Local Encryption Scenarios
-
@BRRABill said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
Yeah, but not everyone wants to pay for it (Be it extra device, server, cloud service and so forth). I think that is the biggest issue when dealing with things like these.
That is kind of where I am going with this question.
Yes, you can use cloud VMs and cloud CPA software (in this example) but why not just encrypt the machine with VeraCrypt for free?
Because one is secure and responsible, one is insecure and irresponsible. Local encryption as you are now describing it is actively bad because it is being used as an excuse to not properly secure the data.
-
That highlights my concern... doing something that "sounds super secure to non-technical people, but in reality does very little" is bad when it triggers human emotional responses. To a purely logical being (a computer) making decisions, local encryption would not do this. But in the real world with human users, it normally does. And if ANY behaviour changes based on using the local encryption, then in that scenario, the local encryption was a bad thing, not a good thing. Not just a waste, but actually a negative to the security.
-
If you add the encryption and no one knows about it, or you truly get no other decisions or behaviour to be made based on it, then it can be a good thing as long as the data is properly protected (there is a much higher risk of data loss when using encryption.)
But for a CPA, data loss is minor while data exposure is big.
-
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
Anyway, the best option would be to not have sensitive information on the laptop at all, but that is not always possible. It's also a question of how sensitive the information is.
-
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe or similar when not in use.
-
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up. So it's less likely to happen.
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
Reminds me of this classic:
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
Reminds me of this classic:
Exactly.
-
@Pete-S said in Local Encryption Scenarios:
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
That's not always he case, and thieves know not to close lids.
-
@scottalanmiller said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
That's not always he case, and thieves know not to close lids.
What kind of thieves are we talking about here? The kind that are after national security secrets or the kind that needs money to buy drugs? Or are we talking about professionals that make a living stealing things?
-
@Pete-S in the discussion of hitting the person with a $5 wrench, that of course means the goal is to steal the data. Not the File Cabinet that houses the data.
But the same applies for the laptop too. If the goal is to steal the laptop, you don't care about the data and just want to steal a laptop.
Bolting the cabinet down or using a cable lock on the laptop are just deterrents to prevent theft of the house. The lock is a deterrent to prevent data theft.
-
@scottalanmiller said in Local Encryption Scenarios:
And if ANY behaviour changes based on using the local encryption, then in that scenario, the local encryption was a bad thing, not a good thing. Not just a waste, but actually a negative to the security.
Right, but if the user stays the same (with the exception of entering in a password) [NOTE: if they don't put it on a post-it note LOL] then the local encryption could be seen as a plus.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S in the discussion of hitting the person with a $5 wrench, that of course means the goal is to steal the data. Not the File Cabinet that houses the data.
But the same applies for the laptop too. If the goal is to steal the laptop, you don't care about the data and just want to steal a laptop.
Bolting the cabinet down or using a cable lock on the laptop are just deterrents to prevent theft of the house. The lock is a deterrent to prevent data theft.
I think in 99.99% of the cases the CPA would face, the goal is to steal the laptop and not the data. It is unlikely the hard drive would face any other fate than being wiped. But the guys doing the wiping would probably check if the drive had something of value first that they could sell.
If someone was after the data it would probably be criminals and they would go the $5 wrench route. Or bribe someone for $1500 or whatever would be required..
-
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
I think I would just put the entire laptop in the safe and not bother with the encryption.
Cable locks doesn't withstand a simple bolt cutter. -
If you wanted to take it one step further, you could virtualize the workload that this 1-person CPA does, have them RDP to a VM, decryption the system with bitlocker or veracrypt or something else. Do and save all work on the VM and have nothing of extreme value sitting out on a desk.
But that is overkill for the scenario.
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
I think I would just put the entire laptop in the safe and not bother with the encryption.
You could do that too, but if the goal is to steal the laptop. Taking a safe isn't entirely impossible either. So you'd have the safe and a laptop to sell.
-
All of this depends on how invested someone is in stealing <insert thing>.
If they are incredibly motivated and have unlimited time and resources nothing would stop them.
You as a IT person can create deterrents and that is all.