data recovery

From: Darren Welch (WELCHDat_private)
Date: Thu Dec 13 2001 - 10:14:01 PST


    Hi Again,
    
    Sorry if this is long. I'll try to be brief. I am looking to protect the data on our corporate PCs. I am evaluating solutions from the following perspectives: 1. security strength, 2. ease of implementation, 3. administration, 4. recovery/investigation.
    
    I am investigating three solutions: 1. BIOS passwords, 2. hard disk encryption, 3. drive locks.
    
    From the security strength perspective I rate BIOS passwords the least in strength, a far distance away from 2. hard drive encryption, with the strongest being drive locks.
    
    From an ease of implementation aspect I would rate the BIOS password to be the easiest to implement, followed by the drive lock, then followed by the encryption. The BIOS and drive lock implementation would occur at the corporate distribution center, taking minutes to implement, whereas the hard disk encryption would take several hours to complete.
    
    From the administration aspect, the BIOS password can be set at user level and also administrator level on most PCs. Plus, when one needs to be reset it is relatively easy. (Except new IBMs; see below.) The hard disk encryption package I am evaluating comes with a password recovery engine and master key. There are also several other methods. The drive lock, I do not know enough about from an administrative standpoint.
    
    From a recovery aspect, I want to be able to secure the data to the utmost, but I also need to be able to recover data. As the only forensic examiner in the company, I cannot waste time getting into a PC. (Employment at will is great, but firing a person for not disclosing a password will still leave me unable to prosecute if I cannot get the evidence.) From that perspective, does anyone know a way around drive locks? I do not know of a recovery service out there that can recover a locked drive. I can get around the encryption with the master key, and the BIOS isn't difficult (except for the new IBM laptops... I'll provide models for anyone who wants them). The BIOS password is linked with the partition table of the hard disk. The two have to be connected to get access to the drive. Resetting the BIOS on the board without resetting the drive will get you nowhere. Also, removing the drive gets you nowhere. A boot disk with a BIOS crack gets you nowhere because you are prompted for the password before the floppy even mounts. Changing one without the other results in an inaccessible drive until the passwords are again synced. I had to actually go into the CMOS with the passwords, disable them, save the settings, then exit, then power down as quickly as possible. I then recorded the fifty some files that were accessed during that time, noted them, and included in the report an explanation.
    
    So with solutions in mind and looking at it from these perspectives, which would you choose? I am leaning on hard disk encryption mainly for good security but also to have a way back in for me to investigate people later. Sorry this is so long. Thanks for any help.
    
    Darren Welch
    Manager, Information Security
    Technical Applications
    150 N. Radnor-Chester Road
    St. David's, PA 19087
    610-902-2676
    welchdat_private
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 06:33:29 PST