Force USB encryption Windows and Mac

DustinB3403

@Dashrender said in Force USB encryption Windows and Mac:

Here is the statement from the insurance company, perhaps I'm reading it wrong.

Yeah that makes 0 f****** sense.you can encrypt the drives that you own but you have no way to actually tell that a drive or volume is encrypted because the computer needs to know what format is used to encrypt it and would have to know what the password is in order to decrypt it to be able to tell if it's all

DustinB3403

You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

DustinB3403

The policy is the issue that is caused your impossible question simply update your policy to say that any external storage devices need to be encrypted before they can be used on company equipment by the IT department and any devices that is not provided by the IT department cannot be used on company equipment

Dashrender

@DustinB3403 said in Force USB encryption Windows and Mac:

You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

Dashrender

@black3dynamite said in Force USB encryption Windows and Mac:

https://www.sophos.com/en-us/products/safeguard-encryption.aspx

OK - this looks promising.

DustinB3403

@Dashrender said in Force USB encryption Windows and Mac:

@DustinB3403 said in Force USB encryption Windows and Mac:

You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

The insurance statement is made in response to the shitty policy.

Fix the policy, and then the insurance request is resolved.

DustinB3403

In your example of a user plugging in a device that's encrypted already and then this is asked if they want to encrypt that the device and they say no would mean that the system would report that there's a unencrypted device because it doesn't know the difference.

That's way more troublesome than just fixing your policy.

Dashrender

@DustinB3403 said in Force USB encryption Windows and Mac:

@Dashrender said in Force USB encryption Windows and Mac:

@DustinB3403 said in Force USB encryption Windows and Mac:

You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices

that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

The insurance statement is made in response to the shitty policy.

Fix the policy, and then the insurance request is resolved.

How do you figure? We haven't even shown them the policy.. only mentioned we have one.

JaredBusch

Bit Locker can do it natively.

So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

Dashrender

Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?

which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...

I hesitate asking for fear that they will suddenly require it, while right not I consider it NOT required.

DustinB3403

@Dashrender said in Force USB encryption Windows and Mac:

How do you figure? We haven't even shown them the policy.. only mentioned we have one.

https://i.imgur.com/7An9930.png

"You mention technical controls are not in place to ensure USBs are encrypted" - Meaning you don't have a process or plan in place to encrypt USB storage

"however, you do mention that it's stated in policy that USBs must be encrypted and company owned"

If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.

The sophos isn't "Automatically encrypted" and it would violate your policy as it would allow anyone to bring a personal USB storage device into the business, encrypt it and pull anything from the business down onto it. You would then have no proof that said device was secured, or where it went. Nor how it's encrypted and secured.

DustinB3403

@JaredBusch said in Force USB encryption Windows and Mac:

Bit Locker can do it natively.

So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

That's Windows only and wouldn't work for the second half of the question.

Dashrender

@DustinB3403 said in Force USB encryption Windows and Mac:

@JaredBusch said in Force USB encryption Windows and Mac:

Bit Locker can do it natively.

So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

That's Windows only and wouldn't work for the second half of the question.

yep.

Though, I suppose if required, I could have two solutions.

DustinB3403

The word control is used to indicate a process or system of ensuring things are done. Not some magical tool, and Sophos is right, odds are your insurance simply isn't asking about the computers themselves.

DustinB3403

@Dashrender said in Force USB encryption Windows and Mac:

@DustinB3403 said in Force USB encryption Windows and Mac:

@JaredBusch said in Force USB encryption Windows and Mac:

Bit Locker can do it natively.

So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?

That's Windows only and wouldn't work for the second half of the question.

yep.

Though, I suppose if required, I could have two solutions.

:man_facepalming:

DustinB3403

The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .

scottalanmiller

@Dashrender said in Force USB encryption Windows and Mac:

This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

Dashrender

@DustinB3403 said in Force USB encryption Windows and Mac:

The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .

and you are under some delusion that people live to only follow the rules and would never just go to the store (or hell, pickup a USB stick in the parking lot) and just simply plug it into their computer.

Dashrender

@scottalanmiller said in Force USB encryption Windows and Mac:

@Dashrender said in Force USB encryption Windows and Mac:

This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

I'm waiting for just that reply already.

scottalanmiller

@DustinB3403 said in Force USB encryption Windows and Mac:

@Dashrender said in Force USB encryption Windows and Mac:

@DustinB3403 said in Force USB encryption Windows and Mac:

You would have no way to do this.

You can setup encrypted volumes on USB drives you control, but there would be know way to do this for every USB drive.

This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

I'm wondering if there is some type of MDM/end user device management (something like Intune).

How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.

I think the only option is blocking unencrypted drives. But it wouldn't be encrypted versus not, it would be encrypted by a certain tool or not. That's about the only possible solution.