8

There usually is a lot to do about the security of servers, since a lot of sensitive information is stored there, but I think it's more important to make sure the company laptops (and USB sticks) are secure, since they're way easier to lose (or steal).

So what I want to know is: What does your company do to protect the confidential information on laptops and USB drives?

Huppie

8 Answers

8

We use TrueCrypt. For laptops we insist on a BIOS password as well.

nickd
  • BIOS passwords can be easily disabled. Pull the watch battery, reset the jumper and wait. – cbrulak Apr 30 '09 at 12:54
  • @starko: this doesn't work on laptops as the BIOS password is stored in a security chip (unless you replace the chip) – mwore Apr 30 '09 at 13:39
  • So pull out the hard drive, put it in a USB box, read it from another machine. TrueCrypt will stop people getting any useful data from it, of course, but it still doesn't stop your shiny laptop being nicked by someone. – David Hicks May 06 '09 at 22:29
  • Sure, but the question was about the data. – nickd May 12 '09 at 21:29
3

Whole disk encryption.

There are quite a few methods for doing this.

I've personally used TrueCrypt, but there are many more options on this Wikipedia page.

I also used to work for an accounting company that rolled out PointSec (now Check Point). Their solution seemed far more complete than TrueCrypt, but of course, that comes at a price.

chills42
2

I've used a product called SafeGuard Easy from Utimaco. You couldn't boot the laptop w/o first entering a password. It also encrypted the entire drive. If someone tried hacking the password it progressively increased the timeout between attempts (something like 3X the timeout each attempt, so it would have a crazy-long delay even after only a few incorrect attempts). It had some nice tools for remotely allowing a log-in if someone got locked out via a generated key and it let you set an expiration policy on users.

They had some command line tools so you could push down these changes inside of a config file, which was nice since we could automate that through the primary application they ran on the notebook. If the notebook went missing we knew the user/password would be expiring within a week, so (even if they knew the password) they'd eventually be locked out.

Paul Mrozowski
1

Not allow it to get there in the first place (at least, that's what we're working towards...). Technology, and the way computers work and are used, is changing - it is now perfectly reasonable to have always-available Internet access from every/most places a user could be expected to be, either through a wired connection at work, via a wireless network, or by handing them a laptop with a built-in 3G broadband dongle. Therefore you can disable the use of USB drives via Windows GPO and have them access data via a VPN, probably simply by using applications via Terminal Services (or VNC/SSH, or whatever) and using however-many factor security you like.

David Hicks
1

Whole disk PGP encryption

cagcowboy
0

We use a whole disk encryption solution which has single sign-on built in. SafeGuard is one such solution. This allows the user to log on once, which is right after the POST finishes. If you enter the wrong password, the length of time between password attempts continues to double. And if you restart, it stays at whatever the last time period was, but starts it over. Therefore, brute forcing isn't really a possibility. If the user types the correct password it will log them onto the computer with the same username\password combo (or a cached set of credentials).

This won't stop the case of a user booting through and then leaving the laptop unlocked, but it does protect the drive "at rest."

K. Brian Kelley
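The escalating delay described in Paul Mrozowski's and K. Brian Kelley's answers can be modelled as follows. This is an added example, not code from either poster or from SafeGuard; the 1-second base delay, the one-day cap, and the JSON state file are assumptions made for illustration.

```python
import json
import os
import tempfile


class BackoffLock:
    """Failed-attempt throttle whose count survives a restart (constructed model)."""

    def __init__(self, path, now, base=1, factor=2, cap=86400):
        self.path, self.base, self.factor, self.cap = path, base, factor, cap
        self.failures = 0
        if os.path.exists(path):
            with open(path) as fh:
                self.failures = json.load(fh)["failures"]
        # After a restart the delay keeps its length, but the countdown starts over.
        self.not_before = now + self.delay()

    def delay(self):
        """Seconds to wait after the most recent failure (0 if there is none)."""
        if self.failures == 0:
            return 0
        return min(self.base * self.factor ** (self.failures - 1), self.cap)

    def attempt(self, password_ok, now):
        if now < self.not_before:
            return "wait"  # the guess is refused without being checked
        self.failures = 0 if password_ok else self.failures + 1
        self.not_before = now + self.delay()
        with open(self.path, "w") as fh:  # persist before reporting the result
            json.dump({"failures": self.failures}, fh)
        return "ok" if password_ok else "fail"


def seconds_to_try(guesses, base=1, factor=2, cap=86400):
    """Total enforced waiting time for `guesses` consecutive wrong passwords."""
    return sum(min(base * factor ** k, cap) for k in range(guesses))


def demo():
    path = os.path.join(tempfile.mkdtemp(), "lock.json")  # constructed state file
    lock = BackoffLock(path, now=0)
    results = [lock.attempt(False, now=t) for t in (0, 1, 2, 3)]
    rebooted = BackoffLock(path, now=100)  # power-cycling does not clear the count
    return results, rebooted.failures, rebooted.not_before


if __name__ == "__main__":
    print(demo())
    print(seconds_to_try(10), seconds_to_try(10, factor=3), seconds_to_try(20))
```

With these assumed values, ten wrong guesses cost about 17 minutes of enforced waiting when the delay doubles and about 8 hours when it triples.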
0

Not being facetious but the best way is to not put it there in the first place. (Agree with David Hicks).

Think of it this way: If the laptop was stolen or lost and contained all your company's secrets - how would you feel? Even if you use TrueCrypt with a super strong password... you'd always have that doubt in your mind.

Consider publicity; the press take a simplistic view of things. They'd say "Acme corp loses laptop with 30,000 employee records". The fact that it was highly encrypted might not be enough to prevent reputational damage.

Fortyrunner
0

TrueCrypt virtual drives. We can manage them by backing up the headers in case the passwd gets lost, and since they are easy to use, no problems getting the users to use them. Mind you, we only have 5 ppl.

cbrulak