
RE: Notebook policy (need advice)

Subject: RE: Notebook policy (need advice)
Date: Mon, 29 Jan 2007 10:21:17 -0600
If you follow that policy, then you pretty much limit the majority of what 
makes a laptop useful in the business world.  There has to be a balance and by 
using encryption tools and training/educating you can mitigate security 
problems.  There are even services that can remotely destroy the data on a HDD 
if it is lost or stolen.  I work for an industry that is federally regulated 
and the regulators are simply looking for a means of mitigating potential 
security breaches.  They don't want anyone to stop working; they just want them 
to work smart.  


Sincerely,

Greg Jones


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Barrett, Will
Sent: Sunday, January 28, 2007 7:21 PM
To: Eric Furman; Patton Roub; security-basics@lists.securityfocus.com
Subject: RE: Notebook policy (need advice)

So what you are saying is:

NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP! (Unless it is in the 
custody of an armed law enforcement official)

Anybody, and I mean ANYBODY, (unless they are an armed law enforcement 
official) found with sensitive data on their laptop should have it seized and 
they should be immediately dismissed.

You should have said so to begin with.

Whether you carry a gun or not there will be occasions where there is someone 
in your company/agency/organization that needs to have secure information on a 
laptop or other portable device.  The best you can do is mitigate the threat 
that this presents depending on your organizations and threat acceptance.

And don't use absolutes.  Absolute rules will absolutely get you in trouble.

"Thank you for playing, try again."

Cheers,
 
Will Barrett

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Eric Furman
Sent: Friday, January 26, 2007 9:32 AM
To: Patton Roub; security-basics@lists.securityfocus.com
Subject: RE: Notebook policy (need advice)

Oh please, this is hardly worth replying to. 
Said laptop would be in the possession of an armed law enforcement official. 
Hardly an unsecure environment.
Thanks for playing, try again.

On Fri, 26 Jan 2007 09:09:49 -0700, "Patton Roub" <proub@dci.wyo.gov>
said:
What would be your recommendation to the drug enforcement Special 
Agent who is recording the sensitive data outside the house of a 
suspect, and then using that data to create a search warrant on that 
computer to present to a Judge down the street?  Oh, did I mention the 
data he must have downloaded earlier to make sure he is looking for the right 
guy?
Wireless is not available, and we don't want Special Agents climbing 
poles.

Never ever say never.

Regards

Patton J Roub


-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of Eric Furman
Sent: Thursday, January 25, 2007 2:09 PM
To: security-basics@lists.securityfocus.com
Subject: RE: Notebook policy (need advice)

I'll give you one very simple policy that you should enforce that will 
make most of your concerns moot:

NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP!

Anybody, and I mean ANYBODY, found with sensitive data on their laptop 
should have it seized and they should be immediately dismissed.

There is virtually no reason to ever store sensitive data on a laptop.
Sensitive data should only ever reside on hardened servers in a 
physically secured server room. If your employees need to work with 
this data there are several means to securely access this data 
remotely.

(And, indeed, make sure the room AND its data storage is truly secure. 
There have been recent break-ins at certain companies and data tapes 
containing sensitive data were stolen.)

On Wed, 24 Jan 2007 22:50:47 -0500, "Tony UcedaVélez"
<tonyuv@versprite.com> said:
Definitely agree with the previously made comments on the use of 
full disk encryption and points made on AV, however, I wanted to 
simply add to those points by saying that the issuance of notebooks 
should be focused on those user groups that would most benefit from 
a portable computing device.

Not all positions within a company require the use of a notebook for 
work (although, in the near future this may very well change).
Obviously, the portability of laptops could be recommended to be 
reserved for those who travel/ telecommute or use it for working 
sessions in company war rooms (developers, project managers come to 
mind).  Point here is that the scope and applicability of any 
security policy could achieve a more targeted audience, versus a 
broad unknown audience who truly don't benefit by having a notebook.

This recommendation is obviously tough to act upon in organizations 
where notebooks have already been issued without specific 
consideration to the job function.  However, if possible the added 
value in the above mentioned is the following:

1. IT Operations adheres to imaging and providing laptops to those 
whose roles and responsibilities require the use of a notebook.
Often times, IT Ops groups elect to image a resource that is readily 
available or one in which the user prefers.
2. Again, a policy surrounding notebook usage will be geared to a 
specific audience instead of rolling out a policy to everyone, 
regardless of whether they have a notebook or not. Improved 
accountability, focused security CBT modules (related to mobile
computing) are some positive by-products that result.
3. Cost savings can be multi-fold here.  Since roles and 
responsibilities will dictate who gets a notebook, cost savings are 
realized not only on the price per notebook, but also the costs 
associated with software licenses that are specific to portable information 
assets.

Again, this suggestive advice obviously depends on the 'mobile' 
culture of your company's workforce.  Also affecting the above is 
whether you'll be able to 'backtrack' to make such a recommendation.

Regarding local admin use, again, I would revert to what the roles 
and responsibilities are for the employees and creating various 
images that coincide with their respective user groups/ types.
Ideally, a collaborative effort between HR and IT Security should make this 
work.

Btw, along with AV and FDE, I'd include in the policy the use of 
personal firewalls and HIPS agents, especially for the road warriors 
of your organization.

Hope this helps.

Best Regards,

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv@versprite.com
(web)   www.versprite.com
 




-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of Nicolas Arias
Sent: Tuesday, January 23, 2007 8:12 AM
To: security-basics@lists.securityfocus.com
Subject: Notebook policy (need advice)


Hi guys! In my company we have a lot of notebooks, but there's no 
formal security policy about them.

Can you tell me how you handle this?

Do you give a local admin for the owner? Do you use full disk 
encryption? What about anti-virus and external scans?

Any idea is going to be really appreciated.

Cheers!!