{"id":8879,"date":"2007-03-29T10:01:00","date_gmt":"1999-11-29T20:00:00","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=8879"},"modified":"2007-03-29T10:01:00","modified_gmt":"1999-11-29T20:00:00","slug":"taoiseachs-office-laptop-stolen","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=8879","title":{"rendered":"Taoiseach&#8217;s Office Laptop Stolen"},"content":{"rendered":"<p>The Irish Independent is <a href=\"http:\/\/www.unison.ie\/irish_independent\/stories.php3?ca=9&amp;si=1801630&amp;issue_id=15420\" target=\"_blank\" rel=\"nofollow\">reporting<\/a> (free sign-up required) that a laptop was stolen from the constituency office of the Taoiseach (the prime minister of Ireland).<\/p>\n<p>This story reinforces how important it is to implement roaming device security.\u00a0 I&#8217;ve talked about this sort of thing over and over before but here we go again &#8230;<\/p>\n<p>First, let&#8217;s get something out of the way.\u00a0 Security is the opposite of usability.\u00a0 You must find the right balance between the two.\u00a0 This is not usually a one-size-fits-all policy.\u00a0 I&#8217;m not saying that you should treat every person\/computer differently.\u00a0 That&#8217;s the sort of madness that only overzealous (in)security offices come up with.\u00a0 Create a set of policies that cover a reasonable number of scenarios and clearly document and communicate them.<\/p>\n<p>Physical security cannot be guaranteed for roaming devices, even in your own office.\u00a0 I&#8217;ve known a finance company in London where burglars dressed as cleaners walked past a dozing security guard and walked away with every laptop they had time to find.\u00a0 You can try to use security cables but these can be cut by someone who is prepared.\u00a0 This might not include the casual burglar but anyone targeting your data <em>will be prepared.\u00a0 <\/em>Don&#8217;t think this is realistic?\u00a0 Hah!\u00a0 Aren&#8217;t you naive!\u00a0 If your business data is 
valuable to you then it&#8217;s way more valuable to your competitors.\u00a0 I&#8217;m not saying you need to lock down every roaming device but you might want to consider it for those with critical data.<\/p>\n<p>Any roaming device with sensitive data that cannot be physically secured should be encrypted.\u00a0 Let&#8217;s look at that sentence:<\/p>\n<ul>\n<li>A roaming device is not just laptops.\u00a0 There are laptops, tablet PCs, PDAs and mobile\/cell\/handy phones.\u00a0 Each of these is capable of storing sensitive data.\u00a0 We often think of securing laptops and tablets but we rarely consider the device (the mobile phone or PDA) that is not only the most likely to be used by directors, government ministers, etc. but also the most likely to be stolen or lost.<\/li>\n<li>Sensitive data &#8230; ask a user if they have sensitive data on their PDA or laptop and they&#8217;ll say &quot;No &#8230; I just use it for email&quot;.\u00a0 That there is the most sensitive data.\u00a0 Look at the major corporate lawsuits or political scandals these days and what documentation is being used?\u00a0 Email.\u00a0 What is the only IT business\u00a0application that senior management use?\u00a0 Email.\u00a0 What is used to share most valuable documentation?\u00a0 Email.\u00a0 Anyone using a laptop or PDA for email (which is 99% likely these days) will have a local replica of their inbox and will likely have the attachments (at least the most valuable ones) on local storage.\u00a0 This must be secured.<\/li>\n<li>Passwords are not a long term security solution against a determined attack.\u00a0 If you store files on a machine and secure them or the machine with passwords, PINs, etc, then an attacker can gain access with a few easy steps.\u00a0 Some manufacturers include biometrics but that&#8217;s just another password.\u00a0 A TV show even documented how to bypass this security method.\u00a0 The only solution is to encrypt the data with a strong algorithm to make it 
unreadable to unauthorised users.<\/li>\n<\/ul>\n<p>There are two approaches to encryption:<\/p>\n<ul>\n<li>Encrypt the files: Using something like EFS in Windows.\u00a0 This usually requires some effort on the part of users.\u00a0 It will not secure mail.\u00a0 I don&#8217;t like it because of the reliance on effort on the part of users.\u00a0 I prefer things to be completely automated.<\/li>\n<li>Encrypt the hard disk:\u00a0 This encrypts the entire contents of the mobile device.\u00a0 This is my favoured approach.\u00a0 Access to the device is secured by physical token or a passphrase.\u00a0 There is no bypass like with traditional password protection because the data itself is encrypted.<\/li>\n<\/ul>\n<p>There are plenty of encryption solutions available.\u00a0 Some versions of Windows Vista include BitLocker for complete disk encryption.\u00a0 It&#8217;s OK if you have the right versions and don&#8217;t want to implement a management solution, i.e. for ad-hoc device security.\u00a0 The downsides are the lack of centralised policy, management and passphrase recovery, and that you must know before you build the machine that you want to encrypt the hard disk because it requires a dedicated partition 0.<\/p>\n<p>I prefer a dedicated solution that will offer centralised deployment, policies, passphrase recovery and cross platform security:<\/p>\n<ul>\n<li>Centralised Deployment: From a console, you can deploy your agent to targeted devices.<\/li>\n<li>Centralised Policies: You can deploy a preset collection of well defined and managed policies to devices.<\/li>\n<li>Passphrase Recovery: What do you do when your boss calls at midnight from Tokyo saying that he forgot his passphrase and needs access to his laptop for a business deal?\u00a0 If you can&#8217;t reset their passphrase using\u00a0a cross-verification method then you shouldn&#8217;t count on being around for much longer.<\/li>\n<li>Cross platform support: Remember that you need to secure all mobile 
devices, not just laptops.\u00a0 Using a single solution will simplify deployment and management while minimising mistakes.<\/li>\n<\/ul>\n<p>I like <a href=\"http:\/\/www.safeboot.com\/\" target=\"_blank\" rel=\"nofollow\">Safeboot<\/a> for this sort of thing.<\/p>\n<p>Don&#8217;t forget document security!\u00a0 We often focus on device security.\u00a0 Have you heard of a sales person or manager who is leaving and is caught emailing sensitive documents to their future employer or a personal email account?\u00a0 I have seen it personally &#8230; a few times.\u00a0 No amount of folder permissions or encryption will stop this because these people need access to these files to do their jobs.\u00a0 Could you put them on gardening leave when they hand in their notice?\u00a0 Sure &#8230; but if they&#8217;re clever they&#8217;ll have copied the data before they told their employers about their intentions.\u00a0 The solution here is to implement file level encryption or authentication using something like <a href=\"http:\/\/www.microsoft.com\/windowsserver2003\/technologies\/rightsmgmt\/default.mspx\" target=\"_blank\" rel=\"nofollow\">Windows 2003 Rights Management Services<\/a>.\u00a0 This solution will use a PKI to place encryption on documents or emails so that unauthorised internal or external users cannot read or modify (depending on the security put in place) the document or email.\u00a0 This secures you against employees copying data externally or deliberate\/accidental leaks.<\/p>\n<p>Given enough time with mobile devices on your network, some of them are going to be stolen or lost.\u00a0 You might have a scenario where a sneaky or unhappy employee tries to copy\/leak sensitive data.\u00a0 If you implement the above solutions then you&#8217;ll be able to sit back and watch things, knowing that your organisation is safe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Irish Independent is reporting (free sign-up required) that a laptop was stolen from the 
constituency office of the Taoiseach (the prime minister of Ireland). This story reinforces how important it is to implement roaming device security.\u00a0 I&#8217;ve talked about this sort of thing over and over before but here we go again &#8230; First, &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=8879\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Taoiseach&#8217;s Office Laptop Stolen&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8879","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/8879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8879"}],"version-history":[{"count":0,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/8879\/revisions"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8879"},{"taxonomy":"post_ta
g","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}