Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Day 15 - Containing the Damage From a Lost or Stolen Laptop

Published: 2008-10-15
Last Updated: 2008-10-16 02:44:12 UTC
by Rick Wanner (Version: 1)
2 comment(s)

 

With disks becoming increasingly large and ridiculously cheap, data is becoming more and more mobile. The ramifications of the loss of that data can be huge. In the recent past there have been large losses of personal and private information in virtually every sector as a result of the loss or theft of laptops. I myself recently received a letter from a banking institution informing me that a laptop computer containing mortgage information had been stolen from the bank that provides my mortgage. To dispell my fears they have added a note to my file at all the credit bureaus. I would rather they would have protected the information properly in the first place.

 

Which brings us to the question of the day...What can be done to contain the damage of a lost or stolen laptop?

Suggestions will be summarized throughout the day!

Thanks to all who responded. The responses seemed to fit into three general categories.

Encryption:

Mark..."There's a simple solution, properly implemented full disk encryption on all laptops and all removable media. Lose the laptop and lose nothing but the laptop with no worries. With the enterprise solutions available today, it's a lot easier and significantly cheaper than it was a few years ago."

Dan..."We use full disk encryption for all laptops used at the Hospital (Hospital-owned and privately-owned)...Under many state laws, the loss of encrypted data on a laptop is not considered to be a breach of private information, provided the encryption/decryption key is not also exposed."

Parth..."BitLocker / EFS / Hardware authentication assisted EFS [point 1.]

Thank you Microsoft (for once) - Data Encryption Toolkit for Mobile PCs Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=1A99576A-FE67-418F-88B1-81E2055FE977&displaylang=en

Also many OEM's offer laptop tracking capabilities we use it in case of L1 (Chief [Department here])

FOR all IT Dept. and / or people with good enough computer knowledge - TrueCrypt and a 40 / 80 Gig partition to store all their data on. Also having an option to enroll into this and helping user get educated and acquainted with TrueCrpt for storing data. "

Drew..."One way to contain damage is to encrypt the drive. The product should to a full partition encryption with a boot-sector replacement that PREVENTS the OS from booting without first getting through the onboard boot agent. These agents usually require a separate password, but some integrate with token FOBs (recommended for 2nd factor). Utilizing encryption after the OS boots is preferable to no encryption of protected data, but can ultimately be defeated through memory analysis, product and OS weaknesses."

Drew..."We also recommend to our users to keep critical business data stored encrypted on removable media, like a USB drive with AES encryption...The guidelines specify to carry the thumbdrive separately from the laptop bag to discourage loss via casual theft."

GaryK..."We use a several different methods. Our primary one is using...encrypted harddrives. After 10 unsuccessful attempts at login, the drive is the locked and cannot be accessed without punching in the insanely long master key."


Laptop tracking/phone home:

Micheal..."While not directly related to containing the damage, there are a couple of opensource (and therefore free) lojack systems available. One such one is from the University of Washington, found at http://adeona.cs.washington.edu/

It purports to have features such as taking pictures of the person using the laptop (Mac OSX for now, hopefully they'll start supporting Windows). It isn't particularly stealthy right now, but it seems to work."

Drew..."Speaking of... We also recommend a phone-home feature on our laptops... This enables the org track a laptop listed as stolen historically, what IP it has, and sometimes perform geo-location. The client should have the ability to reverse-resolve a NAT'd IP by querying a known server on the Internet (like the tracer server). Procedures should be established, verified, and tested to contact and engage law enforcement in a collection action using this system."

GaryK..."there should also be a way to track stolen laptops. This feature should be an "addon" feature to squelch any concens about trageting people while traveling. "

Data restriction

GaryK..."Typically laptops with critical information SHOULD stay at one location and not move too much. Why carry all that information around? Its like having carrying your life saving around in a gym bag. It simply makes no sense. Its better to have a server with the critical info available for corporate people to access than to carry that info around."

Parth..."Also having company data bank ...by allowing user to login to company website (two factor authentication) and allowing them access to their *authorized* data. For this we have pushed out GP that saves all data on the data bank and not locally on the laptop. "

Other ideas:

Elton..."a recent update from the UK Government Centre for the Protection of National Infrastructure at http://www.cpni.gov.uk/WhatsNew/3692.aspx
"How to protect Information Assets from theft and exfiltration by Third Parties and Contractors"

Parth..."Hardware based authentication (Bio and / or smartcards)."

 

 

 

-- Rick Wanner - rwanner at isc dot sans dot org

 

2 comment(s)

Adobe Flash 10 Released

Published: 2008-10-15
Last Updated: 2008-10-15 19:21:37 UTC
by Mari Nichols (Version: 1)
0 comment(s)

Several readers have let us know that the Adobe Flash version 10 was released today.  One of the big advantages of new version seems to be the bug fix with interoperability with Firefox.   You can read about it here.  

As far as the security features, they discuss this on one of their dev pages.  Be sure to take a gander as some of the security changes require action on your part.  Adobe says..... "Some of these changes may require existing content to be updated to comply with stricter security rules. Other changes introduce new abilities that were previously unavailable or restricted by security rules."

You can get the download for version 10.0.12.36 here.

Mari Nichols  iMarSolutions

 

Keywords: Adobe Flash 10
0 comment(s)
Diary Archives