Today’s mobile workforce has generated the awareness and subsequent need for mobile security like never before. As data growth increases, the requirements set forth in new laws and regulations also demand that organizations demonstrate due-care in protecting sensitive customer data.
Meanwhile, an ever-increasing amount of sensitive data finds its way onto laptops, and with it come additional threats to those devices. Because of these threats, organizations should follow a number of data protection and security best practices. The five practices below can help any organization or individual protect sensitive information, reduce the risk of regulatory and/or financial exposure, and keep costs to a minimum.
Passwords are the obvious first layer, but there are several places a password can be applied on a laptop. The first and most common is a power-on (BIOS/UEFI) password. This prevents an attacker from simply powering on the device and booting into the operating system. It does not, however, protect against an attacker who removes the hard drive and places it in another laptop or an external drive enclosure to read the data it contains; only encryption (discussed below) addresses that case.
Another option is an encrypted partition, which requires a password before the system can boot or any data on it can be read; this is discussed in more depth below. Depending on the operating system, non-Windows laptops and dual-boot laptops can also password-protect the boot loader: GRUB, for example, can require a password before selected boot entries are started or before the boot configuration can be edited from the boot menu. Note that a boot loader password, like a BIOS password, does nothing to protect data on a drive that has been removed from the machine.
Overall, keep in mind that passwords must NOT be easy to guess. Best practices (as well as many regulatory frameworks, such as FFIEC guidance and FISMA) set complexity requirements for what may be considered a “strong” password. As a general rule of thumb, a password should contain no dictionary words and no part of your name, birthdate or similar personal details, and should be made up of at least 10 letters and digits with several “special” characters (such as ! @ # $ % &) mixed in.
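As an added example (not code from the original article), the following Python checker implements the rules above and reports every rule a candidate password breaks, including the common trick of hiding a dictionary word behind character substitutions. The word list and the personal details used in the demo are constructed for illustration; a real deployment would load a full dictionary or breached-password list in place of `COMMON_WORDS`.

```python
"""Password policy checker for the rules described above.
Added example, not code from the original article. The word list below is a
constructed stand-in for a real dictionary or breached-password list."""
import re
from datetime import date

# Constructed stand-in for a dictionary file (assumption: a real deployment
# would load something like /usr/share/dict/words or a breach corpus).
COMMON_WORDS = {"password", "welcome", "summer", "laptop", "security", "letmein"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")
MIN_ALNUM, MIN_SPECIAL = 10, 2
# Undo the usual "leet" substitutions so p@ssw0rd is still caught as "password".
LEET = str.maketrans("@$0134!", "asoleai")
# Birthdate layouts that commonly end up inside passwords (two-digit years are
# deliberately excluded: they would flag almost any password with digits).
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%Y%m%d", "%d%m%Y", "%m%d%Y")


def policy_failures(password, first_name="", last_name="", birthdate=None):
    """Return the list of policy rules the password breaks (empty list = pass)."""
    failures = []
    if sum(c.isalnum() for c in password) < MIN_ALNUM:
        failures.append(f"fewer than {MIN_ALNUM} letters and digits")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("must mix letters and digits")
    if sum(c in SPECIALS for c in password) < MIN_SPECIAL:
        failures.append(f"fewer than {MIN_SPECIAL} special characters")
    lowered = password.lower()
    # Normalise substitutions, then keep letters only, before the word search.
    letters_only = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for word in COMMON_WORDS:
        if len(word) >= 4 and word in letters_only:
            failures.append(f"contains dictionary word '{word}'")
    for part in (first_name, last_name):
        if len(part) >= 3 and part.lower() in lowered:
            failures.append(f"contains name fragment '{part}'")
    if birthdate is not None:
        for fmt in DATE_FORMATS:
            token = birthdate.strftime(fmt)
            if token in password:
                failures.append(f"contains birthdate fragment '{token}'")
                break
    return failures


def is_strong(password, **identity):
    """True when the password passes every rule for the given person."""
    return not policy_failures(password, **identity)


if __name__ == "__main__":
    # Constructed identity for the demo; not a real person.
    for candidate in ("Summer2024!!", "JaneDoe1985!!", "xK9#vQ2$mR7tLw"):
        problems = policy_failures(candidate, "Jane", "Doe", date(1985, 7, 14))
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The checker is deliberately strict about substrings: a four-letter name fragment or a full birth year anywhere in the password is enough to reject it, because those are exactly the tokens an attacker who has looked you up will try first.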
Laptop encryption is one of the most important aspects of secure mobile computing. Specifically, it is important to encrypt not only confidential company information but also confidential customer information. There are many ways to circumvent passwords, exploit operating system vulnerabilities or defeat other aspects of system security. When the data attackers are after is unreadable without the key, however, many of the risks of mobile computing and data loss or theft are mitigated.
But, what options should a user or organization choose? There are several options available, depending on the type of encryption and functional requirements by the user or organization. It should also be stated that if you are intending to encrypt your hard drive, due care should be taken to understand exactly what encryption protects and does not protect.
What does encryption protect?
A common misconception about laptop hard disk encryption is that it makes the laptop impenetrable, meaning no one can get to the data without the proper credentials. It is true that if someone steals your powered-off laptop and tries to boot it, they will not get to your data without the passphrase (or key) that unlocks the encryption. But once you have entered that passphrase, the data is effectively unencrypted for anything running on the system until the machine is powered off. A laptop that is merely asleep or has its screen locked still holds the encryption key in memory, so a lost laptop in sleep mode is far more exposed than one that was shut down; prefer hibernation or a full shutdown when travelling. Full disk encryption also does nothing against attackers who compromise the running system over a network such as the Internet or public Wi-Fi: the laptop remains vulnerable to application exploits, misconfigurations and other weaknesses that let an attacker in while the disk is unlocked.
Types of Encryption
For data-at-rest, there are generally two types of encryption options for laptops:
Whole Disk Encryption: As the name states, this type of encryption encrypts the entire drive or partition, operating system included. It generally requires a password, a key on removable media, a TPM, or some combination of these to “unlock” the system and continue the normal boot process. Once unlocked, everything on the disk is accessible to the user and to any software running on the system. One caveat: a TPM-only configuration (which BitLocker permits) unlocks the drive automatically at boot with no user input, leaving the data protected only by the operating system logon and boot integrity checks; requiring a PIN or startup key in addition to the TPM closes that gap.
Solutions that offer whole disk encryption:
- Microsoft BitLocker
- Sophos SafeGuard
- Symantec EndPoint Encryption
- Check Point Full Disk Encryption
File or Container-Based Encryption: This type of encryption encrypts individual files, or creates a “container file” that must be mounted explicitly (usually with a password) and is separate from the operating system. The container can be closed at the user’s discretion and, while closed, remains inaccessible to an attacker even if the rest of the system is compromised, physically or over a network. The caveat is that an attacker who already controls the system can wait for the container to be opened, or capture the password as it is typed, so container encryption complements rather than replaces a clean, patched operating system.
Solutions that offer container-based encryption:
There are pros and cons to each of these methods, and which one you should choose ultimately depends on the requirements and specific risks associated with the organization and/or user. 10-D Security recommends that these requirements are evaluated carefully and the overall solution selected is supported by a risk assessment, where feasible.
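To make the container model concrete, here is an added example (not code from any product named on this page) of a password-protected container: the passphrase is stretched with salted scrypt into an AES-256-GCM key, the header is authenticated along with the data, and a wrong password and a tampered file are both refused with the same error. It assumes the third-party `cryptography` package is installed (`pip install cryptography`); the customer record in the demo is constructed.

```python
"""Password-protected encrypted container file.
Added example illustrating the container-based approach described above; it is
not code from any product named on this page. Assumes the third-party
`cryptography` package (pip install cryptography)."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"CTNR1"              # file-format tag chosen for this example
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
# scrypt cost: every password guess against a stolen container costs this much
# work. 2**14 keeps the example quick; use 2**17 or higher in practice.
SCRYPT_N = 2 ** 14


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the user's passphrase into a 256-bit AES key (salted scrypt)."""
    return Scrypt(salt=salt, length=32, n=SCRYPT_N, r=8, p=1).derive(password)


def seal(plaintext: bytes, password: bytes) -> bytes:
    """Encrypt plaintext into a self-describing container blob."""
    # Fresh salt per container means a fresh key per container, so the random
    # 96-bit nonce is never reused under the same key.
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    # The header is passed as associated data: a modified salt or nonce fails
    # authentication instead of silently decrypting to garbage.
    return header + AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, header)


def open_container(blob: bytes, password: bytes) -> bytes:
    """Return the plaintext, or raise ValueError on a wrong password or tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a container produced by seal()")
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    try:
        return AESGCM(derive_key(password, salt)).decrypt(nonce, body, header)
    except InvalidTag:
        # One error for both cases: do not tell an attacker which it was.
        raise ValueError("wrong password or container modified") from None


def unlocks(blob: bytes, password: bytes) -> bool:
    """Convenience check: does this password open the container?"""
    try:
        open_container(blob, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample record; in use the blob would be written to a file
    # and the returned plaintext would be the "mounted" view of the container.
    customer_data = b"Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111\n"
    container = seal(customer_data, b"correct horse battery staple")
    assert open_container(container, b"correct horse battery staple") == customer_data
    assert not unlocks(container, b"password1")
    print(f"container is {len(container)} bytes, {HEADER_LEN + TAG_LEN} of them overhead")
```

Note what `open_container` returns: plaintext held in the process's memory. That is the software equivalent of a mounted container, and it is exactly the window the caveat above describes, so an application built on this should drop the plaintext (close the container) as soon as it is no longer needed.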
Anti-Malware/Virus Protection
One of the essentials (and often overlooked) in overall security, for any system, is having a reputable anti-malware/virus product installed on your laptop or mobile device. Today’s modern end-point protection software provides a multitude of features that go well beyond stopping known viruses, malware or other gremlins. Features such as detecting and blocking personal information leakage (e.g., social security numbers, credit card numbers), heuristic analysis, file encryption, intrusion detection, file integrity monitoring and many other options are now available. Each of these features provides benefits on its own, but combined they give your organization’s mobile devices a “defense-in-depth” strategy that makes it much harder for an attacker to steal confidential data.
Physical security is another common and often neglected area in securing mobile devices, specifically laptops. There are many options available that can help physically secure your organization’s assets without breaking the bank. Some of these include:
- Identification Tags: Asset tags, or other identification marks, are used by most organizations today. However, most are easily removable. Tamper-evident asset tags are available that show when someone has tried to remove or alter them, which can help identify potentially malicious behavior. Another option is engraving the outer case with contact information to assist in returning lost equipment.
- Locks and Cables: One of the most common options is to install a cable lock on your laptop and secure it to your work area to deter the casual thief. While this won’t stop anyone with cable cutters or protect any peripherals, it serves as a deterrent and makes petty thieves think twice.
- Privacy Screens: “Shoulder Surfing” is one of the most often overlooked problems in mobile security. But, no one is reading your screen while in the coffee shop, right? Wrong. It’s human nature to be curious, and if you’re looking at confidential client or company information in a public environment, chances are someone is looking over your shoulder. A simple solution to this problem is the installation of a privacy screen. This prevents anyone from seeing your screen unless they are directly in front of it. Most are easily removable when not needed and provide a substantial level of protection when compared to the minimal cost.
Travel Warriors
Most are familiar with virtual private networks (VPN). However, most people associate a VPN only with connecting back to the corporate network in order to reach internal systems. This is far from the only use. A VPN is valuable in any situation where you connect through public Wi-Fi or another untrusted network. When you connect to your hotel’s Wi-Fi, anyone else on that same network can sniff your unencrypted traffic, alter it, steal it, or attempt to attack your system directly; a shared Wi-Fi password printed at the front desk does not change this, since every other guest has it too.
While this is a more advanced level of protection, your organization can easily change its existing VPN configuration to force all network traffic through the corporate VPN while travelling (a “full tunnel”, with split tunnelling disabled). This ensures that all data transmitted from public venues is protected from eavesdropping and tampering in transit, at least as far as the VPN gateway. Two details are worth checking: DNS queries must also go through the tunnel, or the hotel’s resolver still sees every site you visit, and the tunnel should carry IPv6 as well as IPv4, since a hotel network that hands out IPv6 addresses can otherwise route that traffic around the VPN. Users should also be told to connect the VPN immediately after clearing any captive-portal login page, which necessarily happens outside the tunnel.
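A quick way to verify that a client really is in full-tunnel mode is to ask where the kernel would send a packet to an arbitrary public address, and where it would send each configured DNS server, rather than trusting the VPN client’s status window. The Python below is an added example (not part of the original article or any VPN product) that does this over the output of `ip route show` and the contents of `/etc/resolv.conf` on Linux; the two route tables and the resolv.conf strings are constructed samples, and the VPN interface name prefixes are an assumption.

```python
"""Full-tunnel and DNS-leak check for a laptop VPN on Linux.
Added example, not part of the original article or any VPN product. It parses
the output of `ip route show` and the contents of /etc/resolv.conf; the sample
route tables and resolv.conf strings below are constructed, not captured."""
import ipaddress
import re

# Assumption: the VPN client names its interface with one of these prefixes.
VPN_IFACE_PREFIXES = ("tun", "wg", "ppp")
PROBE_IP = "198.51.100.1"  # any public address; used to find the real egress interface


def parse_routes(ip_route_text):
    """Return [(network, iface)] from `ip route show` lines ('default' -> 0.0.0.0/0)."""
    routes = []
    for line in ip_route_text.strip().splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"  # host route
        routes.append((ipaddress.ip_network(dest, strict=False), parts[parts.index("dev") + 1]))
    return routes


def egress_iface(routes, ip):
    """Longest-prefix match: the interface the kernel would send `ip` out of."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_nameservers(resolv_conf_text):
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf_text, re.M)


def is_vpn(iface):
    return iface is not None and iface.startswith(VPN_IFACE_PREFIXES)


def tunnel_report(ip_route_text, resolv_conf_text):
    """Check that Internet traffic and DNS both leave via the VPN interface."""
    routes = parse_routes(ip_route_text)
    # Looking only at the 'default' line is not enough: OpenVPN's redirect-gateway
    # leaves the Wi-Fi default route in place and overrides it with 0.0.0.0/1 and
    # 128.0.0.0/1, so a lookup for a probe address is the reliable test.
    egress = egress_iface(routes, PROBE_IP)
    leaks = [(ns, egress_iface(routes, ns)) for ns in parse_nameservers(resolv_conf_text)
             if not is_vpn(egress_iface(routes, ns))]
    return {"egress": egress, "full_tunnel": is_vpn(egress), "dns_leaks": leaks}


# Constructed sample: OpenVPN-style full tunnel on a hotel Wi-Fi (wlan0); the
# host route to the VPN server itself (203.0.113.10) legitimately stays on wlan0.
ROUTES_FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.43.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.17
203.0.113.10 via 192.168.43.1 dev wlan0
"""
# Constructed sample: split tunnel, only the corporate 10/8 range goes via tun0.
ROUTES_SPLIT = """\
default via 192.168.43.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.17
"""

if __name__ == "__main__":
    print(tunnel_report(ROUTES_FULL, "nameserver 10.8.0.1\n"))       # clean
    print(tunnel_report(ROUTES_FULL, "nameserver 192.168.43.1\n"))   # DNS leak to hotel resolver
    print(tunnel_report(ROUTES_SPLIT, "nameserver 192.168.43.1\n"))  # not a full tunnel
```

On a live machine feed it `subprocess.check_output(["ip", "route", "show"], text=True)` and the contents of `/etc/resolv.conf`; run the same check against `ip -6 route`, since an IPv6 default route left on the Wi-Fi interface is a leak the IPv4 table will never show.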
Travel Router
Another option for the road warrior is a personal travel router. Connecting to an untrusted network over a VPN already provides many benefits, but a travel router adds another layer. The travel router connects to the public network just as your computer would, but it then creates a private Wi-Fi network that only your devices join. Other guests on the public network can no longer reach your devices directly, which blocks the casual sniffing and direct attacks described above. Your traffic still crosses the public network on the router’s upstream side, however, so the travel router complements the VPN rather than replacing it, and its private network should use a strong WPA2 (or WPA3) passphrase rather than the factory default.
Authored By: Ryan Strayer