[FDE] MAC OS X - FileVault

Brad Lhotsky lhotskyb at mail.nih.gov
Tue Oct 3 10:22:43 MDT 2006


We're recommending that course of action to NIH.  Apple & Microsoft have
both started the FIPS 140-2 process.  According to FISMA guidelines, if
a product is currently in process, it counts as "FIPS 140-2 Certified"
until otherwise noted.

HHS recently settled on an XP-only software FDE.  We didn't like any of
the software FDEs here as they only really solve 1 problem: your
laptop is stolen/lost while powered off.  Unless I'm mistaken,
software-based FDE only works at boot.  I've never actually shut down my
laptop, and the only time I reboot is for OS updates (it's a Mac too).

I'd also venture a guess that the majority of identity theft results
from Trojans and viruses, not physical loss.  I understand physical loss
is in the news now, but usually thieves are far more focused on selling
stolen laptops.

Plus, if someone is after your organization's sensitive data, why bother
with the possibility of being literally caught in the act when there are
so many unpatched vulnerabilities in OSes and major applications?
T.O.R. + Metasploit will give a fairly secure & reliable path into most
networks these days.

Or, just hand out USB keys with autoruns on them.  Even if the entire
organization is running without those enabled and non-administrative
rights, you're bound to hand it off to at least one executive or IT
professional who has an "exception" to policy and bam.  You could even
trade username/password combinations for chocolate bars!

I'm not enthralled by FDE, nor am I amused.  I subscribed to this list
to see if there are any valid reasons for FDE.  My personal experience
is "false sense of security", i.e. "security theater".

I'd much rather see people using folder- or file-based encryption for
sensitive data (like TrueCrypt).  Better education and less hype-based
security policies would also go further towards better security.  FDE
seems like a ridiculous inconvenience, overhead, and cost for a 1%
problem.  Granted, if that 1% problem strikes your organization, and
you're not doing FDE, expect FoxNews to rip you a new one.  Catch-22, I
guess.

Ransel Yoho wrote:
> As there do not seem to be many vendor choices for FDE for MAC OS X, what does
> the list think of the following strategy:
> 
> Use FileVault on all user accounts on a MAC OS X,  escrow the master key with
> the IS Security group.
> 
> Thanks,
> Ransel

-- 
Brad Lhotsky <lhotskyb at grc.nia.nih.gov>
Security Administrator / NIA Alt. ISSO
Phone: 410.558.8006
"Those who would sacrifice liberty to gain security
 deserve neither and will lose both." - Ben Franklin

