Force USB encryption Windows and Mac
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You would have no way to do this.
You can setup encrypted volumes on USB drives you control, but there would be know way to do this for every USB drive.
This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.
I'm wondering if there is some type of MDM/end user device management (something like Intune).
How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You would have no way to do this.
You can setup encrypted volumes on USB drives you control, but there would be know way to do this for every USB drive.
This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.
I'm wondering if there is some type of MDM/end user device management (something like Intune).
How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.
yes it would... or at least could...
I would assume it would work something like this:
Insert the drive, it's scanned to see if it's encrypted - if not, a dialog would pop and say - this drive is not encrypted, due to policy only encrypted drives can be attached to this device. Do you want to encrypt this drive? (if yes, all data currently on this device will be lost).
then I would expect it to prompt me for a password to use to decrypt the drive.
the bigger issue I see is - how will it KNOW it's encrypted? There are tons of different types of encryption. It's unlikely that any solution would know them all.
-
Here is the statement from the insurance company, perhaps I'm reading it wrong.
-
@Dashrender how the f*** would you know if it's encrypted or not all I would see is zeros and ones?
-
-
@Dashrender said in Force USB encryption Windows and Mac:
Here is the statement from the insurance company, perhaps I'm reading it wrong.
Yeah that makes 0 f****** sense.you can encrypt the drives that you own but you have no way to actually tell that a drive or volume is encrypted because the computer needs to know what format is used to encrypt it and would have to know what the password is in order to decrypt it to be able to tell if it's all
-
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
-
The policy is the issue that is caused your impossible question simply update your policy to say that any external storage devices need to be encrypted before they can be used on company equipment by the IT department and any devices that is not provided by the IT department cannot be used on company equipment
-
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
-
@black3dynamite said in Force USB encryption Windows and Mac:
https://www.sophos.com/en-us/products/safeguard-encryption.aspx
OK - this looks promising.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
The insurance statement is made in response to the shitty policy.
Fix the policy, and then the insurance request is resolved.
-
In your example of a user plugging in a device that's encrypted already and then this is asked if they want to encrypt that the device and they say no would mean that the system would report that there's a unencrypted device because it doesn't know the difference.
That's way more troublesome than just fixing your policy.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
The insurance statement is made in response to the shitty policy.
Fix the policy, and then the insurance request is resolved.
How do you figure? We haven't even shown them the policy.. only mentioned we have one.
-
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
-
Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?
which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...
I hesitate asking for fear that they will suddenly require it, while right not I consider it NOT required.
-
@Dashrender said in Force USB encryption Windows and Mac:
How do you figure? We haven't even shown them the policy.. only mentioned we have one.
https://i.imgur.com/7An9930.png
"You mention technical controls are not in place to ensure USBs are encrypted" - Meaning you don't have a process or plan in place to encrypt USB storage
"however, you do mention that it's stated in policy that USBs must be encrypted and company owned"
If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.
The sophos isn't "Automatically encrypted" and it would violate your policy as it would allow anyone to bring a personal USB storage device into the business, encrypt it and pull anything from the business down onto it. You would then have no proof that said device was secured, or where it went. Nor how it's encrypted and secured.
-
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
yep.
Though, I suppose if required, I could have two solutions.
-
The word control is used to indicate a process or system of ensuring things are done. Not some magical tool, and Sophos is right, odds are your insurance simply isn't asking about the computers themselves.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
yep.
Though, I suppose if required, I could have two solutions.
:man_facepalming: