[ISN] Laptop lockdown

InfoSec News isn at c4i.org
Tue May 31 03:07:13 EDT 2005


http://australianit.news.com.au/articles/0,7204,15431809%5E15864%5E%5Enbv%5E,00.html

Selina Mitchell
The Australian 
MAY 31, 2005  
 
EMPLOYEES may be able to use a notebook computer almost anywhere, but 
equally, a laptop can be stolen from almost anywhere.

An unexpected destination for a corporate traveller is often the local 
police station to report a stolen laptop. The handy little 
lightweights are swiped from cars, homes, airports and hotels as well 
as businesses. 

As the rate of notebook use increases in business, so does the number 
of thefts. 

The notebook itself may be expensive to replace, but the data on the 
system is sometimes priceless. 

Depending on the nature of the data and how well it is protected, the 
theft could lead to the leaking of state or company secrets and the 
downfall of a company or even a government. 

It is impossible to fully protect every laptop-toting individual from 
thieves, but there are products designed to make theft harder, and to 
protect data even if the hardware is stolen. 

The fear of data theft, accidental or intended, has led some laptop 
purchasers to begin demanding better built-in security from vendors. 

Figures on notebook thefts in Australia each year can only be 
estimated, as not all thefts are reported and there is no national 
tally. 

The Australian Computer Emergency Response Team's 2004 Australian 
Computer Crime and Security Survey reports that 58 per cent of 
respondents experienced laptop theft in the past 12 months, up from 53 
per cent in 2003. 

According to 63 per cent, the laptop theft had resulted in financial 
loss, ranging from as little as $1000 to as much as $200,000. 

The average loss was $17,670 – well down on the $27,500 quoted in last 
year's survey and perhaps reflecting lower costs of laptops. 

The total annual loss of $1.5 million accounted for 9 per cent of 
total losses from computer crime, behind virus infections, 
computer-facilitated financial fraud, and degradation of network 
performance because of network scanning. 

Almost three quarters of those surveyed said they had increased 
spending on computer security in the past 12 months. 

"The readiness of organisations to protect their IT systems has 
improved in three key areas: the use of information security policies, 
the use of information security standards or guides, and the number of 
organisations with experienced, trained, qualified or certified 
staff," the report says. 

However, despite these improvements, fewer respondent organisations 
reported they were managing all computer security issues reasonably 
well (only 5 per cent in 2004 compared with 11 per cent in 2002 and 
2003). According to IDC market analyst Michael Sager, company CIOs pay 
more attention to desktop security than laptop security. 

Despite 28 per cent growth in sales, laptops made up 31.4 per cent of 
the combined desktop/laptop market in the first quarter of 2005, he 
says. 

In laptops, "CIOs don't know what they want, so they are not 
necessarily getting what they need from vendors", he says. 

Some notebook vendors have begun to supply security products, but 
there's a lot of market, particularly among small and medium 
businesses. 

"We're on the cusp of companies finding out that notebook security is 
an issue," Sager says. "There are so many vendors, the market is 
saturated and something has to give. 

"Vendors don't want to lose sales, so it may push back their ability 
to meet customer needs – or it could really drive change." 

Toshiba Information Systems general manager Mark Whittard says system 
and data security now tops the list of his customers' requirements. 

Enterprise clients are more concerned about data theft, but small 
business and education buyers are more worried about the loss of the 
notebook itself, he says. 

Lenovo offerings manager David Nichol says security is the top 
consideration for corporate clients, and data security is the 
increasing focus. 

"Organisations are realising that, as more of their staff use 
notebooks, their data is more likely to be in the public domain," 
Nichol says. 

"They want notebook-level security, where before they wanted 
network-level security." 

Hewlett-Packard enterprise notebooks market development manager Laurie 
White says the race is on for vendors to supply the best in business 
anti-theft options. 

As vendors introduce security measures, notebooks will become like 
cars, White says. Thieves will target the brands known to be easy to 
steal. 

"There will be brands of notebooks that thieves won't touch because 
they know they won't be able to get them to work." 

Theft and data protection are becoming more and more important, he 
says. "The loss of the notebook is minuscule compared with the value 
of the data that may be held on it. The data is worth 10 times more." 

The costs of introducing security are minimal – 5 per cent of the 
notebook's total cost, White says. 

Dell senior product marketing manager Jeff Morris says even old, slow 
notebooks are a target for thieves. 

"It's not down to how it looks, but how easy it is to take," he says. 

Nichol says physical security has a lot to do with the user and how 
they control the notebook in their care, and users are becoming more 
careful. 

They also, however, have more devices to help them keep their 
notebooks safe, including cable locks, alarms, and anti-theft tags 
that, if removed, disable the system or mark it as stolen. 

Some insurance options include no-excess cover for theft or damage, 
and premiums can be lowered if anti-theft measures are in place. 

If data is protected, there should be little concern that information 
on a stolen notebook will fall into the wrong hands. 

Tor Nordhagen, Accenture Asia-Pacific security group director, says 
all portable devices were a security risk as they involved information 
in transit, including memory sticks, pieces of paper and notebook 
computers. 

All businesses require an information policy that states clearly 
that information pertaining to an enterprise should be treated as 
classified. "You need to protect all of that information," he says. 

The contents of the machine should be protected by encryption, and 
there are a number of ways to authenticate a user before a system can 
be accessed at all, including basic password protection, smartcard 
readers and fingerprint readers. 

Encryption can also be used to secure the network the laptop uses to 
communicate with its home base. 

Whittard says the wireless network technology has improved and if all 
the security levels are set it can be more secure than a wired 
network. 

Nordhagen says companies with high security requirements can use a 
form of mandatory access control, so only de-classified information is 
allowed in insecure zones. 

"You can also impose a very simple form of information management on 
the notebook," he says. "You can check in and out information to the 
laptop, information that is generally stored on a secure office 
network but can be released for use on a notebook." 

He also warns that some security measures can backfire, so it is 
important to ensure administrators can deal with any technical issue 
that arises, such as a forgotten password or a lost smartcard used to 
boot up a notebook. 

Security measures will only improve, vendors predict. 

Vendors are working on more security products. 

For example, later this year Toshiba will release a privacy screen. 

When switched on, the screen can only be viewed from directly in front, 
avoiding spying while in airport lounges, on planes or other public 
places. 


Handy tips on securing your laptop 

Physical security 

* Use a cable lock or alarm device to secure the notebook to the 
  office desk or to permanent structures such as airport seats. 

* Don't leave an unsecured notebook in the car - lock it in the boot 
  out of sight. 

* Don't use an obvious laptop bag that may make you a target. 

* Keep your laptop with you when travelling - take it on planes as 
  carry-on luggage. 

* Consider products that secretly mark your computer as your own, or 
  as stolen if a business tag is removed.


Data security 

* Develop and enforce an information security policy. 

* Require passwords for boot-up access. 

* Encrypt data on the notebook and data that is transferred to and 
  from the notebook when on the road. 

* Consider insurance that can cover theft or accidental loss – 
  premiums can be lower if security measures have been adopted. 

* Back up all data.


Examples of products and services available 

* Software at BIOS level that tracks a reported stolen computer when 
  it is reconnected to a network, or vendor services that provide identity 
  tags that can be tracked when a new user tries to access support or 
  products for a stolen notebook. 

* Software that ensures a notebook will not work outside a set radius. 

* Software that locks off sections of the system, or particular 
  devices, such as the DVD writer. 

* Technology that provides shock protection and spill resistance. 

* Built-in or external smartcard and fingerprint reader - no card, no 
  boot-up. 





