Do you know where your laptops are and how they're being handled? Probably not -- that's the essence of mobile computing, right? Perhaps the more important issue is whether or not you feel confident that sensitive information stored on your laptops is secure from malicious abuse when the time comes for loss or theft. I'm convinced most people aren't ready, and that the vulnerability is much greater than we think it is.
Laptop security essentials
The following are seven essential requirements for locking down laptops:
- First and foremost -- encrypt! The technology's here, and it's relatively mature and enterprise ready. I especially like whole-disk encryption, such as PGP's Whole Disk Encryption product and the BitLocker technology built into Windows Vista.
- Consider the whole-disk encryption alternatives and only encrypt specific partitions or folders. Just be careful with this. Sensitive information can easily "jump ship" and wind up being copied to an unprotected area of the disk. Consider content-based laptop encryption, such as that provided by Safeboot and hardware-based encryption, like what's included in Seagate's Momentus drives.
- Tighten up your laptop login requirements. At a minimum, require strong passwords, or better yet, passphrases. Make it policy and standard configuration to use locking screensavers with a reasonably short time-out period, such as 4-to-5 minutes.
- Ensure password re-entry is required from all modes of startup; initial boot as well as return from standby, hibernate and screensaver time-out.
- Make it policy and help instill the habit of everyone locking their screens with CTRL-ALT-DEL anytime they leave their desk. Management buy-in can really help hold users accountable for this.
- Use physical security mechanisms, like laptop locks sold by vendors, such as PC Guardian and Kensington.
- Get a handle on your unstructured information. Unless and until you know what sensitive information is stored where, it's going to be tricky justifying laptop security expenditures and making the proper controls work in your environment.
These basic controls are essential. You may even need more depending on your circumstances. One thing's for sure -- never, ever rely on your users to do the right thing to protect their laptops all the time. Whether through carelessness, ignorance, or malice, users can and will create laptop security exposures.
Encryption's not everything
For those who do encrypt their laptop drives, there is a certain false sense of security. Encrypted doesn't mean secured. It's all the business processes and usage requirements associated with encryption that typically cause problems. There are a lot of ways to exploit basic encryption controls, but there's one vulnerability in particular with laptop encryption that stands out to me. Here's the scenario: A user is logged into his laptop (often with full admin rights/access). His screen is not locked or his screensaver has a too long timeout period. He leaves his desk or seat, table, room, as is the case in restaurants, coffee shops, airports and hotels. A criminal comes by and takes the laptop with the screen unlocked and the user still logged in. The criminal now has unfettered access to the entire system for as long as the battery holds out or until he can get the laptop plugged into a universal power supply. Obviously, not good for business.
I see the potential for this scenario literally every time I'm in a public place where laptop users happen to be. Who's to say this can't happen very easily, especially in a crowded area. It's textbook -- the laptop user, trusting by nature as humans are, thinks to himself, "I'm just going to step away real quick -- everything will be safe. If someone tries to do anything, others will see it happening and stop him." Despite what we think will be done, there's something called "bystander apathy" whereby "good Samaritans" don't really do what we think they're going to do to help.
The problem is not going anywhere
The bottom line is that bad things are happening, and we can't rely on others to keep our laptops safe. Inject a good dose of technical controls backed up with policies that are actually enforced by management. This combined with a trust no one stance is the best form of vigilance for protecting your laptops. If you do experience the unfortunate do laptop breach, I've outlined what to in this article from SearchMobileComputing.com.
Sensitive information that used to be protected in a highly controlled storage environment now has feet. With laptops being the majority of new computers being shipped, combined with the fact that very few of them end up with an encrypted disk or partition, we've got a problem on our hands that's here to stay.
A new mindset is required for mobile storage security. Rise above all the laptop encryption noise and at least implement the basics. Like all things security related, a little common sense goes a long way.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Kevin can be reached at kbeaver at principlelogic.com.