LAPTOP SECURITY

<div align="justify">

Laptop security can be broken down into three phases: physical security, access control/authentication and tracking/recovery. But the biggest challenge may be changing users' attitudes and habits.

It's been more than a year since an unattended laptop disappeared from the U.S. Department of State's Washington, D.C., headquarters. Two top-level administrators were fired and four others received career-ending reprimands for losing a notebook computer that contained sensitive nuclear weapons proliferation data. Despite an intensive investigation and a $25,000 reward, the FBI has been unable to recover the missing laptop.

The State Department administrator who had his laptop stolen in a crowded conference room was doing nothing different from what thousands of executives do every day: hauling a notebook computer from appointment to appointment. But these portable devices, rich in computing power and communications capabilities and often loaded with sensitive data, are big targets for opportunistic thieves and industrial spies.

Laptop theft is a huge problem, according to security industry and insurance company statistics. Safeware (www.safeware.com), an Ohio-based insurance firm specializing in PC policies, reports that nearly 320,000 laptops valued at $800 million were stolen in 1999, a 5 percent increase over the previous year. The trend is mirrored by the expansion of the laptop security market, with some manufacturers reporting 40 to 50 percent annual growth rates.

"Criminals are definitely targeting laptop systems, especially systems that cost more than $3,000," says Brian Haase, a commercial marketing manager for Safeware. Haase says that in 1999, notebook computers accounted for 88 percent of Safeware's total computer theft claims, compared to 53 percent in 1997. As in most computer-related crimes and security breaches, insiders (regular staff, temporary workers and contractors) are at least partially responsible for many notebook computer thefts. "About 40 percent of the systems stolen occur when a person is in the office," says Courtney Celi of lock manufacturer Kryptonite (www.kryptonitelock.com). "Many times it's co-workers who are taking the computers."

Few bandits are interested in the digital treasures contained on the laptop hard drives; they just want the quick profit from selling the devices on the black market. There are plenty of buyers out there searching for the power and convenience of a laptop at a bargain basement price.

If anything, the software loaded on a stolen device enhances the machine's value, while the personal and business files have little practical use to end recipients. This is not to say that industrial spies and enterprising thieves do not seek out the digital bounty held in these portable boxes. Should a notebook bandit sneak off with the right laptop, he could find himself in possession of proprietary secrets, confidential product development information or sensitive financial data. The value of the information depends on how much the victim's corporate rivals are willing to pay for a competitive advantage, or how much the thief can extort for the information's return.

One of the biggest non-technical problems involved in securing laptops is the mindset of the laptop owners themselves. It's common for CEOs and other corporate higher-ups to assume their communications and files aren't interesting to anyone but themselves. So why go to extreme measures to protect them?

While there's no changing the elements that make laptops easy to steal (and altering CEOs' mindsets may prove even more difficult), there are several ways to physically and electronically secure these devices. Locking down the laptop can be approached in three phases: pre-theft physical security; post-theft access control to protect against unauthorized access to sensitive files and information; and post-theft tracking devices that help in recovery.

Physical Security

Vendors have crafted a variety of physical security devices that diminish the threat of laptop thefts. Many of these products tie a system down to a heavy object, such as a desk or workstation, so a thief can't simply pick it up and walk away. Other manufacturers offer alarms and sensors for alerting users that someone is tampering with their notebook computers. These devices are designed to stop the opportunistic thief: someone who is not a criminal, but seizes on the chance to get a free laptop.

Cable locks. Retailing for $40 to $50, laptop cable locks are similar to the locks used on bicycles. A steel clip provided by the manufacturer is installed on a security slot, either on the back or side of the laptop. A steel cable is threaded through the clip and wrapped around an immovable object, such as a desk leg or support pole. If the laptop does not contain a security slot or the desk does not provide a location for suitable anchorage, special adhesive pads containing an anchorage slot are available. The two ends of the cable are secured with a padlock.

Different versions of cable locks are manufactured by Anchor Pad International (www.anchorpad.com), Kensington (www.kensington.com), Computer Security Products (www.computersecurity.com), PC Guardian (www.pcguardian.com), Targus Group International (www.targus.com) and Kryptonite, among others.

While inexpensive and easy to use, many cable locks are easily defeated with tools from any hardware store. "Any thief with a bolt cutter can break the cable and then walk off with a laptop system," says PC Guardian president Noah Groth.

Cable locks are most effective when used in the office or home, where computers are rarely moved. But laptop owners still have to use them if they're to have any effect. Laptop thieves often target conventions and conferences because laptop owners feel comfortable in a group of their peers, particularly in instances when they're using the same conference room for two or three days straight.

Even if the conference center or convention floor has a convenient place to attach a cable lock, users have a tendency to use the locks less and less the longer they're in any one location. Maybe they'll use them during coffee or bathroom breaks during the first day or two, but as they get more comfortable with their surroundings, they tend to get lax. This is when opportunistic thieves make their rounds. The lesson is, it's important to help users make laptop locking a routine part of setup and operation, as routine as plugging it in and booting it up.

Alarms and motion detectors. These devices are more sophisticated physical security measures that alert owners when someone tampers with or tries to move a laptop. Products range from simple motion detectors, to sensors that detect the unplugging of cables, to high-pitch sirens that sound similar to car alarms.

An alarm system offered by TrackIT (www.trackitcorp.com) is basically a proximity device. A transmitter installed in or attached to the laptop case maintains continuous radio contact with a mobile receiver carried by the user. If the laptop is moved beyond a set distance from the user, an alarm sounds on the laptop and the mobile unit alerts the owner.

Targus offers the Defcon family of alarm units, which are basically cable locks with alarms. Defcon I is a sensor circuit that sounds an alarm if anyone breaks the security loop on the laptop or cuts the cable lock. Defcon III is essentially the same unit, except it emits a warning tone when the notebook is moved slightly and a louder alarm if movement continues.

Minatronics (www.minatronics.com) has developed a fiber optic alarm system that acts similarly to Targus's cable sensor. A fiber optic cable is passed through a security tab or any available opening on a laptop and is anchored to a stationary monitoring unit that sends continuous light pulses through the line. An alarm sounds immediately if the pulses are interrupted.

Where cable locks are designed to stop the opportunistic thief, alarms and motion detectors are intended to make a laptop bandit so conspicuous that he or she aborts the crime. Since thieves don't want to draw attention to themselves, they'll likely drop a computer rather than risk getting caught. Sure, the laptop will probably sustain some damage in the process of being discarded, but at least its digital contents won't be compromised.

Access Controls and Authentication Applications

While cable locks and motion detectors will deter physical theft, owners must still consider barriers to disable or make their laptop inaccessible should it fall into the wrong hands. Most laptop computers were designed with basic access control features, including an easily defeated BIOS password system (for a technical discussion, see www.heise.de/ct/english/98/08/194). But these password systems have limited effectiveness, since users will often choose easily cracked PINs and will not perform proper maintenance. On the other hand, organizations with stringent security policies are often burdened by the increased number of calls to their help desks by users who forgot their constantly changing and difficult-to-remember laptop passwords.

Traditionally, multiple form-factor authentication applications have been confined to high-security desktop client/server networking environments and, more recently, in single workstation/multiple user environments (such as hospital nursing stations or manufacturing floors). Today, several applications combining "something you have" with "something you know" have been ported to the laptop environment.

Smart cards are still used sparingly in laptop environments. Few, if any, laptops have built-in smart card readers, though vendors such as SPYRUS (www.spyrus.com) manufacture portable serial port readers. More conveniently, digital certificates and other identifying credentials can be stored on Universal Serial Bus (USB) tokens from vendors such as SPYRUS, Rainbow Technologies (www.rainbow.com) and Aladdin Knowledge Systems/eSafe (www.ealaddin.com). While older laptops may not be USB-compatible, most notebooks (and PCs) manufactured after 1998 include USB ports.

Authentication tokens such as the SecurID from RSA Security (www.rsasecurity.com) and the DigiPass line from Vasco (www.vasco.com) are common in remote-access environments. (Similar remote log-in tools are offered by CRYPTOCard (www.cryptocard.com).) These tokens remotely synchronize with back-office authentication servers (RSA's is called the ACE/Server) to provide users with one-time passwords. However, while ideal for secure network authentication from a laptop or other portable computer, these devices do little to secure the laptop's otherwise unprotected hard disk from the peering eyes of a dedicated adversary.
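The time-synchronized one-time-password check described above, as an added example that is not from the original article or any vendor's code. It uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238) as a stand-in, since the article does not describe the tokens' own algorithms; the `AuthServer` class, the 60-second step and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60        # seconds each displayed code is valid (assumed)
DIGITS = 6       # code length (assumed)
DRIFT_STEPS = 1  # steps of token/server clock drift tolerated either way


def otp_at(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical back-office verifier that holds each token's seed."""

    def __init__(self):
        self.seeds = {}      # user -> secret shared with the token
        self.last_used = {}  # user -> last accepted counter (replay guard)

    def enroll(self, user: str, secret: bytes) -> None:
        self.seeds[user] = secret
        self.last_used[user] = -1

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self.seeds.get(user)
        if secret is None:
            return False
        current = int(now) // STEP
        # Accept the current step plus a small window for clock drift.
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter <= self.last_used[user]:
                continue  # this step or an earlier one was already consumed
            if hmac.compare_digest(otp_at(secret, counter), code):
                self.last_used[user] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC 4226 test key)
    server = AuthServer()
    server.enroll("alice", seed)
    token_code = otp_at(seed, 1)    # token clock is one step behind the server
    print(server.verify("alice", token_code, now=120))  # accepted within drift
    print(server.verify("alice", token_code, now=125))  # same code replayed
    print(server.verify("alice", otp_at(seed, 5), now=130))  # outside window
```

The seed must exist on both the token and the server, so the server's seed store needs the same protection as a password database.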

Biometrics provides another means for blocking access by only allowing users who authenticate their identity with their physical characteristics, such as fingerprints, voice patterns or retina scans. All biometrics systems work basically the same way: A user scans his or her identifier with a capture device, which stores the pattern in a database. To access data, the user presents his or her identifier, and the biometrics system will grant him or her access if it matches the stored pattern. Unlike passwords or tokens, biometrics identifiers are extremely difficult to duplicate, crack or exploit through a replay attack.

The first biometrics units were expensive and designed primarily for desktops, but the expanding security market and improved technology have made biometrics affordable for portable devices. Using scanners hooked into peripheral or USB ports, built-in laptop microphones and even laptop cameras, finger-, face- and voice-recognition biometric vendors have made strong inroads into the laptop authentication market. For instance, the U.are.U security system, manufactured by Digital Persona (www.digitalpersona.com), uses a USB-compatible sensor to capture fingerscans.

Perhaps the most interesting biometric applications for laptops combine multiple biometrics for added security. For example, Keyware's Layered Biometric Verification (LBV) system (www.keyware.com) combines spoken passphrases with optional fingerscanning. The beauty of LBV is that it operates in "thin-client mode," eliminating the need for client-side readers or software to store credentials and protocols. Using the LBV toolkit, developers can customize a Java- or ActiveX-based applet, which is presented to users requesting access via a Web browser to a secured page or application. Once enrolled, the user enters his or her ID/passphrase and, using the built-in microphone on most laptops, speaks a designated passphrase. The toolkit will extract voice-print minutiae from the passphrase and transmit them along with the ID/PIN to the NT-based LBV authentication server. The server then compares the data to stored credentials, and permits or denies access to the requested page or file. The toolkit's applet can be configured to sense whether or not the client has a fingerprint reader installed, and if so, to require fingerprint verification by itself or in conjunction with a voiceprint.

Other systems combine a single biometric with a hardware device. Trinity, a system produced by American Biometric Company (www.abio.com), offers optional packages that bundle biometrics with smart cards, tokens and password applications for multifactor authentication. Ethentica (www.ethentica.com) offers a fingerprint verification system on a swappable Type II PCMCIA card, called the Ethenticator MS 3000.

While two-factor authentication applications are designed to keep the bad guys out, data encryption systems protect information stored on computers should other access control mechanisms be defeated.

In addition to traditional data encryption and digital signature software from companies such as PGP Security (www.pgp.com), F-Secure (www.f-secure.com), RSA Security and PC Guardian, several vendors are offering notebook encryption hardware via PCMCIA cards. For instance, Global Technologies Group (www.gtgi.com) offers the CryptCard, a Type II PCMCIA card with Triple-DES hard-disk encryption capabilities. In addition, OS-specific encryption applications, such as the Windows 2000 Encrypting File System (EFS), are growing in popularity in laptop environments.

Tracking Systems

Luck, until recently, was the determining factor in recovering stolen laptops. Thieves could unload or use machines with near impunity because there was little chance of getting caught. But a new generation of technology is providing users with the ability to track stolen notebook computers. Similar to the LoJack vehicle retrieval system, alarm and tracking software residing in an undetectable file on the hard drive will periodically contact a monitoring service via the Internet. The service verifies the missing computer's location, which is generally sufficient for police to obtain a search warrant.

Through its monitoring center, CompuTrace (www.computrace.com) routinely updates its security application running on subscribers' laptops with new call-in schedules. Should a machine be reported stolen, the system will be programmed to shorten the time between calls, which allows for a faster trace and recovery. Similarly, Lucira Technologies (www.lucira.com) markets Secure PC, an application that traces stolen laptops once they're connected to the Internet. The company's monitoring center will notify the local police of the laptop's location and even provide them with a map. The company plans to improve future versions by offering data and file retrieval without the thief's knowledge. It will not, however, wipe the hard drive clean.

Cyber Angel, by Computer Sentry Software (www.sentryinc.com), provides both monitoring and retrieval capabilities. Should anyone attempt to access the Internet with the laptop, Cyber Angel will immediately alert the owner via fax or e-mail. The CSS operations center will use the initial notification to trace the laptop's location. After the alert, the program locks the modem port to prevent access to a corporate LAN, the Internet or other remote operations. An optional software module can also lock out the keyboard and mouse, making the machine virtually useless.

The recovery rate with these tracking and locator systems is about 90 percent when police lend their assistance, industry experts say. However, each jurisdiction places a different priority on stolen computers, and some police departments may not want to allocate resources to recover a single machine. Even with the help of authorities, recovery is a slow process, averaging about three months. "We have had a few cases where the system shows up in a week or two and some where the process took six months, but most of the time we get them back in two to three months," says CSS president Bradley Lide.

Security Starts With the Users

Security products provide effective theft deterrents and access controls, but ultimately it's up to the individual users to prevent laptop theft. Users need to be particularly careful in public locations, such as airports, hotels and conference centers, and take appropriate steps to ensure someone doesn't try to snatch their machine.

When traveling, owners should keep their notebooks in bags sporting bright colors or large tags. Since thieves don't want to draw attention, they will often avoid stealing bags that stand out.

Unfortunately, few laptop users exercise such caution. Industry experts say organizations need to do a better job of educating their laptop users about physical security. "Laptop security is an issue that has been percolating from the bottom up in large enterprises," says Kryptonite's Courtney Celi. "MIS departments usually have a pretty good understanding about the potential problems, but it isn't a top concern for management, although it has been getting better after the recent high-profile cases."

Organizations should determine the appropriate security levels for different employees. A $50 physical cabling device is a no-brainer for all users. Stronger access controls, authentication and file encryption would be appropriate for managers who store confidential information on their machines. And, depending on the value of the data on the hard drive, an organization may want to explore using a tracking service.

Regardless of the approach, the security method chosen by an organization must blend into the users' regular routine. Surveys have found that laptop users will not use security systems that inconvenience them.

Despite the progress in security products and applications, the threat of laptop theft continues to grow. Telecommuting, wireless Internet access and business travel will continue to put laptop computers within arm's reach of would-be thieves. Physical and electronic security systems are no guarantee of absolutely protecting a notebook computer from theft, but they will decrease the odds of it happening.

</div>
