ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Force USB encryption Windows and Mac

    Scheduled Pinned Locked Moved IT Discussion
    112 Posts 10 Posters 7.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender
      last edited by

      Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?

      which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...

      I hesitate asking for fear that they will suddenly require it, while right not I consider it NOT required.

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @Dashrender
        last edited by DustinB3403

        @Dashrender said in Force USB encryption Windows and Mac:

        How do you figure? We haven't even shown them the policy.. only mentioned we have one.

        7An9930.png

        "You mention technical controls are not in place to ensure USBs are encrypted" - Meaning you don't have a process or plan in place to encrypt USB storage

        "however, you do mention that it's stated in policy that USBs must be encrypted and company owned"

        If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.

        The sophos isn't "Automatically encrypted" and it would violate your policy as it would allow anyone to bring a personal USB storage device into the business, encrypt it and pull anything from the business down onto it. You would then have no proof that said device was secured, or where it went. Nor how it's encrypted and secured.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • DustinB3403D
          DustinB3403 @JaredBusch
          last edited by

          @JaredBusch said in Force USB encryption Windows and Mac:

          Bit Locker can do it natively.

          So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

          That's Windows only and wouldn't work for the second half of the question.

          DashrenderD 1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @DustinB3403
            last edited by

            @DustinB3403 said in Force USB encryption Windows and Mac:

            @JaredBusch said in Force USB encryption Windows and Mac:

            Bit Locker can do it natively.

            So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

            That's Windows only and wouldn't work for the second half of the question.

            yep.

            Though, I suppose if required, I could have two solutions.

            DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
            • DustinB3403D
              DustinB3403
              last edited by

              The word control is used to indicate a process or system of ensuring things are done. Not some magical tool, and Sophos is right, odds are your insurance simply isn't asking about the computers themselves.

              1 Reply Last reply Reply Quote 1
              • DustinB3403D
                DustinB3403 @Dashrender
                last edited by

                @Dashrender said in Force USB encryption Windows and Mac:

                @DustinB3403 said in Force USB encryption Windows and Mac:

                @JaredBusch said in Force USB encryption Windows and Mac:

                Bit Locker can do it natively.

                So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

                That's Windows only and wouldn't work for the second half of the question.

                yep.

                Though, I suppose if required, I could have two solutions.

                :man_facepalming:

                1 Reply Last reply Reply Quote 0
                • DustinB3403D
                  DustinB3403
                  last edited by

                  The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .

                  DashrenderD 1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in Force USB encryption Windows and Mac:

                    This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                    Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

                    DashrenderD 1 Reply Last reply Reply Quote 1
                    • DashrenderD
                      Dashrender @DustinB3403
                      last edited by

                      @DustinB3403 said in Force USB encryption Windows and Mac:

                      The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .

                      and you are under some delusion that people live to only follow the rules and would never just go to the store (or hell, pickup a USB stick in the parking lot) and just simply plug it into their computer.

                      DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in Force USB encryption Windows and Mac:

                        @Dashrender said in Force USB encryption Windows and Mac:

                        This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                        Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

                        I'm waiting for just that reply already.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @DustinB3403
                          last edited by

                          @DustinB3403 said in Force USB encryption Windows and Mac:

                          @Dashrender said in Force USB encryption Windows and Mac:

                          @DustinB3403 said in Force USB encryption Windows and Mac:

                          You would have no way to do this.

                          You can setup encrypted volumes on USB drives you control, but there would be know way to do this for every USB drive.

                          This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                          I'm wondering if there is some type of MDM/end user device management (something like Intune).

                          How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.

                          I think the only option is blocking unencrypted drives. But it wouldn't be encrypted versus not, it would be encrypted by a certain tool or not. That's about the only possible solution.

                          DustinB3403D 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said in Force USB encryption Windows and Mac:

                            Insert the drive, it's scanned to see if it's encrypted

                            This is where it would fail at the high level. A computer can tell if something is encrypted with a specific tool or two if it reports that. But can't tell in the general sense.

                            @Dashrender said in Force USB encryption Windows and Mac:

                            Do you want to encrypt this drive? (if yes, all data currently on this device will be lost).

                            It would be more like "would you like to reformat this drive", because it's not encrypting, just erasing.

                            @Dashrender said in Force USB encryption Windows and Mac:

                            the bigger issue I see is - how will it KNOW it's encrypted? There are tons of different types of encryption. It's unlikely that any solution would know them all.

                            Exactly. Can only check for one type.

                            1 Reply Last reply Reply Quote 0
                            • DustinB3403D
                              DustinB3403 @Dashrender
                              last edited by

                              @Dashrender said in Force USB encryption Windows and Mac:

                              and you are under some delusion that people live to only follow the rules and would never just go to the store (or hell, pickup a USB stick in the parking lot) and just simply plug it into their computer.

                              I'm not under any delusion, I realize this can and does happen all of the time, but you have a policy in place and a means of slapping someone on the wrist if they do something they aren't supposed to.

                              @Dashrender said in Force USB encryption Windows and Mac:

                              I'm waiting for just that reply already.

                              They have no such workable solution, as @scottalanmiller they are likely trying to see if you can show them some magical unicorn software that can tell the difference between encrypted zeros and ones and non-encrypted zeros and ones.

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender
                                last edited by

                                The Sofos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving it.

                                That should solve the issue - the main thing the insurance company is trying to protect is any data being copied from the computer would be encrypted on the removable media.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in Force USB encryption Windows and Mac:

                                  Here is the statement from the insurance company, perhaps I'm reading it wrong.

                                  88a90920-77f4-4f1d-9ad8-e5530860b514-image.png

                                  Simply say "technical controls are not possible for all HR policies". That simple.

                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in Force USB encryption Windows and Mac:

                                    @DustinB3403 said in Force USB encryption Windows and Mac:

                                    You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

                                    that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

                                    If that were true, imagine how many HR policies don't have technical safeguards. ALmost all, I would assume.

                                    DashrenderD 1 Reply Last reply Reply Quote 1
                                    • KellyK
                                      Kelly
                                      last edited by

                                      Do you have a business need to allow USB drives to be plugged in? It seems simplest to just deny them entirely. There are so many ways of exchanging information that allowing USB drives is just a security vulnerability without much return.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in Force USB encryption Windows and Mac:

                                        Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?

                                        which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...

                                        I hesitate asking for fear that they will suddenly require it, while right not I consider it NOT required.

                                        They are responding to your policy statement, not claiming a need. They are stating that "because you have a policy" that "you should enforce it". Remove the policy, remove the problem.

                                        1 Reply Last reply Reply Quote 1
                                        • DashrenderD
                                          Dashrender @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Force USB encryption Windows and Mac:

                                          @Dashrender said in Force USB encryption Windows and Mac:

                                          @DustinB3403 said in Force USB encryption Windows and Mac:

                                          You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

                                          that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

                                          If that were true, imagine how many HR policies don't have technical safeguards. ALmost all, I would assume.

                                          Of course, many can't have technical safeguards, and they aren't asking about those.. they are asking about this very specific one.

                                          But - we might as well table this until I get a reply from them.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @DustinB3403
                                            last edited by

                                            @DustinB3403 said in Force USB encryption Windows and Mac:

                                            If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.

                                            I agree. Encryption is up to IT, not the end user. Company owned is up to the end user. They won't ask for a technical safeguard that the company owns the USB sticks. So problem solved.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 2 / 6
                                            • First post
                                              Last post