Basic Security
Choose a secure operating system and lock it down
An operating system that is secure and offers a secure logon, file level security, and the ability to encrypt data should be used. A password is considered a single-factor authentication process, but for enhanced security, commercial products can be used that change the access to a two-factor authentication. This can be achieved, for example, by using a password and an external device that must be plugged into the USB port. If such a device is used, it should meet federal standards.
Enable a strong BIOS password
The basic input/output system (BIOS) can be password protected. Some laptop manufacturers have stronger BIOS protection schemes than others. In some models, the BIOS password locks the hard drive so it cannot be removed and reinstalled into a similar machine.
Asset tag or engrave the laptop
Permanently marking (or engraving) the outer case of the laptop with a contact name, address, and phone number may greatly increase the likelihood of it being returned if it is recovered by the authorities. A number of metal tamper-resistant commercial asset tags are also available that could help the police return the hardware if it is recovered. Clearly marking the laptops may deter casual thieves.
Register the laptop with the manufacturer
Registering the laptop with the manufacturer will flag it if a thief ever sends the laptop in for maintenance. The laptop's serial number should be stored in a safe place. In the event the laptop is recovered, the police can contact you if they can trace it back to your office.
Physical Security
Get a cable lock and use it
Over 80% of the laptops on the market are equipped with a Universal Security Slot (USS) that allows them to be attached to a cable lock or laptop alarm. While this may not stop determined hotel thieves with bolt cutters, it will effectively deter casual thieves who may take advantage of users while their attention is diverted. Most of these devices cost between $30 and $50 and can be found at office supply stores or online. However, these locks only work if tethered properly to a strong, immovable, and unbreakable object.
Use a docking station
Many laptop thefts occur in the office. A docking station that is permanently affixed to the desktop and has a feature that locks the laptop securely in place can help prevent office theft. If a user is leaving the laptop overnight or for the weekend, a secure filing cabinet in a locked office is recommended.
Lock up the PCMCIA NIC cards
While locking the laptop to a desk with a cable lock may prevent laptop theft, a user can do little to keep someone from stealing the Personal Computer Memory Card International Association (PCMCIA) Network Interface Card (NIC) or modem that is inserted into the side of the machine. These cards can be removed from the laptop bay and locked in a secure location when not in use.
Use a personal firewall on the laptop
Once users connect to the Web from home or a hotel room, their data are vulnerable to attack, as firewall protection provided in the office is no longer available. Personal firewalls are an effective and inexpensive layer of security that can be easily installed. It is recommended that a third-party personal firewall be used to secure workstations.
Consider other devices based on needs
Since laptop use has become common, as has laptop theft, a variety of security-enhancing devices are now available. Motion detectors and alarms are popular items, as are hard drive locks. Biometric identification systems are also being installed on some laptop models, which allow the fingerprint to be the logon ID instead of a password. Cost, utility, and risk need to be taken into account when considering additional devices.
Preventing Laptop Theft
No place is safe
Precautions need to be taken with a laptop regardless of location, as no situation is entirely without risk. As discussed previously, the laptop should always be secured by using a cable lock or secure docking station.
Use a nondescript carrying case
Persons walking around a public place with a leather laptop case can be a target. A formfitting padded sleeve for the laptop carried in a backpack, courier bag, briefcase, or other common nondescript carrying case may be safer. If a person is traveling in airports and train stations, small locks on the zippers of the case (especially backpacks) can be used (when not passing through security checkpoints) to prevent a thief from reaching into the bag.
Beware of distractions
Business travelers often use cell or pay phones in airports, restaurants, and hotel lobbies. Care needs to be taken that a laptop set down on the floor or a nearby table is not stolen while someone is engrossed in a telephone conversation.
When traveling by air
Sophisticated criminals can prey on travelers. When carrying a laptop, travelers need to use caution to safeguard it. When a person sets a laptop bag down for a minute to attend to other things, there may be a risk of theft. Always be aware of your surroundings because a thief could be waiting for that moment of distraction to grab a laptop (or other valuables).
When traveling by car
When transporting a laptop, it is safer to rent a car with a locking trunk (not a hatchback/minivan/SUV). Regardless of vehicle type, laptops should never be visible from outside of the car. Even when the laptop is in the trunk, the cable lock can be used to secure the laptop to the trunk lid so it cannot be taken easily.
While staying in a hotel
The hazards of leaving valuables in hotel rooms are well documented, and professional thieves know that many business travelers have laptops that can be resold. If a user keeps the laptop in the hotel room, it can be securely anchored to a metal post or fixed object.
Make security a habit
People are the weakest link in the security chain. If a person cares about the laptop and the data, a constant awareness of potential risks will help keep it safe. The laptop should always be locked up when it is not being used or is in storage. (A cable lock takes less time to install than it does for the PC to boot.) Use common sense when traveling and maintain physical contact with the laptop at all times. If a person is traveling with trusted friends or business associates, take advantage of the buddy system to watch each other's equipment.
Protecting Sensitive Data
Use the New Technology File System (NTFS) (proprietary to Windows operating systems)
Assuming a user has Windows NT/2000/XP on the laptop, use the NTFS to protect the data from laptop thieves who may try to access the data. File Allocation Table (FAT) and FAT32 file systems do not support file-level security and provide hackers with an opening into the system.
Disable the guest account
Always double check to make sure the guest account is not enabled. For additional security, assign a complex password to the account and completely restrict logon times. Some operating systems disable the guest account by default.
Rename the administrator account
Renaming the administrator account will stop some hackers and will at least slow down the more determined ones. If the account is renamed, the word 'Admin' should not be in the name. Use something innocuous that does not sound like it has rights to anything. Some computer experts argue that renaming the account will not stop everyone, because some persons will use the Security Identifier (SID) to find the name of the account and hack into it. The SID is a machine-generated, nonreadable binary string that uniquely identifies the user or group.
Consider creating a dummy administrator account
Another strategy is to create a local account named 'Administrator', then give that account no privileges and a complex 10+ digit password. If a dummy administrator account is created, enable auditing so a user knows when someone has tampered with it.
Prevent the last logged-in user name from being displayed
When a user presses CTRL+ALT+DEL, a login dialog box may appear that displays the name of the last user who logged into the computer. This can make it easier to discover a user name that can later be used in a password-guessing attack. This action can be disabled by using the security templates provided on the installation CD-ROM or via Group Policy snap-in. For more information, see Microsoft KB Article Q310125.
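The account and logon-screen settings described above can be checked with a short script. The following is an added example, not part of the original guidance. It assumes a current Windows release with Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) and an elevated prompt; the function name is hypothetical. It locates the built-in accounts by their fixed relative IDs (500 for Administrator, 501 for Guest), which is also why a rename alone does not hide the account from someone who reads the SID.

```powershell
# Added example: audit the local hardening steps from this section.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.
function Test-LaptopAccountHardening {
    $findings = @()
    $users = Get-LocalUser

    # Built-in accounts keep fixed RIDs even after a rename.
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is enabled"
    }
    # -match is case-insensitive, so 'Admin', 'admin', 'SysADMIN' all hit.
    if ($admin -and $admin.Name -match 'admin') {
        $findings += "Built-in administrator is still named '$($admin.Name)'"
    }

    # A decoy is an account called 'Administrator' that is NOT RID 500.
    $decoy = $users | Where-Object {
        $_.Name -eq 'Administrator' -and $_.SID.Value -notlike '*-500'
    }
    if (-not $decoy) {
        $findings += "No dummy 'Administrator' account exists"
    } else {
        # S-1-5-32-544 is the built-in Administrators group.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
        if ($members.SID.Value -contains $decoy.SID.Value) {
            $findings += "Dummy 'Administrator' account has administrator rights"
        }
    }

    # Policy value that hides the last logged-in user name at logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name DontDisplayLastUserName `
        -ErrorAction SilentlyContinue
    if (-not $prop -or $prop.DontDisplayLastUserName -ne 1) {
        $findings += 'Last logged-in user name is shown at logon'
    }

    # FAT/FAT32 volumes cannot carry file-level permissions.
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady -and $_.DriveFormat -like 'FAT*' } |
        ForEach-Object { $findings += "Volume $($_.Name) uses $($_.DriveFormat), not NTFS" }

    return $findings
}

Test-LaptopAccountHardening
```

An empty result means none of the checked weaknesses were found; each returned string names one setting to correct.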
Enable EFS (Encrypting File System) in Windows operating systems
Some operating systems ship with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing the files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on folders, not just files. All files that are placed in that folder will automatically be encrypted.
Disable the infrared port on a user laptop (if so equipped)
Some laptops transmit data via the infrared port on the laptop. It is possible for a person to browse someone else's files by reading the output from the infrared port without the laptop user knowing it. Disable the infrared port via the BIOS, or, as a temporary solution, simply cover it up with a small piece of black electrical tape.
Back up the data before a user leaves
Many organizations have learned that the data on the computer is more valuable than the hardware. Always back up the data on the laptop before a user does any extended traveling that may put the data at risk. This step does not have to take a lot of time, and a user can use the built-in backup utilities that come with the operating system. If the network does not have the disk space to back up all of the traveling laptop user's data, consider personal backup solutions including external hard drives (flash sticks), CD-Rs, and tape backup, all of which can also be encrypted.
Consider using offline storage for transporting sensitive data
Backing up the hard drive before users leave can help them retrieve the data when they return from a trip, but it does not provide an available backup of the data when they are out in the field. Several vendors offer inexpensive external storage solutions that can hold anywhere from 40 MB to 30 GB of data on a disk small enough to fit easily into the pocket. By having a backup of the files users need, they can work from another PC in the event that their laptop is damaged or missing. Most of these devices support password protection and data encryption, so the files will be safe even if a user misplaces the storage disk. When traveling, users should keep these devices with them, not in the laptop case or checked baggage. For additional security, lock or encrypt the files and have them sent by a courier service to the destination hotel or office.