Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 16 Nov 2010 08:52:51 -0500
Not having to notify is a big advantage. Especially if you are talking lots of data on a spreadsheet or heaven forbid a personal database of some sort.

- Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
AVP Information Security & Special Projects
Interim Assistant Vice President, Systems & Operations
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison F Dolan
Sent: Tuesday, November 16, 2010 7:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption experiences

Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to encrypt personal data on laptops (and other portable devices) and in other states, if the lost/stolen laptop has been encrypted, then you don't need to notify

......Allison Dolan (617-252-1461)

On Nov 15, 2010, at 4:34 PM, Rich Graves wrote:
And don't forget that "suspend" or "hibernate" is *not* a power-off. This is particularly important for those laptop users who almost always suspend, and only actually power off or reboot every few months, if at all.

If your encryption suite synchronizes passwords with login passwords, which is true of most; and if you effectively enforce a policy of lock-on-sleep; then I'm not sure how much real difference there is.

I don't consider cold-boot attacks a real-world threat against my class of users. They require non-trivial preparation, expertise, and luck. Networked attacks are possible, though it has been a while since there was a classical remote exploit effective against our default desktop firewall policy. I'm not sure how possible FireWire memory injection/extraction attacks are nowadays.

For the thief, booting from an alternate OS is far less work, and usually more effective, than any of the above attacks. Faced with a logon screen that makes no reference to FDE, why would they go to the trouble of mounting an online attack? I'd just pop in a boot CD, say "*&%@*@, it's encrypted," and wipe/resell the hardware. If it's a targeted attack, they might have foreknowledge of the encryption used.

So we tell people to hibernate if they have top-secret data or if they're going to an airport. Otherwise, I don't think it's worth waiting for wake-from-hibernate every time they move between conference rooms. If you balance the risk/benefits differently, why?

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529