The human factor in laptop encryption Hardly a day goes by without news of some laptop containing sensitive information about customers or staff getting lost or stolen. The latest high profile example is the Bord Gais burglary in Dublin in which an unencrypted laptop containing the bank details of 75,000 electricity customers was stolen. Hilariously, Bord Gais told …
I know that the user is the weakest link in the chain, and that most managers store their passwords on post-it notes stuck on the top of their laptops, but no manager should have the user rights necessary to remove encryption from a device in any organisation that carries sensitive information. And no decent encryption should allow a user to turn it off.
Any organisation that doesn't use decent encryption methods deserves to have their data stolen, and should be held accountable for the consequences of that data loss.
There is a reason why IT experts are hired. It is a wise idea not to ignore their advice just because you don't like the results.
I have a small USB drive that is tinfoil-encrypted with TrueCrypt.
It uses a key file that is my PGP private key, on a USB stick.
It has a password that is about 40 (garbage) characters long. I can't remember it, and I use it every day.
I keep that password in a "wallet" file (also password-protected), on the same USB stick as the PGP key. The "wallet" password is a memorable one. I don't have it written anywhere, but it is a deliberately mispeld wurd.
I have EVERY SINGLE bit of work data on that disk, including symlinks to things like my Thunderbird directory, Microsoft Office User directory and Mozilla directory.
The disk gets backed up in the clear at my desk, but is never copied or backed up anywhere else.
Every morning, I:
1) Plug in my Truecrypt disk
2) Plug in my USB stick (Which I carry separately from the Truecrypt disk)
3) Open the wallet file
4) Enter the wallet password
5) Copy the Truecrypt password
6) Run Truecrypt
7) Enter the system password in order to access the Truecrypt disk
8) Select the Truecrypt disk
9) Enter the password I have copied
10 ) Mount the disk
It takes about 45 seconds.
I'm a manager.
Often email me their passwords when they ask me to fix something on their laptops while they are at lunch or in a meeting (most of the problems don't require me to log on as them) and then get annoyed when they get the "user must change password" prompt when they get back.
I once locked one of the sales/marketing guys out of his laptop by changing a 3 to an 8 on his password sticky note stuck to his laptop :p
Get said middle managers to buy and use THEIR OWN laptops, I wonder how much it would focus their mind on keeping it safe.
For instance, i DO take my laptop to work (contract developers need real computers with development tools on them!)... and yet I DO NOT take it to the pub after work.
I lock it to my desk at work, even when i am in front it.
Is this because i value it like a family heirloom? No, its because i cannot afford to fork out for a replacement!
P.S. I never copy ANY databases to my own machines... i stamp my feet until i get a test DB at work - that stays on a server at work.
I banged on and on about whole-disk encryption for ages and my company finally brought in PointSec (not due to me tho!). It is absolutely great and almost problem free. The only disadvantage I have come across is resume-from-hibernate takes somewhat longer than before - regular booting is not noticeably different.
Unfortunately we have the stupid password expiry policy that many big companies have ... password expiry is a kind of religious mantra that I don't understand. Every single person I know users weaker passwords than they would like to because of password expiry policies. So that's what I'll bang on and on about now.
BTW I note a lot of laptop advertising lists wide-angle viewability as if it is a good thing. Surely it is nearly always the opposite?
That's the fundamental issue. It's bad enough to lose sensitive presentations or other competitive information, but there is no justification for putting customer data on a laptop in the first place. Any company that allows this to happen has improper data-loss prevention procedures.
Sensitive data has no business being on the laptop. End of.
It belongs in the datacentre behind some decent T-FA. Acess via VPN if outside the corporate firewall.
Having said that we have a policy that says everyone has PGP-WDE. Makes my work laptop as good as useless if I'm working unconnected so I use my own for development work on customer sites or with VMs on USB Drives.
Guess why I'm an anonymouse
And stop this nonsense that employees are expected to "work" when travelling, there wouldn't be so much "need" to download critical data onto laptops.
Nobody should ever have to take a laptop home, either, for the same reason. If it's work, do it in the office.
Not true for all employees, of course, but is for managers - who are mainless feckless, stupid ass-kissers anyway. How else did they claw their way into the management caste?
Fly in the ointment: I suspect carting a laptop around is something of a status symbol among the management castes. "Lookit me, me big honcho, me have laptop, whoop-de-doo"
by making it so that people don't get a laptop as standard, only as an exception. 90% of the people i see with work laptops, don't actually need them. they move between different company sites, where they could easily log onto a company desktop. Or they work from home, where they could be set-up with a desktop at home. Very few people really need one away from certain fixed locations, and those few times that they actually do could be served by a shared machine scrubbed back to a base image after each use.
One, quick solution would be to put a networked desktop machine into every meeting room, that would remove the need to have a laptop just to give a presentation, for some strange reason fixed projectors are there, but no-one ever connects a pc to them.
it's just a shame that being high up in a company seems to automatically grant the use of a laptop, regardless of need, which are also the numpties most likely to do something stupid with one.
Security is only as good as your: A) Most clueless users & B) Most tech savvy users. You can preach to, bitch at and demand that people follow policy and you will still be ignored. The only thing left is to inflict pain... invasive anti-virus & malware scans that run every 2 hours, software encryption on hard drives, a policy that forces a password change every 45 days (every now and then change it to 5 days, just to fock with them), to something that's completely obscenely long and damn near impossible remember without writing down, personal firewalls that do stateful inspection and full logging, enterprise firewalls, proxy servers, reverse proxy servers & VPN's (RSA tolken or Certificate). And I would be remiss if I didn't mention that every update, no matter how minor, requires a reboot.
BOFH? <yawn> That's bush league compared to what I'm getting away with... Just because I can.
A huge corporation just laid me off, bless them, and their laptops were rather less than useful.
They 'forced' full disk encryption, which meant they'd send an email to anyone who hadn't installed it on their laptop about once a week. I assume new machines came with it pre-configured. After one person in a given office had tried it and found how much slower (on already amazingly slow machines) it make everything, nobody else bothered. For my office it probably wasn't a huge deal, but others in the company could have access to data that would sell on some sort of market for many millions of US dollars.
On top of the full disk encryption we wer erequired to do file level encryption, plus the AV ran non-stop, and the centrally-managed software update deal would fire off whenever you really needed to get some work done. Plus all of our internally developed apps were slower than the Ankh in the dead of Winter, even on quick machines.
And to think my boss thought he had to warn me not to use the laptop for personal activities. Too bad he was too inept to understand any remark I could have made involving machines utilizing the wonderful Intel 486DX.
do the user's turn off the encryption? maybe it's because (like the wonders who run IT here) they manage to cripple laptops down so far they are taking literally 15mins to boot.
Make a process painless, and no-one will worry about it. Make someones life difficult and they'll work around it.
The alternative is to beat people with a stick to force them to do what you say is right, and then express outrage and surprise when they go and do the opposite as soon as your back is turned.
Things you can do - and why you don't
1 - only carry data as needed, see if you can use VPN (against: not always possible - prevents offline work, needs permanent comms link - and who do you know who unloads that data afterwards)
2 - use full disk crypto (against: it already takes centuries to reboot a system -after 15 years of so-called "innovation"- so chances are standby and hibernate will be used - which nukes full disk crypto. In addition, the legalised espionage at the US borders requires you to give access or at least the appearance of, so you're better off using a Truecrypt volume with polluted but viable looking data - but try teaching the use of Truecrypt to people having trouble with keyboard shortcuts ..)
3 - encrypt sensitive stuff separately and ensure it unmounts or locks when the system has been left alone too long or has gone into standby/hibernation (against: ever tried to resume any MS Office session when the file underneath disappeared for a moment? You're history, even if you recover the drive mount as the session will self destruct anyway)
4 - establish DATA ownership in some form. It's all well and good making people contribute to their own kit, but the value of a laptop tends to be insignificant compared to the value of the data on it. (against: I have no idea where to even start - adopt a database? What about shared data - collective responsibility means no responsibility, ask any UK MP with an expense allowance).
5 - add stuff like Smartwater or engraved marking to the physical device, and offer a reward for recovery. That changes the risk model for a thief if they're just after the physical device. Oh, and fancy laptops are more desirable, as BOFH you should convince the powers that be that a beaten up tech laptop is less likely to get stolen, and you should, of course, use the new stuff until it looks sufficiently beaten up to be used for travel. (against: smartwater costs money and few figures are available on return of investment as few companies do this. And respect if you manage to sell option 2 :-))
So there. Interesting article - love the staggering figures..
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
