Perimeter | 8/7/2007 10:00 AM
Assume Your Laptop Will Be Stolen

IT and end users should plan for the worst when it comes to portable data and computing

Another wave of laptop thefts and losses is causing major headaches for enterprises this week. But experts say that in the end, technology can only solve part of the problem. (See Merrill Lynch ID Theft May Affect 33,000 and VeriSign Worker Fired After Laptop, Employee Info Are Stolen.)

Enterprises face plenty of potential downsides when a laptop's lost: public embarrassment, fines, a decline in share price, loss of customers, and damage to the brand name. But none of these possible penalties has stopped employees from losing their laptops -- as the latest headlines will attest. (See Recent Incidents of Data Loss and Boeing Rep Speaks Out on Laptop Thefts & Security.)

In addition to Merrill Lynch and VeriSign, other organizations have checked in during the last 10 days with these losses:

  • August 4: A computer was stolen from Kellogg Community Federal Credit Union with customers' Social Security numbers, names, and addresses.

  • August 3: Computers were stolen from Capital Health, including medical insurance cards, names, addresses, and hospital admission data of 20,000 patients.

  • August 2: Accounting firm E.ON reported a stolen laptop containing employees' SSNs and birthdates.

  • August 2: Two hard drives were stolen from the University of Toledo. The devices contain student and staff SSNs, names, and grades.

  • July 28: A laptop was stolen from Yuba County Child Support Services in California with 70,000 names and SSNs.

New disclosure laws make such headlines a lot more common. Employees leave laptops in plain sight in parked cars, or set their computer bags down in an airport and forget to collect them again. Thieves and hackers target those with the telltale shoulder bags.

While security pros don't discourage continuous training and reinforcement of data handling and laptop policies, they also recognize the limits of "best practices" when protecting laptops, enterprise data, and the hapless user. Negligence can arise out of a moment's distraction, or from fatigue, illness, or inebriation -- all facts of life on the road or outside the office. (See How to Protect Your Precious PC Data: From Physical Security to Encryption.)

What can enterprises do? "A combo of technical and administrative controls will protect you from loss, but also help you keep your legal and regulatory obligations to protect customer data," said Eric Latalladi, CTO for JB Hanauer & Co., a financial services company in Parsippany, N.J.

By that, he means using server-centric applications wherever practical, which keeps company data off laptops.

But Latalladi also encouraged companies and IT departments to assume upfront that any given laptop will be lost or stolen. "Take the backwards approach and consider what data resides on your laptops, how people use them," and how a hacker or identity thief might exploit it, he said. "Work backwards to figure out ways to make it unusable by unauthorized third parties."

That could mean using biometrics-based authentication, or some of the auto-destruct software that corrupts a hard drive when improperly accessed.

Technology's a piece of the data theft prevention model, but there's an important policy and administrative piece too. "People also need to normalize data with regard to SSNs, dates of birth, mothers' maiden names on laptops," Latalladi said. "There's no useful function for that stuff to reside in a localized manner on a laptop. The applications don't need it." IT can create and enforce policies to prevent that sort of sensitive data from being copied or carried off premises.
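Latalladi's point is that identifiers such as SSNs and dates of birth have no business sitting in local files on a laptop, and that IT should enforce that with policy rather than hope. One concrete way to enforce it is to scan a staging directory for such values before its contents are allowed onto a portable machine. The scanner below is an added illustration written for this article, not a tool from JB Hanauer & Co. or Dark Reading; the file layout, the SSN plausibility rules (taken from the Social Security Administration's published structure: area not 000, 666 or 900-999, group not 00, serial not 0000) and the sample text are constructed for the example.

```python
"""Pre-sync check: flag files that carry SSN-like or date-of-birth-like values
so they can be normalized or blocked before they reach a laptop.
Added example; SAMPLE_TEXT and the directory layout are constructed."""
import re
from pathlib import Path

# NNN-NN-NNNN with word boundaries; validity is checked separately below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# A labelled date of birth, e.g. "DOB: 04/12/1970" or "Birthdate = 1/2/1985".
DOB_RE = re.compile(
    r"\b(?:dob|date of birth|birthdate)\s*[:=]\s*(\d{1,2}/\d{1,2}/\d{4})",
    re.IGNORECASE,
)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number shapes the SSA never issues, which cuts false positives
    from order numbers and phone fragments that happen to match NNN-NN-NNNN."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def mask(value: str) -> str:
    """Never echo a full identifier in a report; keep only the last four digits."""
    return "***-**-" + value[-4:]


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every plausible SSN and labelled DOB found."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in DOB_RE.finditer(text):
        hits.append(("dob", m.group(1)))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a directory and map each offending file to its findings."""
    findings = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not crash the whole check
        hits = scan_text(text)
        if hits:
            findings[str(path.relative_to(base))] = hits
    return findings


# Constructed sample input (not real data): one valid SSN, three impossible
# ones that must be ignored, and one labelled date of birth.
SAMPLE_TEXT = (
    "Customer 123-45-6789; bogus 000-12-3456, 666-01-0001, 900-55-1234; "
    "DOB: 04/12/1970"
)

if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE_TEXT):
        print(kind, mask(value) if kind == "ssn" else value)
```

Run `scan_tree("/path/to/sync-staging")` as a pre-sync gate: a non-empty result means the export contains identifiers the laptop-bound application does not need, which is exactly the material Latalladi says should be normalized out rather than carried off premises. The report masks the SSN so the audit log itself does not become a second copy of the data.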

There's also the encryption piece. "Laptops and PDAs are as common as toasters and blenders," said Steve Stasiukonis, VP and founder of penetration testing firm Secure Network Technologies, East Syracuse, N.Y.

He says most of his clients recognize they have to do something a little more potent than a simple logon and password to access laptop data. "My customers know that full-disk encryption is a necessity if they have anything that leaves the office or goes into the field," Stasiukonis said. "They're all worried about recovering data in the event they have to get a machine back to its original state."

Stasiukonis also walks the walk. "I do full-disk encryption on my laptop and carry the [encryption] key on a separate device."
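Stasiukonis' practice, full-disk encryption with the key kept on a separate device, only pays off if every filesystem that holds data actually sits on the encrypted volume; a plaintext data partition alongside an encrypted root is a common gap. The audit below is an added example for this article, not something from Secure Network Technologies; it assumes a Linux laptop using dm-crypt/LUKS and reads the JSON tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints, walking it to find mountpoints with no `crypt` device among their ancestors. `SAMPLE_LSBLK` is a constructed stand-in for that output.

```python
"""Report mounted filesystems that are not backed by a dm-crypt device, from
lsblk's JSON tree. Added example; SAMPLE_LSBLK is constructed, not captured."""
import json
import subprocess

# Constructed sample: root is LVM on LUKS (encrypted), /boot is plaintext by
# design, and a second disk carries a plaintext /data partition.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None,
                 "children": [
                     {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                     {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                 ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/data"},
        ]},
    ]
})


def _mountpoints(dev: dict) -> list[str]:
    """Older util-linux prints a single 'mountpoint'; newer prints a
    'mountpoints' list. Accept both and drop null entries."""
    if "mountpoints" in dev:
        mps = dev["mountpoints"]
    else:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def unencrypted_mounts(devices: list[dict], encrypted: bool = False) -> list[str]:
    """Depth-first walk; a device inherits 'encrypted' from any crypt ancestor,
    so LVM volumes stacked on a LUKS container count as encrypted."""
    found = []
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if not enc:
            found.extend(_mountpoints(dev))
        found.extend(unencrypted_mounts(dev.get("children", []), enc))
    return found


def audit(lsblk_json: str, allow: tuple[str, ...] = ("/boot", "/boot/efi")) -> list[str]:
    """Return plaintext mountpoints, minus those the deployment accepts
    (an unencrypted /boot is normal when the bootloader must read the kernel)."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return sorted(m for m in unencrypted_mounts(tree) if m not in allow)


def audit_live_system() -> list[str]:
    """Run the audit against the machine this script executes on."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(out)


if __name__ == "__main__":
    for mp in audit(SAMPLE_LSBLK):
        print("plaintext filesystem mounted at", mp)
```

On the sample, `/` and swap are ignored because they hang off the `cryptroot` device, `/boot` is on the allow list, and `/data` is reported. Swap matters as much as data partitions: an unencrypted swap device can hold pages of whatever was in memory, including the decrypted contents of the encrypted volume, so a setup like the sample's, with swap inside the LUKS container, is the one to aim for.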

There are plenty of other familiar tactics to safeguard laptop computers:

  • Cabling, locks, and tie-down brackets secure a laptop to a desk or work area. Some even have alarms that sound if the machine is picked up or jarred.

  • Laptop lockers can be used in offices and cars; mobile carts that double as workstations and storage vaults are also on the rise.

  • Tagging external casings or internal components with tamper-proof plates makes it possible to add a barcode or serial number to each PC for inventory and tracking.

  • Tracking and auditing tools can transmit usage data in the event a stolen laptop connects to the Internet, or if an authorized user is engaged in suspicious computing activities.

As Latalladi observes, if you've got dozens of laptop users, eventually someone's going to lose one. There are plenty of technical options to calm IT staff, senior executives, and shareholders when it does occur. "Some kind of technical solution means everyone's going to be a lot more comfortable when a laptop gets lost."

— Terry Sweeney, Special to Dark Reading

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...
