Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: In light of what has happened with the theft of the VA laptop, what are the "best practices" for securing laptops?

From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Tue, 13 Jun 2006 10:22:30 -0600 (MDT)
If somebody has physical possession of the equipment, then there's not
much you can do.  BIOS passwords can be reset.  Fingerprint readers aren't
silver bullets.  Any encrypted data can be cracked given sufficient
determination and time.  There's ERD to reset the local admin password,
then the EFS does you no good, since that person is a local user on the
system that owns the EFS.

USB tokens would probably have been left in the laptop...just like CACs
get left in by most users.

I'm not first hand familiar with TruCrypt or TPM...

Your better bet would have been to have the laptop act as a thin client to
a remote, secured computer (physically secured as well)...such as Citrix
or something.  Then, unless the user wrote down his credentials to get
onto the Citrix solution, he's got no actual data.

It's not bullet proof, but better than having sensitive data outside of a
secured environment.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Mike Foster wrote:

In light of what has happened with the theft of the VA laptop, what are
the "best practices" for securing laptops?  Am curious how all of you feel
about the options.

How do  you feel and/or what is your experience with:
--Power-on passwords in the hardware/CMOS/BIOS Setup
--Hard drive locking passwords in the hardware/CMOS/BIOS Setup
--Laptops equipped with fingerprint readers for the above two options
--Windows NTFS EFS encryption
--TrueCrypt from www.truecrypt.org for encrypted storage areas
--Trusted Platform Module (TPM) https://www.trustedcomputinggroup.org
--Tokens that plug into USB
--Others?

Thank you in advance...
Previous By Date Next
Previous By Thread Next

Current thread: