Re: In light of what has happened with the theft of the VA laptop, what are the "best practices" for securing laptops?



I would support the last comments: if you have physical access to a
system you can pretty much break any kind of security. Encrypting the
whole drive could be risky if you lose the OS/way to recover. So if
planning to use drive encryption, better make sure you have a way to get
your data in case you get issues with the OS. Still, I would say don't keep
any confidential stuff on your laptop; rather keep it on secure
servers and just access it remotely when you really need to.

Noaman

On 6/13/06, Bryan S. Sampsel <bsampsel@xxxxxxxxxxxxxxxxxxx> wrote:
If somebody has physical possession of the equipment, then there's not
much you can do. BIOS passwords can be reset. Fingerprint readers aren't
silver bullets. Any encrypted data can be cracked given sufficient
determination and time. There's ERD to reset the local admin password,
then the EFS does you no good, since that person is a local user on the
system that owns the EFS.

USB tokens would probably have been left in the laptop...just like CACs
get left in by most users.

I'm not first-hand familiar with TrueCrypt or TPM...

Your better bet would have been to have the laptop act as a thin client to
a remote, secured computer (physically secured as well)...such as Citrix
or something. Then, unless the user wrote down his credentials to get
onto the Citrix solution, he's got no actual data.

It's not bulletproof, but better than having sensitive data outside of a
secured environment.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Mike Foster wrote:
> In light of what has happened with the theft of the VA laptop, what are
> the "best practices" for securing laptops? Am curious how all of you feel
> about the options.
>
> How do you feel and/or what is your experience with:
> --Power-on passwords in the hardware/CMOS/BIOS Setup
> --Hard drive locking passwords in the hardware/CMOS/BIOS Setup
> --Laptops equipped with fingerprint readers for the above two options
> --Windows NTFS EFS encryption
> --TrueCrypt from www.truecrypt.org for encrypted storage areas
> --Trusted Platform Module (TPM) https://www.trustedcomputinggroup.org
> --Tokens that plug into USB
> --Others?
>
> Thank you in advance...
>




