Surviving without fences: the crucial seven layers of effective laptop data security

MyLaptopGPS | mylaptopgps.com


Introduction

These days, there is no fence. Data security used to benefit from the presence of walls or “fences” – the data lived on a server somewhere, with serial terminals attached throughout the building, and that server sat behind physical walls, vulnerable mainly to physical attack. Along came the Internet, and now the data was theoretically accessible from anywhere on Earth – a dream for users and a nightmare for IT security. At least there was still the concept of a “virtual perimeter,” where the network border could be heavily guarded to keep the bad guys out.

But the fences just keep falling. Mobile data-bearing assets now threaten businesses of every size. Never mind the productivity that these devices enable. Laptops, smart phones, PDAs, memory sticks, thumb drives, and portable hard drives let the data literally walk right out the door. Where’s the perimeter?

Responsible organisations respond with policies and procedures to prevent the breach of data on mobile assets or, in many cases, to prevent the data’s presence entirely. But even these responsible organisations face a very powerful foe: themselves. Employees break policies. They either remain ignorant of the rules or simply circumvent them when rules interfere. This makes non-compliant employees easy to fire.

But it doesn’t get the data back, nor the company’s good reputation.

A lethal combination

Mobility is very appealing. Businesses of all sizes are benefiting from it. Employees love it. Data capacity on mobile data-bearing assets continues to skyrocket. This adds even more convenience and permits even more mobility.

From a security standpoint, however, the startling truth is that mobility and capacity combine to form a truly lethal elixir. A single laptop can, and very often does, contain enough sensitive data to make the head corporate attorney swallow his tie, particularly when one single laptop theft can cause business damages in excess of 129,000 euros. It’s like having a mob of armed nuclear bombs with keyboards running around; all it takes is one “problem.” Most of the time, company management does not even realize the data is on these laptops.

Thieves know this. The naïve enterprise assumes the thieves are as ignorant and foolish as we would all prefer, hoping that somehow thieves do not watch the news or see the endless headlines reporting breach after data breach. The smart enterprise knows the truth: conservative estimates peg laptop theft in 2008 at one theft every twelve seconds (2.6 million for the year), and thieves are beginning to understand that the profit to be made merely from reselling hardware is the tip of the iceberg.

Even a laptop free of “sensitive customer data” is chock-full of dangerous internal data: email, business plans, cached passwords, sales figures, CAD drawings, photos – the list is endless. The “My Documents” folder is a treasure trove on a business hard drive.

Alarming numbers

In 2003, worldwide laptop thefts topped one million, according to the FBI. Other statistics show an FBI estimate of 1.5 million thefts in 2004, a hefty 50% gain. In 2006, the Ponemon Institute conducted a study, surveying 480 United States government agencies, which revealed that 80% had lost data via laptops. A full 10% more could not even say whether they had lost data via laptops. Only 10% of the entire field could definitively say that no data breach had occurred due to laptop loss or theft. Government in the UK isn’t doing any better, with CRN reporting that at least 1,000 mobile data devices have been lost or stolen in the last decade, some of which had millions of data records on them. In 2007, the Ponemon Institute conducted another study, commissioned by Redemtech and entitled "National Survey: The Insecurity of Off-Network Security" (now available at Redemtech's website: www.redemtech.com), which found that:

  • 73% of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organisations report limited efforts to manage this vulnerability
  • 62% of study respondents confirm or are unsure if their off-network equipment contains unprotected sensitive or confidential information
  • 70% of data breaches result from the loss of off-network equipment
  • Yet 39% of respondents do not view the management of off-network data-bearing equipment as a critical component of security

It would be great if the theft of a laptop merely cost another 700 euros out of the IT budget for replacement hardware. Instead, the 2002 Computer Security Institute/FBI Computer Crime & Security Survey estimated the actual financial loss of a laptop theft to be $89,000 USD. The 2003 Annual Computer Crime and Security Survey estimated the average loss even higher, at $250,000 USD. Either way, those 700 euros (cost of hardware) will not cover more than the initial consultation fee from the law firm chosen to handle the liability fallout, let alone cover the actual damages.

Data is extremely dangerous – and costly.

Headlines Daily

Consider some real world examples:

  • “More Data Mayhem: MI5 Terrorist Files Disappear After Mini Laptop Is Stolen” (Security ProPortal, October 3, 2008)
  • “Central Gov't Suffers 30 Major Security Breaches” (PC Advisor, June 25, 2008)
  • “Government Laptop Losses: 600 and Counting” (CRN, March 31, 2008)
  • “Lost Laptops, Mobile Devices Account for Most U.K. Data Leaks” (Network World UK, February 26, 2008)
  • “1 in 5 People's Data Stolen So Far in 2007” (Tech Radar UK, April 25, 2007)

The list is already long enough to make the staunchest of skeptics cringe, and grows longer by the hour (over 550 incidents since September 2006 are chronicled at MyLaptopGPS.com).

Perhaps the most well-known case overseas is the U.S. Veterans Administration theft that exposed 26.5 million vets in one single theft. The cost? Consider only the cost of the notification letter: if each could be printed and mailed, postage and handling included, for 0.23 euros, then 26,500,000 × €0.23 = €6,095,000.

This is €6 million just to send a notification letter after one single laptop theft. Considering the cost of credit monitoring services offered initially, and untold other costs, the VA case easily reaches the multiple billions of euros in overall damage, and all this due to one single laptop computer. Just one.

The 7 crucial components of effective laptop security

Before considering the solution to the gaping security hole that is the laptop computer, it is crucial to understand that "the solution" is not singular. It is not a silver bullet. The solution consists of at least seven layers. Every layer has another layer beneath it. If one fails, another reinforces. A savvy enterprise cannot possibly rely on one single layer of protection and expect to secure its mobile IT assets effectively.

But do the seven layers actually work? The answer is a resounding “yes.” The combination of these layers has yielded a real-world average theft rate 32 times lower than without (0.4% compared to 12.5%), for clients of MyLaptopGPS, a provider of technology that implements several of the layers.

1. Begin with a company-wide security policy. The policy should cover how data is used, what data may and may not be carried on mobile devices, what minimal security requirements must be met, and much more. Then, recognise that the policy, while necessary and quite prudent, is also completely useless when, not "if," the policy is broken. Employees break policies much more frequently than employers would like to admit. That is, a company-wide security policy is necessary but is also insufficient by itself.

2. Extend existing security policies to include all third-party contractors. These parties must comply, or must not set foot in the building. An enormous percentage of high-profile laptop thefts center upon third-party contractors (typically financial auditors or consultants) whose security controls are poor. Even organisations with a sufficient security policy often fail to extend the policy, and its enforcement, to third-party contractors with access to data – a very costly mistake.

3. Stop theft before it happens. Visibly marking mobile assets with a clear indication of the security protecting them, and clearly indicating that the assets are uniquely identifiable, is extremely effective. This is why physical premises security companies put a sign on businesses protected by alarm systems. Most thieves simply move on to easier targets. Unmarked targets are a thousand times more attractive to a thief – and there are plenty available to target. Permanent marking on assets is preferable.

4. Record critical information about assets, starting with the serial number. An overwhelming majority of theft reports to police are severely lacking in information, especially serial numbers. Few organisations, and even fewer individuals, record critical information about property and store it in a safe place, off-site. Police recoveries that actually do occur are stymied by a lack of information – the goods are safely recovered yet cannot be matched with their proper owners.

5. Install covert tracking software. This software is designed to run undetected by a thief. It runs invisibly, silently communicating the machine's position (via the Internet) to a tracking service. This "network footprint" has an added advantage of yielding an actual street address – a discrete, specific location (as opposed to arbitrary coordinates), which is typically required in order to obtain a valid search warrant. Virtually all laptops manufactured today include a built-in WiFi network adapter, making it even easier for a user (and a thief) to connect to the Internet via any one of tens of thousands of available WiFi hotspots. Covert network-based tracking software is a very effective, simple, non-intrusive laptop security layer with the advantage of automatic and silent operation that does not rely on end-user compliance. Corporate IT departments breathe a sigh of relief when security can be implemented without relying on forgetful, dilatory, or even negligent employees.

6. Install covert data destruction and recovery software. This critical software allows the remote, covert destruction of sensitive and private data, as well as the recovery of the data (if no proper backup had been made before the theft), even while the stolen laptop is in the hands of a thief. It is the "Big Red Button" that allows automatic destruction of sensitive information regardless of, or prior to, hardware recovery or the apprehension of a thief by law enforcement. Clearly, if the data is worth a million times more than the laptop hardware, it is absolutely critical to destroy that data when it falls into the wrong hands. Sometimes, organisations fail to properly back up their data, and when the laptop theft occurs the organisation faces the actual loss of data, not just a breach of security. Therefore, it is important to have remote recovery capabilities as well as remote destruction capabilities.

7. Employ other physical and offline digital security solutions. Biometric fingerprint readers (some laptop manufacturers offer them as an access/authentication mechanism), security locks and cables (where feasible), and hard drive encryption are all very helpful measures. Hard drive encryption can be an extremely effective tool to stop, or at least slow, a thief. Unfortunately, it can also slow down the legitimate user of the machine, exacerbating user non-compliance rates that are already sky high. It also gives no positive confirmation that the unit has been located and brought back under control. Thankfully, if employed as merely one of a multitude of security layers, the positive aspects can be reaped without a faulty “silver bullet” mentality.

The clock is ticking

A smart enterprise must recognise that today's technology brings enormous benefits, but enormous threats at the same time. The laptop computer is not only one of the most useful and productive business tools, but it is quite arguably the most dangerous, given its large data storage capability and ease of theft. Beyond recognizing the extreme danger, and the current dismal state of most organisations' security, the responsible enterprise must proactively secure its IT infrastructure before the theft occurs by employing a multi-layered security standard.

Copyright (c) 2008 Tri-8, Inc. NOTICE: An adaptation of material contained in this document, the creative work of Tri-8, Inc., was published by the Bank Fraud & IT Security Report. All rights therein reserved.