Getting a grip
You can't stop laptop loss altogether, but you can reduce the number that go missing and minimize the damage when they do<@VM>Sidebar | Anti-theft technology<@VM>Sidebar | Where did all that data go?
- By Drew Robb and Joab Jackson
- Aug 24, 2007
'With laptops, Blackberrys, iPods and iPhones, there is no definable edge to the network, and most people don't understand what kinds of sensitive data they have.' ' Dave Morrow, EDS
WPN Photo by Jaime R. Carrero
Experts have an adage: 'Security is a journey, not a destination.' But when the data itself goes on a journey ' riding on laptop PCs and BlackBerrys ' the destination could be misery for the systems administrator when those devices vanish.
'In the mainframe world, we used to know the limits ' a mainframe computer or its terminals didn't get up and walk around or get lost or stolen,' said Dave Morrow, chief security and privacy officer at Electronic Data Systems, who oversees security for the company's managed laptop services used by federal agencies such as the Navy-Marine Corps Intranet. 'But with laptops, BlackBerrys, iPods and iPhones, there is no definable edge to the network, and most people don't understand what kinds of sensitive data they have.'
So how does one go about securing laptops?Inherent insecurity
Losses of laptops containing sensitive data regularly make headline news. In July, a Transportation Department laptop containing personal information on 133,000 Florida residents was stolen from a car in the Miami area.
In January, a Veterans Affairs Department medical center in Birmingham, Ala., lost an external hard drive containing data on 250,000 veterans and 1.2 million health care providers. A Justice Department inspector general audit issued in February found that the FBI lost 2.6 laptops per month during a 44-month period, with at least 10 of the missing laptops containing sensitive or classified information. In May, the Energy Department reported 1,415 laptops missing during a six-year period, about 2 percent of its total inventory.
This article is not about those losses, however. The fact is that laptops will be lost or stolen ' as will other mobile devices. Safeware Insurance Agency estimates that 600,000 laptops are stolen or lost annually, with other estimates running as high as one in 10 laptops stolen. And the losses aren't limited to laptops. According to In-Stat, a business unit of Reed Business Information, 8 million cell phones will be lost this year.
It is possible, however, to reduce the number of laptops that go missing. For example, according to the DOJ IG report, the FBI lost only one-third as many laptops per month in the most recent audit period compared to one conducted in 2002.
'Major breaches of data inevitably make the news; people's information is potentially put in the hands of ID thieves,' said Robert Siciliano, chief information officer at IDTheftSecurity.com. 'People lose their jobs, their reputations, and it makes a big mess that could be prevented just by taking simple proactive and preventive measures.'
So, let's take a look at steps to take to minimize these losses and reduce the impact when losses do occur.Knowing what is there
Over the years, a number of best practices have developed regarding laptop security.
Many of these are recognized in the Office of Management and Budget guidelines released in June, 'Protection of Sensitive Agency Information' (GCN.com/83) and the July 2007 publication from OMB and the Homeland Security Department titled 'Common Risks Impeding the Adequate Protection of Government Information' (GCN.com/829).
Agencies must follow standards and guidance published by the National Institute of Standards and Technoloy, said OMB spokeswoman Andrea Wuebker. 'OMB encourages agencies to contemplate and incorporate best practices regarding prevention of loss and theft of federal information.'
The first step is to have a good idea of exactly what mobile assets an organization has.
'It begins with accountability,' Siciliano said. 'Too often, there are laptops being lost or stolen, and possession of them has not been properly accounted for.'
As audits routinely show, it is often not even known when a laptop went missing or who had control of it. It just can't be located right now. An organization must keep an inventory of who has possession of all the laptops and track when they change hands. Policies are required to ensure that oversight of the inventory doesn't drop off when an employee leaves or is transferred.
'There needs to be a master list and redundancy as to who is paying attention to that list and who is checking up on it,' Siciliano said.
But knowing who has the hardware is only the beginning. Even more critical is the data it contains, and Morrow said that users and managers are often clueless as to what is on the laptop.
'While I worry about the physical hardware, I worry much more about the data on the system,' Morrow said. 'It might be a $1,500 laptop that gets stolen, but it may have sensitive data that will cost $10 million to remediate.'The biggest risk
Proper asset management detects when a laptop is missing but doesn't prevent loss in the first place. No policy or standard replaces the need for vigilance by users.
'OMB recognizes job-specific training is necessary for a risk-based approach to security,' Wuebker said. 'The memorandum [Common Risks...] requires federal agencies to train employees regarding their respective responsibilities relative to safeguarding federal information on fixed and removable media, including personally identifiable information, and the consequences and accountability for violation of these responsibilities.'
Several agencies issue their own brochures giving best practices for laptop security including common-sense tips such as not leaving the laptop visible on the seat of a car, locking the laptop in a cabinet or desk when left in the office and using a cable to lock the computer to a pipe or table leg.Low profile
At the airport, travelers should let the line clear ahead of them before putting a laptop into the X-ray machine. You should carry the computer in a plain padded case or put inside a backpack or regular briefcase rather than carrying it around in what is clearly a laptop case, especially one bearing the manufacturer's logo. When sitting in a restaurant or other public space, the laptop should remain in contact with the user so it doesn't get accidentally left behind. If it is placed on the floor, it should at least be between one's feet. Users also need to make sure they don't give others access to their portable devices.
'Social engineering [employee negligence] is the biggest mistake,' said Kevin Kalinich, manager of professional risk solutions at Aon Financial Services Group. 'Say 'no' to unauthorized requests for information and access, including access to offices, cars and any other location where a laptop might be.'Central control
Vigilant employees are also a good safeguard against many laptop thefts but not a complete solution.
'Carelessness is one of the biggest problems I see,' Morrow said. 'People don't think of their laptop as something people would want to steal.'
The ideal solution, therefore, is to restrict what users can load onto their laptops. If an employee needs to access a database, that data should only be available through a secure connection, rather that loading the entire database onto the laptop. But sometimes there are valid reasons to have a full database loaded on the computer. For example, an auditor visiting a site may need to copy and review data from the target agency's files.
Then there are the caches and hidden files that the user doesn't even know exist.
'Most managers think that sensitive information is stored away safe and secure on servers,' said security consultant and author Kevin Beaver at Principle Logic. 'That's a dangerous misconception; you could randomly pick any given laptop in any organization and using the right tools, find sensitive information on the local drive in a matter of minutes.'
Kalinich advises implementing centralized policies that take security controls out of the control of users but push updates to the mobile devices as needed.
'Enterprisewide solutions must be implemented, which include a policy-based mobile data security and management solution that protects data on all kinds of portable devices, not just laptops,' Kalinich said. 'It takes a large portion of the responsibility out of the hands of the individuals and places it in the capable hands of the IT professionals.'
Portable devices should also be automatically backed up to the servers. This doesn't prevent data getting into the wrong hands, but it does prevent the loss of that data to the agency and having to spend time recreating or reloading the data.
'That way you are not sunk if your laptop goes missing or breaks,' Morrow said. 'None of this is rocket science ' it is stuff we have been talking about for years and years, just applied to a different venue.'In addition to routine security policies, there is also an assortment of technologies that are designed to keep data from getting into the wrong hands.
The first is that all portable devices should use full disk encryption, making it harder for the data to be deciphered.
Kevin Kalinich, manager of professional risk solutions at Aon Financial Services Group, recommends using a timeout function that requires reauthentication after 30 minutes of inactivity, as well as using a BIOS password and a biometric device. He said sensitive database extracts should be logged, and its erasure should be verified within 90 days, if the data is no longer in use.
There are also several options for wiping the data from a hard drive when it does go missing. Typically these involve erasing the encryption key on the laptop after a series of failed log-ins, or in response to a command from headquarters.
Robert Siciliano, chief information officer at IDTheftSecurity.com, recommends Tri-8's mylaptopGPS service. This has three parts ' a permanent identification label to deter theft, tracking of the missing laptop to the IP address it is logged on to, and remote removal and deletion of sensitive files.
EDS is looking at using a product from Absolute Software, called LoJack for Laptops, which also traces stolen laptops over Internet connections and destroys data on command or according to policy ' for instance, if the computer hasn't connected to the agency network within a certain time period. A similar product ' SureFind ' is offered by Oakley Networks. This system can verify whether or not data on a stolen laptop has been viewed and erase any sensitive data, once the missing laptop is connected to the Internet.
SecureTrieve's SecureTrieve Pro offers similar features.
Targus Group International makes a variety of cables and other devices to lock laptops, iPods, mice and keyboards. For higher protection, its DEFCON 1 Ultra Notebook Computer Security System comes with a 95 decibel alarm that sounds when the laptop is moved.Reported mobile device loss in the federal government, 2006-2007February 2006:
The Centers for Disease Control and Prevention disclosed that 22 laptop PCs ' containing Defense Department personnel information ' were stolen from a contractor facility.February 2006:
A Labor Department laptop with information on more than 1,100 individuals was lost.February 2006:
An Internal Revenue Service employee had a laptop stolen from his vehicle.March 2006:
A Marine Corps employee lost a thumb drive containing personnel records on more than 200,000 enlisted Marines.March 2006:
Eight laptops holding Centers for Medicare and Medicaid Services beneficiary and supplier information were stolen from a contractor's office.April 2006:
An IRS employee reported that a laptop with taxpayer information was stolen.May 2006:
A Social Security Administration employee lost a flash drive containing case information on six people.May 2006:
A Veterans Affairs Department analyst brought home a laptop with identity data on more than 26 million veterans and spouses. The laptop was subsequently stolen.June 2006:
CMS reported that a contractor lost a laptop with more than 49,000 personnel records.July 2006:
A Transportation Department laptop containing personal information on 133,000 Florida residents was stolen from a car in the Miami area.June 2006:
The Treasury Inspector General for Tax Administration reported that approximately 490 IRS laptops have been lost since 2003, many because of improper storage procedures.August 2006:
While riding a motorcycle, a Navy recruiter lost a laptop containing data on more than 30,000 applicants.Sept 2006:
The Census Bureau reported losing 672 laptops since 2001, of which 246 contained some personal data.November 2006:
The Army's Accessions Command in Fort Monroe, Va., reported that a laptop with personal information on 4,600 scholarship applicants for the Reserve Officer Training Corps was missing.January 2007:
The VA medical center in Birmingham, Ala., lost an external hard drive containing data on 250,000 veterans and 1.2 million health care providers.February 2007:
The Justice Department IG issued an audit showing that the FBI had lost 2.6 laptops per month during a 44-month period.May 2007:
The Energy Department reported 1,415 laptops missing during a six-year period, about 2 percent of its total inventory.June 2007:
The Government Accountability Office found that NASA could not account for more than $94 million worth of office equipment, including many computers.