With so many staff working from home and everyone wanting connectivity from anywhere in the world, laptops have become critical tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet only a small minority understand the risk laptops pose. If an attacker were able to gain control of a lost or stolen laptop, that person would have access to all of the information stored on it, plus the opportunity to connect to the corporate network via the VPN. This laptop security tip looks at how to secure a laptop and defend against the threats a lost or stolen laptop represents.
From time to time, my firm is asked to test the security of a laptop build -- perhaps the organisation intends to migrate to a new version of Windows or has simply designed a new standard configuration. The first check should be to see whether a BIOS password, which provides access control to prevent unauthorised changes to a system's hardware settings, has been set. The password poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in another system.
A hard-disk password, used to protect the contents of a hard drive from unauthorised access, is more difficult for an attacker to crack; it often requires specialist assistance, and is therefore a considerably more effective defensive measure. Unless, that is, the hard-disk password is the same as the BIOS password, in which case the attacker's problem is solved.
Despite the increased security for laptops that either or both of these passwords can provide, most corporate laptops fail to utilise either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords! Still, with no secondary password in place, all a thief needs to hack into a notebook is a Windows username and password, which for an educated attacker is easy to obtain with the help of any number of freely available tools.
There is one simple solution to protect laptops: laptop encryption. Full-disk laptop encryption provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password), which is entered immediately when the laptop starts up. If an attacker attempts to access the laptop or even removes the hard drive to install in another computer, he or she will be unable to read anything from the hard drive without knowing the passphrase.
Full-disk laptop encryption also provides the IT support people with a legitimate "backdoor" into the laptop, in case the user's passphrase is forgotten or if the member of staff leaves the organisation under a cloud. For example, multiple passphrases can be configured for each encrypted drive, so IT support could have one passphrase and the user another (of his or her choosing). Alternatively, some laptop encryption products support a challenge-response passphrase reset option, which presents personally identifiable questions to the user for authentication.
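The "one passphrase protects everything" and "multiple passphrases per encrypted drive" points above rest on a single mechanism: the disk is encrypted under one random data-encryption key, and that key is stored several times, each copy wrapped under a different passphrase in its own key slot. The following is an added illustration of that key-slot model written for this tip; it is not PGP's or any vendor's code, uses only the Python standard library, and the slot layout, the scrypt parameters and the labels are assumptions chosen for the example. The disk ciphertext itself is left out; only the key slots are modelled.

```python
"""
Key-slot model for full-disk encryption (constructed example).

One random data-encryption key (DEK) encrypts the disk. Each slot stores the
DEK wrapped under a key-encryption key derived from a passphrase with scrypt
and a per-slot salt, plus an HMAC tag so a wrong passphrase is rejected
rather than producing a garbage key. Adding a slot gives IT support its own
recovery passphrase; revoking a slot withdraws a departing user's passphrase
without re-encrypting the disk.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEK_LEN = 32     # 256-bit disk key
SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters


@dataclass
class Slot:
    label: str
    salt: bytes
    wrapped_dek: bytes
    tag: bytes


@dataclass
class Volume:
    slots: Dict[str, Slot] = field(default_factory=dict)


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into a wrapping pad and a separate MAC key."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=2 * DEK_LEN)
    return km[:DEK_LEN], km[DEK_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def add_slot(vol: Volume, dek: bytes, label: str, passphrase: str) -> None:
    """Wrap the DEK under a new passphrase; each slot gets a fresh salt."""
    if label in vol.slots:
        raise ValueError(f"slot {label!r} already exists")
    salt = os.urandom(SALT_LEN)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = _xor(dek, pad)
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    vol.slots[label] = Slot(label, salt, wrapped, tag)


def create_volume(label: str, passphrase: str) -> Tuple[Volume, bytes]:
    """Generate the disk key and create the first slot (the user's)."""
    dek = os.urandom(DEK_LEN)
    vol = Volume()
    add_slot(vol, dek, label, passphrase)
    return vol, dek


def unlock(vol: Volume, passphrase: str) -> Optional[bytes]:
    """Try every slot; return the DEK if any slot's tag verifies, else None.

    Whoever holds only the drive (no valid passphrase) gets nothing: the
    slots contain wrapped keys, and the disk data is useless without the DEK.
    """
    for slot in vol.slots.values():
        pad, mac_key = _derive(passphrase, slot.salt)
        expected = hmac.new(mac_key, slot.salt + slot.wrapped_dek,
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot.tag):
            return _xor(slot.wrapped_dek, pad)
    return None


def revoke_slot(vol: Volume, label: str) -> None:
    """Remove a passphrase (e.g. a leaver's) while IT's recovery slot remains."""
    del vol.slots[label]


def demo() -> dict:
    """Walk through the user + IT-recovery scenario; returns checkable results."""
    vol, dek = create_volume("user", "correct horse battery staple")   # constructed
    add_slot(vol, dek, "it-recovery", "helpdesk-recovery-passphrase")  # constructed
    results = {
        "user_unlocks": unlock(vol, "correct horse battery staple") == dek,
        "it_unlocks": unlock(vol, "helpdesk-recovery-passphrase") == dek,
        "wrong_rejected": unlock(vol, "password1") is None,
    }
    revoke_slot(vol, "user")   # member of staff has left
    results["user_revoked"] = unlock(vol, "correct horse battery staple") is None
    results["it_still_unlocks"] = unlock(vol, "helpdesk-recovery-passphrase") == dek
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two design points worth noting. The HMAC tag is what makes a forgotten or mistyped passphrase fail cleanly; without it, a wrong passphrase would silently yield a wrong DEK and the boot would fail later with no diagnosis. And because only the slots are rewritten when a passphrase is added or revoked, the leaver scenario in the text costs a few bytes of change rather than a full re-encryption of the disk; production products use a standard key-wrap cipher and often anchor the slots in a TPM or the drive's own controller, but the slot model is the same.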
Encryption products such as PGP Corp.'s Whole Disk Encryption for Enterprises lock down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system files, and swap files. Encryption runs as a background process that is transparent to the user, automatically protecting data without requiring the user to take additional steps.
Some companies might have resisted laptop encryption in the past on the grounds of complexity or performance degradation. But improvements in both hardware and software mean that encryption is now much easier to manage, and has no perceptible effect on system performance. Furthermore, extensive press coverage of many embarrassing data loss incidents involving unencrypted laptops and USB sticks has highlighted the benefits of this approach, and convinced most of the doubters.
About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.