Educause Security Discussion mailing list archives
Re: Stolen Laptops
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 29 Jul 2010 18:31:22 -0400
Hi, Take a look at: http://technet.microsoft.com/en-us/library/ee732028%28WS.10%29.aspx It shows how you can add an Audit facility to your AD for BitLocker Thanks, Joel Rosenblatt Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel --On Thursday, July 29, 2010 1:40 PM -0500 Sherry Callahan <scallahan () KUMC EDU> wrote:
We considered Bitlocker as well because we already had Active Directory and it would be easy to implement. And, let's face it, the price doesn't get any better. However, what made us move to purchasing a commercial solution (Safeboot\McAfee) was our need to verify with 100% certainty that a device was encrypted on the day it was stolen. Without a central console, Bitlocker can't give you that assurance beyond knowing that it was encrypted at one point. We have some researchers and faculty that sometimes decide they don't want certain applications on their laptops, so they wipe the drives and reinstall the operating system, thus wiping off the encryption. We can see that they've done that within our CompuTrace and McAfee consoles. Since whether or not the device was encrypted when stolen is now the biggest factor in determining if a disclosure has happened under the HITECH Act (HIPAA), having that 100% certainty is of HUGE benefit. Having said that, however, Bitlocker and FileVault are steps in the right direction and are certainly better than not using encryption. Sherry Callahan Information Security Officer University of Kansas Medical Center (913) 588-0966 scallahan () kumc eduKimberly Heimbrock <heimbrockk () NKU EDU> 7/29/2010 12:48 PM >>>Thanks to all for your input so far - just a little more background on what we are dealing with at NKU... Over the past 8-9 months we have had a LOT of theft on campus, particularly laptops. Overall, 36 laptops were stolen since last October (that I know of) - likely by an internal staff member who has keys to lots of campus areas and can go around unnoticed at night and on weekends. Our biggest concern has been the data within, not just the equipment. We have been able to prove that sensitive data resided on some of the systems - so yeah we are on the breach reports :-( As several posts have commented, a layered approach will be employed. We just implemented a new policy for all new laptops to be Encrypted with MS Bitlocker, and are considering desktops too. Macs will be using Filevault as soon as we test more completely. We just licensed Identity Finder and will be removing sensitive data - hopefully all over campus if we can get our users to understand that they need to do so. We continue to increase security cameras and electronic locks as budget permits. Usually we are one step behind the thieves! As one advised, we may look into tracking cameras too. We will be investing in some sort of laptop tracking software, but not sure yet which one. We are leaning toward the tools that allow us to 'push' it out to the systems, so we can make progress without having to touch 1200 laptops individually - which would never get done. From a physical aspect, we will be increasing laptop security education for employees, possibly looking into physical etching, tags, or rfid's, etc. All we need is agreement and budget - easy right??!? We have also added more cameras, electronic door readers, etc. I find that nearly all the time, users 1) do not think they have any sensitive data; 2) it won't happen to them; and 3)don't care to spend time or energy on security. We are trying to push out awareness in heavy doses but user behavior continues to be our biggest risk. Hopefully we are close to catching the recent theft ring, but we will continue with efforts to reduce the issue - especially with laptops. Thanks again to all who posted...very helpful as always. Kim Heimbrock Director, IT Policy and Compliance Northern Kentucky University (859) 572-5139 heimbrockk () nku edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk Sent: Thursday, July 29, 2010 1:10 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Stolen Laptops To be more specific, we're requiring encryption on university owned or leased laptops. We do not require it on personally owned laptops. We discourage use of personally owned laptops to access university information resources, but the responsibility for authorizing use of personal equipment lies with the respective dean or VP. We do require documented technical controls on ALL laptops that access Private or Confidential information. (This information is in our Information Access and Protection Standard--http://security.rit.edu/iap.html) Ben Woelk '07 Policy and Awareness Analyst Information Security Office Rochester Institute of Technology ROS 10-A204 151 Lomb Memorial Drive Rochester, New York 14623 585.475.4122 585.475.7920 fax ben.woelk () rit edu http://security.rit.edu/dsd.html Become a fan of RIT Information Security at http://rit.facebook.com/RITInfosec Follow us on Twitter: http://twitter.com/RIT_InfoSec -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green Sent: Thursday, July 29, 2010 12:02 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Stolen Laptops http://www.educause.edu/sites/default/files/library/presentations/SEC10/SESS11/SPC%2B2010%2Bdisk%2Bencryption%2B-%2Ball.pdf slide 16 is what we did and now do. A big pain point was a lot of personally owned approved devices for work and needing to support encryption on those. There's nothing like bricking an associate dean's brand new "I want to watch movies on a plane and keep up with my UAB work that may include sensitive email" $300 netbook right before a month long trip to France. Don't require it: Expect the edge cases not to do it. Require it: Expect a painful process dealing with edge cases if you don't have a fairly locked down set of hard ware platforms. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL Sent: Wednesday, July 28, 2010 9:16 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Stolen Laptops Are your institutions "encouraging encryption" on laptops, or "requiring encryption" on laptops? We're moving to Symantec Endpoint Encryption (it was GuardianEdge, but they got bought by Symantec - which is actually good for us, since we use Symantec Altiris, SEP, etc.) and will be doing full disk encryption on any/all non-instructional (student use) laptops..... M -----Original Message-----
Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
Current thread:
- Re: Stolen Laptops, (continued)
- Re: Stolen Laptops Ben Woelk (Jul 28)
- Re: Stolen Laptops Joel Rosenblatt (Jul 28)
- Re: Stolen Laptops Russell Fulton (Jul 29)
- Re: Stolen Laptops Beechey, Jim (Jul 29)
- Re: Stolen Laptops Maloney, Michael (Jul 28)
- Re: Stolen Laptops Chris Green (Jul 29)
- Re: Stolen Laptops Ben Woelk (Jul 29)
- Re: Stolen Laptops Kimberly Heimbrock (Jul 29)
- Re: Stolen Laptops Walter Petruska (Jul 29)
- Re: Stolen Laptops Sherry Callahan (Jul 29)
- Re: Stolen Laptops Joel Rosenblatt (Jul 29)
- Re: Stolen Laptops Sherry Callahan (Jul 29)
- Re: Stolen Laptops Chris Green (Jul 31)
- Re: Stolen Laptops Ray McClure (Jul 31)