April33

Help Stolen Laptops with Critical Data on them.

We had a break in on Thursday morning and the robber stole 2 laptops that had sensitive data on them. We have been changing passwords and informing clients of the breach. I am not sure anything can be done about these items but looking toward the future, we are looking for suggestions to better secure our data on laptops and tablets.

We use OneDrive/SharePoint for most of our data storage and Outlook for Office365 for email.

I am nervous to encrypt our entire hard drive in fear of not being able to access our data if there is a mishap...

What is a good solution for protecting our data if device is stolen and/or locating a missing device?

Your suggestions or shared experiences would be welcome.
Disks with exchanged controllers don't work, the controller needs to be matched and adapted to the disk, and the password isn't stored on the controller.
noci

Can't find the info anymore. A few years back HP was afraid they would be charged with providing incorrect information to a customer, who later became a defendant in a criminal case and was convicted because he had password protected his drive and by exchanging the controller the drive was made readable. There was a possible and probable conviction of HP to be expected because of misrepresenting the safety of a "password protected disk". The criminal accepted the verdict and did not file against HP, so there was a relief there.
Not sure, but i think it was a case in NY.

With exchanging the controller I mean the board on the DRIVE unit itself, not the SCSI / IDE counterpart on motherboards. Passwords ARE not a safety measure, they are more about keeping the right drive with the right system.
April33, feedback would be nice.
April33

ASKER

Thanks for all the feedback thus far!

So, since the break in we have password protected all our important client files, set Hard Drive Passwords in the BIOS for each computer and turned on Find Device feature on Surface Pro Tabs and installed Prey on each computer and Tabs.

Only thing left is encrypting the Hard Drives, which makes me very nervous. You guys mentioned different software to use for encrypting but what would be the safest and simplest to use?

Can we encrypt a hard drive with an OS already running without having to reload OS/Programs?

We have mostly Windows 10 Pro machines and 1 Windows 7 Pro laptop.
April33

ASKER

Also, what about securing the OneDrive that is stored locally on the computer when Office365 is installed? Guessing the whole hard drive encryption would solve this issue? Thoughts...
Also set passwords for the BIOS itself, not just the disk. You can usually set one for the admin, and another for the user. If possible also make sure that the PC asks for the password at each boot. That makes the PC unusable to a crook, unless he knows the password (and as I mentioned earlier, manufacturers will only help removing that if they get proof of ownership). That makes the PC unusable and unsellable to the crook, and might make him think twice about stealing in the future...
About OneDrive: if your system boots and is configured to connect automatically without password etc., then it is accessible (encrypted or not). Same for encrypted disks on laptops/PCs: it must ask for a pass phrase (and not one of 3-6 characters, make it a healthy 15-20 characters, it can be a sentence, a rhyme the user can remember).
To prevent access to OneDrive by MS, you need to encrypt it on your system before sending the data there.

LUKS (for linux) supports up to 4 passwords. So you can have several users & admin each having their own password.
Now you are using Windows, try the earlier mentioned TrueCrypt. AFAIK TrueCrypt could encrypt an existing system.
I have had no windows systems for a few years so someone else should comment on that.
Again: hard drive passwords are not secure. They are from the "better than nothing"-league, but nothing more. There are ways to overcome them, even devices sold cheap which will do it for you.
Read my link, answer my previous questions and you'll get a recommendation.
"Password protected all files" ... as in Excel and Word saving the file with a password??
There are tools to get the data out of such documents. At least for the Windows classic files. Not completely sure about the modern variants though, I would not count on it from a security standpoint.

A thing to look for can be a tool like ctmg ( http://git.zx2c4.com/ctmg/about/ ); again this is for Linux, then again TrueCrypt had such a feature. It is different from BitLocker in that you can ask someone to audit code for you or prove for yourself there are no backdoors, while with closed source you have to >100% trust the supplier 'to do the right thing'.
You are just as secure as the password, which can be brute forced. There should be account lockout if attempt counts are exceeded. As mentioned, HDD encryption is baseline for user machine and if there is hardware chipset like TPM. Use it and its PIN as part of the encryption factor. Or better still add the TPM, PIN, and USB StartupKey. The USB key as another factor though not really as secure as a smartcard token.
https://mrhorn.com/wp/posts/bitlocker-with-tpm-pin-usb-startupkey/

One Drive that I see is like mapped drive similar. The on the fly encrypt and encrypt should apply with file folder software on top of HDD encryption. See BoxCryptor
https://www.boxcryptor.com/en/onedrive
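
As an added example (not posted by anyone in this thread): a PowerShell script for the TPM + PIN BitLocker setup referenced above, which encrypts a running Windows 10 Pro system in place and saves a recovery password off the machine before encryption starts. The `C:` mount point, the `E:\` backup path and a local policy that permits TPM + PIN at startup are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: OS volume is C:, E:\ is a
# removable drive that will NOT travel with the laptop, and the policy
# "Require additional authentication at startup" allows TPM + PIN.
$mount     = 'C:'
$backupDir = 'E:\'    # hypothetical backup location

# A usable TPM is required for the TPM + PIN protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready; enable it in firmware setup first.'
}

# Only proceed on a volume that is not encrypted yet.
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "Volume is already in state $($vol.VolumeStatus); nothing to do."
}

# 1. Create the recovery password FIRST and store it off the machine, so a
#    forgotten PIN or a failed TPM never means losing the data.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector |
    Out-Null
$rec = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1
$file = Join-Path $backupDir "$env:COMPUTERNAME-bitlocker-recovery.txt"
"$($rec.KeyProtectorId) $($rec.RecoveryPassword)" | Set-Content -Path $file
if (-not (Test-Path $file)) {
    throw 'Recovery password was not saved; aborting before encryption.'
}

# 2. Turn on BitLocker with TPM + startup PIN. The OS and programs stay
#    installed; encryption runs in the background after the next reboot.
$pin = Read-Host -AsSecureString 'Choose a startup PIN'
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin

# 3. Report progress; rerun this line until VolumeStatus is FullyEncrypted.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
                  ProtectionStatus
```

The recovery file is plain text, so it belongs on media that is stored away from the laptop it unlocks.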
btan - many keys complicate use.

I would just go the Snowden approach - use one big and complex key, and that's it. Impossible to break.

Or, if paranoid, use plausible deniability function of system inside system on TrueCrypt.
Yap I don't disagree on the multi-factor checks - of course there must be a balanced decision taken.

Actually no "most" secure means or silver bullet. If things happened (and it will), timely response for isolation and recovery is most critical for damage controls.

At least we are (still) aware of this option is available - and there may be use case where risk appetite is really very low and cannot afford things to break, this may still be an option as deterrence. Nonetheless, recovery is more important too - need to verify it is working and complicate operationally.
April33

ASKER

You guys have given lots of interesting information.   I do have sensitive data Excel files Encrypted and you need a password to start the computers now.  

I will have to look further into hard drive encryption before I feel comfortable moving forward on that point.

Thanks for all your input thus far!
You know about this document:
http://passcovery.com/helpdesk/knowledgebase.php?article=51

I hope you have taken that into account with "encrypting excel files".
Bios startup password and file password protect with 7zp is also good. Key is not to leave any sensitive information in plain. Disk and file encryption creates two different layer of protection.
April33

ASKER

noci, I did look at the link.

The lesson for me is that security is all about layers... some is better than none and more is better than some!
April33

ASKER

Thanks for everyone's input!
I am a regular user here and would like to express that it is once more funny to see that only very few askers will answer questions about their question. If I try to help, I usually need to know more about the problem before I feel I can even give sound advice. You just missed a chance to get advice on (real) disk encryption, maybe reconsider.