Assigned to secure vital information; need some help.

[GuesswhatyourIT]

First a tiny bit of background. I work for a government department and one of the things we do is support outside citizens who do various work for us, things like mediation, legal hearings etc. Previously notes, and actual file information, was given to these outside citizens in paper format, then shredded here at the office once they were finished with them. Information rarely left the office.

Now, in an effort to modernize and go green, these outside citizens will take notes on computers and the information will be emailed to them. I was given the task of securing their systems, because apparently I know everything about computers. We have no IT professionals on staff, I was told we have no budget to support hiring outside professionals. We do have a small amount in the budget for software. I tried contacting our government's head of Information security, which was useless. To sum up his knowledge level, he had no idea what wikipedia was.

I have done reading on the subject of securing computers but I have to admit, the more I read the more unsure I am as to the proper course of action to protect this information.

This situation is frankly quite frightening, as the information is health, legal, and financial information. This is the kind of stuff hackers would love to get their hands on.

So my question is as follows, how do I secure the computers of these outside citizens to prevent this information from being compromised?

Pertinent information:

• There are ~40 computers that will need to be secured. These comprise both laptops and desktops.
  
  
• I also assume people may want to access their email through their phone but if that makes it too difficult to accomplish then I suppose we could always tell them that is a no go.
  
  
• Operating systems include Windows 7, Windows 8 and 8.1, and Windows 10. Two people have macs, but if we cannot make the solution work seamlessly across all systems I have been given permission to tell those two people they are out of luck, so having a solution that works on a mac is not imperative.
  
  
• Email programs range from Gmail to Yahoo Mail, Hotmail, Outlook, and using a webmail service provided by their internet provider.
  
  
• Remote wipe capability was requested.
  
  
• Disc encryption is required.
  
  
• A rollback capability was requested.
  

If there is any other information you would like to know I would be happy to provide it.

I appreciate any help you can give me in this situation.

 

[SHvFl]

I can't help you on the matter because i am not capable enough and neither you as you noted. Government documents are of high value so target attacks are a possibility. I could give you a few recommendation but that will not help a lot and i don't want to provide a false sense of security.
Remember to make it obvious that what they asked you to do it's above your capabilities and you should ask for help for another government agency. Good idea is to tell this to your boss in writing so you have some proof for the future.
Ok for sure email with those emails you say it's not really secure. I assume you are going to encrypt files and send them and they will have the key to decrypt. But having a static key will not be smart so you will have to change it often. Email over mobile it's really hard to secure and more attack vectors so tell them no. Also you should force them to use emails that at least support 2step authentication(i know gmail/hotmail/outlook do have)
About drive encryption the government should have a standard and using some other will probably break some guidelines. Assuming none cares use Bitlocker which will be the easier and a free option(You need windows pro or enterprise) .
Now you need a software to lock the computer. The only one step solution i can think of that is relative low maintenance and high standard is Appguard but it also has it's limitations. See this.
The most important part would be to tell them to never take off appguard from lockdown mode and not install any extra software. You will have to make a list of software they are allowed to use on this computers or you will be lost. Then you are stuck with who will do the program updates on this computers. If they are not idiots you can let them do it but if not then your work is ever harder.
Easier solution would be if you could afford buying 40 identical laptops and then keeping one for you. Then each time they come you backup their files, use your laptop image on all computers and then put back their information. You said small budget though so i assume this is not an option.
Secure wipe i will not comment because i have no clue but make sure it is good and not easy to abuse(2step authentication/credible company/etc) or else someone will wipe all pc and guess who they will blame.
Rollback you can check Macrium Reflect it's pretty solid but in this area you will find many options. Just remember the program has to have encryption of some sort.
Good luck mate and remember to note your concerns in writing to your boss.

 

[GuesswhatyourIT]

Yah, I cannot begin to understand how they feel they can do this without a professional handling it. I was very clear about all the issues I feel stem from this in the multiple emails I sent to cover my ass.

I appreciate all your comments, they are leading me in a more directed manner than before as I was overwhelmed with options and it seemed like there was an unlimited amount of overlapping security that could be put on a computer.

Alas, they are all using personal computers. If it was possible to provide computers to everyone with a set package and then lock them down that would be amazing. That is what is frustrating as I initially assumed we could use Bitlocker for encryption but of course since the computers are personal no enterprise editions present or pro.

Again, thanks for your help. I am still hoping I can avert this disaster in its entirety.

 

[SHvFl]

I guess you can use Veracrypt then for encryption if no pro/enterprise editions.
VeraCrypt - Home

 

[shmu26]

Even if you could lock down those computers, which is not going to be easy, you still did not solve the bigger problem: people will get their gmail and yahoo accounts hacked. It happens all the time because people choose easy passwords that are hackable.

So I agree with other posters, that encryption is the solution for you.
All docs must be encrypted right away, before sending by email or uploaded to cloud storage.
You must control the encryption key, making sure it is strong.
And don't email the key to them, because then it is a sitting duck. You need to tell it to them verbally over the phone (not by text), or deliver it on physical paper. Make sure people understand not to store the password on their computer or in their email or their dropbox account, because that defeats the whole purpose.

 

[hjlbx]

If all you need to do is secure information being sent to the client - then use Proton Mail. It is free and will secure the e-mail contents. As long as the client does not save the e-mail contents to their system, it is secure.

Mobile ProtonMail apps are available.

Secure email: ProtonMail is free encrypted email.

You will have to do some reading on Proton Mail - how it works, how to set up, etc. Each client will have to set up their own account.

I am sure there are limits to the amount of data you can send each client - afterall, Proton Mail is free.

Then to make sure the information does not remain on a system, there is only one viable free option (but there is no mobile app):

- ToolWiz Time Freeze

• User signs into virtual ToolWiz Time Freeze session.
• User signs into Proton Mail.
• User views information (shall be viewed only within Proton Mail; no downloading, copy\paste, etc - for best security; may be downloaded and manipulated - but ONLY in ToolWiz virtual environment - and NOT saved permanently to physical system).
• User signs out of Proton Mail.
• User signs out of ToolWiz Time Freeze session.
• Reboot system.
  
• Infos are deleted\gone from system.

Simple procedure - but it only works if followed every time - exactly.

Using ToolWiz Time Freeze is a secondary measure - above and beyond Proton Mail - to ensure the information is safe; it is not required - IF - the client does not download the e-mails to the system.

If the client downloads the e-mail permanently to their system - to view it, copy it, study it, print it, etc - then the information is no longer secure. Even if they do not download it, if their system is hacked and\or has various types of malware - the screen can be viewed. But this would be the nightmare worst case scenario... and is statistically improbable.

There are online guides to disable remote access services and harden Windows, but this is all time-intensive. And even if you insist that the clients follow these guides, there is no way to ensure that they will actually do it.

Even if you secure a user's system, you and your governmental agency will have absolutely no control over what the client does with their very own system. Companies with multi-million dollar IT budgets face this very problem every day. While those companies do make the user's system more secure, it is a monumental effort - and still - users manage to cause all manner of problems with their systems.

You could develop a policy that clients must sign into their systems using a Limited User Account - but how do you enforce that all the time ? Same with securely destroying any information copied manually using pencil & paper - how do you enforce it ?

There is no way you can secure other people's computers; even with a big IT security budget - it is a futile enterprise. Users will mess up everything you do to secure their systems... everything that can go wrong will go wrong. Plus, you will constantly have to provide support for modifications that you make to their systems.

You cannot secure another person's computer without - at the least - a large amount of knowledge, time and effort PLUS physical access to their system.

The best you can do to achieve your goal of securing the information is to send it encypted. After that, there is virtually no control over it...

I feel for you buddy...

The only other solution is for your governmental agency to have a portal - in which clients can sign into to view the information - but not be able to copy, paste, download, etc the information.

There is a product that does this for free (Quarri MyPOQ). Each user would have to sign up for the account independently. But it might or might not cause problems on various systems: XP thru W10. It only works with certain browsers - last time I check Internet Explorer.

And then there is the learning curve to operate a secure system on top of implementing it.

On top of all of this -- your government agency's own computers are very likely not secure...

Disk encryption will almost certainly cause problems for some systems - in one way or another (VeraCrypt - free).

Rollback functionality will almost certainly do the same (Rollback RX Home - free).

There are free options for all of what you listed as the requirements, but implementing all of them will require a massive amount of time and effort. I estimate a year - to learn each soft, to implement, to train, to sort out problems.

You know, using mobile devices to view\manipulate sensitive infos isn't very secure. It depends upon whether it is simply viewing an e-mail or other types of files - like documents, spreadsheets, etc.

 

[_CyberGhosT_]

@GuesswhatyourIT
like hjlbx suggests,
Make all users utilize ProtonMail and set expiration dates so the communications will delete after X amount of time ?
When sending a new communication through ProtonMail you have the option to deploy this feature.
If you can convince them to all download the App or for PC users create an account and explain it's for their own security and piece of mind they may comply,
then the info sent will be encrypted both ways without you having to do anything. I believe ProtonMail has a iphone app as well.
Good Luck

 

[GuesswhatyourIT]

Thank you guys very much. I appreciate all your help. @hjlbx I really appreciate your deep dive into it. I feel like your solution provides what is needed in a way that should be possible given the impossible situation. And yah, our government agency's computers are far from secure. The horror stories I have about the way we do IT and security here are insane.

Can't say enough good things about this forum.

 

[jamescv7]

Encryption the hard drive and documents to avoid any possible leaks because of someone manage to access it.

Government documents are prone on sensitive leaks so that is your number one priority.

Next stop as mentioned was rollback program and system image maker to revert any changes easily no matter if struck like ransomware.

Another suggestion is use Appguard as hardening protection, yes it can be confusing because of complicated structure but many manuals in the internet to provide easy steps.

You may add McShield to remove USB based worm attacks and turn off Autoplay by going to Control Panel.

 

[Deleted member 178]

First of all, those computers are property of the company or their personal computers?

This is important because if it is the company's computers, you have full power on how you set the security.

 

[SHvFl]

First of all, those computers are property of the company or their personal computers?

This is important because if it is the company's computers, you have full power on how you set the security.

He said on this second reply it's personal computers unfortunately.

Alas, they are all using personal computers.

 

[Deleted member 178]

so nothing much to do except installing some light protection with low user input...

 

[Deleted member 178]

• Email programs range from Gmail to Yahoo Mail, Hotmail, Outlook, and using a webmail service provided by their internet provider. Try Protonmail, efficient & secure.
• 
  
• Remote wipe capability was requested.
  
  
• Disc encryption is required. Veracrypt
  
  
• A rollback capability was requested. Try Shadow Defender , Rollback RX is too unstable in unaware hands.

 

[hjlbx]

@Umbra - I don't think they have the $1200 for Shadow Defender; why I suggested:

• Proton Mail
• ToolWiz Time Freeze
• VeraCrypt
• Rollback RX Home

However, the clients will be using mobile devices to access e-mail - so it doesn't really matter... LOL.

If the just use Proton Mail and never save anything to disk, then that is about as good as it is going to get - using all free products.

 

[Deleted member 178]

yep, in that case TTF is the only choice.