Implementing whole disk encryption State Wide, the good, the bad and the encrypted

Background First

USB drives stolen that had

" personal information on them of students and staff members"

Data breaches that caused campus to spend several $$,$$$ getting fraud protection for each person that

" might have gotten there information stolen "

Started to get laptops stolen from instructors, and other staff members cars, homes, or just misplaced

"Which had several years of students personal information on them, like SS Numbers"

Along comes Policy & Standards UCSS ( U niversity C omputer S ecurity S tandards) What it means: The University Computer Security Standard (UCSS) is designed to help protect the university’s central and distributed telecommunications and computing environment from accidental or intentional damage and from alteration or theft of data while preserving university community members’ appropriate access and use.

That include:

Minimum Computer Security Standard (MCSS)

Critical Server Security Standard (CSSS)

Web Service Security Standard (WSSS)

Database Server Security Standard (DSSS)

UCSS is comprised of multiple standards What we are working on is MCSS !

Minimum Computer Security Standard Scope This Standard applies to all computer and telecommunications devices, whether owned by the university, a university community member or a 3rd party organization, that connects to the university data network or support infrastructure either directly or indirectly . Compliance with the standard is the responsibility of all university community members, including students, faculty, staff, agents, guests or employees of affiliated entities who connect a device, either directly or indirectly, to the university data network or support infrastructure.

All university community members using computing and communications devices at the university and all computing and communication devices connected to university resources in any manner must comply with this Standard. Central and distributed unit information technology staff will scan or examine devices for compliance and will disconnect any noncompliant device from the university data network and support infrastructure until the device is brought into compliance. In addition, central and distributed unit information technology staff may seize or quarantine noncompliant university-owned devices. Individual university community members who do not comply with this standard are in violation of the Policy on Responsible Use of University Computing and Network Resources. In accordance with that policy, violators may be denied access to university computing resources and may be subject to other penalties and disciplinary action including university disciplinary procedures appropriate to their university status. Enforcement

Focusing on data theft

We started looking at ways to protect data...

No Sensitive data on laptops

No external devices like: (flash drives, portable HD)

*Other groups started talking encryptions*

Encryption Options PGP - The console lacked the a bility to give administrative rights to certain staff TrueCrypt - Open Source, great for personal use only, no way to recover. Safeboot - Great console, ability to give admin rights to certain sections to staff members.

Time line A plan was made to send laptops off to a outside vendor to encrypt and update for time purpose. Desktops were encrypted by local techs. Total machines sent out: 233 Total done locally:1282

Along Comes SafeBoot

Which is now McAfee Endpoint Encryption

Installation issues we have seen

Discovered a few machines still running old OS

some equipment retired

Vendor utility partitions - had to be removed

Used Symantec Partition Magic or

Acronis Disk Director

Performed updates while at each machine

Time require to encrypt each machine

Installation issues we have seen

Machine/user naming convention adopted

Image backup essential

Bandwidth issues

downloading/synchronizing database

Install Process

After Re-Start

After Encrypted Cross your fingers and re-start the machine

The bad screen after installing The good screen after installing The Good / The Bad

Log-on Troubles

How to Get into the Machine

And a Challenge it is "Sometimes"

Client enters the recovery code

Windows Log-in after recovery

I am not able to log-in to Safeboot

Catch -22 How do we demonstrate that a device does not have restricted data, especially if it is stolen? During our analysis, the incidence response team will need to determine what that machine was used for and “guess” at the likelihood of restricted data’s presence. http://buckeyesecure.osu.edu/Policy/ImplementationPlanFAQ