laptop security sirt it security roundtable harvard townsend it security officer harv@ksu.edu may 2,...

Laptop SecuritySIRT IT Security Roundtable

Harvard TownsendIT Security Officerharv@ksu.eduMay 2, 2008

Laptops are risky business…

2

Agenda

Physical security Protection while traveling Information security Recording identification information Tracking and Recovery software Wireless security

Public WiFi hotspots Home wireless VPN service

Useful freeware tools demo’d throughout USB thumb drive security 3

4

Physical Security – Theft Prevention

Never leave unsecured laptop unattended Lock your doors (reshall room, apt., office) Lock it in a cabinet Use a locking security cable

Room/office Hotel room Public locations Conferences, training sessions Cost $15-$50, combination or key lock

Use strong password on all accounts

5

Traveling

Don’t let it out of your sight when you travel Be particularly watchful at airport security

checkpoints Always take it in your carry-on luggage

Never put it in checked luggage Use a nondescript carrying case Be careful when you take a nap in the airport Don’t leave it in view in your vehicle

Don’t trust the trunk - remember the quick release lever inside the vehicle?

6

Information Security DON’T store confidential data on mobile

devices If you must, encrypt it

Whole-disk encryption best File or folder encryption reasonable Demo TrueCrypt (open source, Win/Linux/Mac –

http://www.truecrypt.org ) Beware of managing encryption keys Work with temporary copies on the laptop – keep

original file(s) on secure server Backup data regularly

Imaging is a lovely tool Diligently manage the security of the device

(patches, antivirus software, firewalls, etc.)

Finding Confidential Data

Don’t assume you don’t have any confidential data on your laptop

“Spider” from Cornell useful for finding confidential datahttp://www.cit.cornell.edu/security/tools

Searches files for SSNs and credit card numbers

Lots of false-positives but still very useful

7

Preventing Recovery of Deleted Files

Deleted files easily recovered Even after you empty the Recycle Bin

“Eraser” freeware tool to securely delete files (http://www.heidi.ie/eraser/) “Erase” Recycle Bin “Erase” a file instead of delete it “Erase” free space on hard drive “Erase” a USB flash drive

“Media Sanitization” when disposing media8

Record Identification Information

Record make, model, serial number Take pictures of it Label it with ownership and contact info

Engrave cover Tamper-proof asset tag Write on it with permanent marker Distinctive symbols, art

Record network “MAC addresses”9

10

How To Find Your MAC AddressIn Microsoft Windows XP/Vista

Get a Command Prompt window Select Start, then Run, then type cmd.exe

In the command prompt window, typeipconfig /all

Look for the “Physical Address”, which is the MAC address

For other operating systems, seehttp://www-dcn.fnal.gov/DCG-Docs/mac/index.html

11

MAC address

12

Tracking & Recovery Software

If stolen, the computer contacts the company who traces it and contacts law enforcement to recover it

Computrace LoJack for Laptops from Absolute Software (www.absolute.com) is an example

Pre-installed in BIOS on many laptops Dell HP

Have to buy the license to activate Costs about $30-$50 per year

13

Wireless Safety

K-State, home, hotels, public “hot spots” Rule of thumb – FEAR WIRELESS! K-State information:

http://www.k-state.edu/infotech/networks/wireless/

General wireless security:http://www.onguardonline.gov/wireless.html

Wireless terminology:http://www.onguardonline.gov/wireless.html#glossary

14

Wireless Safety

Use encryption WEP (weak) WPA (strong -

coming to campus soon)

VPN

Don’t work with sensitive data in public hot spot

15

Wireless Safety

Securing wireless at homehttp://www.k-state.edu/infotech/news/tuesday/archive/2006/10-24.html#sectip

Use strongest encryption possible – WPA2 Restrict access to specific computers by

MAC address Change default settings

Admin password for configuration interface SSID Do not broadcast SSID

16

Default SSID

No Encryption

17

Default SSID

Default SSID

StrongEncryption

WeakEncryption (WEP)

18

19

20

Virtual Private Network (VPN)

Encrypts all network traffic between your computer and the K-State border

Makes your computer appear to be on campus to get access to restricted resources

Does NOT necessarily encrypt everything that goes to the Internet (“split tunneling”)

Also does not encrypt traffic on campus

21

22

Virtual Private Network (VPN)

Must install “VPN Client” software Information and software available at:

http://www.k-state.edu/infotech/networks/vpn/

Cannot use it on campus yet (to secure your wireless, for example); will be able to soon.

If can get to Internet but not K-State, modify the “Transport” configuration: Enable Transparent Tunneling IPSec over TCP

23Disconnected Connected

USB Flash Drive Security

No confidential data! Too easy to lose, easy target of theft

Don’t use it as a backup device “Erase” files so they aren’t recoverable Encrypt files on it with TrueCrypt or - Encrypted USB flash drives

Ironkey very popular - https://www.ironkey.com/

View demo?

24

25

More Information…

K-State’s “Mobile Device Security Guidelines:http://www.k-state.edu/infotech/security/mobile.html

What’s on your mind?

26