Re: Stolen Laptops

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi,

Take a look at:

http://technet.microsoft.com/en-us/library/ee732028%28WS.10%29.aspx

It shows how you can add an Audit facility to your AD for BitLocker

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Thursday, July 29, 2010 1:40 PM -0500 Sherry Callahan <scallahan () KUMC EDU> wrote:

> We considered Bitlocker as well because we already had Active Directory and it would be easy to implement. And, let's face 
> it, the price doesn't get any
> better.  However, what made us move to purchasing a commercial solution (Safeboot\McAfee) was our need to verify with 
> 100% certainty that a device was
> encrypted on the day it was stolen.  Without a central console, Bitlocker can't give you that assurance beyond knowing 
> that it was encrypted at one point.
> We have some researchers and faculty that sometimes decide they don't want certain applications on their laptops, so 
> they wipe the drives and reinstall the
> operating system, thus wiping off the encryption.  We can see that they've done that within our CompuTrace and McAfee 
> consoles.  Since whether or not the
> device was encrypted when stolen is now the biggest factor in determining if a disclosure has happened under the HITECH 
> Act (HIPAA), having that 100%
> certainty is of HUGE benefit.
> Having said that, however, Bitlocker and FileVault are steps in the right direction and are certainly better than not 
> using encryption.
>
> Sherry Callahan
> Information Security Officer
> University of Kansas Medical Center
> (913) 588-0966
> scallahan () kumc edu
>
> > > > Kimberly Heimbrock <heimbrockk () NKU EDU> 7/29/2010 12:48 PM >>>
> Thanks to all for your input so far - just a little more background on what we are dealing with at NKU...
>
> Over the past 8-9 months we have had a LOT of theft on campus, particularly laptops.  Overall, 36 laptops were stolen 
> since last October (that I know of) -
> likely by an internal staff member who has keys to lots of campus areas and can go around unnoticed at night and on 
> weekends.  Our biggest concern has been
> the data within, not just the equipment.  We have been able to prove that sensitive data resided on some of the systems 
> - so yeah we are on the breach
> reports :-(
>
> As several posts have commented, a layered approach will be employed.  We just implemented a new policy for all new 
> laptops to be Encrypted with MS
> Bitlocker, and are considering desktops too. Macs will be using Filevault as soon as we test more completely.  We just 
> licensed Identity Finder and will be
> removing sensitive data - hopefully all over campus if we can get our users to understand that they need to do so. We 
> continue to increase security cameras
> and electronic locks as budget permits.  Usually we are one step behind the thieves!  As one advised, we may look into 
> tracking cameras too.
>
> We will be investing in some sort of laptop tracking software, but not sure yet which one.  We are leaning toward the tools that 
> allow us to 'push' it out to
> the systems, so we can make progress without having to touch 1200 laptops individually - which would never get done.  
> From a physical aspect, we will be
> increasing laptop security education for employees, possibly looking into physical etching, tags, or rfid's, etc.  All 
> we need is agreement and budget - easy
> right??!?  We have also added more cameras, electronic door readers, etc.
>
> I find that nearly all the time, users 1) do not think they have any sensitive data; 2) it won't happen to them; and 
> 3)don't care to spend time or energy on
> security.  We are trying to push out awareness in heavy doses but user behavior continues to be our biggest risk.
>
> Hopefully we are close to catching the recent theft ring, but we will continue with efforts to reduce the issue - 
> especially with laptops.
>
> Thanks again to all who posted...very helpful as always.
>
>
> Kim Heimbrock
> Director, IT Policy and Compliance
> Northern Kentucky University
> (859) 572-5139
> heimbrockk () nku edu
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
> Sent: Thursday, July 29, 2010 1:10 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> To be more specific, we're requiring encryption on university owned or leased laptops. We do not require it on 
> personally owned laptops. We discourage use of
> personally owned laptops to access university information resources, but the responsibility for authorizing use of 
> personal equipment lies with the
> respective dean or VP. We do require documented technical controls on ALL laptops that access Private or Confidential 
> information. (This information is in
> our Information Access and Protection Standard--http://security.rit.edu/iap.html)
>
> Ben Woelk '07
> Policy and Awareness Analyst
> Information Security Office
> Rochester Institute of Technology
> ROS 10-A204
> 151 Lomb Memorial Drive
> Rochester, New York 14623
> 585.475.4122
> 585.475.7920 fax
> ben.woelk () rit edu
> http://security.rit.edu/dsd.html
>
> Become a fan of RIT Information Security at http://rit.facebook.com/RITInfosec
>
> Follow us on Twitter: http://twitter.com/RIT_InfoSec
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
> Green
> Sent: Thursday, July 29, 2010 12:02 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> http://www.educause.edu/sites/default/files/library/presentations/SEC10/SESS11/SPC%2B2010%2Bdisk%2Bencryption%2B-%2Ball.pdf
>  slide 16 is what we did and now
> do. A big pain point was a lot of personally owned approved devices for work and needing to support encryption on those.
>
> There's nothing like bricking an associate dean's brand new "I want to watch movies on a plane and keep up with my UAB work 
> that may include sensitive email"
> $300 netbook right before a month long trip to France.
>
> Don't require it:  Expect the edge cases not to do it.   Require it:  Expect a painful process dealing with edge cases if 
> you don't have a fairly locked down
> set of hard ware platforms.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
> MICHAEL
> Sent: Wednesday, July 28, 2010 9:16 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> Are your institutions "encouraging encryption" on laptops, or "requiring encryption" on laptops?  We're moving to 
> Symantec Endpoint Encryption (it was
> GuardianEdge, but they got bought by Symantec - which is actually good for us, since we use Symantec Altiris, SEP, 
> etc.) and will be doing full disk
> encryption on any/all non-instructional (student use) laptops.....
>
> M
>
> -----Original Message-----



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel