[ISN] Lundquist's Guide To Not Getting Fired for Losing Your Laptop

InfoSec News isn at c4i.org
Wed Mar 29 03:40:10 EST 2006


http://www.eweek.com/article2/0,1895,1943208,00.asp

By Eric Lundquist 
March 27, 2006 

Opinion: Keeping your sensitive data off your laptop can help you keep
your job. Following these rules and guidelines to avoid becoming
another in the long line of recent data theft victims.

How often do we have to read about someone losing a laptop with a
bunch of client data? I've included some links to recent stories:  
Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop
Stirs Fear of ID Theft. Stop and think for a second. You are a
high-powered road warrior jetting around the world making lots of
complex but incredibly lucrative financial deals. You lose your laptop
with all that important information. You have to call your boss back
at the home office. Your next job involves asking customers if they
want the large or the super-jumbo Slurpee.

What follows is my guide to keeping from being a professional Slurpee
machine operator for the rest of your career.

The most important rule:

1. You will get fired for losing your data, but you will not get fired
for losing your laptop. Well, maybe you will get fired for losing your
laptop; I don't know your company's policies. But I do know I have
never heard about a company being forced to make a public announcement
because an employee lost a laptop. I have read lots of stories about
companies being forced to announce they lost customer data. In this
age of endless regulation, this public shaming will only increase. You
don't want to be the one stuck in the laptop pillory. Therefore,
remember: If the customer data does not exist on your laptop, it
cannot be stolen from your laptop.

Most articles on laptop security start backward. Here's how you can
encrypt your data and your files. Here's how to change your BIOS.  
Here's how to etch and chain your laptop to the leg of the table.  
Here's how you can dismantle your infrared port. Here's how to secure
your USB ports. I'll get into all of those, but the safest way to keep
you from being a Slurpee-lever puller is to not have the data on the
laptop in the first place. If the data you are displaying or
manipulating for your big-time financial deal really resides only at
the corporate headquarters, then your laptop is in the clear. It is up
to the IT security staff at HQ to figure out how to build a secure
channel, provide user authentication and make sure the valuable data
is being displayed but not downloaded. Not your problem. If you are
the entire IT staff, then it is your problem, but, then again, you
know who you are, which makes authentication a whole lot easier. Far
greater minds than mine have worked at making thin clients fast,
secure and reasonable in price. I think this year will see a big shift
to this architecture based on security considerations alone. Citrix is
a good place to start looking at and understanding thin-client
computing. Also, Sun, with its Sunray strategy, and CA (in particular,
its affiliation with Wyse Technologies) are committed to thin-client
strategies. Microsoft is more conflicted in offering thin computing.

This is a hot area of enterprise startups. On the hardware side, there
are several diskless laptop offerings.

The second most important rule:

If you are not going to leave your data back at the company HQ, then
divorce your data from your laptop.

People used to do this with floppy disks. Now you can put your data
with relative security on a USB drive that travels with you rather
than traveling in your laptop. I'll answer the question, "What if my
USB is stolen?" in a moment. But, first, a little divergence to talk
about data and data storage.

When people kept paper files in folders, they used to set up a
hierarchy of storage. The files you used all the time but weren't
confidential were readily available. The files you only used once in a
while were shifted to some file cabinet in the storeroom. The files
that were private but not super-confidential were kept in a locked
cabinet. The files that really, really mattered and were confidential
were kept locked away and had to be signed out and signed in and,
often, read only in certain areas to keep you away from copy machines.  
Remember all those spy movies with the files and the tiny cameras?

Laptop computers and the software that runs those machines often
treated all files as one big heap of files that any user, once logged
on, could peruse as their curiosity led them. This is changing, but it
is still a hassle.

The file might be secure, but the presentation made from the data
might not be secure. The file might be secure, but the spreadsheet
that links to the data might not be secure. This leads to the odd
situation where the data might be secure, but the information created
from the data is not secure.

If the best answer (see rule number one) is to keep your data back at
HQ, then the second-best answer is to keep your data divorced from
your laptop. There are many ways to do this today, but most of them
involve a storage device being attached to a laptop via a USB port.  
Those drives can be further protected by passwords and encryption.  
This is still a second-best answer, in my opinion. Passwords can be
stolen and encryption can be defeated; although, at the point where
someone is hacking your password and defeating your encryption, you
are up against a professional data thief.

But you are still way ahead of the game of leaving your data on your
laptop. If you treat the USB drive as what it is: the only thing
standing between riches and the Slurpee machine, you can lose the
laptop and still keep the job. But all your private data and
presentations, files and so on associated with that data all have to
reside on that drive.

You can always back up the data at HQ where backed-up data is supposed
to reside. Get a special little case for your USB drive rather keep it
in your pocket, and make sure the drive is in that case when it is not
attached to your computer. The USB drive market may be the fastest
changing tech business on the planet. You can get drives that require
fingerprint authentication. You can get drives that shred the data
after a certain number of password attempts. All those products are
intriguing. The better idea is to not lose the drive and to keep it
separate from your laptop.

Which gets us to the laptop. Your laptop is not secure and is an easy
target for someone wanting to steal data or simply to steal your
laptop.

Your laptop isn't secure because it was never designed to be secure,
and all the security features are bolt-ons added after the fact. That
cool wireless connection always searching for the next Wi-Fi hot spot?  
Big hole. Those USB ports ready to accept all those nifty USB devices?  
They are ready to cough up your data. The password you always forget?  
The hackers are better guessers than you are and are more than ready
to look over your shoulder.

If you remember that your laptop is not designed to be secure, you
will gain a lot more respect for rules 1 and 2. There is plenty you
can do to make your laptop harder to hack, make your file folders more
secure, make your files contain encrypted data and to shut down the
easy access into your computer via all those nifty sockets. I'll go
over those, but you should really read rules 1 and 2 again.

A lost laptop is not a big deal if it doesn't have any confidential
data on it. Try saying this, "Gee boss, somebody stole my laptop out
of the hotel room while I was at dinner. What a bummer, but you should
know first off that I made sure that all my data was (and here you can
go off script) (1) safe back at the home office or (2) safe in the USB
drive that I keep locked in the hotel safe." That is a far easier
conversation to have.

Here are some ways to secure your laptop:

1. Encrypt everything and make sure the encryption extends all the way
to before you boot up of the system. I haven't tried it yet, but a
product that intrigues me is from a company called WinMagic. The
product is being incorporated into Toshiba notebooks in Japan.  
WinMagic is working with the Department of State on a Homeland
Security project.

2. Make your Microsoft operating system password-protected and
encrypted. This is at least a minimum starting point.

3. Use password protection in general. You can have passwords for your
BIOS (the stuff your computer needs to know before it starts), for
your operating system, for your files and probably for just about any
other part of your computer. If you rely on passwords for your sole
source of protection, you might as well leave the system wide open.  
Passwords will deter the curious but will not deter the determined.  
Don't store your passwords on your computer. They are safer on a piece
of paper in your wallet than in any electronic file. Don't assume a
password that keeps you from starting up your computer also protects
the data on a disk drive. You'd be surprised how easy it is to take a
disk drive out of one computer, put it in another system and start
reading files.

4. Lock up all those leaky ports. I think your first (and maybe your
last) stop should be Safend. Is was the first to bring to my attention
over a year ago the vulnerabilities inherent in USB as well as
Bluetooth wireless and all those other ports where data can flow. This
company understands the problems associated with locking down the
laptop.





More information about the ISN mailing list