Are You Sure That Laptop is Secured?  - WST

One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops. With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls. Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons. 

When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.” While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.

Application data – Many applications will keep working copies of files, at least in temporary storage. For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files. Think of it as a scratch pad the application uses, which could include almost any content from the file being edited. If the application ends abnormally, that temporary data may accumulate instead of being deleted normally. Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information. 

Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well. These files are usually hidden from the end user seeing them, but they also can contain some sensitive information. Not as likely to include customer data, but these temporary files could provide useful information for a potential attacker as there may be user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.

Deleted files – Wait, how are deleted files a risk? Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information. An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf. Deleting the index listing will make it harder to locate the book, but it will still be there. That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object. There are special applications made for discovering the data from “deleted” files, available to any motivated person.      

Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation. As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive

Intentional – Even when the institution is operating with the best of intentions, it is not uncommon for a rogue individual to intentionally circumvent the rules or inadvertently save files to their desktop. They may only be taking home a file to work on over the weekend, but it is a potential risk, nonetheless.

There is a simple solution, and that is whole disk encryption. Most versions of Microsoft Windows have the functionality built in (BitLocker) and only need it to be configured (by a qualified IT administrator). Whether built-in encryption or another readily available commercial solution is used, implementation will result in well-protected storage on the laptop (this functionality also exists for desktops). If a laptop with encrypted storage is lost or stolen, the institution will be out the value of the device but will have a substantially lower risk of information disclosure. 

Authored by: Jim Baird