Local Encryption Scenarios
-
That highlights my concern... doing something that "sounds super secure to non-technical people, but in reality does very little" is bad when it triggers human emotional responses. To a purely logical being (a computer) making decisions, local encryption would not do this. But in the real world with human users, it normally does. And if ANY behaviour changes based on using the local encryption, then in that scenario, the local encryption was a bad thing, not a good thing. Not just a waste, but actually a negative to the security.
-
If you add the encryption and no one knows about it, or you truly get no other decisions or behaviour to be made based on it, then it can be a good thing as long as the data is properly protected (there is a much higher risk of data loss when using encryption.)
But for a CPA, data loss is minor while data exposure is big.
-
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
Anyway, the best option would be to not have sensitive information on the laptop at all, but that is not always possible. It's also a question of how sensitive the information is.
-
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe or similar when not in use.
-
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up. So it's less likely to happen.
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
Reminds me of this classic:
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
Anyway, in the case of the CPA we are talking about material that is not really sensitive at all.
The data files could be secured the same way as any paper records. Locked in a safe when not in use.
That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data.
Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe.
In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up.
You have those examples a bit mixed up.
The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter.
You break the lock, you get the data. If you break the encryption key you get the data.
But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume.
Reminds me of this classic:
Exactly.
-
@Pete-S said in Local Encryption Scenarios:
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
That's not always he case, and thieves know not to close lids.
-
@scottalanmiller said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
That's not always he case, and thieves know not to close lids.
What kind of thieves are we talking about here? The kind that are after national security secrets or the kind that needs money to buy drugs? Or are we talking about professionals that make a living stealing things?
-
@Pete-S in the discussion of hitting the person with a $5 wrench, that of course means the goal is to steal the data. Not the File Cabinet that houses the data.
But the same applies for the laptop too. If the goal is to steal the laptop, you don't care about the data and just want to steal a laptop.
Bolting the cabinet down or using a cable lock on the laptop are just deterrents to prevent theft of the house. The lock is a deterrent to prevent data theft.
-
@scottalanmiller said in Local Encryption Scenarios:
And if ANY behaviour changes based on using the local encryption, then in that scenario, the local encryption was a bad thing, not a good thing. Not just a waste, but actually a negative to the security.
Right, but if the user stays the same (with the exception of entering in a password) [NOTE: if they don't put it on a post-it note LOL] then the local encryption could be seen as a plus.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S in the discussion of hitting the person with a $5 wrench, that of course means the goal is to steal the data. Not the File Cabinet that houses the data.
But the same applies for the laptop too. If the goal is to steal the laptop, you don't care about the data and just want to steal a laptop.
Bolting the cabinet down or using a cable lock on the laptop are just deterrents to prevent theft of the house. The lock is a deterrent to prevent data theft.
I think in 99.99% of the cases the CPA would face, the goal is to steal the laptop and not the data. It is unlikely the hard drive would face any other fate than being wiped. But the guys doing the wiping would probably check if the drive had something of value first that they could sell.
If someone was after the data it would probably be criminals and they would go the $5 wrench route. Or bribe someone for $1500 or whatever would be required..
-
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
-
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
I think I would just put the entire laptop in the safe and not bother with the encryption.
Cable locks doesn't withstand a simple bolt cutter. -
If you wanted to take it one step further, you could virtualize the workload that this 1-person CPA does, have them RDP to a VM, decryption the system with bitlocker or veracrypt or something else. Do and save all work on the VM and have nothing of extreme value sitting out on a desk.
But that is overkill for the scenario.
-
@Pete-S said in Local Encryption Scenarios:
@DustinB3403 said in Local Encryption Scenarios:
@Pete-S exactly.
So you would go with simple traditional and easily employed security. Cable locks for the hardware, encryption for the data at rest.
I think I would just put the entire laptop in the safe and not bother with the encryption.
You could do that too, but if the goal is to steal the laptop. Taking a safe isn't entirely impossible either. So you'd have the safe and a laptop to sell.
-
All of this depends on how invested someone is in stealing <insert thing>.
If they are incredibly motivated and have unlimited time and resources nothing would stop them.
You as a IT person can create deterrents and that is all.
-
@Pete-S said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@Pete-S said in Local Encryption Scenarios:
If it's a laptop, how can it be stolen and still not locked? As soon as you close the lid it's locked by a password. I doubt a thief would not close the lid if he grabs it while someone is using it.
That's not always he case, and thieves know not to close lids.
What kind of thieves are we talking about here? The kind that are after national security secrets or the kind that needs money to buy drugs? Or are we talking about professionals that make a living stealing things?
The ones after drugs don't care about the encryption. They will pawn it to a low rep pawn shop that will just reinstall Windows. They don't care about your disk at all.
The theives that want your laptop for identify theft absolutely know not to shut the lid.