Security Advisor

Protect Yourself

When you’re on the road, consider yourself (and your laptop) under the constant threat of attack. Be prepared.

Recently I was attacked while on a business trip. It happened as I was leaving an opera performance. (Even geekoids have to get culture sometimes.) I’d like to say that my lessons in self-defense paid off and, like Jackie Chan, I deftly drop-kicked my assailant; or, like Stallone’s Carter I decked him and then proceeded to punch the dust out of him; or, like Indiana Jones I simply pulled out my hand gun and blew him away. The truth is, I did none of the above. Instead, I did what I had to to get away.

Yeah, I’m fine. Like the saying goes, nothing wounded but my pride. And, after all, some good has come of it. This month’s sermon, er, column is supposed to focus on securing laptops. And it will. But I want you to understand that securing computers that travel is more than technical truisms and Windows 2000 configuration. Securing data as it travels outside your enclave on portable computing devices has two facets: the security of the laptop and its data and the security of the person who carries it.

First Things First
I know you’re eager to adopt strong security policies for your crew of road warriors, and those of you who travel are anxious to know what they are. However, as travelers there are personal safety rules we should follow first. And, as employers, there are instructions, warnings and advice we should be giving our employees. Indeed, we should prioritize the personal safety of our employees higher than that of their laptops. As you prepare your travelers for battle, make sure you give them personal safety rules and tools. I’m not saying you should force self-defense classes on all employees (although that couldn’t hurt), but I am saying all employees should be briefed on how to keep themselves from harm. Oh, I know they don’t want to hear a list of do’s and don’ts — the company isn’t their mother; but I think you can find a way to put the information out there. And where can you get some good traveler’s advice? How about the U.S. National Counter Intelligence Center (NACIC)? This organization works to identify and counter foreign intelligence threats to U.S. national and economic security. It seeks to coordinate the efforts of the FBI, CIA, DIA, NSA, Office of the Secretary of Defense, military services, and departments of State and Energy and draws its employees from these organizations.

NACIC produces a little pamphlet entitled, “Your Passport to a Safe Trip Abroad.” You can obtain any number of copies by visiting its Web site at www.nacic.gov. Most of the information is relevant to travel in this country as well. Also on the site is a link to the State Department’s “Consular Information Sheets” (http://travel.state. gov/travel_warnings.html). These pages include information on the location of U.S. embassies or consulates, health conditions, minor political disturbances, and crime and security information. It offers an excellent resource when you do leave the country.

Tip
The NACIC site also provides information on information warfare videos. These are case studies of hacking events. The current one, “Solar Sunrise,” documents hacks into military sites during the Gulf War and is available from FilmComm Inc. You can purchase a copy for $12.28 by calling (800) 944-9134. I’ve seen this video — be sure to get a copy and use it in your security-awareness sessions.

In addition, the NACIC booklet has some “handy” safety tips, including a few jewels like the following on surviving an airplane crash:

  • “Never release your seatbelt until the plane comes to a complete stop and you have observed your surroundings. If you find yourself upside down, releasing your seatbelt could prove hazardous.”

  • Or, “If the plane breaks apart, consider using the new holes as exits.”

  • And my personal favorites — “Don’t wear high heels — they might puncture escape slides,” and, “Don’t wear nylons — the heat may fuse them to the skin of your legs.” Finally, justification for blue jeans and running shoes!

Evaluate the Threat
No, I don’t think that someone lies in wait to steal my laptop; but I do believe if given the opportunity, someone would. No, I don’t believe I’ll be accosted and asked to surrender it either — well, at least not anytime soon. I also believe that every CEO and any other high-level executive may have someone plotting to steal their laptop. The difference here is one of risk, and there are two.

First, laptops are easy to take and, like car stereos in the ’70s, are perceived as hot items that can easily be changed into cash.

Second, laptops are likely to carry sensitive documents that can be mined for competitive information. The reason we travel with laptops is so we can do our jobs while we’re on the road. The reason our competitors might wish to steal them is to get that information. Why bother infiltrating the castle when the king constantly travels with the jewels?

The question becomes not should you take some steps to secure information that travels on laptops, but how far should you go? If you think some of the steps here go a little far, stop and examine for whom you’re designing security standards and what your experiences have been. Just as you design your network perimeter security based on your knowledge of the raw and wild nature of the citizens of the Net and the type of data you’re securing, you should base your preparations for travelers with your eyes open to knowledge of industrial espionage; information warfare; street crime; and casual, “oh-I’d-like-to-have-one-of-those-so-I-think-I’ll-take-it” ethics of the 21st century.

Give Them Weapons of Choice
Protecting your people and your data doesn’t just require you to provide instructions on avoiding city streets at night. You must arm your road warriors with weapons they can use to fend off technical attacks. Two basic types of protection are available.

Personal firewalls and intrusion-detection programs can be used to protect data exposed when linking to the Internet. Remember, to the traveler, the laptop is both the PC and the boundary between friend and stranger. You wouldn’t think of doing without basic perimeter defenses back at the office, so why would you ignore it now? I’m not advocating making everyone carry a firewall appliance — such as the ones from SonicWALL (www.sonicwall.com) or NetScreen Technologies (www2.netscreen.com) — although that’s my personal choice.

Software-based products exist, so I list a few here. For support purposes, you’re better off standardizing one, providing it free of charge to anyone who asks, and demanding its use by travelers and telecommuters. Some of these items even offer rudimentary intrusion detection, providing reports on just what an attacker is looking at. Jammer from Agnitum (www.agnitum.com) is a software-based intrusion-detection product that notifies you of attacks, alerts you to attempts to change registry entries, and detects and cleans Trojan installations. Some good software-based personal firewalls are Norton Internet security (www.symantec.com); ZoneAlarm, which is free from Zone Labs (www.zonelabs.com); McAfee’s ConSeal PC Firewall (www.signal9.com); and BlackIce Defender from Network ICE Corp. (www.networkice.com).

I suggest you read firewall reviews (you can find some at www.grc.com) and thoroughly test the product before standardizing a personal firewall.

Dress Them in Protective Gear
Next time you have a few minutes at the airport, see if you can pick out who’s carrying the laptops you’d like to steal. Do you imagine hidden treasures in the old lady’s purse or the fat man’s duffel? No, you probably look for the leather laptop bag carried by the well-dressed business executive.

Now, I don’t want you to sacrifice padding, locking cases and waterproof protection that some laptop bags may offer. Nor do I suggest that your users pack their laptops in their luggage, I’m just recommending that — when possible — they not make it all that obvious. Specially outfitted backpacks, those designed to carry laptops, make a good choice.

Good Old-Fashioned Padlocks and
Modern Motion Sensitive Alarms
Locks and alarms should be standard issue. For less than $100 you can purchase lightweight cables, combination locks and motion-sensitive alarms. These products won’t keep the determined theft from grabbing the box, but he’d have to plan the attack. Combinations and loud noises will go a long way toward securing laptops from snatch-and-grab attacks.

Power Stripping
Got your attention, didn’t I? Power surges, incompatible power supplies and digital phone systems won’t allow others to have your users’ data, but they may make it unusable and even force you into shopping for a new laptop. Small, lightweight surge protectors are readily available, as are modem devices that detect whether a phone line is safe or not.

Many of these products are for sale at computer superstores and online retailers.

Exercise Native Strength
We all know that seatbelts save lives. But how many of us wear them? A lot more than used to. Why? Because of national, regional and local campaigns (and laws) to get people to act on that knowledge and to use a simple device that already exists in their automobiles.

Laptops don’t have seat belts, but we usually ignore their safety devices as well. Don’t. There are several security features of Windows 2000 that can protect data on the road; learn how to use them.

Win2K’s Encrypting File System (EFS) allows authorized users (any user with an account on a Win2K system) to encrypt their own files. Files can’t be opened and read, even by other authorized users with Read permission on the file. The advantage here is twofold. First, honest users won’t “accidentally” or casually read files. To read the file, they’d have to either log on as you or as the Recovery Agent. A Recovery Agent account exists to restore the loss of encrypted files due to loss or corruption of encryption keys. A malicious user can boot to another OS and invalidate carefully constructed file permissions, but encrypted files remain encrypted and aren’t available to them. To properly use EFS:

  • Private keys should be backed up.

  • Encrypted files should never be moved to FAT folders (since encryption requires the NTFS file system, files would be decrypted before being placed in FAT). Only the owner of the encrypted file can move it to a location where it would become decrypted.

  • Encrypted files can be backed up by the Win2K backup program. (Don’t use a third-party backup for encrypted files until the backup software has been upgraded to provide this feature). Backed up encrypted files can be copied to FAT volumes and will remain encrypted. Only the encrypted file owner can open the restored encrypted file.

  • Encrypted files shouldn’t be accessed across the network — unless you’ve provided other protective mechanisms. The file will be decrypted and travel over the wire in cleartext.

  • Folders should be marked for encryption — so that merely placing files in the folder will encrypt them. Encryption and decryption are transparent.

  • The temp folder should also be encrypted, or else working with encrypted files may store unencrypted files there.

  • To properly manage EFS for multiple users, install certificate services and replace self-signed EFS certificates with Enterprise CA-issued certificates. Create a Recovery Agent group and policy. The danger with self-signed certificates is the possibility of data loss if user and Recovery Agent keys are lost or corrupt. There’s no ability to add additional Recovery Agents or replace the default Recovery Agent (Local Administrator account on a stand-alone system, Domain Administrator in the domain).

  • An encrypted file can be deleted. Use NTFS access permissions to manage file access and don’t forget to deny Delete capabilities to anyone but the owner of the file.

Virtual Private Networks
If road warriors need to phone home (back to the office) to share data, insist on the establishment of a VPN tunnel. Setting up a VPN server using Routing and Remote Access Services in Win2K is a piece of cake. Client services come built in to Win2K Professional, Windows NT and Windows 9x systems. Make sure to load service packs and hotfixes and teach users how to use the tunnel. Policies on the server side can restrict the who-what-where-when-why of connection, so set the encryption strength and limit network access.

NTFS
It seems silly to bring this up five years after it was introduced, but I’ve found many still don’t understand how to use NTFS permissions properly to control access. Even more important, there are differences in Win2K and NT NTFS permissions — so even those who’ve used NTFS in the past need a refresher course.

Part of the philosophy behind NTFS is the concept of discretionary access — the owners of the files can set permissions on them. While most administrators, myself included, prefer to set file permissions for our users, folks on the road are far away from our support. They need to (and will be able to) change file permissions on the files they create — so how about training them how to do so properly? You can set systems file permissions, or keep those installed by default, and protect them with Group Policy and/or Security Analysis and Configuration. But remember, users, or users’ bosses, are the closest to knowing what should be protected in a given realm. Ask them.

Security Templates and Group Policy
Use Security Configuration and Analysis to create a special template for your travelers. Carefully review the existing templates and modify one to suit your security policy. Some recommendations:

  • Set additional restrictions for anonymous connections. Don’t allow enumerations of SAM accounts and shares.

  • Include a message text for users logging on.

  • Rename the Administrator and Guest accounts.

  • Don’t allow installation of unsigned driver installation behavior.

  • Don’t allow installation of unsigned non-driver installation behavior.

  • Use event logs.

  • Retain security logs for longer than seven days.

  • Bump up the size of the logs.

  • Add registry keys, key settings, file folders and permissions settings as appropriate to your customized systems.

If this laptop is a member of a Win2K domain, you can further customize traveling laptop security by placing all laptops in special Road Warrior Organizational Units and creating a Group Policy for these users. You can import this custom security template into the GPO for the OU and further enhance security using other Group Policy settings.

Supplement this enterprise Group Policy by creating a local Group Policy. When users are on the road and can’t get domain-wide GPO updates, the local Group Policy will ensure appropriate settings are maintained. Don’t forget to set Group Policy items that prevent updating of Group Policies when users log in online. Import the security template into the local Group Policy. Other sections of local Group Policy, such as administrative templates, can be used to limit user choices. You’ll want to investigate things like removing access to the Control Panel, preventing users from resetting Internet Explorer configurations, and so on. To manage local Group Policy from the RUN window (Start | Run), enter:

mmc c:\winnt\system32\gpedit.msc

This opens the two nodes of configuration: computer and user. Take a sharp look at administrative templates and set your controls wisely.

Disable Infrared Data Association
IrDA provides the ability to transfer files via infrared — with no cables, NIC cards or 3.5-inch disks required. It’s the best of things, and the worst. It’s good because many files are too large for 3.5-inch disks and many travelers don’t carry floppy drives. It’s bad because copying files to another laptop doesn’t require the person copying the file to have any permission on the receiving machine. The receiver does get a warning window that asks if he or she wants a file from the sender, but it’s a simple OK-type choice. If users don’t understand or are working quickly, they might click OK to get rid of the message and receive a Trojan horse or virus without warning. To prevent this, visit the Wireless Link applet in Control Panel and uncheck the line, “Allow others to send files to your computer using infrared communications.” If it becomes necessary to copy a file, it’s easy to enable infrared through the same applet.

A Few Travel Tips from the NACIC

Getting ready for your trip:

  • Confirm lodging and travel reservations.
  • Obtain travelers checks.
  • Leave a copy of an itinerary with a relative or close friend.
  • Take information on your health coverage.
  • Learn about the places you plan to visit. Familiarize yourself with local laws and customs.
  • Make sure you have all official documents (driver’s license, passport and so on).
  • Designate someone your family can call in case of an emergency.
  • Carry an extra pair of eyeglasses and extra necessary medication (along with a copy of the prescription and the generic name of the drug) in your carry-on luggage. Keep medications in original containers.
  • Avoid inviting crime by dressing inconspicuously and blending into your environment. Avoid the appearance of being wealthy. Consider not taking, or not wearing, any jewelry.
  • Use a closed nametag, one that keeps personal information concealed from casual observation.
  • Don’t display company logos on your luggage.
  • Make copies of your driver’s license, credit cards and passport. Keep this information separate from the originals (this can speed the replacement process should documents be lost or stolen).
  • Also take personal and medical information such as phone number of relatives, insurance policy numbers and phone numbers of credit card companies to report loss or theft.

During your trip:

  • Never leave your wallet, purse or luggage unattended.
  • Know the location of emergency exits.
  • Don’t agree to carry a package for a stranger.
  • Keep your distance from unattended luggage.
  • Exit the airport as soon as possible.
  • Travel in a group whenever possible.
  • Be conscious of surroundings and avoid areas that you believe may put you at personal risk.
  • Don’t flash large sums of money.
  • Be alert for surveillance — who’s paying attention to you?

Train Everyone
If you’re going to do battle, train your troops and keep them in training when they’re not on the battlefield.

Security is everyone’s business. You can’t possibly protect your children from the big, bad world unless you help them protect themselves. Give them everything from security awareness (what can happen out there) to the how-to of using the tools and weapons you’ve so thoughtfully supplied. After all, what good is a firewall and intrusion-detection system if users turn it off because they’re annoyed by all of those warning notices and beeps? Of what use is file encryption if users leave their systems logged on?

Require users to take normal precautionary measures like the following:

  • Locking laptops to hotel room furniture when leaving the room.

  • Carrying laptops in carry-on luggage.

  • Sliding laptops under the airplane seat rather than putting them in the overhead compartments.

  • And consider asking them to make the following extra precautions as much a part of their daily routine as deodorant and happy hour:

  • Locking laptops to podiums during presentations.

  • Not leaving laptops unattended in conference rooms or hotel meeting rooms.

  • For extra security, moving sensitive documents entirely from the laptop onto a 3.5-inch disks or Zip drive and keeping it on their person at all times. Files won’t fit on removable media? Teach them how to remove the laptop hard drive to keep with them at all times.

  • Reporting incidents involving attempts at computer access or theft.

  • Inquiring about data ports in hotel and meeting rooms. Many hotels use digital phone systems, so travelers should request an analog port. Better yet, purchase them a device that can detect the nature of the port and only use “safe” ports.

  • Purchasing and using protective computer cases. Cases should provide padding and be moisture-proof.

  • Purchasing protective computer cases that are easy on the back. Invest in cases that can roll.

  • Logging on using a domain account. Cached logons will allow this. Encrypted file keys are kept in user profiles; files encrypted with a local logon account won’t be accessible to the user’s domain account.

  • Using virus software and keeping it updated. (You may offer this service through a connection to corporate lines if licensed to do so and make the updates transparent to the user.)

  • Keeping systems patched.

  • Whenever possible, not leaving the computer in a hotel room. When they must, they should lock it and set alarms.

  • If possible, placing sensitive data on a 3.5-inch disk, not on the computer, and keeping the disk separate from the systems.

  • When it’s not possible to take the computer, locking it to something in the hotel room. The traveler should also remove the hard drive and carry it or keep it in the hotel safe.

If you and your fellow road warriors can follow these simple rules, you should be able to make the next trip a safe one. I hope I’ve stimulated some thoughts that’ll help you develop your computer security and travel policies in a manner that’ll protect not only traveling data, but travelers as well.

Meanwhile, if someone who mumbles, “Your laptop or your life,” accosts me on the street, I’m throwing my laptop in one direction and running in the other.

comments powered by Disqus
Most   Popular