[ISN] Laptop loss: How to avoid becoming the next Starbucks

From: InfoSec News (alerts@private)
Date: Sun Nov 12 2006 - 22:08:30 PST


http://www.networkworld.com/news/2006/111006-laptop-loss.html

By Deni Connor
Network World
11/10/06

When Starbucks earlier this month revealed it couldn't find four laptops 
containing data on thousands of employees, IT administrators everywhere 
once again were forced to ask themselves: What's our policy on protecting 
data on mobile devices?

The seemingly never-ending string of high-profile data loss cases, from 
Los Alamos National Laboratory to Allina Health to U.S. Veterans Affairs, 
is pushing more organizations to encrypt data on such devices as laptops 
and USB flash drives, and establish associated security policies.

"We do have policies specific to laptops that fall under our Mobile 
Device Policy," says Tom Gonzales, senior network administrator for the 
Colorado State Employees Credit Union in Denver. The organization has 
codified a policy for securing laptops, disk drives, USB flash drives 
and CD-ROMs.

Gonzales describes the policy this way: "USB ports are disabled using the 
Cisco Security Agent, so only certain people such as IT can write to 
flash drives. We usually don't encrypt the entire drive on users' laptops, 
but do provide secure storage areas so that end users can just save the 
files to that location and they will always be encrypted. Our desktop 
PCs don't have floppy drives or CD-ROM writers."

The reason that companies are going to these extremes is clear: Data 
loss is costing them lots of money. The Ponemon Institute suggests each 
incident costs about $4.7 million ($182 per record). Using these numbers, 
the incident at Starbucks put as much as $10.9 million of data at risk. 
(Starbucks said in a press release it is not sure what became of its 
laptops but has seen no evidence that data has been misused.)

Given the sensitive nature of security policies, some IT and network 
professionals are reluctant to discuss their policies regarding data 
protection on removable storage devices and mobile gear.

"Policy prevents me from answering most of your questions so I should 
probably decline," says Ken Walters, senior director for enterprise 
platforms at the Public Broadcasting Service in Alexandria, Va. "My 
personal feeling is that we need some easy way to encrypt all data 
leaving the building and a mechanism that allows only the authorized 
employee to see it."

For Lenny Goodman, director of desktop management for Baptist Memorial 
Hospital in Memphis, Tenn., protecting data on laptops, flash drives and 
other removable media is an everyday experience that started with the 
hospital's adhering to the Health Insurance Portability and 
Accountability Act.

"Compliance is a 'supposed to' approach to managing the enterprise, whereas 
it infers best practices, the things we should do whether we want to be 
compliant or not," Goodman says. "Encryption is a 'should do' thing."

Goodman protects the data stored on USB flash drives with software from 
Safend that identifies when a USB drive is connected to the network and 
lets IT set policies that allow or disallow their use.

"Like all organizations, we have discovered rather prolific use of 
inexpensive, plug-and-play thumb drives," Goodman says. "We didn't provide 
them, but that didn't stop our users from taking advantage of the 
technology. When you start seeing 1GB thumb drives available at Target 
or in a Sunday newspaper brochure, you know that they are going to show 
up in the enterprise, and whether there is malice or not, it's something 
the enterprise has to address."

Goodman wrote a policy for managing flash drives, identified the flash 
drives in use at his organization and replaced them with Kingston's 
DataTraveler Secure flash drives. The Safend software recognizes only 
the Kingston drives and disallows others.

"Where there was a legitimate business need for removable storage, we 
provided a solution that had password protection and nonoptional 
encryption," he says.

At Baptist Memorial Hospital, as many as 6,000 desktops and 100 laptops 
are protected with the Kingston/Safend combination.

"We are encrypting hard drives," he says. "On our older PCs, we've disabled 
the diskette drives through group policy. We do not have CD burners. 
Users that bring in CD burners are detected through our endpoint 
control."


A more flexible approach

Other IT professionals are less concerned with laptop and USB security, 
saying they leave the decision to encrypt data or password protect it up 
to users.

Jeff Mery, system administrator for an instrumentation and test 
equipment manufacturer in Austin, Texas, says controlling removable 
media such as flash drives is nearly impossible in his environment.

"The main reason is the vast majority of our users are engineers that 
have very valid business reasons for using USB and CD-ROM media in their 
day-to-day jobs," he says, adding that he is considering drive encryption 
for desktop and laptop users. "Whole-drive encryption is one reason we're 
looking at Microsoft Windows Vista and its BitLocker technology," he 
says. "Users can currently encrypt data they feel needs it, but BitLocker 
will allow us to transparently encrypt the entire disk. Users won't have 
to remember to encrypt or what's been encrypted."

For Dominic Marcinelli, vice president of IT at Rackable Systems in 
Milpitas, Calif., laptop users' default configuration is a home directory 
located on a network drive. When users connect with the network, data is 
synchronized, enabling automated backup.

Marcinelli, like Mery, doesn't have a policy for USB drives or CD-ROMs. 
"We do ask that users use their best judgment," he says. "We do have 
policies for PDAs: if a PDA falls out of someone's pocket in New York, we 
want to be able to remotely erase its contents." Marcinelli relies on 
passwords to protect laptop contents and is looking to implement 
encryption by year-end.

All contents copyright 1995-2006 Network World, Inc.

