Full Drive Encryption on Laptops – Time for all of us to “nut up or shut up!”
…or "He who liveth in glass houses should either learn to throw small stones or investeth in glass insurance…lots and lots of glass insurance. I, by the way, have lots and lots of glass insurance ;)"
Given all of the recently disclosed privacy/identity breaches which have been demonstrated as a result of stolen laptops inappropriately containing confidential data, we’ve had an exponential increase in posts in the security blogosphere in regards to this matter.
This is to be expected. This is what we do. It’s the desperate housewives complex. 😉
These posts come from the many security experts, analysts, pundits and IT Professionals bemoaning the obvious poor application of policies, procedures, technology and standards that would "prevent" this sort of thing from happening and calling for the heads of those responsible…of the very people who not only perpetrated the crime, but also those responsible for making the crime possible; the monkey who put the data on the laptop in the first place.
So, since most of us who are "security experts" or IT professionals almost always utilize laptops in our lines of work, I ask you to honestly respond in comments below to the following question:
What whole-disk encryption solution utilizing two-factor authentication do you use to prevent an exposure of data should your laptop fall into the wrong hands? You *do* use a whole-disk encryption solution utilizing two-factor authentication to secure the data on your laptop…don’t you?
Be honest. If you don’t use a solution like this then please don’t post another thing on this topic condemning anyone else. Ever.
Sure, you may say that you don’t keep confidential information on your laptop and that’s great. However, if you’ve got email and you’re involved in a company as a security/IT person (or management or even as a general user,) that argument’s already in the bullshit hopper.
If you say that you use encryption for specifically identified "confidential" files and information but still use a web-browser or any Office product on a Windows platform, for example, please reference the aforementioned bovine excrement container. It’s filling up fast, eh?
See where this is going? If we, the keepers of the gate, don’t implement this sort of solution and we still gabble on about how crappy these errant users are, how irresponsible their bosses, how aware we should make and liable we should hold their Board of Directors, the government, etc…
I’ll ask you the same question about that USB thumb drive you have hanging on your keychain, too.
Don’t be a hypocrite…encrypt yo shizzle.
If you don’t already, stop telling everyone else what lousy humans they are for not doing this and instead focus on getting something like this, or at a minimum, this.
/Chris
Chris, I don't think it is a people thing. Laptops should not be able to store the 26 million records. There is a difference between that stuff and my email. I will post more on this tomorrow.
Alan:
I can't argue the fact that data shouldn't make its way onto laptops, but it *does.*
It's going to be difficult to prevent information leakage because things like data classification simply don't work without a way to enforce it…how many pieces of paper or emails have you seen stamped 'confidential' and end up somewhere they are not supposed to be?
See http://www.fuckedcompany.com for an example.
My point was that we, AS SECURITY PROFESSIONALS, prattle on and on about this sort of thing and yet the solutions exist to help at least deal with the inevitable fact that information *will* get stolen/lost. What do we do about it, personally? I polled 10 associates in the InfoSec field and while 6 of them use something like PGP for email and the occasional folder/file encryption, only 2 use full disk encryption. Yikes!
Encryption isn't THE ONLY answer, but it's one that is available now and it works.
BTW, you didn't answer the question! 😉 HA!
(Just to be clear, my trackback was only a reference to the harvested collection of ID theft posts I've scraped up over the last few days. Sorry if that caused any confusion.)
Chris – no offense taken, and no I don't use encrypted email or full disk encryption. I would like to see some access controls technology on sensitive data that it can be worked on but not stored locally. Sort of like a sandbox or SSL VPN to access data stored on servers, with no local write privileges. I think this would be a great thing for EMC to come up with or some other storage company.
Do as I say, not as I do …
Chris Hoff over on his Rational Security blog writes that he has had enough of us holier-than-thou security folks bitching and moaning about laptop data loss. Chris takes a people in glass houses approach, saying unless you are taking
The Daily Incite – June 12, 2006
June 12, 2006 Good Morning: I hope everyone enjoyed their weekend. Mine was a blur, I seemed to be running around literally the entire weekend. It's pretty scary when I'm looking forward to a day at work to slow the pace down a bit. On the ne
Why are people so shocked re: privacy breaches?
This is getting more and more laughable by the minute. From Dark Reading: JUNE 22, 2006 | Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list