Tuesday, March 31, 2020

Turn on Full Disk Encryption

Encrypting your computer hard drives helps reduce the likelihood that someone who manages to make off with a computer will also make off with the data therein. Full disk encryption, done properly, turns your stolen computer into a fancy brick. It costs nothing to implement and goes a long way in protecting what’s of value to you from both a data and resource perspective.


Every PC or laptop sold in the last decade or so has a built-in encryption mechanism in the operating system that will encrypt the entire hard drive. Windows, Macs, it doesn’t matter. If it’s a Windows computer, the solution is called BitLocker; if it’s a Mac, it’s called FileVault. They’re both Full Disk Encryption (FDE) tools. Activate FDE on every system you can. Links on how to do so, and what to do if you can’t use BitLocker or FileVault, are in the Resources section at the end of this chapter.

Why encrypt your computer hard drives? A stolen computer is a wealth of information about you and your business. Think about what data gets processed in your office every day. Think about all that information in the hands of your competitors (local or foreign). Think about all the data someone can learn about you by seeing what web sites you’re logged into, or information about corporate infrastructure that could be used to facilitate a more extensive hack. Forget industrial espionage: think about all that data on the Internet for anyone to read. Encrypting your computers means that if they’re stolen, they’re not computers, they’re fancy, expensive bricks. The data on the computer is inaccessible to the person who stole it.  

How inaccessible?

If you haven’t written your FDE password down on the inside of your laptop in permanent ink, the effort required to brute-force your way into an encrypted computer is not measured in hours or days, but lifetimes. The kind of computing power required to reduce that time to mere years or months is really only something governments can muster. If you think the National Security Agency is keen on getting access to your secret recipe, okay, but for everyone else, there is little to worry about. If someone cracks your FDE password, and you’ve been dead for 50 years, that’s effectively unbreakable, as far as most of us would be concerned.

FDE isn’t a perfect defense against physical loss. If you don’t completely shut down your computer (e.g. you just close the lid on your laptop to put it to sleep instead of shutting it all the way down), and you have not password-protected it, whoever stole the computer has full access to the data on it (assuming discrete files are not encrypted via some other mechanism). Even if you have password-protected the computer, a weak password or phrase could still let a thief gain access to the data on the system, provided they were actually after data and not a laptop they can pawn for cash (the most common motivation in a smash-and-grab scenario). The full protection provided by FDE depends in part on doing a few things right, which can overcome the potential risk associated with doing one thing (leaving a laptop unattended) wrong.
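Once FDE is turned on, it is worth confirming that every volume is actually encrypted and that protection has not been switched off. The Python below is an added example, not part of the original post: it reads the text printed by `manage-bde -status` (Windows) or `fdesetup status` (Mac) and lists what still needs fixing. It assumes English-language output; the function names are hypothetical and the sample text is constructed.

```python
import re

# Constructed sample of English `manage-bde -status` output (not from a real machine).
SAMPLE_BDE = """\
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off

Volume E: [Backup]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
"""

def audit_bitlocker(text):
    """Return {volume: [problems]} parsed from `manage-bde -status` text."""
    findings, vol = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume\s+(\S+:)", line.strip())
        if m:                                  # start of a new volume section
            vol = m.group(1)
            findings[vol] = []
            continue
        if vol is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Conversion Status" and value != "Fully Encrypted":
            findings[vol].append("not fully encrypted (" + value + ")")
        elif key == "Protection Status" and value != "Protection On":
            findings[vol].append("protection is off or suspended")
    return findings

def audit_filevault(text):
    """Return a list of problems parsed from `fdesetup status` text."""
    problems = []
    if not text.strip().startswith("FileVault is On"):
        problems.append("FileVault is not on")
    if "in progress" in text:                  # conversion has not finished yet
        problems.append("encryption or decryption still in progress")
    return problems

if __name__ == "__main__":
    for volume, problems in audit_bitlocker(SAMPLE_BDE).items():
        print(volume, "; ".join(problems) or "OK")
```

A fully encrypted volume with protection off, like C: in the sample, is the case most easily missed: the data is encrypted, but the key is not being protected.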


Resources

Windows

If you’re using Windows 10, the Microsoft support page on how to implement BitLocker is a great resource: 

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10

If you’re running Windows 7 or other versions of Windows: 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/ee449438(v=ws.10)

Note: Not all versions of Windows implement full disk encryption natively. See the third-party options below for more detail.


Mac

Apple OS X users can implement FDE with FileVault: 

https://support.apple.com/en-us/HT204837


Third-Party FDE Options

Not all versions of every operating system come with full disk encryption built-in. In those situations, you should consider FDE software from a third party. Some options include:

DiskCryptor (free) 

https://sourceforge.net/projects/diskcryptor/


BestCrypt (paid) 

https://www.jetico.com/data-encryption/encrypt-hard-drives-bestcrypt-volume-encryption


Symantec Endpoint Encryption (paid)

https://www.symantec.com/products/endpoint-encryption


McAfee Complete Data Protection (paid)

https://www.mcafee.com/enterprise/en-us/products/complete-data-protection.html


Sophos SafeGuard (paid)

https://www.sophos.com/en-us/products/safeguard-encryption.aspx

 
