http://www.eweek.com/article2/0,1895,1943208,00.asp By Eric Lundquist March 27, 2006 Opinion: Keeping your sensitive data off your laptop can help you keep your job. Following these rules and guidelines to avoid becoming another in the long line of recent data theft victims. How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee. What follows is my guide to keeping from being a professional Slurpee machine operator for the rest of your career. The most important rule: 1. You will get fired for losing your data, but you will not get fired for losing your laptop. Well, maybe you will get fired for losing your laptop; I don't know your company's policies. But I do know I have never heard about a company being forced to make a public announcement because an employee lost a laptop. I have read lots of stories about companies being forced to announce they lost customer data. In this age of endless regulation, this public shaming will only increase. You don't want to be the one stuck in the laptop pillory. Therefore, remember: If the customer data does not exist on your laptop, it cannot be stolen from your laptop. Most articles on laptop security start backward. Here's how you can encrypt your data and your files. Here's how to change your BIOS. Here's how to etch and chain your laptop to the leg of the table. Here's how you can dismantle your infrared port. Here's how to secure your USB ports. I'll get into all of those, but the safest way to keep you from being a Slurpee-lever puller is to not have the data on the laptop in the first place. If the data you are displaying or manipulating for your big-time financial deal really resides only at the corporate headquarters, then your laptop is in the clear. It is up to the IT security staff at HQ to figure out how to build a secure channel, provide user authentication and make sure the valuable data is being displayed but not downloaded. Not your problem. If you are the entire IT staff, then it is your problem, but, then again, you know who you are, which makes authentication a whole lot easier. Far greater minds than mine have worked at making thin clients fast, secure and reasonable in price. I think this year will see a big shift to this architecture based on security considerations alone. Citrix is a good place to start looking at and understanding thin-client computing. Also, Sun, with its Sunray strategy, and CA (in particular, its affiliation with Wyse Technologies) are committed to thin-client strategies. Microsoft is more conflicted in offering thin computing. This is a hot area of enterprise startups. On the hardware side, there are several diskless laptop offerings. The second most important rule: If you are not going to leave your data back at the company HQ, then divorce your data from your laptop. People used to do this with floppy disks. Now you can put your data with relative security on a USB drive that travels with you rather than traveling in your laptop. I'll answer the question, "What if my USB is stolen?" in a moment. But, first, a little divergence to talk about data and data storage. When people kept paper files in folders, they used to set up a hierarchy of storage. The files you used all the time but weren't confidential were readily available. The files you only used once in a while were shifted to some file cabinet in the storeroom. The files that were private but not super-confidential were kept in a locked cabinet. The files that really, really mattered and were confidential were kept locked away and had to be signed out and signed in and, often, read only in certain areas to keep you away from copy machines. Remember all those spy movies with the files and the tiny cameras? Laptop computers and the software that runs those machines often treated all files as one big heap of files that any user, once logged on, could peruse as their curiosity led them. This is changing, but it is still a hassle. The file might be secure, but the presentation made from the data might not be secure. The file might be secure, but the spreadsheet that links to the data might not be secure. This leads to the odd situation where the data might be secure, but the information created from the data is not secure. If the best answer (see rule number one) is to keep your data back at HQ, then the second-best answer is to keep your data divorced from your laptop. There are many ways to do this today, but most of them involve a storage device being attached to a laptop via a USB port. Those drives can be further protected by passwords and encryption. This is still a second-best answer, in my opinion. Passwords can be stolen and encryption can be defeated; although, at the point where someone is hacking your password and defeating your encryption, you are up against a professional data thief. But you are still way ahead of the game of leaving your data on your laptop. If you treat the USB drive as what it is: the only thing standing between riches and the Slurpee machine, you can lose the laptop and still keep the job. But all your private data and presentations, files and so on associated with that data all have to reside on that drive. You can always back up the data at HQ where backed-up data is supposed to reside. Get a special little case for your USB drive rather keep it in your pocket, and make sure the drive is in that case when it is not attached to your computer. The USB drive market may be the fastest changing tech business on the planet. You can get drives that require fingerprint authentication. You can get drives that shred the data after a certain number of password attempts. All those products are intriguing. The better idea is to not lose the drive and to keep it separate from your laptop. Which gets us to the laptop. Your laptop is not secure and is an easy target for someone wanting to steal data or simply to steal your laptop. Your laptop isn't secure because it was never designed to be secure, and all the security features are bolt-ons added after the fact. That cool wireless connection always searching for the next Wi-Fi hot spot? Big hole. Those USB ports ready to accept all those nifty USB devices? They are ready to cough up your data. The password you always forget? The hackers are better guessers than you are and are more than ready to look over your shoulder. If you remember that your laptop is not designed to be secure, you will gain a lot more respect for rules 1 and 2. There is plenty you can do to make your laptop harder to hack, make your file folders more secure, make your files contain encrypted data and to shut down the easy access into your computer via all those nifty sockets. I'll go over those, but you should really read rules 1 and 2 again. A lost laptop is not a big deal if it doesn't have any confidential data on it. Try saying this, "Gee boss, somebody stole my laptop out of the hotel room while I was at dinner. What a bummer, but you should know first off that I made sure that all my data was (and here you can go off script) (1) safe back at the home office or (2) safe in the USB drive that I keep locked in the hotel safe." That is a far easier conversation to have. Here are some ways to secure your laptop: 1. Encrypt everything and make sure the encryption extends all the way to before you boot up of the system. I haven't tried it yet, but a product that intrigues me is from a company called WinMagic. The product is being incorporated into Toshiba notebooks in Japan. WinMagic is working with the Department of State on a Homeland Security project. 2. Make your Microsoft operating system password-protected and encrypted. This is at least a minimum starting point. 3. Use password protection in general. You can have passwords for your BIOS (the stuff your computer needs to know before it starts), for your operating system, for your files and probably for just about any other part of your computer. If you rely on passwords for your sole source of protection, you might as well leave the system wide open. Passwords will deter the curious but will not deter the determined. Don't store your passwords on your computer. They are safer on a piece of paper in your wallet than in any electronic file. Don't assume a password that keeps you from starting up your computer also protects the data on a disk drive. You'd be surprised how easy it is to take a disk drive out of one computer, put it in another system and start reading files. 4. Lock up all those leaky ports. I think your first (and maybe your last) stop should be Safend. Is was the first to bring to my attention over a year ago the vulnerabilities inherent in USB as well as Bluetooth wireless and all those other ports where data can flow. This company understands the problems associated with locking down the laptop. _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Wed Mar 29 2006 - 00:55:43 PST