Security of Laptop

amacfarl
I would like some advice on security.  I have recently purchased a Microsoft Surface Pro 6.    Due to the nature of my work, I store a lot on it.

I use Google Drive to sync all documents and I am looking for the following solutions:

1) I am looking to find a solution to protect all of my data that is stored on the hard drive (synced with Google Drive), so if the laptop is stolen - the data is safe
2) I am looking for advice on how to protect log on - I am using Face ID - is that enough
3) I am looking for advice on recovery and tracing the laptop if it is stolen

Thanks

Angus
John
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You have your data safe (as you note above).

Face ID is fine. My laptop has Fingerprint access and that works as well.

Put a hard drive (SSD) lock on the drive. I have done that for years. Another person needs the hard drive password to turn on the computer. The odds that a thief is a hard drive password cracker are very low. So this works as well.

Recovery once stolen:  Natively forget it. You can purchase software to track your computer but that does not guarantee return.  I make sure my laptop is in my bag and right near me when I am not using it.

I have never lost a laptop.
btan
Exec Consultant
Distinguished Expert 2018

Commented:
BitLocker can be considered as it provides encryption for full drives https://www.google.com.sg/amp/s/pureinfotech.com/enable-bitlocker-device-encryption-surface/amp/

If your Surface is lost or stolen, use the Find my device feature to locate and lock it remotely. Find my device uses your device’s location data to help you find your device if you lose it. https://support.microsoft.com/en-sg/help/11579/microsoft-account-find-and-lock-lost-windows-device

Author

Commented:
Thanks for the advice.  I have a couple of follow up questions.

Re the Bit Locker.... It is turned on.  Is there anything else that I need to do?

John - I don't understand what you meant by SSD thing?

Thanks
A.
John
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I don't understand what you meant by SSD thing?

A laptop can have a Hard Drive or SSD (solid state) drive. Either one is protected by a Drive password in BIOS and cannot be started without it. If you have a drive password, use it.

Bit Locker.... It is turned on.  Is there anything else that I need to do?  No, except do not do what many people do. Do not forget the Bit Locker password.
btan
Exec Consultant
Distinguished Expert 2018

Commented:
Remember to back up BitLocker recovery keys too. And yes, pls password protect the BIOS.
https://hardsoft-support.kayako.com/article/54-how-to-backup-bitlocker-drive-encryption-recovery-key-in-windows-10

Author

Commented:
When I look at the settings, it says a back up copy is stored online in my Microsoft account.  Is that enough, or should I create another backup?

When would I need the BitLocker recovery key - under what circumstances?

Cheers
A.
John
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If you are using your Microsoft Account - One Drive (we get a large amount of storage that way) then that is enough assuming it holds everything.

If you have to reformat or do like things, you will need the Bit Locker recovery key. Keep it in a safe place. Never imagine you will not need it.
btan
Exec Consultant
Distinguished Expert 2018

Commented:
E.g. when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. See more examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383583(v=ws.11)#what-is-bitlocker-recovery

FaceID and other biometrics are not secure as a sole method of logon.  Those can be more easily spoofed or bypassed than a complex password.  You really need another authentication factor for biometric logons.

While there hasn't been an official bypass yet for the 3D properties of faceID, every biometric "security" measure has, so far, been bypassed in rather trivial ways.  Biometrics should really only be a 2nd factor of authentication.
https://www.macrumors.com/2017/11/14/face-id-spoofed-by-child-and-mask/
John
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I have not yet seen trivial bypassing of Biometric information, but all methods have password backups and these can be complex and these also can be broken (posted on sticky notes) but still are good things to do
John
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I expect that by the time this is widespread (so that a person in a coffee shop steals the credentials) vendors will further secure the mechanism. There was a big scare about Logitech RF devices and these were secured as well.
Shaun Vermaak
Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
TL/DR

1) I am looking to find a solution to protect all of my data that is stored on the hard drive (synced with Google Drive), so if the laptop is stolen - the data is safe
Only the data in Google Drive folder is safe (unless Google drive changed since I used it). You should either save everything into the Google folder or junction your data folders into the Google folder.

1) I am looking to find a solution to protect all of my data that is stored on the hard drive (synced with Google Drive), so if the laptop is stolen - the data is safe

best way is not to store the data on the laptop at all and remotely access some secure location. and leave the data there.

any encryption mechanism that requires a password any time you need to decrypt will do a relatively decent job. disk level encryption is an option. make sure that whatever you decrypt does not stay stored in non encrypted locations such as tmp dirs, swap space... a flash card for swap is a common hole in such setups.

also remember that any symmetric encryption can be brute forced given enough time.

also note that if your laptop is stolen while you're using it, the disk is decrypted. same applies to hibernate and suspend modes.

2) I am looking for advice on how to protect log on - I am using Face ID - is that enough

that's mostly a nogo
there is no single way to prevent a junior hacker from logging into a computer he/she has physical access to
additionally not being able to logon does not prevent anyone from booting on a usb key or sticking the drive in a different machine.

in real life, if your disk is encrypted, and you need a separate media or password, or preferably both in order to boot, that's much more efficient than any measure you can take to prevent logon.

3) I am looking for advice on recovery and tracing the laptop if it is stolen

any simple hidden shell script run regularly or rather hooked to some common operation can do quite a good job.
paid services won't do much more and are easier to detect since they are well known services.

again, IRL, there are few ways to do something useful. when a desktop gets stolen, it is usually reinstalled. the bios is often flashed. you probably can hide a piece of software in some device's microcode but that's a lot of complexity for next to no use.

You should get a service that is offered as a backup service and has versioning so that you can recover from ransomware.  https://www.pcmag.com/article2/0,2817,2288745,00.asp

It's best to also get an external encrypted disk that you can copy data to once in a while.  This way, you have a disconnected backup that won't get silently overwritten.
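
Added example, not part of the original thread or any poster's code: a PowerShell check for the question "BitLocker is turned on, is there anything else that I need to do?" and for the later point that a password or separate media at boot matters more than the logon screen. `Test-BitLockerPosture` is a hypothetical helper name and the sample volume is constructed; `Get-BitLockerVolume` is the built-in Windows cmdlet and needs an elevated prompt.

```powershell
# Added example (hypothetical helper name): flag BitLocker gaps on a volume object.
function Test-BitLockerPosture {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Protector types as strings, so real enum values and sample strings compare alike.
        $types    = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # ExternalKey is left out: it is also the type used for recovery key files.
        $preboot  = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
        $findings = @()

        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'Protection is Off (disabled or suspended).'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "Volume is $($Volume.VolumeStatus), $($Volume.EncryptionPercentage)% encrypted."
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector: no 48-digit recovery key exists to back up.'
        }
        if (-not ($types | Where-Object { $preboot -contains $_ })) {
            $findings += 'No PIN, password or startup key at boot: the drive unlocks before sign-in.'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = $types -join ', '
            Findings   = $findings
        }
    }
}

# Constructed sample (not real output): a TPM-only volume with no recovery password.
$sample = [pscustomobject]@{
    MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
    EncryptionPercentage = 100; EncryptionMethod = 'XtsAes128'
    KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' })
}
$sample | Test-BitLockerPosture | Format-List

# On the laptop itself, from an elevated prompt:
# Get-BitLockerVolume -MountPoint $env:SystemDrive | Test-BitLockerPosture | Format-List
```

The recovery password itself is listed by `manage-bde -protectors -get C:`; keep a copy somewhere other than the laptop.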
