Getting a grip

 


As long as there are mobile computing devices, some of them will be lost. But the right technologies and policies can help you hold on to more of them and minimize the fallout when one goes missing.

Experts have an adage: "Security is a journey, not a destination." But when the data itself goes on a journey - riding on laptop PCs and BlackBerrys - the destination could be misery for the systems administrator when those devices vanish.

"In the mainframe world, we used to know the limits - a mainframe computer or its terminals didn't get up and walk around or get lost or stolen," said Dave Morrow, chief security and privacy officer at Electronic Data Systems, who oversees security for the company's managed laptop services used by federal agencies such as the Navy-Marine Corps Intranet. "But with laptops, BlackBerrys, iPods and iPhones, there is no definable edge to the network, and most people don't understand what kinds of sensitive data they have."

So how does one go about securing laptops?

Inherent insecurity

Losses of laptops containing sensitive data regularly make headline news. In July, a Transportation Department laptop containing personal information on 133,000 Florida residents was stolen from a car in the Miami area.

In January, a Veterans Affairs Department medical center in Birmingham, Ala., lost an external hard drive containing data on 250,000 veterans and 1.2 million health care providers. A Justice Department inspector general audit issued in February found that the FBI lost 2.6 laptops per month during a 44-month period, with at least 10 of the missing laptops containing sensitive or classified information. In May, the Energy Department reported 1,415 laptops missing during a six-year period, about 2 percent of its total inventory.

This article is not about those losses, however. The fact is that laptops will be lost or stolen - as will other mobile devices. Safeware Insurance Agency estimates that 600,000 laptops are stolen or lost annually, with other estimates running as high as one in 10 laptops stolen. And the losses aren't limited to laptops. According to In-Stat, a business unit of Reed Business Information, 8 million cell phones will be lost this year.

It is possible, however, to reduce the number of laptops that go missing. For example, according to the DOJ IG report, the FBI lost only one-third as many laptops per month in the most recent audit period compared to one conducted in 2002.

"Major breaches of data inevitably make the news; people's information is potentially put in the hands of ID thieves," said Robert Siciliano, chief information officer at IDTheftSecurity.com. "People lose their jobs, their reputations, and it makes a big mess that could be prevented just by taking simple proactive and preventive measures."

So, let's take a look at steps to take to minimize these losses and reduce the impact when losses do occur.

Knowing what is there

Over the years, a number of best practices have developed regarding laptop security.

Many of these are recognized in the Office of Management and Budget guidelines released in June, "Protection of Sensitive Agency Information" (GCN.com/83) and the July 2007 publication from OMB and the Homeland Security Department titled "Common Risks Impeding the Adequate Protection of Government Information" (GCN.com/829).

Agencies must follow standards and guidance published by the National Institute of Standards and Technology, said OMB spokeswoman Andrea Wuebker. "OMB encourages agencies to contemplate and incorporate best practices regarding prevention of loss and theft of federal information."

The first step is to have a good idea of exactly what mobile assets an organization has.

"It begins with accountability," Siciliano said. "Too often, there are laptops being lost or stolen, and possession of them has not been properly accounted for."

As audits routinely show, it is often not even known when a laptop went missing or who had control of it. It just can't be located right now. An organization must keep an inventory of who has possession of all the laptops and track when they change hands. Policies are required to ensure that oversight of the inventory doesn't drop off when an employee leaves or is transferred.

"There needs to be a master list and redundancy as to who is paying attention to that list and who is checking up on it," Siciliano said.

But knowing who has the hardware is only the beginning. Even more critical is the data it contains, and Morrow said that users and managers are often clueless as to what is on the laptop.

"While I worry about the physical hardware, I worry much more about the data on the system," Morrow said. "It might be a $1,500 laptop that gets stolen, but it may have sensitive data that will cost $10 million to remediate."

The biggest risk

Proper asset management detects when a laptop is missing but doesn't prevent loss in the first place. No policy or standard replaces the need for vigilance by users.

"OMB recognizes job-specific training is necessary for a risk-based approach to security," Wuebker said. "The memorandum [Common Risks...] requires federal agencies to train employees regarding their respective responsibilities relative to safeguarding federal information on fixed and removable media, including personally identifiable information, and the consequences and accountability for violation of these responsibilities."

Low profile

Several agencies issue their own brochures giving best practices for laptop security, including common-sense tips such as not leaving the laptop visible on the seat of a car, locking the laptop in a cabinet or desk when left in the office and using a cable to lock the computer to a pipe or table leg.

At the airport, travelers should let the line clear ahead of them before putting a laptop into the X-ray machine. You should carry the computer in a plain padded case or put it inside a backpack or regular briefcase rather than carrying it around in what is clearly a laptop case, especially one bearing the manufacturer's logo. When sitting in a restaurant or other public space, the laptop should remain in contact with the user so it doesn't get accidentally left behind. If it is placed on the floor, it should at least be between one's feet. Users also need to make sure they don't give others access to their portable devices.

"Social engineering [employee negligence] is the biggest mistake," said Kevin Kalinich, manager of professional risk solutions at Aon Financial Services Group. "Say 'no' to unauthorized requests for information and access, including access to offices, cars and any other location where a laptop might be."

Vigilant employees are also a good safeguard against many laptop thefts but not a complete solution.

"Carelessness is one of the biggest problems I see," Morrow said. "People don't think of their laptop as something people would want to steal."

Central control

The ideal solution, therefore, is to restrict what users can load onto their laptops. If an employee needs to access a database, that data should only be available through a secure connection, rather than loading the entire database onto the laptop. But sometimes there are valid reasons to have a full database loaded on the computer. For example, an auditor visiting a site may need to copy and review data from the target agency's files.

Then there are the caches and hidden files that the user doesn't even know exist.

"Most managers think that sensitive information is stored away safe and secure on servers," said security consultant and author Kevin Beaver at Principle Logic. "That's a dangerous misconception; you could randomly pick any given laptop in any organization and using the right tools, find sensitive information on the local drive in a matter of minutes."

Kalinich advises implementing centralized policies that take security controls out of the control of users but push updates to the mobile devices as needed.

"Enterprisewide solutions must be implemented, which include a policy-based mobile data security and management solution that protects data on all kinds of portable devices, not just laptops," Kalinich said. "It takes a large portion of the responsibility out of the hands of the individuals and places it in the capable hands of the IT professionals."

Portable devices should also be automatically backed up to the servers. This doesn't prevent data getting into the wrong hands, but it does prevent the loss of that data to the agency and having to spend time recreating or reloading the data.

"That way you are not sunk if your laptop goes missing or breaks," Morrow said. "None of this is rocket science - it is stuff we have been talking about for years and years, just applied to a different venue."

"With laptops, BlackBerrys, iPods and iPhones, there is no definable edge to the network, and most people don't understand what kinds of sensitive data they have." - Dave Morrow, EDS

WPN Photo by Jaime R. Carrero

In addition to routine security policies, there is also an assortment of technologies that are designed to keep data from getting into the wrong hands.

The first is that all portable devices should use full disk encryption, making it harder for the data to be deciphered.

Kevin Kalinich, manager of professional risk solutions at Aon Financial Services Group, recommends using a timeout function that requires reauthentication after 30 minutes of inactivity, as well as using a BIOS password and a biometric device. He said sensitive database extracts should be logged, and their erasure should be verified within 90 days if the data is no longer in use.

There are also several options for wiping the data from a hard drive when it does go missing. Typically these involve erasing the encryption key on the laptop after a series of failed log-ins, or in response to a command from headquarters.

Robert Siciliano, chief information officer at IDTheftSecurity.com, recommends Tri-8's mylaptopGPS service. This has three parts - a permanent identification label to deter theft, tracking of the missing laptop to the IP address it is logged on to, and remote removal and deletion of sensitive files.

EDS is looking at using a product from Absolute Software, called LoJack for Laptops, which also traces stolen laptops over Internet connections and destroys data on command or according to policy - for instance, if the computer hasn't connected to the agency network within a certain time period. A similar product - SureFind - is offered by Oakley Networks. This system can verify whether or not data on a stolen laptop has been viewed and erase any sensitive data, once the missing laptop is connected to the Internet.

SecureTrieve's SecureTrieve Pro offers similar features.

Targus Group International makes a variety of cables and other devices to lock laptops, iPods, mice and keyboards. For higher protection, its DEFCON 1 Ultra Notebook Computer Security System comes with a 95 decibel alarm that sounds when the laptop is moved.

Reported mobile device loss in the federal government, 2006-2007

February 2006: The Centers for Disease Control and Prevention disclosed that 22 laptop PCs - containing Defense Department personnel information - were stolen from a contractor facility.

February 2006: A Labor Department laptop with information on more than 1,100 individuals was lost.

February 2006: An Internal Revenue Service employee had a laptop stolen from his vehicle.

March 2006: A Marine Corps employee lost a thumb drive containing personnel records on more than 200,000 enlisted Marines.

March 2006: Eight laptops holding Centers for Medicare and Medicaid Services beneficiary and supplier information were stolen from a contractor's office.

April 2006: An IRS employee reported that a laptop with taxpayer information was stolen.

May 2006: A Social Security Administration employee lost a flash drive containing case information on six people.

May 2006: A Veterans Affairs Department analyst brought home a laptop with identity data on more than 26 million veterans and spouses. The laptop was subsequently stolen.

June 2006: CMS reported that a contractor lost a laptop with more than 49,000 personnel records.

July 2006: A Transportation Department laptop containing personal information on 133,000 Florida residents was stolen from a car in the Miami area.

June 2006: The Treasury Inspector General for Tax Administration reported that approximately 490 IRS laptops have been lost since 2003, many because of improper storage procedures.

August 2006: While riding a motorcycle, a Navy recruiter lost a laptop containing data on more than 30,000 applicants.

September 2006: The Census Bureau reported losing 672 laptops since 2001, of which 246 contained some personal data.

November 2006: The Army's Accessions Command in Fort Monroe, Va., reported that a laptop with personal information on 4,600 scholarship applicants for the Reserve Officer Training Corps was missing.

January 2007: The VA medical center in Birmingham, Ala., lost an external hard drive containing data on 250,000 veterans and 1.2 million health care providers.

February 2007: The Justice Department IG issued an audit showing that the FBI had lost 2.6 laptops per month during a 44-month period.

May 2007: The Energy Department reported 1,415 laptops missing during a six-year period, about 2 percent of its total inventory.

June 2007: The Government Accountability Office found that NASA could not account for more than $94 million worth of office equipment, including many computers.
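The safeguards described earlier in the article (a custodian on record for every laptop, full disk encryption, reauthentication after 30 minutes of inactivity, logged extracts whose erasure is verified within 90 days, and action when a laptop has not contacted the agency network within a set period) can be checked mechanically against an inventory. The following is an added example, not part of the original article; the record layout, asset tags, custodian names and the 14-day check-in window are assumptions.

```python
"""Audit laptop inventory records against the safeguards the article lists."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

MAX_IDLE_MINUTES = 30     # reauthentication timeout cited in the article
EXTRACT_ERASE_DAYS = 90   # unused extracts: erasure verified within 90 days
CHECKIN_WINDOW_DAYS = 14  # assumed value for "a certain time period"


@dataclass
class Extract:            # one logged database extract (assumed layout)
    name: str
    created: date
    in_use: bool
    erasure_verified: Optional[date] = None


@dataclass
class Laptop:             # one inventory record (assumed layout)
    asset_tag: str
    custodian: Optional[str]          # who currently holds the device
    full_disk_encryption: bool
    idle_lock_minutes: Optional[int]  # None means no timeout configured
    last_checkin: date                # last contact with the agency network
    extracts: list = field(default_factory=list)


def audit(laptop, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    if not laptop.custodian:
        findings.append("no-custodian")
    if not laptop.full_disk_encryption:
        findings.append("no-full-disk-encryption")
    idle = laptop.idle_lock_minutes
    if idle is None or idle > MAX_IDLE_MINUTES:
        findings.append("idle-timeout")
    if (today - laptop.last_checkin).days > CHECKIN_WINDOW_DAYS:
        findings.append("missed-checkin")  # candidate for policy-driven wipe
    for ex in laptop.extracts:
        age_days = (today - ex.created).days
        overdue = age_days > EXTRACT_ERASE_DAYS and ex.erasure_verified is None
        if overdue and not ex.in_use:
            findings.append(f"extract-overdue:{ex.name}")
    return findings


def audit_inventory(inventory, today):
    """Map asset tag -> findings, keeping only records that have findings."""
    report = {lap.asset_tag: audit(lap, today) for lap in inventory}
    return {tag: found for tag, found in report.items() if found}


# Constructed sample inventory (not real data).
TODAY = date(2007, 9, 1)
INVENTORY = [
    Laptop("LT-0001", "a.analyst", True, 15, date(2007, 8, 30),
           [Extract("payroll_q1", date(2007, 3, 1), False, date(2007, 4, 2))]),
    Laptop("LT-0002", None, False, None, date(2007, 6, 1)),
    Laptop("LT-0003", "b.auditor", True, 30, date(2007, 8, 25),
           [Extract("site_audit", date(2007, 5, 1), False),
            Extract("open_case", date(2007, 2, 1), True)]),
]
```

Calling `audit_inventory(INVENTORY, TODAY)` returns only the records that need follow-up, which is the master list the inventory owner would review.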
