Force USB encryption Windows and Mac
-
-
@Dashrender said in Force USB encryption Windows and Mac:
Here is the statement from the insurance company, perhaps I'm reading it wrong.
Yeah that makes 0 f****** sense.you can encrypt the drives that you own but you have no way to actually tell that a drive or volume is encrypted because the computer needs to know what format is used to encrypt it and would have to know what the password is in order to decrypt it to be able to tell if it's all
-
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
-
The policy is the issue that is caused your impossible question simply update your policy to say that any external storage devices need to be encrypted before they can be used on company equipment by the IT department and any devices that is not provided by the IT department cannot be used on company equipment
-
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
-
@black3dynamite said in Force USB encryption Windows and Mac:
https://www.sophos.com/en-us/products/safeguard-encryption.aspx
OK - this looks promising.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
The insurance statement is made in response to the shitty policy.
Fix the policy, and then the insurance request is resolved.
-
In your example of a user plugging in a device that's encrypted already and then this is asked if they want to encrypt that the device and they say no would mean that the system would report that there's a unencrypted device because it doesn't know the difference.
That's way more troublesome than just fixing your policy.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
The insurance statement is made in response to the shitty policy.
Fix the policy, and then the insurance request is resolved.
How do you figure? We haven't even shown them the policy.. only mentioned we have one.
-
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
-
Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?
which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...
I hesitate asking for fear that they will suddenly require it, while right not I consider it NOT required.
-
@Dashrender said in Force USB encryption Windows and Mac:
How do you figure? We haven't even shown them the policy.. only mentioned we have one.
https://i.imgur.com/7An9930.png
"You mention technical controls are not in place to ensure USBs are encrypted" - Meaning you don't have a process or plan in place to encrypt USB storage
"however, you do mention that it's stated in policy that USBs must be encrypted and company owned"
If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.
The sophos isn't "Automatically encrypted" and it would violate your policy as it would allow anyone to bring a personal USB storage device into the business, encrypt it and pull anything from the business down onto it. You would then have no proof that said device was secured, or where it went. Nor how it's encrypted and secured.
-
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
yep.
Though, I suppose if required, I could have two solutions.
-
The word control is used to indicate a process or system of ensuring things are done. Not some magical tool, and Sophos is right, odds are your insurance simply isn't asking about the computers themselves.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
Bit Locker can do it natively.
So is there a GPO (local or AD whatever) that requires bitllocker on USB drives?
That's Windows only and wouldn't work for the second half of the question.
yep.
Though, I suppose if required, I could have two solutions.
:man_facepalming:
-
The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .
-
@Dashrender said in Force USB encryption Windows and Mac:
This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.
Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .
and you are under some delusion that people live to only follow the rules and would never just go to the store (or hell, pickup a USB stick in the parking lot) and just simply plug it into their computer.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.
Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.
I'm waiting for just that reply already.