Of laptop data security
Done the basics - or sleepwalking along a precipice?
Perhaps the first thing to say is: “It's nobody's fault.” We could blame the laws of physics for the current capabilities of laptops, but not those who discovered them, nor those who have successfully pushed the data storage of hard disks to terabyte capacities. Nor indeed, the people who squeezed the processing equivalent of several mainframes into the flat rectangle of electronic wizardry that we give to our mobile workers.
The downside, of course, of being able to carry the equivalent of several million copies of Encyclopedia Britannica in a briefcase, is that we can now lose, corrupt or inadvertently reveal vast quantities of information, whereas before we could only do so for relatively small quantities. It is like living in a palace after living in a shed - but of course, the shed had one door and a single room to maintain.
All the same, the risks associated with storing data on a laptop remain relatively straightforward to define. First, any piece of information will have an associated value, be it a laundry list or the recipe for Coca Cola – it only takes one slip of paper to be left on a photocopier to find out the difference. Similarly, a single spreadsheet may contain cricket scores, or indeed the pricing structures offered to different customers.
The scale of today's laptops gives us increased risk – it is now far easier to store a great deal more information than before. A terabyte could easily equate to the entire repository of information for many businesses, for example, and with that much space available, it is tempting to store as much as possible. This does increase the risk of having high-value information in the mix, which also raises the bar in terms of protection needed.
We can consider the threats in terms of the acronym CIA - that's:
- Confidentiality - that only those who should see the information, can see the information.
- Integrity - that the information cannot be changed without authorisation or knowledge.
- Availability - that the information is protected against loss.
For laptop users, there are some relatively straightforward mechanisms that can be implemented to reduce the risks of each.
Both confidentiality and integrity need to be dealt with in a number of ways. The first is to ensure the information itself is protected. By far the simplest mechanism is to ensure the laptop is password protected - either at login time or, for the more security-conscious, in the BIOS.
But this does not protect against someone removing the hard drive. To protect against this, most current laptop operating systems have some kind of hard disk encryption mechanism built in – there’s BitLocker for Windows Vista, for example.
Also, the Trusted Computing Group has just announced a specification for direct hard drive and USB stick encryption, which should help things even more.
You don't have to be an expert to extract information from a laptop, if the person in front of it insists on showing it to all and sundry. On trains, in planes and in cafés, there have been countless, quite flabbergasting occurrences of business executives showing off their corporate secrets, in spreadsheets or slide decks.
It would be funny if it wasn’t so frequent – perhaps it is the ultimate demonstration of the belief that security breaches only happen to other people (the best example I can remember was a loud-mouthed senior exec of a systems integrator explaining to a colleague – and indeed the rest of the carriage – how to interpret next year’s competitive analysis spreadsheet).
It's not just the 'data at rest' that needs protecting, but also 'data in motion' - as we describe in another article, for example, rogue Wi-Fi hotspots can capture information from unsuspecting users. Surprisingly perhaps, individuals do not always use the basic protections available to them - using secure channels to access their email servers, for example. For larger organisations, SSL VPN is another mechanism to protect against this threat – not only do such encrypted links give secure access to corporate systems, but they also mean mobile workers will be using corporate protections when they access the Internet.
Data leakage protection (DLP) deserves a mention here, as a technology which will monitor what's being sent through a corporate firewall and block anything that looks suspect. We need to remember that security breaches can be as much down to stupidity as malice, and also that a laptop user may well be accessing the internet directly rather than via a VPN.
An information leak may be quite simply a case of attaching the wrong file to an email, or sending it to the wrong person - who hasn't inadvertently used the 'autocomplete' feature in their email client, and sent a document off to the wrong 'Sarah' or the wrong 'Graham'? As individuals we should question how much we need such features in the first place, and whether they are worth the risk.
And let's not forget the ever-so-obvious topics of anti-virus, personal firewalls and so on. Just because there isn't currently a big scandal about computer worms hacking information off hard drives and posting it on the Internet, that's probably just because the hackers haven't got around to it yet. Your McAfee or Norton may be up to date, but when did you last patch your operating system and applications?
Lastly, we have availability. This can be dressed up in all kinds of ways but in its most simple form it equates to being confident that the information we had yesterday will still be there tomorrow. The laptop’s biggest strength is also its greatest weakness in this respect - that of portability. It is quite possible to lose every last bit of information one has, just by leaving it on the bus. Equally, only the most resilient of laptops can resist the effects of knocking a glass of water over the keyboard; note also that most hard drives are mechanical - marvels maybe, but prone to damage.
The answer is backup - which can be as straightforward as taking a copy of important data on a USB stick and stowing it somewhere sensible (USB sticks can be a solution as well as a problem – but see confidentiality, above). Mobile workers don't always have access to corporate systems, which means they are not always going to be supported by corporate backup mechanisms; equally, offline access can result in storing more information than strictly necessary on the local drive. Using a laptop without doing personal backups is like driving without a safety belt, in the vain hope that accidents only happen to other people.
In conclusion then, there may be corporate mechanisms in place for data security, but these do not always extend out to laptop users. There’s always more that we can do, but those who do not follow the basics are sleepwalking along a precipice. ®
@AC - 9/2/209 07:40
Who the hell needs cloud computing? Ever heard of VPN?
Hide it in the Cloud
If your site was not so rabidly against cloud computing, your correspondent could have suggested a very good alternative to safeguarding the data - keep it in the cloud with a strong log-in password, or even encrypted.
Nothing to lose if the netbook goes AWOL!
Federico el Sueco
shades of gray
Lost or stolen laptops (pretty common in my experience), misplaced flash, CDs / USB HDs and the inadvertent leaking of next year's marketing campaign to the rest of the railway carriage (or the guy in the next seat) have a lot in common with ankle-biting malware outbreaks. Even those of us lucky enough to have been able to convince management to enforce a locked down laptop config (users are users, not admins, and can only write to My Docs - see the MS XP Hardening Guide for waaay more detail on that) still get regular malware detects, and sometimes these are of things that sneaked onto a machine weeks or months earlier and are only now being detected by updated AV signatures. 99.9% of the time they're nothing worse than a nuisance, though.
In principle, finding out the CFO's laptop's had a typical remote access trojan/rootkit/password sniffer installed for the last 6 weeks should elicit a code red, OMFGwe're-all-doomed, Major Security Incident Plan, response. 99 times out of 100, though, it's just a random drive-by download via an infected banner ad site or such like. The attacker was only ever interested in adding the infected machine to his botnet to spew spam or DoS traffic, or in grabbing direct access to dosh - bank account login credentials. In theory the attacker *could* be working for the NSA, or the company's main competitor, or serious industrial espionage types, but it's pretty unlikely. In the same way, the proverbial USB key in the pub carpark with a spreadsheet of PID on it is much more likely to be picked up by Owld Jolter weaving his way home via the Offie and kebab shop who's going to either use it as a spare flash stick (or a toothpick) than to be found by someone who'll analyse the data, realise what it is and think "Aha, this would be very useful if I were (the head of SMERSH / Chinese Espionage / $competitor)!". Even if they do realise it, they're much more likely to take it to the press than the Chinese Embassy - and doing otherwise could mean a long stretch at one of HM's less exclusive guesthouses. I would hope that a typical corporate whose CEO is approached by a dodgy geezer loitering by reception going "Pssst, wanna buy some 'interesting information' ?"
Likewise, the odds of having an infosec journalist in your carriage are - well, higher than that, especially in London, but still pretty low I imagine. The fact is that people high enough up their orgs to have their own sensitive data - C-level execs, some FLAC wonks, HR perhaps, dev if they're a dotcom or s/w development firm - often have a delusional concept of how important their work is to the world at large. What makes my life as an infosec grunt interesting is the /other/, much rarer sort of attacker: the malicious insider, or the external targeted attacker. Anyone paying attention knows there really ARE state-sponsored industrial espionage attackers and aggressive, highly skilled and motivated criminals after a 7 or 8 or 9 figure score who are prepared to spend six months scoping your systems and networks before even beginning active attacks. Those buggers are much, much harder to defend against...