
Getting a grip

You can’t stop laptop loss altogether, but you can reduce the number that go missing and minimize the damage when they do

By Drew Robb, Special to GCN

Experts have an adage: “Security is a journey, not a destination.” But when the data itself goes on a journey — riding on laptop PCs and BlackBerrys — the destination could be misery for the systems administrator when those devices vanish.

“In the mainframe world, we used to know the limits — a mainframe computer or its terminals didn’t get up and walk around or get lost or stolen,” said Dave Morrow, chief security and privacy officer at Electronic Data Systems, who oversees security for the company’s managed laptop services used by federal agencies such as the Navy-Marine Corps Intranet. “But with laptops, BlackBerrys, iPods and iPhones, there is no definable edge to the network, and most people don’t understand what kinds of sensitive data they have.”

So how does one go about securing laptops?

Inherent insecurity
Losses of laptops containing sensitive data regularly make headline news. In July, a Transportation Department laptop containing personal information on 133,000 Florida residents was stolen from a car in the Miami area.

In January, a Veterans Affairs Department medical center in Birmingham, Ala., lost an external hard drive containing data on 250,000 veterans and 1.2 million health care providers. A Justice Department inspector general audit issued in February found that the FBI lost 2.6 laptops per month during a 44-month period, with at least 10 of the missing laptops containing sensitive or classified information. In May, the Energy Department reported 1,415 laptops missing during a six-year period, about 2 percent of its total inventory.

This article is not about those losses, however. The fact is that laptops will be lost or stolen — as will other mobile devices. Safeware Insurance Agency estimates that 600,000 laptops are stolen or lost annually, with other estimates running as high as one in 10 laptops stolen. And the losses aren’t limited to laptops. According to In-Stat, a business unit of Reed Business Information, 8 million cell phones will be lost this year.

It is possible, however, to reduce the number of laptops that go missing. For example, according to the DOJ IG report, the FBI lost only one-third as many laptops per month in the most recent audit period compared to one conducted in 2002.

“Major breaches of data inevitably make the news; people’s information is potentially put in the hands of ID thieves,” said Robert Siciliano, chief information officer at IDTheftSecurity.com. “People lose their jobs, their reputations, and it makes a big mess that could be prevented just by taking simple proactive and preventive measures.”

So, let’s take a look at steps to take to minimize these losses and reduce the impact when losses do occur.

Knowing what is there
Over the years, a number of best practices have developed regarding laptop security.

Many of these are recognized in the Office of Management and Budget guidelines released in June, “Protection of Sensitive Agency Information” (GCN.com, Quickfind 83) and the July 2007 publication from OMB and the Homeland Security Department titled “Common Risks Impeding the Adequate Protection of Government Information” (GCN.com, Quickfind 829).

Agencies must follow standards and guidance published by the National Institute of Standards and Technology, said OMB spokeswoman Andrea Wuebker. “OMB encourages agencies to contemplate and incorporate best practices regarding prevention of loss and theft of federal information.”

The first step is to have a good idea of exactly what mobile assets an organization has.

“It begins with accountability,” Siciliano said. “Too often, there are laptops being lost or stolen, and possession of them has not been properly accounted for.” As audits routinely show, it is often not even known when a laptop went missing or who had control of it. It just can’t be located right now. An organization must keep an inventory of who has possession of all the laptops and track when they change hands. Policies are required to ensure that oversight of the inventory doesn’t drop off when an employee leaves or is transferred.

“There needs to be a master list and redundancy as to who is paying attention to that list and who is checking up on it,” Siciliano said. But knowing who has the hardware is only the beginning. Even more critical is the data it contains, and Morrow said that users and managers are often clueless as to what is on the laptop.

“While I worry about the physical hardware, I worry much more about the data on the system,” Morrow said. “It might be a $1,500 laptop that gets stolen, but it may have sensitive data that will cost $10 million to remediate.”

The biggest risk
Proper asset management detects when a laptop is missing but doesn’t prevent loss in the first place. No policy or standard replaces the need for vigilance by users. “OMB recognizes job-specific training is necessary for a risk-based approach to security,” Wuebker said. “The memorandum [Common Risks...] requires federal agencies to train employees regarding their respective responsibilities relative to safeguarding federal information on fixed and removable media, including personally identifiable information, and the consequences and accountability for violation of these responsibilities.”

Several agencies issue their own brochures giving best practices for laptop security including common-sense tips such as not leaving the laptop visible on the seat of a car, locking the laptop in a cabinet or desk when left in the office and using a cable to lock the computer to a pipe or table leg.

Low profile
At the airport, travelers should let the line clear ahead of them before putting a laptop into the X-ray machine. You should carry the computer in a plain padded case or put it inside a backpack or regular briefcase rather than carrying it around in what is clearly a laptop case, especially one bearing the manufacturer’s logo. When sitting in a restaurant or other public space, the laptop should remain in contact with the user so it doesn’t get accidentally left behind. If it is placed on the floor, it should at least be between one’s feet. Users also need to make sure they don’t give others access to their portable devices.

“Social engineering [employee negligence] is the biggest mistake,” said Kevin Kalinich, manager of professional risk solutions at Aon Financial Services Group. “Say ‘no’ to unauthorized requests for information and access, including access to offices, cars and any other location where a laptop might be.”

Central control
Vigilant employees are also a good safeguard against many laptop thefts but not a complete solution.

“Carelessness is one of the biggest problems I see,” Morrow said. “People don’t think of their laptop as something people would want to steal.”

The ideal solution, therefore, is to restrict what users can load onto their laptops. If an employee needs to access a database, that data should only be available through a secure connection, rather than loading the entire database onto the laptop. But sometimes there are valid reasons to have a full database loaded on the computer. For example, an auditor visiting a site may need to copy and review data from the target agency’s files.

Then there are the caches and hidden files that the user doesn’t even know exist. “Most managers think that sensitive information is stored away safe and secure on servers,” said security consultant and author Kevin Beaver at Principle Logic. “That’s a dangerous misconception; you could randomly pick any given laptop in any organization and using the right tools, find sensitive information on the local drive in a matter of minutes.”

Kalinich advises implementing centralized policies that take security controls out of the control of users but push updates to the mobile devices as needed.

“Enterprisewide solutions must be implemented, which include a policy-based mobile data security and management solution that protects data on all kinds of portable devices, not just laptops,” Kalinich said. “It takes a large portion of the responsibility out of the hands of the individuals and places it in the capable hands of the IT professionals.”

Portable devices should also be automatically backed up to the servers. This doesn’t prevent data getting into the wrong hands, but it does prevent the loss of that data to the agency and having to spend time recreating or reloading the data.

“That way you are not sunk if your laptop goes missing or breaks,” Morrow said. “None of this is rocket science — it is stuff we have been talking about for years and years, just applied to a different venue.”


