Laptop Security Best Practice White Paper

Given the realities of an increasingly mobile workforce and the growing regulatory obligations of organizations, IT security professionals need to craft, communicate, and enforce more specific laptop security policies to prevent company and customer data from being compromised. Laptop policies either don't exist or, if they do, they're not enforced. The lines of responsibility are often blurred between IT and Facilities/Security departments, which conflicts with effectively implementing existing policies. The weak link in the security chain, the end user, is left ill-trained to protect the vulnerable mobile computer. End users need more specific rules and training, IT staff should implement automated and non-automated enforcement practices, and management should lead by example, provide clear direction, and highlight good behavior. Laptop security policy and regulatory compliance requirements need to be balanced with knowledge-worker productivity targets in order to help the organization achieve both its security and bottom-line goals.

This paper addresses the following areas:

I. Why Have a Separate Laptop Policy?
II. Regulatory Environment
III. Laptop Security Policy Overview
IV. Balancing Productivity and Security
V. Laptop Security: Who Is Responsible?
VI. Training
VII. Management
VIII. Policy Considerations
IX. Laptop Security Policy Checklist
X. References and Links

Page 1: Laptop Security Best Practice White Paper

8/2/2019 Laptop Security Best Practice White Paper

http://slidepdf.com/reader/full/laptop-security-best-practice-white-paper 1/10


I. | Why Have a Separate Laptop Security Policy?

It's time for those responsible for IT physical security to reevaluate their policies in order to improve the way end users guard their mobile windows into the corporation's data vaults.

II. | Industry Regulation Touches Nearly Every Organization

Regulations that impose obligations on how the data carried on laptops is handled include:

- Sarbanes-Oxley
- HIPAA, the Health Insurance Portability and Accountability Act
- GLBA, the Gramm-Leach-Bliley Act
- FISMA, the Federal Information Security Management Act
- PCI DSS, the Payment Card Industry Data Security Standard
- California SB 1386, the state's data-breach notification law

IT Frameworks Provide Detailed Direction

Compliance requirements are given concrete, control-level form by IT governance frameworks, among them:

- COBIT 4.0, published by the IT Governance Institute (ITGI)
- ISO 17799:2005 (ISO 27001)
- NIST 800-53, the catalog of security controls for federal information systems

A Tree within the Forest

III. | What Should a Laptop Security Policy Accomplish?

Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them.


IV. | Striking a Balance between Worker Productivity and Security

Mobile workers rely on their laptops to:

- Work offsite when there's a work crunch demanding night and weekend hours
- Share information with distant business partners
- Keep up to date with business transactions


V. | Laptop Security: Who Is Responsible?

A laptop policy should incorporate the respective roles that facility/security managers, IT managers, supervisors, and employees play in protecting mobile computers.

VI. | The Role of Training

"The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, AT&T, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully."

Kevin Mitnick, Founder, Mitnick Security Consulting, LLC; Convicted Computer Hacker


VII. | Management's Role in Laptop Policy

VIII. | Laptop Security Policy Considerations

Multi-Tiered Laptop Security Model (the paper's figure, rebuilt as a list; sensitivity and the matching security level rise from Level 1 to Level 3):

Level 3, High / Critical. Restricted Information: strategic plans, online access codes, encryption keys, credit card listings.
    High security: tracking software, disk wipe software, biometrics.

Level 2, Moderate / High. Confidential Data: personnel records, customer records, budget data, sensitive correspondence.
    Medium security: full disk encryption, offline storage options, insurance, disable unnecessary ports.

Level 1, Routine. Internal Information: employee handbook, telephone directory, org charts, policies and standards.
    Basic security: cable lock, disabled Administrator log-on, strong passwords, asset tags.


IX. | Laptop Security Policy Best Practices Checklist

1. Basic Physical Security
2. Operating System Security
3. Network Security
4. Secure Connectivity
5. Protecting the Data
6. Training

1. Basic Physical Security

- Have users read and sign an acceptable use policy describing precisely what is and isn't acceptable on the company machine.
- Lock down laptops with a cable lock wherever you are: office, home, airport, tradeshow, or hotel room. If an immovable anchor isn't available, loop the security cable around a chair or other hard-to-move object. Keep a spare key apart from the one on your keychain. If a resettable combination lock is used, change the combination whenever you suspect someone has observed you opening it. Register the key or combination on the lock manufacturer's website in case you lose it. If you're responsible for computers in a facility, use a master key or master-coded combination system to manage lost key/combination issues.
- Lock away PCMCIA/NIC cards if the computer is left unattended on the desktop.
- Register the computer's serial number and model number with the manufacturer, and store the information separately. This will help recovery if the computer is turned in for service.
- If leaving a machine unattended, log out or turn the machine off. A machine that is merely asleep or screen-locked still holds its disk-encryption keys in memory, so power it off rather than just closing the lid.
- Apply a tamper-resistant asset tag or engrave the machine to aid authorities in recovery. These can also deter resale of the machine.
- Use a non-descript carry case; for example, place the laptop in a padded sleeve inside a backpack.
- While traveling, never leave a laptop unattended in a public place.
- When leaving a laptop in a car, lock the computer in the trunk, using a cable lock to secure it to a permanent vehicle mount.
- Consider biometrics as an alternative to passwords. Fingerprint, retina, and face-scan technology can speed up access to the computer. A biometric logon only controls access to the running operating system; it does nothing for data on a disk that has been removed or imaged, so it complements disk encryption rather than replacing it.
- Consider recovery software that allows the computer to "phone home" in case of loss or theft.
- If a laptop is lost or stolen, report it immediately. Time is of the essence: the cached credentials, certificates, and VPN access on the machine must be revoked before a thief can use them to intrude on the company network.

2. Operating System Security

- Use the latest operating system affordable, as new security measures are being added all the time. Enable automatic updates from the company network, and from the Internet when not at the office.
- Lock or disable all unnecessary ports to limit access. USB ports are especially prone to data leakage and unauthorized data transfer.
- Enable BIOS passwords for added protection. A BIOS password gates the boot process and the firmware settings, not the disk itself: determine whether the machine also supports a hard-drive (ATA) password that locks the drive so it can't be installed and accessed in a similar machine, and treat both as supplements to disk encryption rather than substitutes for it.
- Disable booting from other drives. Disabling the secondary boot drive sequence hinders the ability to access the system from a secondary drive such as bootable USB or optical media, and the BIOS password keeps the setting from being switched back.
- Rename the Administrator account. Attacks on local accounts are a common method. When renaming, don't use the word "Admin" in its name. Renaming is only a speed bump, since the built-in account keeps its well-known identifier, so also disable it and have administrators use individually named accounts.
- Prevent the last user name from displaying in the login dialog box.
- Disable the infrared port on the machine. An enabled IrDA port is an unmonitored, line-of-sight data path that can be used from across a room without the user noticing.
- Ensure only one active network interface is enabled at a time. For example, if Wi-Fi is enabled, then other access methods are disabled. This ensures that devices cannot be accidentally or intentionally used as bridging or routing devices between two or more networks.
- Do not let users download third-party software and applications or enable unauthorized protocols or services (much as they will want to).

3. Network Security

- Install and regularly update an antivirus product. Enable real-time protection by default.
- Install host-based adware and spyware utilities.
- Install a host-based firewall to deter intruders and malicious logic from entering the system.
- Enable all auditing available on the computer that is necessary to support the network environment.
- Install VPN technology for access to the organization's LAN. The VPN should authenticate the user or device and encrypt all traffic between the laptop and the corporate network below the application layer (IPsec at the network layer, or an L2TP/IPsec or SSL/TLS tunnel), so that protection does not depend on each application doing its own encryption.
- Use client patch management software to receive the latest fixes to the OS and applications.
- Require encryption on every connection that crosses from an untrusted network into a trusted one.

4. Secure Connectivity

- Ensure that antivirus and firewall software is installed, enabled, and receives regular updates.
- For VPN connectivity, disable split tunneling for all Internet access. With split tunneling enabled, the laptop is attached to the untrusted network and the corporate LAN at the same time, which turns it into a bridge an attacker on the local network can use to reach the VPN.

5. Protecting the Data

- Have in place a password policy that requires users to create complex passwords of at least 8 characters (longer passphrases are stronger; set a minimum, not a low maximum). Passwords should use at least 3 of the 4 character classes: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Don't write passwords down, and don't share them with others. See this article for how to create and remember complex passwords: http://articles.techrepublic.com.com/5102-1009-6028857.html
- Back up and synchronize your files on a regular basis.
- Consider using offline storage products when traveling. USB drives, rewritable CDs, or external hard drives provide a good backup should your laptop be unavailable. Encrypt these media too; a backup that is easier to steal than the laptop defeats the purpose.
- Use privacy screens when using your laptop in public places such as airports or hotel lobbies.
- Use system encryption tools such as EFS (Encrypting File System) on Windows XP for encrypting individual files and folders. Mac OS X users can use FileVault.
- For the most complete protection of data on the computer, install whole-disk encryption.
- For machines with sensitive data, consider installing disk wipe technology that wipes the hard drive clean in the event of loss or theft.
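As an added example, not taken from the white paper or from PC Guardian, the following PowerShell script audits a Windows laptop against the operating-system, network, connectivity, and data-protection items in sections 2 through 5 above. It is read-only and assumes a Windows 10/11 machine with the built-in BitLocker, NetSecurity, Defender, and VpnClient modules; the check names, the three-day signature-age threshold, and the password rule encoded in Test-PasswordComplexity are this example's assumptions, not settings the paper prescribes.

```powershell
# Added example: audits a Windows laptop against checklist sections 2-5.
# Not part of the white paper. Read-only; run from an elevated PowerShell
# session on Windows 10/11 (assumes the built-in BitLocker, NetSecurity,
# Defender and VpnClient modules). Thresholds are this example's assumptions.

function Test-LastUserNameHidden {
    # Section 2: "Prevent the last user name from displaying in the login dialog box".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name DontDisplayLastUserName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DontDisplayLastUserName -eq 1)
}

function Test-BuiltInAdminHardened {
    # Section 2: rename the Administrator account. The built-in account keeps
    # RID 500 whatever it is called, so the check also requires it to be disabled.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { return $false }
    return ($admin.Name -notmatch 'admin' -and -not $admin.Enabled)
}

function Test-UsbStorageDisabled {
    # Section 2: lock or disable unnecessary ports. Start = 4 keeps the USB
    # mass-storage driver from loading, so thumb drives will not mount.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Start -eq 4)
}

function Test-FirewallAllProfiles {
    # Sections 3-4: host-based firewall enabled on the Domain, Private and Public profiles.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled.ToString() -ne 'True' })
    return ($off.Count -eq 0)
}

function Test-AntivirusRealTime {
    # Sections 3-4: real-time protection on and signatures updated within three days.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) { return $false }
    return ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3)
}

function Test-VpnNoSplitTunnel {
    # Section 4: split tunnelling off on every VPN profile defined for this user.
    $vpns  = @(Get-VpnConnection -ErrorAction SilentlyContinue)
    $split = @($vpns | Where-Object { $_.SplitTunneling })
    return ($split.Count -eq 0)
}

function Test-SystemDriveEncrypted {
    # Section 5: whole-disk encryption, protection on and the OS volume fully encrypted.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return $false }
    return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
}

function Test-PasswordComplexity {
    # Section 5: at least 8 characters and at least 3 of the 4 character classes.
    param([Parameter(Mandatory)][string]$Password)
    $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') | Where-Object { $Password -cmatch $_ }
    return ($Password.Length -ge 8 -and @($classes).Count -ge 3)
}

# Report: one PASS/FAIL line per checklist item.
$checks = [ordered]@{
    'Last user name hidden at logon'            = { Test-LastUserNameHidden }
    'Built-in Administrator renamed+disabled'   = { Test-BuiltInAdminHardened }
    'USB mass storage driver disabled'          = { Test-UsbStorageDisabled }
    'Firewall enabled on all profiles'          = { Test-FirewallAllProfiles }
    'AV real-time protection, fresh signatures' = { Test-AntivirusRealTime }
    'No VPN profile with split tunnelling'      = { Test-VpnNoSplitTunnel }
    'System drive fully BitLocker-encrypted'    = { Test-SystemDriveEncrypted }
}
foreach ($name in $checks.Keys) {
    $ok = & $checks[$name]
    '{0,-44} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
```

Each check is a function that returns a boolean, so the same script can feed a compliance tool or a logon script rather than only printing a report. Test-PasswordComplexity accepts a value such as Tr0ub4dor&3 (four classes, eleven characters) and rejects password1 (two classes), which is the 3-of-4 rule from the policy above expressed as code; a policy that only exists on paper cannot be enforced at the point where the password is chosen.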

6. Security Awareness Training

- Raise security awareness: put up posters, put policies on the company intranet. Establish regular communications in company newsletters and emails about the latest threats and incidents that could affect your end-user community.
- Review your policies at new employee orientation, and with regular awareness training every 6 to 12 months.
- Conduct security training classes between 45 and 60 minutes in length, and cover topics such as email, web surfing, physical security, and procedures to follow while traveling.
- Keep employees alert by doing occasional compliance spot checks and pop quizzes at staff meetings. Don't rely solely on your automated systems.
- Give travelers a pre-trip checklist of key security procedures to follow, to reinforce training.


Conclusion

It may seem obvious, but the best way to protect the data on a laptop is to prevent it from being stolen in the first place.

Laptop Security: As Strong as the Weakest Link (figure; the links shown are):

- Laptop lock
- Don't leave laptop unattended
- Authentication
- Encryption
- Incident response
- Security awareness training
- Organization-specific considerations
- Beware of Wi-Fi
- Complex passwords
- Antivirus software
- Local firewall
- OS updates
- Prevent unauthorized software downloads


References

1. Privacy Rights Clearinghouse. http://www.privacyrights.org/ar/ChronDataBreaches.htm
2. "Operationalizing Security & Policy Compliance: A Unified Approach for IT, Audit, and Operation Teams", Qualys.
3. "Which Tools Rule for Security Compliance Orchestration", Security and Risk Management Strategies, Burton Group, Sept. 2005.
4. Bill Hayes, "Conducting a Security Audit: An Introductory Overview", May 2003.
5. "Firms ready to put leash on laptops", Dallas Morning News, July 2006.
6. Mike Mullins, "Take technology out of your security policies to maintain compliance", TechRepublic, April 2007.
7. "The 10 most overlooked aspects of security", Dark Reading, Nov. 29, 2006.
8. Craig Norris and Tom Cadle, "By addressing data privacy, companies avoid public scrutiny", SearchSecurity.com, March 28, 2007.
9. Marcia Savage, "Protect what's precious", Information Security, Dec. 2006.
10. Josh Ryder, "Laptop Security, Part One: Preventing Laptop Theft", SecurityFocus.com, July 2001.
11. Shamus McGillicuddy, "Fidelity laptop snafu spotlights need for security policies", SearchCIO.com, March 28, 2006.

Examples of Laptop Policy Documents / Articles

http://downloads.techrepublic.com.com/5138-1009-5752939.html
http://labmice.techtarget.com/articles/laptopsecurity.htm
http://www.auckland.ac.nz//security/LaptopSecurityPolicy_print.htm
http://security.berkeley.edu/MinStds/Physical.html
http://www.ltidata.com/knowledgecenter/BBPRoadWarriorv1.pdf
http://www3.georgetown.edu/security/10574.html
http://www.southcambs-pct.nhs.uk/documents/Staff_Information/Policies/guidelines/Mobile_or_Laptop_Computer_Acceptable_Use_Policy.pdf?preventCache=07%2F07%2F2006+15%3A14
http://www.asu.edu/it/security/s101/

IT Security Poster Links

http://www.microsoft.com/education/SecurityPosters.mspx
http://www.us-cert.gov/reading_room/distributable.html
http://security.arizona.edu/index.php?id=780

About the Author

Jason Roberts is the marketing manager for PC Guardian, a manufacturer of computer and data security systems. In his 19 years in management, Roberts has held director positions in field marketing, training, and operations. He holds a BS in Business Administration from Fresno State University.

About PC Guardian

PC Guardian is a leading designer and manufacturer of computer security solutions for corporations, educational institutions, and government agencies. Protecting computer assets with patented, award-winning products since 1984, PC Guardian successfully serves organizations, including many Fortune 1000 companies, by solving their security needs and ensuring compliance through innovative products, quality, integrity, and commitment to exceptional service and results. For more information, product availability, and distribution, please visit us at www.pcguardian.com.