Mobile computing demands special treatment from security pros. This article explains the practices you need to ensure that you can safely deploy and manage mobile devices and protect the data they contain.
What laptop security means to your business
What comes to mind when you hear the term "information security"? Perhaps you think of firewalls, antivirus software, passwords, patches and the like? Well, if so, you're not alone. The central focus of information security as we know it is on the protective controls that help keep the riff-raff out of our networks. A large amount of money is spent securing Web applications, fending off viruses and patching servers, and that's fine. The problem lies with the grave security oversight present in many -- arguably most -- organizations: not locking down laptops.
But what does laptop security really mean to your business? Well, for starters, information security isn't the same across the board. Web application security is one thing. Server security is something else. Different systems are exposed to different risks, creating business liabilities in their own unique ways. The systems that most security controls are focused on (applications, databases, etc.) are contained in a relatively small, controlled environment. But mobile laptop systems are everywhere: inside the network, outside the network, literally strewn about the world and undoubtedly out of your control.
It's not just a problem in and of laptops themselves. More important is the sensitive data they contain. In any given organization, odds are nearly 100% that any given set of laptop computers has various sensitive information stored on it, and this data is at risk every single day. This not only poses general business liabilities but also creates compliance gaps across the board. From Sarbanes-Oxley and PCI to HIPAA, GLBA and beyond, I see compliance exposures resulting from weak laptop security in practically every security assessment I perform. And the right people -- the ones who are ultimately responsible for information security -- rarely know about the problems this poses.
I can't think of a greater exposure to any given business than under-secured laptop computers. Laptop computers contain the goods (sensitive customer data, confidential internal documents, passwords to access the network and more), and the goods are so easy to get to. When an under-secured laptop is lost or stolen, it takes only 10 minutes or so to gain full access to everything on the system. How's that for business exposure?
A big contributor to laptop insecurities is plain and simple: Business managers and IT administrators aren't being responsible with their goals for information protection. There are too many other fires to put out. It's no excuse, but it is reality. IT shops are undervalued and under-funded -- especially when it comes to touching and properly securing each and every laptop within the organization.
The security problem continues with IT focusing too much time and effort on other areas of security that don't (or shouldn't) matter as much. Johann Wolfgang von Goethe once said, "Things that matter most must never be at the mercy of things that matter least." In the spirit of von Goethe, it's time to share the security efforts on the big risks such as those introduced by improperly configured laptops. This means prioritizing how money and effort are being spent and focusing on the highest-payoff tasks. With the word "laptop" appearing nearly 300 times in the Privacy Rights Clearinghouse Chronology of Data Breaches, there's no arguing that we've got a business problem on our hands. And the hundreds of laptop-related breaches listed in this chronology are the ones that are known. Just imagine what's taking place -- including laptop compromises -- that we don't know about.
In the next two sections, I'll share with you some specific examples of laptop security vulnerabilities and how they can be -- and are being -- exploited right now. I'll also outline some practical steps you can take to plug the holes and avoid putting the sensitive data stored on your laptops at risk. It's these two things -- understanding how your systems are vulnerable and then actually doing something about it -- that will help make your information security investment whole.
How laptops are exploited
In the previous section, I outlined why laptop security is such an important business issue. Now let me share with you just how unsecured (and even under-secured) laptops are and how they are being exploited both inside and outside your network.
Laptop computers -- regardless of their use -- more often than not fall outside the scope of security testing. In the past couple of years, I've been including laptops in my security assessments, and the security weaknesses I'm seeing are quite alarming. The general mindset around laptops has been:
- Our users have to log in with their Windows password when the laptop boots, so they're secure.
- We put power-on passwords on every laptop, so they're secure.
- We use antivirus software, personal firewalls, and always stay current with patches -- what's the big deal?
- Our users know to keep their laptops secured when they're away from the office -- in their cars, hotel rooms and remote workplaces.
- We don't have any laptops here to test. They're all being used out in the field.
…and, finally, my favorite and perhaps the most ignorant mindset one could have when it comes to protecting sensitive information on laptops…
- We really don't have anything of value on our laptops, so if one gets lost or stolen, it's no real risk.
These are all silly laptop security assumptions that get businesses into trouble every day. Ten years ago, this wouldn't have been perceived as much of a problem. The trouble is that hacking tools have become more abundant and so have the laws regulating the protection of sensitive information -- regardless of where it's stored. In fact, all it takes is someone using a free tool such as the Ophcrack Live CD or the commercial product Elcomsoft System Recovery in malicious ways to render one of your corporate laptops completely exposed.
Let me share with you some laptop weaknesses that can -- and will (given time, tools and intent) -- be exploited in a matter of minutes if not seconds, along with some common justifications:
- No log-on requirement. "We had to turn that off because our help desk was getting inundated with calls."
- Blank passwords. "Oops, we left it blank because it's a shared laptop that different people check out."
- Really weak (i.e., easily guessed) passwords. "Oh, our users just wouldn't put up with our making them remember some complex password."
Those are just the basics. I've also seen situations where an administrator has attempted to secure laptops as follows:
- Power-on passwords. These are merely a hindrance because most BIOS passwords can be reset with relative ease. If not, an attacker in physical control of the laptop can simply take the hard drive out and put it in another laptop and gain access.
- Partial drive encryption such as encrypting a folder or specific set of files. This offers only partial protection because the computer can still be booted and other information residing outside of the protected area (where people tend to store their stuff) can be accessed.
Regarding the fatal assumption of "we don't have any sensitive information on our laptops to worry about," let me share with you what I've uncovered recently in my work, once I was able to get past the usual laptop security controls I mentioned above:
- User IDs and passwords -- including administrator-level accounts -- that can then be used for further access into the network through Windows Remote Desktop, VPN, Outlook Web Access and more.
- Complete source code of a critical production application.
- Personal banking information.
- Digital certificates that could be exported and then imported onto another system in order to gain full access into an internal wireless network.
- A financial analysis system, including internal-use-only information, which could be modified or otherwise abused.
The possibilities for sensitive data exploitation on laptops are endless, which is why there are laws governing these issues. Sarbanes-Oxley, GLBA, HIPAA, PCI DSS, and the state breach notification laws all come to mind. The fact is, folks, that laptop weaknesses can be taken advantage of anytime, anywhere with relative ease. And the stakes are high. The key to realistic laptop security and keeping sensitive data safe is using the right controls and managing them as closely as you would any other "critical" system on your network. In the next section, I'll outline exactly what you can do about it.
Proven techniques to protect laptops
In the previous two sections, I talked about the business reasoning behind laptop security as well as what can happen when it's not made a priority. In this section, I'm going to bring things full circle and share with you some reasonable, practical and proven steps you can take to protect sensitive information residing on your laptops.
With the seemingly daily reports of laptop computer breaches, locking your laptops would seem to be an intolerable burden, and you'd think that it just won't happen. And then when you turn to find solutions, it's easy to get mired in all the hype out there surrounding endpoint security and encryption solutions. But it doesn't have to be that difficult. In fact, I've got some strong opinions about why people aren't taking laptop security seriously. I guess I'll never understand the ignorance and logic (or lack thereof), but if you're in a position to make a difference, it's really pretty simple. Here's what you can do:
Step 1 -- Find out what's at risk. Before you spend a dime on implementing any solution, it's critical to determine which laptops are at risk. The good news is this should be a simple exercise. Unless you have laptops in-house that don't leave the building, you pretty much know which ones you need to lock down: all of them. Sure, there are going to be some laptops that are more critical than others, but as I outlined in the previous section, you'd be surprised at the sensitive information that can be used against you and your network that can be found on even the most benign and innocent laptop.
Step 2 -- Get the right people on board. Securing laptops isn't going to be a free ride. Even if you use built-in hardware or operating system controls, there's still going to be administrative overhead and a culture shift. Locking down laptops is a prime opportunity for security to get in the way of doing business. This is why managers from key sectors of the business need to be on board making this call -- not just IT. When you get the right people on board in a security committee, projects such as this will go much, much more smoothly, and big changes actually have a good chance of adoption.
Step 3 -- Create a set of policies. Once you know where your laptops and sensitive information are vulnerable and you have the right people on board, it's time to create reasonable and enforceable security policies to help tighten things up. Security committee buy-in and enforcement is the only way to make this happen in the long term. If IT is doing this alone, it will be futile at best.
Step 4 -- Implement technical controls to enforce your policies. Here's where the rubber meets the road. Selecting the right laptop security technologies is key. I can say with certainty that if you had to choose just one single control to lock down sensitive information on laptops, whole disk encryption is it. No doubt about it. Whole disk encryption implemented and managed the right way is the simple answer to this problem we have before us. Be it from a third-party software vendor or directly from a hardware manufacturer, such as Seagate and its Momentus drives, this is the way to go. Sure, there are other controls that complement whole disk encryption, such as the various endpoint protection software options that you shouldn't be without. But dollar for dollar, whole disk encryption is the way to go. One important point to note here regarding why you must have technical controls to enforce your policies: you can never, ever trust users to keep their laptops out of harm's way. It's simply not in their interest, and they shouldn't be burdened with managing their own security anyway. It's a sad fact, but I see users being held responsible for the security of their laptops all the time.
Step 5 -- Get the word out to users on what's being done and why it's important. This is simple. Your security committee needs to show your users the laptop security policies, explain to them why they're important, get them to sign off on them, and give them some incentive to abide by your policies.
Step 6 -- Circle back and check for security gaps you may have missed. An initial risk assessment and subsequent technical controls are not a one-time deal. Laptop security is something that has to be managed, just like any other type of information security function: firewall management, content filtering, patching and so on. IT has to be proactive in maintaining the systems and the security committee has to be vigilant in reassessing the security on a periodic basis. You'll no doubt find gaps in implementation and management that are creating unnecessary exposures.
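As an added illustration of Steps 4 and 6 (example code written for this checklist, not part of the original article or any product), the script below audits a laptop inventory against the weaknesses described earlier: missing log-on, blank passwords, power-on passwords standing in for encryption, partial encryption, and overdue reassessment. The inventory columns, host names and the 90-day interval are hypothetical and the sample records are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are hypothetical, not from any product.
INVENTORY_CSV = """hostname,logon_required,blank_password,power_on_password,encryption,last_audit
lt-sales-01,yes,no,yes,none,2024-01-10
lt-shared-02,yes,yes,no,full,2024-05-02
lt-dev-03,yes,no,no,folder,2024-05-20
lt-fin-04,yes,no,yes,full,2024-05-28
lt-field-05,no,no,no,full,2023-11-15
"""

MAX_AUDIT_AGE_DAYS = 90  # assumed reassessment interval; set this from your policy


def audit(row, today):
    """Return the list of gaps for one laptop record."""
    gaps = []
    if row["logon_required"] != "yes":
        gaps.append("no log-on requirement")
    if row["blank_password"] == "yes":
        gaps.append("blank password")
    enc = row["encryption"]
    if enc == "folder":
        gaps.append("partial encryption only; data outside the protected area is readable")
    elif enc != "full":
        gaps.append("no disk encryption")
        if row["power_on_password"] == "yes":
            # A BIOS password can be reset or bypassed by moving the drive.
            gaps.append("power-on password does not protect a removed drive")
    age = (today - date.fromisoformat(row["last_audit"])).days
    if age > MAX_AUDIT_AGE_DAYS:
        gaps.append(f"last audited {age} days ago")
    return gaps


def audit_fleet(csv_text, today_iso):
    """Map hostname -> gaps for every laptop that has at least one gap."""
    today = date.fromisoformat(today_iso)
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gaps = audit(row, today)
        if gaps:
            report[row["hostname"]] = gaps
    return report


if __name__ == "__main__":
    for host, gaps in audit_fleet(INVENTORY_CSV, "2024-06-01").items():
        print(f"{host}: " + "; ".join(gaps))
```

Run on a schedule against your real asset inventory, a report like this gives the security committee a concrete list to work from at each reassessment.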
There's nothing new here. This information security formula is basically the same whatever you're trying to protect. The only difference is the exposure factor. If you haven't performed these steps and don't have solid laptop security controls you're confident in, then now's the time to make things happen. All things considered, sensitive data being exposed on laptops is very likely to be one of your greatest information security risks. It's clear and present -- no ifs, ands or buts about it. In the words of Og Mandino, use wisely your power of choice.