Software HDD Encryption: Poll
-
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
-
@MattSpeller said:
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
Gotcha, so we are of one accord then. It's not for protection from a running system, it's for protection against physical separation from the chassis.
-
I guess then the question would be.... is there a certification requirement that states what to do or just one that states an end goal.
And what is the end goal?
-
Great Question/request @Reid-Cooper .
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
So if FDE does not provide any protections against a whole laptop that is stolen, I'd argue that FDE on a laptop is near useless.
FDE on a memory stick or server drives or copier drives, etc on the other hand are very useful because the chances are you don't have the entire chassis that first encrypted it.
-
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?
-
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
-
@Dashrender Yup, plus you disable displaying the last logged in user name. Now the attacker is extra boned.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
FDE isn't needed for that, though. Just encrypt the data.
-
@scottalanmiller said:
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
Unless the law was updated, I don't think even that is required, but considered actionable.
How is data on a laptop that is turned off not considered 'at rest'?
-
@Dashrender said:
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?
Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.
-
@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.
-
@MattSpeller said:
@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.
Would you rather trust them with FDE where the password is normally shared!??!
-
Here is a bigger question.... why is HIPAA data being allowed onto laptops at all?
-
(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.We are also governed by Department of Local Governments -
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
This is not true - not if you don't use a BIOS level password that enables/disables the FDE. Which was my whole point. If you don't require a password to unlock the drive, then the drive is being unlocked automatically when the BIOS/UEFI boots, so using your tools will probably work.
Only removing the drive in this case would offer you any protection.
So again I ask, what's the point in FDE is the whole laptop is stolen and no password is required to unlock the drive. -
@Dashrender said:
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
This is not true - not if you don't use a BIOS level password that enables/disables the FDE. Which was my whole point. If you don't require a password to unlock the drive, then the drive is being unlocked automatically when the BIOS/UEFI boots, so using your tools will probably work.
Only removing the drive in this case would offer you any protection.
So again I ask, what's the point in FDE is the whole laptop is stolen and no password is required to unlock the drive.BIOS passwords are trivial to remove.
-
@scottalanmiller said:
@MattSpeller said:
@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.
Would you rather trust them with FDE where the password is normally shared!??!
This gets back to the OP's original line of thought. The OP does not want to have to manage unique passwords for each machines FDE or shared ones (in what world is that safe or wise?), but instead wants a centralized solution that allows for password resets when the user forgets the password.
-
@scottalanmiller said:
Here is a bigger question.... why is HIPAA data being allowed onto laptops at all?
Indeed! It's asking for trouble!
-
@scottalanmiller said:
@Dashrender said:
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?
Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.
So you're proponent of encrypting the data only. You're right you have little to no risk if the data is encrypted on top of the FDE, but I don't think that most people go that route. They probably choose one or the other, not both.