ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender
      last edited by

      What are you paying for SEDs?

      BRRABillB 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @BRRABill
        last edited by

        @BRRABill said:

        @scottalanmiller said:

        @BRRABill said:

        You are correct in that if the password is 1234 it's easy to crack. But it is not so easy if you are using the recommended letters, numbers, etc..

        Studies show that those factors do absolutely nothing to slow cracking. It's purely for duping humans into feeling things are secure, it does nothing to secure against an attack. Only length does that in any meaningful way. Complexity is a direct enemy of security because it makes humans unable to remember it while making it no harder for a computer to crack.

        Right.

        If you are serious about it not getting cracked, it's gotta be looooooong.

        Every extra character makes it quite a bit longer to crack. Complexity doesn't slow it down in any way.

        BRRABillB DashrenderD 2 Replies Last reply Reply Quote 0
        • BRRABillB
          BRRABill @Dashrender
          last edited by

          @Dashrender said:

          What are you paying for SEDs?

          For endpoints, I buy the Samsung EVO line. They are pretty reasonable these days.

          The software that manages the encryption is $39. I'm not sure what it costs in a larger scale.

          1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill @scottalanmiller
            last edited by

            @scottalanmiller said:

            Every extra character makes it quite a bit longer to crack. Complexity doesn't slow it down in any way.

            Do you have statistics on how long it takes to guess passwords of a given length?

            I looked through quite a few articles and the estimates are all over the place.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender @scottalanmiller
              last edited by

              @scottalanmiller said:

              @BRRABill said:

              @scottalanmiller said:

              @BRRABill said:

              You are correct in that if the password is 1234 it's easy to crack. But it is not so easy if you are using the recommended letters, numbers, etc..

              Studies show that those factors do absolutely nothing to slow cracking. It's purely for duping humans into feeling things are secure, it does nothing to secure against an attack. Only length does that in any meaningful way. Complexity is a direct enemy of security because it makes humans unable to remember it while making it no harder for a computer to crack.

              Right.

              If you are serious about it not getting cracked, it's gotta be looooooong.

              Every extra character makes it quite a bit longer to crack. Complexity doesn't slow it down in any way.

              That's not entirely true. If you KNOW that the character set doesn't have any special characters, that's like 30 points of entropy per character lost.

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                I think that we are mostly on the same page. In the OP the question was "why wouldn't you" basically asking why every machine everywhere shouldn't be encrypted. Many machines should be, some are a middle ground of it could go either way and many should not be. Encryption adds cost, complexity and certain types of risk while reducing other types of risk, mostly around theft. If your goal is blinding speed, data is not important or you need systems that can restart themselves, encryption is problematic. If you need systems that are highly secure against physical theft, you probably want encryption. It's not that I'm saying you shouldn't have encryption, you just shouldn't have it "everywhere".

                BRRABillB 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said:

                  @scottalanmiller said:

                  @BRRABill said:

                  @scottalanmiller said:

                  @BRRABill said:

                  You are correct in that if the password is 1234 it's easy to crack. But it is not so easy if you are using the recommended letters, numbers, etc..

                  Studies show that those factors do absolutely nothing to slow cracking. It's purely for duping humans into feeling things are secure, it does nothing to secure against an attack. Only length does that in any meaningful way. Complexity is a direct enemy of security because it makes humans unable to remember it while making it no harder for a computer to crack.

                  Right.

                  If you are serious about it not getting cracked, it's gotta be looooooong.

                  Every extra character makes it quite a bit longer to crack. Complexity doesn't slow it down in any way.

                  That's not entirely true. If you KNOW that the character set doesn't have any special characters, that's like 30 points of entropy per character lost.

                  Except you don't know that.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @BRRABill
                    last edited by

                    @BRRABill said:

                    @scottalanmiller said:

                    Every extra character makes it quite a bit longer to crack. Complexity doesn't slow it down in any way.

                    Do you have statistics on how long it takes to guess passwords of a given length?

                    I looked through quite a few articles and the estimates are all over the place.

                    that's because it depends on the algorithm, the password length and the hardware used. So there is no easy answer. If you are trying to crack something with a laptop or with a Tesla cluster, you get very different results.

                    1 Reply Last reply Reply Quote 1
                    • BRRABillB
                      BRRABill @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      certain types of risk

                      Being catastrophic data loss?

                      But wouldn't a good backup cover you there?

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @BRRABill
                        last edited by

                        @BRRABill said:

                        @scottalanmiller said:

                        certain types of risk

                        Being catastrophic data loss?

                        But wouldn't a good backup cover you there?

                        Presumably. If the assumption is that people need data in dangerous places (like laptop endpoints) because they have to work offline then the assumption is that there is data there that might not be easy to back up either.

                        1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill
                          last edited by

                          BTW: I get what you mean about a place like a bank. If you are running updates in the middle of the night, and it needs to reboot, someone needs to be there to get it back up.

                          But for a doctor office, no one is working at 3 in the morning. I understand your feeling that the doctor him or herself won't ant to do it. But if it is important to them, don't they have to be given the option?

                          Of course for a bank you'd want it in a secured data center if possible.

                          I'm talking more the fringe cases. Smaller doctor offices. Accountant with tax returns. That kind of stuff.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @BRRABill
                            last edited by

                            @BRRABill said:

                            BTW: I get what you mean about a place like a bank. If you are running updates in the middle of the night, and it needs to reboot, someone needs to be there to get it back up.

                            But for a doctor office, no one is working at 3 in the morning. I understand your feeling that the doctor him or herself won't ant to do it. But if it is important to them, don't they have to be given the option?

                            Of course for a bank you'd want it in a secured data center if possible.

                            I'm talking more the fringe cases. Smaller doctor offices. Accountant with tax returns. That kind of stuff.

                            It's less about updates, you can schedule that. It's blips that cause reboots. You can run into problems if you have regular, unexpected updates because they are inconvenient. You can run into if you want to do scheduled weekly backups as we often recommend. And you can easily run into it if you go two years without a reboot and when it happens no one knows what is wrong with the system and it is just "dead".

                            BRRABillB 2 Replies Last reply Reply Quote 0
                            • BRRABillB
                              BRRABill @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              It's less about updates, you can schedule that. It's blips that cause reboots. You can run into problems if you have regular, unexpected updates because they are inconvenient. You can run into if you want to do scheduled weekly backups as we often recommend. And you can easily run into it if you go two years without a reboot and when it happens no one knows what is wrong with the system and it is just "dead".

                              But how often do servers just randomly reboot? Or do random updates?

                              So if the server doesn't ever reboot, what's the issue?

                              1 Reply Last reply Reply Quote 0
                              • BRRABillB
                                BRRABill @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                and when it happens no one knows what is wrong with the system and it is just "dead".

                                Then they call their friendly MSP/Consultant and say "hey it's asking for some Bitlocker password" and you give it to them and all is good in the world.

                                Why wouldn't this work?

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @BRRABill
                                  last edited by

                                  @BRRABill said:

                                  @scottalanmiller said:

                                  and when it happens no one knows what is wrong with the system and it is just "dead".

                                  Then they call their friendly MSP/Consultant and say "hey it's asking for some Bitlocker password" and you give it to them and all is good in the world.

                                  Why wouldn't this work?

                                  It assumes...

                                  • Good MSP records.
                                  • That they still have the same MSP or can find the right one.
                                  • They know enough to call the MSP.
                                  • They consider this something for the MSP to fix and aren't mad at the MSP for breaking the system.
                                  • The people who worked with the MSP are still around.
                                  • The MSP is available immediately at the time needed and doesn't need time before responding.

                                  Lots to go wrong there. Look at @Dashrender's description of a doctor's office. They can't even figure out what app to use to open a document. how could they possibly deal with knowing what vendor to call when. They'd far more likely call the NAS vendor and yell at them for not supporting their product.

                                  BRRABillB 2 Replies Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @scottalanmiller
                                    last edited by

                                    @scottalanmiller said:

                                    how could they possibly deal with knowing what vendor to call when.

                                    There is only 1 vendor to call. The people who helped them with all their computer stuff.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @scottalanmiller
                                      last edited by

                                      @scottalanmiller said:

                                      • The MSP is available immediately at the time needed and doesn't need time before responding.

                                      That's the only issue I see there.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill
                                        last edited by BRRABill

                                        But again ... what are the odds a server is just going to reboot in the middle of the day. It doesn't happen on any of my servers. Is this something you see a lot?

                                        J scottalanmillerS 2 Replies Last reply Reply Quote 0
                                        • J
                                          Jason Banned @BRRABill
                                          last edited by Jason

                                          @BRRABill said:

                                          But again ... what are the odds a server is just going to reboot in the middle of the day. It doesn't happen on any of my servers. Is this something you see a lot?

                                          This would suck in a data center environment. Remote reboots .. Having to hop into the Out of band management to get it booted up. No Thanks.

                                          This is why physical security is important. Have audit trails for server room access.

                                          Also not even sure how you do this with a large scale SAN setup like ours. It's just not practical.

                                          BRRABillB scottalanmillerS 4 Replies Last reply Reply Quote 0
                                          • BRRABillB
                                            BRRABill @Jason
                                            last edited by

                                            @Jason

                                            I was reading that and saw it edited before my eyes! LOL.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 7
                                            • 8
                                            • 17
                                            • 18
                                            • 6 / 18
                                            • First post
                                              Last post