To everyone complaining that this is paranoia, you don't know what OP does for work, this is a legitimate question please stop putting people off from wanting to secure themselves. Sure they can be paranoid, as long as they get their work done, it makes them happy, and makes them comfortable. Lots of work stuff can be very sensitive, and that's where most people need to care more imo. Provide OP with suggestions, let him decide what he should do based on his determination of his threat model. At least he is informed at most.
Here are some suggestions, even a few is better than none:
- If you can, just bring your own device. You can get a Thinkpad T430 for example, and buy the dock, keep the dock at work hooked up and then just bring the laptop and hook it up.
It'd be a dedicated work device. If you're worried about the dock itself getting stolen, you can throw it on a Kesington lock, this may deter a bit. But at least the laptop itself isn't at work.
- If you bring it back and forth to do work at home, turn on random mac address on the machine, and also put it on an isolated VLAN that can't talk to your main network. If you don't and never need to do work at home, never let it touch your wifi. Most thinkpads have a wireless killswitch btw.
- In bios, turn off anything you don't need, such as bluetooth, microphone, webcam, etc.
- If you can, remove the webcam and microphone. If you need to use a webcam and microphone, but external ones and hook them up when you need them. Unplug when not in use.
- Install a minimal install of some GNU/Linux distro, such as Arch or Gentoo. Keep backups.
Use full disk encryption on both the backups and the machine
- Don't allow automounting usb's, you can setup a script you run or there are some that do it, but just don't let them automount.Post too long. Click here to view the full text.