I don't think anyone has suggested that theft prevention techniques
satisfy the legal requirements of data breach notification. IANAL, but
the mere act of losing the defined data is cause for notification -
intent, probability, or any other attempt to characterize the nature of
the incident as a loss, theft, etc was intentionally made irrelevant by
lawmakers.  

 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harold Winshel
Sent: Thursday, June 12, 2008 8:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop

 

If your notebook is stolen and there is sensitive data that is not
encrypted then you're risking it being treated as a data incident with
its required reporting.  The damage to an organization of a breach of
data can be exponentially greater than the dollar loss of the value of
the hardware.

Additionally, users likely have sensitive data on their notebooks even
if they say they don't or if they are unaware that they do.  I, for one,
would not base a notebook security strategy on an unproven assumption
that most notebook thefts are stolen for reasons other than the data.
For one, I don't think you have any way of proving that assumption -
short of interviewing the thieves who, of course, you wouldn't even know
who most of them are.  Also, even if you think that most notebook thefts
are not for the data, why ignore protection for the ones that you think
are not.



At 11:55 PM 6/11/2008, Mike Waller wrote:


There's not a single answer to this question. Like everything else, it
all comes down to risk posture and the organization's tolerance for
risk. I have a laptop for my job. I don't store anything on it (all my
data is on the network), but my employer has decided that the cost of
encrypting all laptops is worth it "just in case". 
 
We didn't have mandatory encryption at my last job, but we were using
CompuTrace. It provides some level of mitigation to the risk of a
lost/stolen laptop. It's not a perfect solution, but it fit the
cost/benefit balance for that organization.
 
Anecdotally, I do think there's some relevance to the view that laptops
are most often stolen because they are devices that can be sold, but if
my data was valuable enough, I wouldn't use that view as my defense
strategy. Like everything else we do, a "defense-in-depth" strategy is
usually best. CompuTrace can be one of many tools -- encryption, sound
data management practices, available network based storage (which
obviously presents its own risks) can all be used to help secure laptop
assets.
 
CompuTrace is pretty good at what it is supposed to do. It's not
infallible, but it is a tool that can help you track down a lost device
or simply send out a "kill" command to turn the machine into a brick. 
 
Everytime you give an employee a laptop, you're increasing the risk of
data loss. Often, however, the productivity and efficiency gains by
providing that laptop outweigh the increased risk, especially if you're
employing a sound set of security controls.
Mike
On Wed, Jun 11, 2008 at 11:04 PM, Harold Winshel < 
winshel () camden rutgers edu <mailto:winshel () camden rutgers edu> > wrote:

With all due respect, I don't know if there's data to back up that
viewpoint.  Regardless, I wouldn't think I'd want to develop an
encryption model based on that assumption.

At 02:34 PM 6/11/2008, Valdis Kletnieks wrote:

On Wed, 11 Jun 2008 11:24:15 PDT, Sarah Stevens said:

> If lo-jack is BIOS-based, and one has administrative access to the
laptop,

> what stops the person from disabling the software?

Nothing, other than the fact that usually, a laptop is stolen by
somebody

who is just looking for quick cash to finance a drug or alcohol habit.
As

a result, you only have to defend against somebody who has most of their

neurons chemically inhibited.

Trying to defend a laptop against a targeted attack by somebody who

has all their neurons and is stealing *that* laptop because they know it

has sensitive info on it is a lot more difficult...

 

Harold Winshel

Computing and Instructional Technologies

Faculty of Arts & Sciences

Rutgers University, Camden Campus

311 N. 5th Street, Room B10 Armitage Hall

Camden NJ 08102

(856) 225-6669 (O) 

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)


________________________________

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

Attachment: Greg Kovich.vcf
Description: Greg Kovich.vcf