Playing it safe
By Kay Ewbank
Kay Ewbank with tips and tools for securing your mobile devices while you’re on the road.
HardCopy Issue: 49 | Found In: Security | Published: 13/09/2010 | Last Revision: 17/09/2010
Most business users, and particularly those of us who are interested in computers and technology, acquire a variety of useful and fun hardware - a nice laptop, a top end mobile phone that can pick up emails, and probably several other bits of hardware too. While we may not be ‘road warriors’, spending most of our working life travelling as part of our jobs, we do like to take our techie toys with us.
However few of us like to think about the consequences of it getting mislaid or stolen. Last week I had to travel abroad, and in the process someone picked up my laptop in airport security and left me theirs instead. Thankfully mine was locked down and encrypted, and needed my fingerprint to activate it. Yes, I’ve lost laptops before. However the one I picked up had no encryption and lots of presumably confidential documents, emails and personal information. While I didn’t go prying, when I did turn it on in an attempt to find out which twit had nicked my machine, it didn’t even ask for a logon password, and from what I could see there was no protection at all.
We’ve all read the stories about laptops left on trains, mobile phones in taxis, USB pens dropped in cafés. The problem is, do you ever consider that next time it might be yours? It’s like being burgled: until it’s happened a couple of times, you don’t really think it’s going to happen to you.
The situation is worse if you have to manage security for other people. This is true whether you’re in charge of keeping the information on corporate laptops or USB drives safe, or if your security remit is limited to the information your family is carrying around on laptops and mobile phones. At least you can issue a formal warning to an employee who doesn’t install anti-virus upgrades; it’s a lot harder to have a formal warning system for your kids or your mum.
There are some things you can do to minimise the risk of losing your mobile devices, but more importantly, there are a range of things you can do to prevent any loss being a disaster. If you know the hardware is insured and the confidential information it contains is secure, then such a loss becomes just an inconvenience. These are our top tips for staying safe.
Secure your logons
If you’re going to carry a computer or mobile phone with data around, then at the very least use a password, and make sure it’s a good one. Having to enter a password is a pain, but it’s less of a pain than knowing you’ve left everything open. Alternatively, choose equipment that has some form of biometric device such as a fingerprint reader, or that needs a hardware key that you keep separate.
If you’re going to use a password, make sure it’s a strong one - at least ten characters and ideally up to fourteen characters long. Microsoft has advice on how to create strong passwords, and a password checker that will tell you if your chosen password is any good, on its Web site at www.microsoft.com/protect/fraud/passwords/create.aspx.
While it’s relatively easy to come up with a set of rules for what makes an acceptable password, making sure other people on the network stick to those rules can be more problematic. Even if you define policies on how frequently passwords must be changed, their minimum length and the inclusion of non-alphabetic characters, people are still naturally lazy.
It’s worth remembering that you can define a Group Policy in Active Directory that enforces a password complexity rule. If you want to make the rule more complex than Group Policy can handle, there are packages that can help enforce your rules and ensure passwords stay strong. For example, Specops Password Policy is a package that lets you set up as many password complexity rules as you want. Password Policy lets you prevent specific words appearing within passwords, bar the use of passwords that have previously been used, and stop usernames from being used as part of the password.
If you want to go further, there are user authentication and password management products to make your users more secure. Aladdin eToken, for example, is a suite of security applications that can be used for both password management and hardware-based user authentication. This allows mobile users to carry a USB hardware token with them: a small security fob that is inserted into the laptop’s USB port. If someone tries to use the laptop without the token, it won’t start.
Encrypt your disks
This is perhaps the most important measure. You can replace hardware, but losing data is disastrous. It’s one of the easier things to guard against as you can encrypt entire disks, including USB disks. There are also products that let you encrypt parts of disks, although this does allow the user to put sensitive material on the non-encrypted portion of the disk. Having part of the disk encrypted also runs the risk that temporary files created by the application may still be available to prying eyes.
With most encryption software, once a system has been turned off, put into hibernation or not used for a certain amount of time, a password has to be entered before the system can be used again. Suitable products include PGP’s Whole Disk Encryption, which gives you a range of encryption options right up to encrypting the entire disk including boot sectors, system files and swap files, and allows you to encrypt USB drives. You can use either keys or passphrases for the decryption, and keys and policies can be managed centrally using PGP’s Universal Server.
DESLock+ from Data Encryption Systems allows you to encrypt the whole drive or just individual folders or files. It includes options for encrypting data on memory sticks or CDs, and has plug-ins for Microsoft Outlook and Lotus Notes for encrypting email. Full disk encryption requires the user to authenticate before the system boots, and takes place transparently without the need for further user input.
BeCrypt DISK Protect is another option. This provides whole disk encryption for both fixed and removable disks. It gives you the choice of authenticating using a password or a password and token, and again this is checked before the system is booted.
One worry about encrypted disks is that if you, or a less competent user, forgets the password, then the machine is unusable. DISK Protect has an administrator option that lets the authorised user, with the help of an administrator, unlock such a machine and log into Windows before changing the password.
Of course, depending on your circumstances, you may not need a separate encryption product. If you’re running either the Ultimate or Enterprise editions of Windows Vista or Windows 7, or Windows Server 2008 onwards, then you can make use of BitLocker. This lets you encrypt all the data stored on the system volume. Once this is done, there are various methods of accessing the information. If the machine makes use of Trusted Platform Module (TPM) hardware, the machine appears just like any other Windows machine to the user: when the machine is turned on, the hardware checks that the boot files look correct, and so long as this is the case the disk is made available to Windows and the user. Alternatively, a PIN code has to be entered before the machine will boot, or you can insist that a USB key be inserted before the machine will start.
A belt and braces approach is to also make use of any encryption options offered by your applications software. Microsoft Office, for example, lets you encrypt documents on an individual basis, allowing you to keep your expenses spreadsheet or the letter applying for a new job under wraps.
Keep data seperate
It’s important to remember that what really matters isn’t the hardware, it’s the information that is stored on the hardware. All of us are guilty of carrying far too much data around just because we can. You may need your laptop when you leave the office, but does it have to contain the entire sales database and other sensitive data? It’s worth looking at whether a subset of data would give you just as much information - if someone only needs the sales figures for one particular customer, then that’s all they should be carrying.
Make sure you audit the information that users are taking with them, and that your security policy states that devices taken outside the security perimeter should only have the minimum data necessary. If data has to be available, put it onto an encrypted USB drive that’s attached to a key fob, or use a secure VPN connection and log in remotely to the corporate servers.
Lock down
If your company has laptops that are being used away from the corporate network then one way to improve security is to limit the applications that are installed and used on the machines, and control what devices they can connect to. SoThin Secure Desktop replaces Windows with a locked-down version that looks the same but only allows the user to make use of the applications and drives you’ve made available. This not only prevents users installing insecure software, but can also be used to ensure no sensitive data is stored on the device, making it less of a problem if it is lost or stolen.
Keep track
One of the main problems for companies is knowing just what mobile devices are being attached to your network. If someone attaches a USB memory stick they could copy data that you would prefer to keep confidential. It’s easy to see what desktop PCs are on your network, but laptops, mobile phones and USB drives are more difficult to track. This makes it more important that you know what you’ve got, who has it, and ideally, where exactly it is.
AuditWizard lets you monitor hardware, mobile and removable devices, and software. It has other uses including the monitoring of software licences, internet activity, and general hardware auditing, but from the viewpoint of mobile security, AuditWizard can be used to track mobile devices including USB drives, smartphones and PDAs. It can show you when such devices are connected to your network and provide information such as the make and model of the devices, its memory configuration, and any files that are stored on it.
Leave it at home
Finally, the best way to keep your hardware secure is not to take it with you when you go travelling. I frequently carry my laptop when I know that in reality I don’t really need it. If you’re going on a business trip, do you really need both a Blackberry and a laptop to check your emails? It turned out that the person who accidentally took my laptop at the airport was going on a family holiday to Greece. I know he never tried turning the laptop on (or his Blackberry) all week, because the frantic efforts made by his company to contact him all failed. So why did he find it necessory to carry both when he was going to spend the week by the swimming pool?
There are times when you need to carry computers, but it’s not actually compulsory. You can just leave it at home.