RE: In light of what has happened with the theft of the VA laptop, what are the "best practices" for securing laptops?

["Bryan S. Sampsel" <bsampsel () libertyactivist org>]

Except that sensitive data such as this should NEVER be on a laptop or any
other computer resource that isn't physically secured as well as logically
secured.

Physical possession gives the possessor quite an advantage if he thinks
the payoff is worth his investment.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org


Robertson, Seth (JSC-IM) wrote:
> These steps basically work but if your theif has any data
> recovery/forensics skills he may find 5 temporary versions of your "My
> Documents" Word docs in other places of the drive (unencrypted) or
> unencrypted versions of deleted spreadsheets, etc. (deleted files are
> just deallocated but not wiped from the drive).  The reason for
> full-disk encryption is to be sure that all free space, slack space,
> swap space, database, and temp files are always encrypted so that no
> matter how sophisticated the theif (or the person he sells the hard
> drive to) your data is safe.
>
>
> Seth Robertson
>
> -----Original Message-----
> From: Ruiz, Rolando [mailto:rolando_ruiz () jetaviation com]
> Sent: Tuesday, June 13, 2006 1:54 PM
> To: Depp, Dennis M.; security-basics () securityfocus com
> Subject: RE: In light of what has happened with the theft of the VA
> laptop, what are the "best practices" for securing laptops?
>
> Here's my thoughts on this:
>
> We had a similar incident here and we (finally) put the following steps
> in place.
>
> 1 - We sync data to server at logon and logoff. This ensures that if the
> laptop is lost or stolen the data is AVAILABLE to the VP. Critical data
> MUST be stored on My Documents folder to ensure its availability
>
> 2 - We encrypt the data on both ends.
>
> 3 - We enable and password protect screensavers
>
> 4 - If stolen while in screensaver, thief will have to force restart.
> For this we enable Bios password. When enabling bios password you have
> to change the default bios admin password to prevent access to bios.
>
> 5 - In some cases we enable Outlook to prompt for password.
>
> Hope this helps.
>
> Regards,
>
>
>
> Rolando Ruiz
>
> Information Technology
>
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm () ornl gov]
> Sent: Tuesday, June 13, 2006 12:12 PM
> To: Mike Foster; security-basics () securityfocus com
> Subject: RE: In light of what has happened with the theft of the VA
> laptop, what are the "best practices" for securing laptops?
>
> 1.  Don't put unnecessary sensitive information on a laptop.
> 2.  Encrypt data on the drive or encrypt the entire hard drive.
>
> Dennis
>
> -----Original Message-----
> From: Mike Foster [mailto:mike () mytechcoach com]
> Sent: Monday, June 12, 2006 8:49 PM
> To: security-basics () securityfocus com
> Subject: In light of what has happened with the theft of the VA laptop,
> what are the "best practices" for securing laptops?
>
> In light of what has happened with the theft of the VA laptop, what are
> the "best practices" for securing laptops?  Am curious how all of you
> feel about the options.
>
> How do  you feel and/or what is your experience with:
> --Power-on passwords in the hardware/CMOS/BIOS Setup --Hard drive
> locking passwords in the hardware/CMOS/BIOS Setup --Laptops equipped
> with fingerprint readers for the above two options --Windows NTFS EFS
> encryption --TrueCrypt from www.truecrypt.org for encrypted storage
> areas --Trusted Platform Module (TPM)
> https://www.trustedcomputinggroup.org
> --Tokens that plug into USB
> --Others?
>
> Thank you in advance...