Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: Allison F Dolan <adolan () MIT EDU>
Date: Tue, 16 Nov 2010 07:29:58 -0500
Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to encrypt personal data on laptops (and other portable devices) and in other states, if the lost/stolen laptop has been encrypted, then you don't need to notify

......Allison Dolan (617-252-1461)

On Nov 15, 2010, at 4:34 PM, Rich Graves wrote:
And don't forget that "suspend" or "hibernate" is *not* a power-off. This is particularly important for those laptop users who almost always suspend, and only actually power off or reboot every few months, if at all.

If your encryption suite synchronizes passwords with login passwords, which is true of most; and if you effectively enforce a policy of lock-on-sleep; then I'm not sure how much real difference there is.

I don't consider cold-boot attacks a real-world threat against my class of users. They require non-trivial preparation, expertise, and luck. Networked attacks are possible, though it has been a while since there was a classical remote exploit effective against our default desktop firewall policy. I'm not sure how possible FireWire memory injection/extraction attacks are nowadays.

For the thief, booting from an alternate OS is far less work, and usually more effective, than any of the above attacks. Faced with a logon screen that makes no reference to FDE, why would they go to the trouble of mounting an online attack? I'd just pop in a boot CD, say "*&%@*@, it's encrypted," and wipe/resell the hardware. If it's a targeted attack, they might have foreknowledge of the encryption used.

So we tell people to hibernate if they have top-secret data or if they're going to an airport. Otherwise, I don't think it's worth waiting for wake-from-hibernate every time they move between conference rooms. If you balance the risk/benefits differently, why?

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
Current thread:
- Laptop encryption experiences Alan Bowen (Nov 15)
- Re: Laptop encryption experiences Everett, Alex D (Nov 15)
- Re: Laptop encryption experiences Sherry Callahan (Nov 15)
- Re: Laptop encryption experiences Shahra Meshkaty (Nov 15)
- Re: Laptop encryption experiences randy marchany (Nov 15)
- Re: Laptop encryption experiences Valdis Kletnieks (Nov 15)
- Re: Laptop encryption experiences Tonkin, Derek K. (Nov 15)
- Re: Laptop encryption experiences SCHALIP, MICHAEL (Nov 15)
- Re: Laptop encryption experiences Rich Graves (Nov 15)
- Re: Laptop encryption experiences Valdis Kletnieks (Nov 15)
- Re: Laptop encryption experiences Allison F Dolan (Nov 16)
- Re: Laptop encryption experiences Mclaughlin, Kevin (mclaugkl) (Nov 16)
- Re: Laptop encryption experiences randy marchany (Nov 16)
- Re: Laptop encryption experiences Joel Rosenblatt (Nov 16)
- Re: Laptop encryption experiences Allison F Dolan (Nov 16)
- Re: Laptop encryption experiences Shahra Meshkaty (Nov 15)
- Re: Laptop encryption experiences Rich Graves (Nov 16)
- Re: Laptop encryption experiences Sherry Callahan (Nov 17)
- Database Encryption for HIPAA Patria, Patricia (Nov 18)
- Re: Laptop encryption experiences James Farr '05 (Nov 15)