July 30, 2006

Consider the "human factor"

LAPTOP THEFTS JEOPARDIZE ALL

JOHN GLENN, MBCI
Certified Business Continuity Planner

*** This article revised July 31, 2006, adding remarks from Chas. McCubbin of C.S. McCubbin & Company. ***

A recent spate of thefts of notebook/laptop computers should have Business Continuity planners and InfoTech security gurus running to check plans, policies, and procedures. Within the last few months,

* Government officials in New York are warning 540,000 injured state workers that an outside contractor has lost a computer containing their personal data, including the employees' names, addresses and Social Security numbers. [1]

* The U.S. Department of Veterans Affairs was involved in a situation where a laptop containing the personal information of roughly 26.5 million individuals was stolen from a worker's home. That machine was later recovered. [2]

* A laptop containing the customer records of approximately 65,000 individuals, including debit card, credit card and Social Security data, was stolen from the YMCA's locked administrative offices in Providence, R.I., sometime in May. The laptop contained the personal information of members of the Greater Providence YMCA, as well as customer information from some of the facilities overseen by that organization, including branches in both Rhode Island and Massachusetts. [3]

* Financial services giant Fidelity Investments confirmed that a laptop containing the personal information of almost 200,000 Hewlett-Packard employees was stolen from its property. The Boston-based retirement investment specialists said that the laptop specifically contained the personal data of some 196,000 participants in HP's retirement plans that had been put on the machine for a meeting. [4]

* Advisory firm Ameriprise Financial announced on January 25 that financial data of some 158,000 clients and 68,000 advisers was compromised when a company laptop was stolen from an employee's car.
A file stored on the laptop contained the clients' names and internal Ameriprise Financial account identification numbers, but not their Social Security numbers, addresses, phone numbers or dates of birth. It did, however, contain the Social Security numbers of the advisers. [5]

NOTHING NEW

According to EuroTracking (http://www.eurotracking.co.uk/), a UK-based organization,

* A computer is stolen every 41 seconds
* 1 out of 14 laptops is stolen
* 1 out of every 12 laptops is stolen at an airport
* 96% of stolen computers are never recovered
* 70% of computer crime consists of "inside jobs"
* 89% of UK businesses suffered some form of computer crime

Back in July of 2003 - about 1,000 days ago - California's SB 1386 took effect. I predicted at the time that it would soon go national. It did not, but now, thanks to the multitude of data thefts, a national law may be in the making. This scrivener's thoughts at the time are buried on this site at http://johnglennmbci.com/1386.html in an article titled "Almost everyone wins With California's SB 1386".

The California statute can be read at http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html . The bill requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Note the word "unencrypted": the duty to notify attaches to unencrypted personal information, which is one more reason to encrypt any sensitive data that leaves the building.

That's a pretty tall order, and as I read the bill back then, it seemed to me that if an organization did business with a California resident it fell under the bill. Likewise, if a company had a presence in California, all of its customers - regardless of the customer's state of residence - were covered. But I'm not a lawyer and I don't play one on TV.
I advised my employer du jour, since it has offices in the Golden Bear State.

As a Business Continuity planner, I ask myself:

* Why is this information going out of a secure setting?
* What can I do or recommend to prevent sensitive data exposure if a computer is lost or stolen?

In each case above, the information was lost when a notebook (née laptop) computer was "acquired" by someone taking advantage of an opportunity. Computers with sensitive information should be tightly controlled. If the assignee fails to maintain security on the device, then there is no control.

What can be done? There are a number of options, ranging from "useless" to "defeating mobility."

The least expensive option is to create a policy that requires hands-on security. Since it seems obvious that most reasonable organizations already have such a policy, it stands to reason that the policy is being ignored. This is a case where a policy and procedure won't accomplish much other than perhaps to advertise a penalty for violation. That, however, requires ruthless implementation across the board. If a new hire is fired and a senior exec is only admonished . . .

Another option is thin client: all the data, and the application that processes it, stay on a server in a secure (locked door, special code or card for entry) facility within the organization. That reduces mobility somewhat, since the machine has to reach the server to launch applications and find relevant data each time some information is needed. And security is still iffy. If an option can be added to an application that allows saves only to a server, and if the latency can be tolerated, then even a standard computer might be satisfactory, provided the restriction is enforced by the software rather than left to the user.

DUMB TERMINALS AND DONGLES

It's been a long time since I heard or used the term "dongle." [6] But it's also been a while since I used a dumb terminal such as a VT100. The "dumb terminal" is back with a vengeance, tied to the "thin-client" craze.
A "thin client" is described by Wikipedia [7] as "a computer (client) in client-server architecture networks which has little or no application logic, so it has to depend primarily on the central server for processing activities. The word 'thin' refers to the small boot image which such clients typically require - perhaps no more than required to connect to a network and start up a dedicated web browser or 'Remote Desktop' connection such as X11, Citrix ICA or Microsoft RDP.

"In contrast, a thick or fat client does as much processing as possible and passes only data required for communications and archival storage to the server."

The problem with thin-client arrangements, as I see it, is that there may be times when "unique-to-user" applications need to be installed on the local (client) system.

Then there are security issues. If the server identifies the client by something stored in the machine (a saved credential, for instance) plus a guessable password, a thief who has the machine already holds the first factor and need only guess the second to reach the server's data with minimal effort.

Enter the dongle. Connect a dongle about the size of a Bluetooth USB adapter to a key ring with a retractable cord. With the dongle plugged in, the server recognizes the client. Sans dongle, the server can't identify the client and won't "serve" up any information or applications. The dongle, being at the end of a cord on a key ring that is attached to the user's clothing, has to be removed if the user leaves the computer (desktop or notebook). That does not preclude a fool from defeating a foolproof system, but it's better than depending solely on a password.

With a little programming effort - by someone other than this scrivener, if you please - a "dynamic password" security scheme could be implemented. Rather than force a user to change a password every so often - a real pain: "Let's see, did I use this combination before?" - let the server select one of perhaps a dozen or more questions for the person trying to sign on.
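As an example added to this page (not the author's code, nor any product's), here is how a server could run the challenge-question sign-on sketched above, together with the inactivity disconnect the article calls for a few sentences further on. The question bank, user name, answers and timings are constructed for illustration. The server keeps only salted PBKDF2 hashes of the answers, makes the client answer exactly the questions the server chose (so a client cannot pick the easiest one), scales the number of questions to the data's sensitivity, counts failed attempts, and drops a session for good once it sits idle past the timeout:

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed question bank (hypothetical); a real server would hold a dozen or more.
QUESTIONS = {
    "q1": "Name of your first manager?",
    "q2": "Street you grew up on?",
    "q3": "Make of your first car?",
    "q4": "Title of the first book you bought?",
    "q5": "City of your first job?",
}
MAX_FAILURES = 3       # refuse further sign-ons after this many failures
KDF_ROUNDS = 100_000   # answers are low-entropy, so make each guess slow


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Elm St' and ' elm st ' match."""
    return " ".join(answer.lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, KDF_ROUNDS)


@dataclass
class Enrollment:
    """Per-user record in the server's database: salts and hashes, never the answers."""
    salts: Dict[str, bytes]
    hashes: Dict[str, bytes]


@dataclass
class Session:
    user: str
    last_activity: float
    idle_timeout: float
    alive: bool = True

    def touch(self, now: float) -> None:
        """Keyboard/pointer activity reported by the client (the 'ping')."""
        if self.alive:
            self.last_activity = now

    def serve(self, request: str, now: float) -> Optional[str]:
        """Serve data only while live; a session idle past the timeout is dropped for good."""
        if self.alive and now - self.last_activity > self.idle_timeout:
            self.alive = False
        if not self.alive:
            return None
        self.last_activity = now
        return f"record set for {request}"


class Server:
    def __init__(self, rng: Optional[random.Random] = None):
        self.db: Dict[str, Enrollment] = {}
        self.pending: Dict[str, List[str]] = {}   # challenge issued, not yet answered
        self.failures: Dict[str, int] = {}
        self.rng = rng or random.SystemRandom()

    def register(self, user: str, answers: Dict[str, str]) -> None:
        """Enrollment: the user answers every question once; only salted hashes are kept."""
        salts = {qid: os.urandom(16) for qid in answers}
        hashes = {qid: _hash_answer(ans, salts[qid]) for qid, ans in answers.items()}
        self.db[user] = Enrollment(salts, hashes)
        self.failures[user] = 0

    def challenge(self, user: str, sensitivity: int) -> List[str]:
        """Pick one, two or three enrolled questions, scaled to the data's sensitivity."""
        count = min(3, 1 + sensitivity)
        qids = self.rng.sample(sorted(self.db[user].hashes), count)
        self.pending[user] = qids
        return qids

    def sign_on(self, user: str, responses: Dict[str, str],
                idle_timeout: float, now: float) -> Optional[Session]:
        rec = self.db.get(user)
        asked = self.pending.pop(user, None)
        if rec is None or asked is None or self.failures[user] >= MAX_FAILURES:
            return None
        # The client must answer exactly the questions the server chose.
        if set(responses) != set(asked):
            self.failures[user] += 1
            return None
        ok = True
        for qid in asked:   # check every answer; don't stop at the first miss
            got = _hash_answer(responses[qid], rec.salts[qid])
            ok &= hmac.compare_digest(got, rec.hashes[qid])
        if not ok:
            self.failures[user] += 1
            return None
        self.failures[user] = 0
        return Session(user, now, idle_timeout)


if __name__ == "__main__":
    srv = Server()
    srv.register("jdoe", {"q1": "Alice Smith", "q2": "Elm St", "q3": "Saab",
                          "q4": "Neuromancer", "q5": "Boston"})
    for qid in srv.challenge("jdoe", sensitivity=2):
        print(qid, QUESTIONS[qid])
```

Treat the answers as a second factor rather than a replacement for a password or token: they are low-entropy and often findable, which is why the hashing is deliberately slow and failed attempts are counted. The `now` argument is passed in rather than read from the clock so the timeout logic can be exercised deterministically.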
The user, when assigned the computer, would provide the answers to all the questions. The server would then ask a password question and compare the user's answer with the answer stored in the user's area of the server's database. Depending upon the level of information sensitivity, two or more password "challenges" might be in order. (Answers to such questions are low-entropy and often discoverable, so they belong alongside a password or token rather than in place of one, and the server should store them salted and hashed, exactly as it should store passwords.)

This would be coupled with a "lack of activity" timeout: if there is no keyboard or pointer activity within a short period (seconds), the client-server connection is broken.

The advantage of the password challenge over the dongle is that there is nothing to leave behind. A user can unclip the dongle from his or her clothing and leave it plugged in while stepping out for a short break; a challenge coupled with an inactivity timeout has no such bypass. The timeout - based on the old ACK-NAK or ping methodology - assures that even if the most careless user walked away without terminating the client-server connection, the chance of unauthorized computer use would be minimized.

Besides not being a lawyer (ibid.), I also am not a computer guru, but as a Business Continuity planner, I am smart enough to have these ideas vetted by people who really know the data business. Nothing in the preceding is rocket science, but it is the result of playing the "what if" game all planners should know and love.

According to Dodi Glenn, Senior Software Test Engineer, Sunbelt Software (http://www.sunbeltsoftware.com/), who also is my #2 Son and the family "geek," there are a number of security options, including a USB Wireless Security Lock (http://www.thinkgeek.com/gadgets/security/698d) which, according to the blurb on the ThinkGeek URL, "is a simple yet effective means to ensure computer access is limited to an authorized user. Each kit is composed of a USB receiver dongle connected to the computer, and a battery-powered access transmitter, which is to be carried by the authorized user.
When the user moves more than 2 meters away from the computer, the security dongle will disable access to the computer until the user carrying the transmitter has returned within the vicinity of the computer."

Dodi, who maintains his own URL at http://www.powertoexcel.net/news.php, adds: "Don't forget biometrics (fingerprint, retinal, etc.). This can be a secondary security measure.

"In addition, I carry a USB keychain provided by Authenex. This USB key allows me to encrypt data (virtually anything) with a secure password. Without the password AND the USB key, one cannot decrypt the file. I believe it is using the 128-bit Advanced Encryption Standard (AES) [8] method.

"Combined with a secure (16 characters or longer) Windows password, a fingerprint scanner, and my USB token, I feel fairly safe with the data on the laptop.

"There is also a program which is sort of the 'LoJack' for computers called CompuTrace. It hides in the BIOS/memory of the computer and when needed can be activated by CompuTrace to find out where the laptop is located. Once the thief connects to the internet, CompuTrace works with law enforcement to find the laptop."

CompuTrace is a subscription service offered via a number of companies in the US and elsewhere. The problem is, by the time the computer is traced, the information on the computer, or accessed via the computer, is already in the "wrong" hands.

Dodi's suggestions are worth considering, but they still don't deal with the human problem: the computer user who walks away from a connected machine. The only remedy this non-InfoTech scrivener sees is the quick timeout-and-disconnect utility resident on the server, which probably supplies the greatest Return On Investment (ROI).

Charles McCubbin, principal of C. S. McCubbin & Co. (http://www.cmccubbin.com/), has his own ideas on computer theft. By the numbers, McCubbin offers the following:

1. Dongles are really old fashioned, and do have the physical security problem of being lost.
Much better technology exists that, when combined with thin clients, can significantly reduce security holes.

2. Most systems let the user copy materials/data to the local system. Disable this practice.

3. Current password technology, even Microsoft's, uses the CHAP (Challenge and approve) system. The user is challenged for login name, then password; the best systems, requiring Orange and Red Book certification, do not send or present both together, eliminating the benefit of knowing one and guessing the other.

4. Biological keys. Notice that Dell now is selling computers which require some biological input, i.e. a thumbprint, to be used.

5. Delay access. Criminals are opportunistic. They will take the easy stuff and leave the hard-to-get stuff, always picking the low-hanging fruit. Add a password at boot, Windows login, and application access. Combined with bio-security, it takes too long.

6. Education. Most employees don't know their responsibility, or the company policy on corporate data. They don't exercise critical thinking when someone asks for their password. Just because they say they are from the help desk doesn't mean they are from the help desk. Educate the user on procedures and policy as well as social engineering.

7. Enforce policy. Too many companies have a policy but fail to enforce it. I ran a network where the biggest offenders were the executives who wrote and approved the policy. But they waived it for themselves. I have also seen companies waive the breaking of security policy for the better employee, the key or star employee.

8. Cost. Companies will pay for added servers to increase their business but spend less on security than on paper towels in the bathrooms. After all, we don't have anything that anyone else would want; or they will never attack us, we're just so small.

9. Finally, and this is not a "give up and get out," but most laptop thefts are done for the laptop, not the data.
The thief wants to hock the laptop for money, nothing more sinister than that. They don't know what they have, and usually will not care if they did know.

10. The bottom line is that people are aware only while they perceive a danger to themselves or their close family. They quickly become non-vigilant as soon as nothing happens to reinforce the need.

McCubbin adds that "more could be done, and should be done, but will not be done until we overcome sloth, gluttony, and perhaps a few other sinful shortcomings of humanity."

No matter what combination of measures is used - encryption, multiple random passwords, server disconnects, and high-end biometrics - the problem must be addressed as a work-around for the human factor. Computers "disappear." Computers are hacked. Sensitive information is too easily available, yet the means to provide better protection for the data are available today.

It may take a national version of California's SB 1386 to convince organizations that it is in their financial interest to provide better data security, but until then, smart management will move more forcefully to increase the level of security - both electronically and physically.

END NOTES:

1. http://www.eweek.com/article2/0,1895,1994416,00.asp
2. http://www.eweek.com/article2/0,1895,1983738,00.asp
3. http://www.eweek.com/article2/0,1895,1972653,00.asp
4. http://www.eweek.com/article2/0,1895,1942049,00.asp
5. http://www.eweek.com/article2/0,1895,1916087,00.asp
6. A small device that plugs into a computer and serves as an adapter or as a security measure to enable the use of certain software (http://www.m-w.com)
7. http://en.wikipedia.org/wiki/Thin_client
8. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/, may be sent to Planner @ JohnGlennMBCI . com

(c) 2006, John Glenn MBCI