not permitted to contain classified information
This is in no way incredibly naive, honest, you believe me right? Not being permitted and it not being on there via some technical measure or validation are completely different things.
Friday is usually a good day to bury bad news and there are a number of stories bubbling under before we all head out for the weekend. US Secret Service lost a laptop The US Secret Service has admitted that one of its agents' cars had been broken into by persons unknown, and a laptop was stolen, along with other items. The …
Well, the thing apparently has full disk encryption, so it's hardly likely to matter one way or the other.
Backing up a soft control (the no classified content policy) with a hard, reliable control (full disk encryption, if done properly) is perfectly reasonable. So long as the laptop was powered down at the time and not just sleeping, there's almost nothing to worry about.
I beg to differ. It is much more reassuring to be sure that classified data was not on a stolen laptop then it is to trust in the strength of encryption to keep it hidden.
If it is there, they might just have the resources to dig it out, and then there will be trouble.
If it's not there, they cannot find it, period.
Apparently video shows the thief being delivered to the driveway, getting out and walking directly to the car, stealing the laptop and walking off. Hard to imagine this string of events being possible unless the agent was involved.
Given the agencies involved, I imagine the usual clown show will commence.
Sure, Streaky, you know more about security than the USSS
Plis most of us here work in tech and many of us work in information security. "know more" - I'm commenting on the naive PR guff they put out not their actual procedures but the naive PR guff they put out is extremely naive. That's why I mentioned it.
sure, they have whole disk encryption setup - assuming the drive ever completed the encryption process (i have encountered times where, after several months in use, it was noted that the disk had never encrypted, because the user only ever used the laptop disconnected from mains, and it was never powered on while connected).
Many public sector organisations also use incredibly insecure encryption passwords - often just some part of the asset tag of the machine - because users need something they can remember).
I have also seen cases where the encryption password was written on a label attached to the laptop, as the user could not remember what it was.
And of course, if the laptop was merely sleeping, then the disk encryption is bypassed - and it has already been shown that plugging in certain USB sticks, correctly configured, will net the account credentials.
All in all - you should always assume that if someone has physical access to a computer, that all data on it is accessible. The only way to be sure nobody can get anything off of a computer, is to make sure it never gets onto it in the first place (this applies to all computing devices, phone, tablet, desktops, laptops, etc...)
"sure, they have whole disk encryption setup - assuming the drive ever completed the encryption process"
Which would be ensured by the delivery team. I've built a fair few laptops for our staff, BitLocker is deployed as part our standard build, and laptops aren't issued until they meet all required criteria. We don't trust users to do that stuff themselves.
Biting the hand that feeds IT © 1998–2021