Version: 2008

Comments on: Some computers are too important to be networked

Computers that store your most sensitive files should be kept off-line

by mynameiscoffey November 6, 2008 6:05 PM PST
I hear about things like this all the time, I don't know why companies continue to allow this.

Might want to add heavily restricting the USB Mass Storage Devices. I've seen people walk off with sensitive information on their iPods before.
by htan68 November 6, 2008 7:09 PM PST
Infrared can be used to transfer data to other devices with infrared support.
by cheddazneez November 6, 2008 8:40 PM PST
"Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement."

Boot level authentication or full hard disk encryption will only protect the machine and data if the computer is compromised when shut off (like a stolen laptop). Once you are booted into Windows, these types of measures will provide little to no help.

Your Windows password will remain weak. In this sense, the second best measure that can be taken behind the obvious "abstinence" of remote access would be a 2 or 3 factor authentication approach, something you have (physical token - smart card, OTP app on cell phone, etc), something you know (PIN), and for extreme security (3FA), something you are (some sort of biometrics)...
by mhinnewyork November 6, 2008 11:00 PM PST
Good point about boot level authentication and full hard disk encryption only being useful if the computer is powered off. I should have mentioned that. Michael Horowitz
by TheBrewerySysop November 7, 2008 5:14 AM PST
Though most of the hack tools (if not all; I don't pretend to be an expert or even a very good hacker) require you to boot into something else, so the passwords make sense. Though correct me if I'm wrong, can't you jumper a pin on most BIOS to reset them to factory defaults (i.e. no longer have a password)? If so, then drive encryption is really the way to go.
by November 7, 2008 7:05 AM PST
Regarding the jumper pin to reset the BIOS - this was true years ago, but is no longer possible on newer laptops.
by cheesehead2 November 7, 2008 6:46 AM PST
These are all terrific suggestions. I have a problem with the assumption that it has to be this way. Sun was right - the network is the computer. The article goes through a lot of guidance in how to make your computer a dead brick. Besides, the most valuable stuff for them to sift through is communications (email). Therefore, the computer isn't even a target. This is why the military has separate networks and protects the gateways. There are two issues here.
1) Windows is too expensive. What is your time and security worth? Windows is a POS that is fantastically high maintenance and therefore expensive. Microsoft for 15 years now has shown contempt for security. They're trying to bolt it on now, but it still doesn't work. The fact that there has NOT been some world wide class action lawsuit for their delivery of products that don't work and are WILLFULLY insecure is something I will never understand. Basically, you could do everything suggested above, or simply get a different operating system. Pretty much ANY other operating system (cp/m) is more secure.
2) The network is the computer. What's the point of having a computer you're not going to use? Very little can be done on the hardware side, but the article has some reasonable suggestions. I encrypt my home directory and personal swap on the hard drive. Every OS has that available. I save sensitive files in my home directory and put large files in a different "media" directory (pictures, music) for performance. Depending on the level of encryption, that serves as a very effective deterrent for people stealing the data. However, once someone has physical access, all network and software security bets are off. The main problem is software security. If your software is insecure, get different software.

For this and many reasons, many years ago I made a decision to not own windows. I do my best not to use it. This one decision has brought so much peace to my life. No random crashes. No pressure to run the latest updates to apply the newest bugs. No constant worry and expense of maintaining an operating system just to deal with security issues. I have LOTS of free time that was once spent rebooting and patching. Sure I don't have everything I want (hardware drivers are the biggest issue - you can't just get a device and expect it should work), and I still have to tolerate windows computers once in a while, but my computers now last longer, are more productive, and are therefore more affordable.
by celticbrewer November 7, 2008 6:59 AM PST
Those are good methods to isolate your data. But, c'mon- what's the point of isolated data if you can't have people working on it and using it? Any computer with internet access is a target. Firewall or not, there's a way in. Critical services and information need to be on an internal network without any path outside- either via the internet or on physical media (from thumbdrives to prints/faxes).
by mhinnewyork November 7, 2008 5:55 PM PST
Agreed. I was thinking of a small business that might, for example, run their payroll on a dedicated computer that is never connected to the Internet. But your point about an internal network that is never directly connected to the outside world is the same concept, just scaled up. Michael Horowitz
by ivorycruncher November 7, 2008 7:00 AM PST
Haven't you seen Mission Impossible with Tom Cruise? Even the Fort Knox of standalone non-connected computers can be hacked. ;)
by mhinnewyork November 7, 2008 5:57 PM PST
The idea that a foreign entity hacked into the computers of a presidential campaign, and did it remotely, is right out of a movie. Michael Horowitz
by alh42 November 7, 2008 1:16 PM PST
The problem is... Information isn't like some gold bar, information is worthless if you lock it up.

For the information to be worth anything to the organization, you have to let people access it, use it, and develop it.

Information only has a worth when put into the mind of a human, it doesn't do any good on a hard disk in a vault.

So you will always have the access problem as long as people insist on monopolizing information.
by mhinnewyork November 7, 2008 5:59 PM PST
Your point is valid. There are extremes and each extreme is sub-optimal. In the cases I mentioned though, it appears that sensitive files were too shared. There needs to be a happy medium. Michael Horowitz
by supertramped December 1, 2008 6:40 AM PST
Perhaps instead of having an isolated computer one could store important information and files on an external Hard Drive and then "secure" the hard drive when not in use... Therefore providing an easier and far more affordable way of protecting the "valuables" but not making this so called "brick" of a computer to be stored away with very little usability options... Just my contribution...
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
