Laptop with secret data, what to do to secure it?
Goto page 1, 2  Next  :||:
Networking/Security Forums -> Physical Security and Social Engineering

Author: n707 PostPosted: Tue Apr 03, 2007 9:49 pm    Post subject: Laptop with secret data, what to do to secure it?
    ----
What everything would you do, if you will have a laptop with secret data to protect the laptop and the data as well??

I can start: encrypt the data, use Kensington lockers to protect computer, make BIOS and harddisk password.

What else? Please write as many ideas you know.

Author: EOS PostPosted: Tue Apr 03, 2007 10:48 pm    Post subject:
    ----
FULL Disk Encryption

Physically secure the laptop at all times.

Author: bhavukLocation: New Delhi PostPosted: Tue Apr 03, 2007 11:01 pm    Post subject:
    ----
try this open source tool
works quite well

http://www.truecrypt.org/

Author: n707 PostPosted: Wed Apr 04, 2007 12:15 pm    Post subject:
    ----
EOS wrote:
Physically secure the laptop at all times.


Sure I know this rule but.. won't it destroy the hardware? I mean when I take it when I travel by buses, in traffic transport in underground, won't some kinds of shaking destroy my harddisk?

OK. So physical security and full disk encryption. What else? I am sure there are many more such things. So?

Author: hax0r26Location: United States of America PostPosted: Thu Apr 05, 2007 9:30 pm    Post subject:
    ----
How about making sure your system is secure like FORT KNOX.


If they do somehow manage to breach your notebooks security, they still have to crack the encryption to even see the data on the system.

What OS are you running on this notebook?

Author: stimpy99 PostPosted: Thu Apr 05, 2007 10:05 pm    Post subject: Re: Laptop with secret data, what to do to secure it?
    ----
n707 wrote:
What everything would you do, if you will have a laptop with secret data to protect the laptop and the data as well??

I can start: encrypt the data, use Kensington lockers to protect computer, make BIOS and harddisk password.

What else? Please write as many ideas you know.


Full disk encryption. PGP FDE is great.

When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?

Author: n707 PostPosted: Fri Apr 06, 2007 12:25 am    Post subject:
    ----
stimpy99 wrote:
Full disk encryption. PGP FDE is great.


Is sufficient to use TrueCrypt?

stimpy99 wrote:
When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?


That is Top secret degree, with many money (believe me - really many money) left in case of stoling or copying. Really.

hax0r26 wrote:
What OS are you running on this notebook?


Win XP pro. Is that important?

Moderator note: please do not use nested quotes - capi


Last edited by n707 on Fri Apr 06, 2007 10:51 am; edited 2 times in total

Author: hax0r26Location: United States of America PostPosted: Fri Apr 06, 2007 4:27 am    Post subject:
    ----
Quote:
Win XP pro. Is that important?


Is that important? Laughing Seriously, you want *us* to give you information including different ways and methods to secure this notebook. However, you don't even give an OS.

Cheers, Hax0r26

Quote:
When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?


stimpy99 You work for the Government? Yes or No?

Laughing

Author: NetworkguyLocation: UK PostPosted: Tue Apr 17, 2007 1:55 am    Post subject:
    ----
If this is really secret (as defined by the government) then you have made your first mistake by putting this data onto a laptop and taking out of a secure building.

Likewise, if this is gov then in the UK and the US then your local infosec team will be on hand to give you guidance.

If this is just sensitive commercial grade stuff however thn start with good full disk encryption. Others here have already pointed you at a few products so use these to secure the laptop whilst it is at rest.

This now means that even if your laptop is stolen, they can't just boot the thing up and even if they put the hard disk into a different machine, they still need to spend time breaking the encryption before they gain access.

And finally, if this is really SECRET, fill the RJ45 ethernet port with some sort of epoxy resin to avoid the urge to plug it into an unsecure network such as a college LAN or even the internet.

Author: PhiBerLocation: Your MBR PostPosted: Tue Apr 17, 2007 6:19 pm    Post subject:
    ----
In addition to what NetworkGuy has already said, do note that the majority of attacks against strong encryption do not occur against the algorithm itself, but against other vulnerabilities. In otherwords, why crack the encryption when a simple rootkit, trojan or vulnerability exploit can render your data compromised? Your connection to the Internet is your biggest threat. If the data you are trying to protect is as important as you make it out to be, take the advice of others from this posting and get guidance from industry level security professionals. Online postings can only help you so much, and the risk of misconfiguration in the security realm is incredibly high if you are not a seasoned professional.

Author: stimpy99 PostPosted: Tue Apr 17, 2007 9:51 pm    Post subject:
    ----
hax0r26 wrote:
stimpy99 You work for the Government? Yes or No? Laughing

Work for a defence contractor, as their sec admin, that has upward links to "other areas" - nuff said

Author: The_Real_GandalfLocation: Athens,Greece PostPosted: Wed May 09, 2007 10:27 am    Post subject:
    ----
Protecting your data?...ehmm.... ok!

First of all , as networkguy mentioned , these data should never be out of the premises in the first place...

Anyway... lets give it a shot.

1-First of all encryption. Use PGP or other encryption program , capable of providing a 1024bit RSA key.

Take your keys now , created by PGP and store them into a usb stick which should be kept in a different place than your notebook. Without those keys , data are useless even from a physical attack.

2-Hide them. Use a security suite like Steganos and create a virtual drive with full encryption provided by the software. The complexity of getting the files cracked, should reach to max, if you think that you have first used PGP, then Steganos and then hide them all together into a file (virtual drive) which open only with a very strong alphanumeric password. Not to mention that you need to have this USB with the keys for the PGP program.

3-On top off all that you can use a biometric fingerprint usb device that will ask for the password and match it with your fingerprint.

So no matter if the attacker steals your notebook (which should be insured) he will never crack the procedure, cause he will be missing 3 things.

USB and keys of PGP, Password for Steganos , Fingerprint of yours along with the local password of your account. Even from a physical point of view , if he tries to "read" the HDD with another device/system he will get an encrypted file with 1024-RSA encryption (PGP) multiplied with the encryption strength of Steganos Security.

I do not have to mention though that this case , is valid and easy to use , only if the data you are reffering to , are not more than 500MB. Otherwise it might take you a period of 10-20mins , to encrypt-decrypt every time those files.

Your choice...


Gandalf

Author: stimpy99 PostPosted: Wed May 09, 2007 9:23 pm    Post subject:
    ----
n707
PhiBer wrote:
Online postings can only help you so much, and the risk of misconfiguration in the security realm is incredibly high if you are not a seasoned professional.


Good point. What I always ask people is "do you want The Sun Test? <insert your biggest selling newspaper here!>. Meaning if you fook up do you want your face on the front page of a newspaper saying "this was the guy that lost 45.7 million credit card details... leaked the personal detail of 40,00 veterens, lost a billion pound order because tender documents were lost..., etc <add you own headline in here!>.

Author: RoninV PostPosted: Sat May 12, 2007 6:22 pm    Post subject: It's not just security from theft
    ----
When it comes to full hard drive encryption, one is always weary that corruption will make the data unusable. Of course, this corruption would happen at the worst time (company meeting, conference). So for me, it's not just a security against data loss (via theft) question. It also has to do with reliable data access, once these security measures ar in place. So, I like the suggestions given, including Gandalf's meshing of them. Could someone bottom line the data access reliability factor?

Author: groffg PostPosted: Wed May 16, 2007 7:03 pm    Post subject: data security options
    ----
In response to the original post, I'd say that a layered security approach that is commensurate with the level of risk is entirely appropriate. A reasonable (rather than paranoid) approach to security is appropriate in most environments. First, it's good to divide security in terms of the computer being "live" as well as the computer (and data) being "at rest." Let's start w/ the first.

While the computer is on, you could face a variety of potential data-breaching scenarios. If you surf the web with your laptop, a single piece of malware on a rogue (or even legitimate) web site could render your machine owned (breached). At that point, you *might* have a data breach (or, your machine might simply be used as a spambot, not that that's a good thing). Regardless, being proactive is key to protecting your data. I won't regurgitate the "top 10 security tips" lists that are out there and readily available, but I'll say that 2 bafflingly seldom-mentioned suggestions are as follows:
* use a limited user account for daily computer use
* turn on DEP for all progs/services, and verify that your hardware supports marking pages in memory as "no execute" (NX, aka XD)

Logging in as a limited user will reduce your security "surface area" in the event that malware executes within the security context of your login. Regarding DEP, I strongly recommend using hardware that supports it. If your machine does not, then you could consider upgrading (i.e., purchasing) a new machine.

Now, in regards to data that is "at rest," I like the idea of FDE (full disk encryption). FDE encrypts everything on the disk, sector by sector, excluding necessary startup code residing in the MBR (master boot record). The idea of FDE is that, if someone steals your computer and attempts to read data directly off the disk, that data will all be encrypted and nearly impossible to access.

Given the availability of EFS (encrypting file system) in the "professional" or "business" edition of Windows, why not just use EFS? EFS is certainly an option, but non-Vista versions of Windows cannot encrypt the paging files and confidential files might appear in unencrypted form in the %temp% directory. One solution to both problems would be to 1) encrypt the %temp% folder & sub-folders (in addition to your "documents" directories or wherever your secret files reside) and to 2) not use paging at all (assuming your have a liberal amount of physical memory). Again, with FDE this is not an issue since file fragments, paging files, as well as temp files are all encrypted anyway, and furthermore, FDE is more "thorough" in that literally everything (well, almost) is encrypted, so for the paranoid FDE is a better route, but for the mere "security conscious" individual, EFS might be an acceptable solution.

Again, I'll skip the "top 10" lists that recommend such obvious suggestions as to use a firewall (that actually works), use AV, be judicious in your downloads, and so forth. I will say that, on a final note, good security is layered, such that if a breach occurs, the bad guy will not immediately have full access to your data, but will instead have to undergo at least one or two more hurdles.

Author: The_Real_GandalfLocation: Athens,Greece PostPosted: Mon Jul 09, 2007 12:08 pm    Post subject:
    ----
Quote:
Could someone bottom line the data access reliability factor?


This is an issue which has all to do with your HDD life limit as hardware part. As long as your drive is spining right and your system can read all data from it, then you can work with 100% efficiency.

Since now , we are aware that as hardware it will certainly fail at some point in teh future, backup is another case that we need to examine. Backup should be made in a scheduled way as to have a 90-95% data integrity and availabillity.
Confidentiality however should be achieved in a more physical way , like for instance storing them in a remote place (e.g. safe box or bank deposit box) according to your data value. If you are a simple user, i think that a small locked cabinet would be enough to store any CD/DVD/USB sticks you might have to safe keep your files.
Keep in mind also that there are 2-4GB usb sticks out there with built-in encryption module and biometric devices on board. So you might feel a bit more safer with them.

Gandalf



Networking/Security Forums -> Physical Security and Social Engineering


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Goto page 1, 2  Next  :||:
Page 1 of 2

Powered by phpBB 2.0.x © 2001 phpBB Group