laptop security best practice white paper
8/2/2019 Laptop Security Best Practice White Paper
http://slidepdf.com/reader/full/laptop-security-best-practice-white-paper 1/10
I. | Why Have a Separate Laptop Security Policy?
It’s time for those responsible for IT physical security to reevaluate their policies in order to improve the way end users guard their mobile windows into the corporation’s data vaults.
II. | Industry Regulation Touches Nearly Every Organization
[Body text of this section was lost in extraction. The regulations the section names are Sarbanes-Oxley, HIPAA, GLBA (Gramm-Leach-Bliley), PCI DSS, and California SB 1386.]
IT Frameworks Provide Detailed Direction
[Body text of this subsection was lost in extraction. The IT governance frameworks it names are COBIT 4.0 (IT Governance Institute, ITGI), ISO 17799:2005 (ISO 27001), and NIST 800-53.]
A Tree within the Forest
III. | What Should a Laptop Security Policy Accomplish?
Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them.
IV. | Striking a Balance Between Worker Productivity and Security
[Body text of this section was lost in extraction. The section's list survives:]
- Work offsite when there’s a work crunch demanding night and weekend hours
- Share information with distant business partners
- Keep up to date with business transactions
V. | Laptop Security: Who Is Responsible?
A laptop policy should incorporate the respective roles that facility/security managers, IT managers, supervisors, and employees play in protecting mobile computers.
VI. | The Role of Training
“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won’t suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.”
Kevin Mitnick, Founder, Mitnick Security Consulting, LLC; Convicted Computer Hacker
VII. | Management’s Role in Laptop Policy
VIII. | Laptop Security Policy Considerations
Figure: Multi-Tiered Laptop Security Model (high sensitivity at the top, low sensitivity at the bottom)

LEVEL 3 HIGH / CRITICAL
  Data: RESTRICTED INFORMATION (strategic plans, online access codes, encryption keys, credit card listings)
  Controls: HIGH SECURITY (tracking software, disk wipe software, biometrics)

LEVEL 2 MODERATE / HIGH
  Data: CONFIDENTIAL DATA (personnel records, customer records, budget data, sensitive correspondence)
  Controls: MEDIUM SECURITY (full disk encryption, offline storage options, insurance, disable unnecessary ports)

LEVEL 1 ROUTINE
  Data: INTERNAL INFORMATION (employee handbook, telephone directory, org charts, policies and standards)
  Controls: BASIC SECURITY (cable lock, disabled admin logon, strong passwords, asset tags)
IX. | Laptop Security Policy Best Practices Checklist
Checklist categories: 1. Basic Physical Security; 2. Operating System Security; 3. Network Security; 4. Secure Connectivity; 5. Protecting the Data; 6. Training
1. Basic Physical Security
- Have users read and sign an acceptable use policy describing precisely what is and isn’t acceptable on the company machine.
- Lock down laptops with a cable lock wherever you are: office, home, airport, tradeshow, or hotel room. If an immovable anchor isn’t available, loop the security cable around a chair or other hard-to-move object. Keep a spare key apart from the one on your keychain. If a resettable combination lock is used, change the combination whenever you suspect someone has observed you opening it. Register the key or combination on the lock manufacturer’s website in case you lose it. If you’re responsible for computers in a facility, use a master key or master-coded combo system to manage lost key/combo issues.
- Lock away PCMCIA/NIC cards if the computer is left unattended on the desktop.
- Register the computer serial #/model # with the manufacturer, and store the information separately. This will help recovery if the computer is turned in for service.
- If leaving a machine unattended, log out or turn the machine off.
- Apply a tamper-resistant asset tag or engrave the machine to aid authorities in recovery. These could also prevent the resale of the machine.
- Use a non-descript carry case. Place the laptop in a padded sleeve inside a backpack, for example.
- While traveling, never leave a laptop unattended in a public place.
- When leaving a laptop in the car, lock the computer in the trunk using a cable lock to secure it to a permanent vehicle mount.
- Consider biometrics as an alternative to passwords. Fingerprint, retina, and face scan technology can speed up access to the computer.
- Consider recovery software that allows the computer to “phone home” in case of loss or theft.
- If a laptop is lost or stolen, report it immediately. Time is of the essence to keep thieves from intruding on the company network.
2. Operating System Security
- Use the latest operating system affordable, as new security measures are being added all the time. Enable auto updates from the company network, and from the Internet when not at the office.
- Lock or disable all unnecessary ports to limit access. USB ports are especially vulnerable to data leakage and unauthorized data transfer.
- Enable BIOS passwords for added password protection. Determine if the BIOS (Basic Input/Output System) password locks the hard drive so it can’t be installed and accessed in a similar machine.
- Disable boot-up capabilities of other drives. Disabling the secondary boot drive sequence hinders the ability to access the system from a secondary drive.
- Rename the Administrator account. Attempting to hack local accounts is a common method. When renaming, don’t use the word “Admin” in its name.
- Prevent the last user name from displaying in the login dialog box.
- Disable the infrared port on the machine. Hackers can read the contents of your machine from across the room without you knowing it!
- Ensure only one active connected interface is enabled at a time. For example, if WiFi is enabled, then other access methods are disabled. This ensures that devices cannot be accidentally or intentionally used as bridging or routing devices between two or more networks.
- Do not let users download third-party software and applications or enable unauthorized protocols or services (much as they will want to).
3. Network Security
- Install and regularly update an antivirus product. Enable real-time protection by default.
- Install host-based adware and spyware utilities.
- Install a host-based firewall to deter intruders and malicious logic from entering the system.
- Enable all auditing available on the computer necessary to support the network environment.
- Install VPN technologies to access the organization LAN. The VPN should protect and encrypt at Layer 2, the data-link layer.
- Use client patch management software to receive the latest fixes to the OS and software.
- Enable encrypted protections on connections from untrusted to trusted network connections.
4. Secure Connectivity
- Ensure that antivirus and firewall software is installed, enabled, and receives regular updates.
- For VPN connectivity, disable split tunneling for all internet access. Not doing so renders the VPN vulnerable to attack.
5. Protecting the Data
- Have in place a password policy that requires users to create complex passwords between 8-14 characters. Passwords should use at least 3 of the 4 complexity requirements: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Don’t write passwords down, and don’t share them with others. See this article for how to create and remember complex passwords: http://articles.techrepublic.com.com/5102-1009-6028857.html
- Back up and synchronize your files on a regular basis.
- Consider using offline storage products when traveling. USB drives, RW CDs, or external hard drives provide a good backup should your laptop be unavailable.
- Use privacy screens when using your laptop in public places such as airports or hotel lobbies.
- Use system encryption tools such as EFS (Encrypting File System) on Windows XP for encrypting individual files and folders. Mac OS X users can use FileVault.
- For the most complete protection of data on the computer, install whole disk encryption.
- For machines with sensitive data, consider installing disk wipe technology that wipes the hard drive clean in the event of loss or theft.
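The password rule stated above (8 to 14 characters, at least 3 of the 4 character classes) as a reusable check that a help desk or onboarding script can call. This is an added example, not code from the white paper or from PC Guardian; the function name, its parameters and the sample passwords are this example's own choices.

```powershell
# Added example, not from the white paper: validate a candidate password against the
# section 5 rule (8 to 14 characters, at least 3 of the 4 character classes).
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [int] $MinLength = 8,
        [int] $MaxLength = 14,
        [int] $RequiredClasses = 3
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Length rule from the checklist.
    $lengthOk = ($Password.Length -ge $MinLength) -and ($Password.Length -le $MaxLength)
    if (-not $lengthOk) {
        $reasons.Add("length $($Password.Length) is outside $MinLength-$MaxLength")
    }

    # The four classes the checklist names. -cmatch is case-SENSITIVE; the default
    # -match is not, so "abc" would satisfy [A-Z] and the class count would be inflated.
    $classes = [ordered]@{
        Uppercase = '[A-Z]'
        Lowercase = '[a-z]'
        Number    = '[0-9]'
        Symbol    = '[^A-Za-z0-9]'
    }
    $present = @($classes.GetEnumerator() |
        Where-Object { $Password -cmatch $_.Value } |
        ForEach-Object { $_.Key })
    $classesOk = $present.Count -ge $RequiredClasses
    if (-not $classesOk) {
        $reasons.Add("only $($present.Count) of $($classes.Count) character classes ($($present -join ', '))")
    }

    [pscustomobject]@{
        # Never echo the password itself into logs or reports; report its shape only.
        Masked    = '*' * $Password.Length
        Length    = $Password.Length
        Classes   = ($present -join ', ')
        Compliant = ($lengthOk -and $classesOk)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample passwords (not real credentials) that exercise each branch:
# pass on 4 classes, fail on 1 class, pass on exactly 3 classes, fail too short, fail too long.
$samples = @('Tr0ub4dor!', 'password', 'Winter2019', 'Sh0rt!', 'Correct-Horse-Battery1')
$samples | ForEach-Object { Test-PasswordComplexity -Password $_ } | Format-Table -AutoSize
```

The result object never carries the password itself, so the output can be pasted into a ticket. The upper limit of 14 is kept only because the checklist states it; if the policy is later revised to allow longer passphrases, only the `-MaxLength` default changes.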
6. Security Awareness Training
- Raise security awareness: put up posters, put policies on the company intranet. Establish regular communications in company newsletters and emails about the latest threats and incidents that could affect your end user community.
- Review your policies at new employee orientation, and with regular awareness training every 6 to 12 months.
- Conduct security training classes between 45 to 60 minutes in length and cover topics such as email, web surfing, physical security, and procedures to follow while traveling.
- Keep employees alert by doing occasional compliance spot checks and pop quizzes at staff meetings. Don’t rely solely on your automated systems.
- Give travelers a pre-trip checklist on key security procedures to follow to reinforce training.
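Several of the checklist items in sections 2 through 5 (last user name hidden, Administrator account renamed and disabled, a single active interface, real-time antivirus, host firewall, automatic updates, whole disk encryption) can be verified on a Windows 10/11 laptop from an elevated PowerShell session. The script below is an added example, not code from the white paper or from PC Guardian. It assumes Microsoft Defender and the BitLocker module are present; the cmdlets and registry value are real, while the check names and the thresholds (signatures no older than 7 days, at most one connected adapter) are this example's own choices.

```powershell
# Added example, not part of the white paper: audit a Windows 10/11 laptop against
# checklist items from sections 2 to 5. Run in an elevated PowerShell 5.1+ session.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Item, [bool]$Pass, [string]$Detail) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Item = $Item; Status = $status; Detail = $Detail })
}

# Section 2: last user name hidden from the logon dialog.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$hideLast = (Get-ItemProperty -Path $polKey -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName
Add-Finding 'Last user name hidden at logon (section 2)' ($hideLast -eq 1) "DontDisplayLastUserName=$hideLast"

# Section 2: built-in Administrator (RID 500) renamed without "Admin" in the name, and disabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
$renamed = ($null -ne $builtin) -and ($builtin.Name -ne 'Administrator') -and ($builtin.Name -notmatch 'admin')
Add-Finding 'Built-in Administrator renamed (section 2)' $renamed "name=$($builtin.Name)"
Add-Finding 'Built-in Administrator disabled (section 2)' (($null -ne $builtin) -and -not $builtin.Enabled) "enabled=$($builtin.Enabled)"

# Section 2: only one connected network interface at a time (no accidental bridging).
$upAdapters = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
Add-Finding 'Single active network interface (section 2)' ($upAdapters.Count -le 1) (($upAdapters | ForEach-Object { $_.Name }) -join ', ')

# Section 2: automatic updating not switched off (Windows Update service not disabled).
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
Add-Finding 'Windows Update service not disabled (section 2)' (($null -ne $wu) -and ($wu.StartType -ne 'Disabled')) "startType=$($wu.StartType)"

# Section 3: antivirus real-time protection on, with signatures updated within the last 7 days.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$avOk = ($null -ne $mp) -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
Add-Finding 'Antivirus real-time protection and fresh signatures (section 3)' $avOk "realtime=$($mp.RealTimeProtectionEnabled); signatureAgeDays=$($mp.AntivirusSignatureAge)"

# Section 3: host-based firewall enabled on every profile (Domain, Private, Public).
$profiles = Get-NetFirewallProfile
$fwOk = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
Add-Finding 'Host firewall on for all profiles (section 3)' $fwOk (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# Section 5: whole disk encryption on the system drive (BitLocker fully encrypted and protecting).
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$fdeOk = ($null -ne $blv) -and ($blv.ProtectionStatus -eq 'On') -and ($blv.VolumeStatus -eq 'FullyEncrypted')
Add-Finding 'Whole disk encryption on system drive (section 5)' $fdeOk "protection=$($blv.ProtectionStatus); volume=$($blv.VolumeStatus)"

$findings | Format-Table -AutoSize
# Keep the evidence for the compliance file:
# $findings | Export-Csv -NoTypeInformation "$env:COMPUTERNAME-laptop-audit.csv"
```

Items the script cannot see from inside the OS (BIOS password, boot order, infrared port, cable lock, asset tag) still need the physical walk-round the checklist describes; the CSV from the script and that walk-round together give the "sign off" record that section III calls for.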
Conclusion
It may seem obvious, but the best way to protect the data on a laptop is to prevent it from being stolen in the first place.
Figure: Laptop Security: As Strong as the Weakest Link
- Laptop lock
- Don’t leave laptop unattended
- Authentication
- Encryption
- Incident response
- Security awareness training
- Organization-specific considerations
- Beware of WiFi
- Complex passwords
- Antivirus software
- Local firewall
- OS updates
- Prevent unauthorized software downloads
Examples of Laptop Policy Documents / Articles
http://downloads.techrepublic.com.com/5138-1009-5752939.html
http://labmice.techtarget.com/articles/laptopsecurity.htm
http://www.auckland.ac.nz//security/LaptopSecurityPolicy_print.htm
http://security.berkeley.edu/MinStds/Physical.html
http://www.ltidata.com/knowledgecenter/BBPRoadWarriorv1.pdf
http://www3.georgetown.edu/security/10574.html
http://www.southcambs-pct.nhs.uk/documents/Staff_Information/Policies/guidelines/Mobile_or_Laptop_Computer_Acceptable_Use_Policy.pdf?preventCache=07%2F07%2F2006+15%3A14
http://www.asu.edu/it/security/s101/
IT Security Poster Links
http://www.microsoft.com/education/SecurityPosters.mspx
http://www.us-cert.gov/reading_room/distributable.html
http://security.arizona.edu/index.php?id=780
About the Author
Jason Roberts is the marketing manager for PC Guardian, a manufacturer of computer and data security systems. In his 19 years in management, Roberts has held director positions in field marketing, training, and operations. He holds a BS in Business Administration from Fresno State University.
About PC Guardian
PC Guardian is a leading designer and manufacturer of computer security solutions for corporations, educational institutions, and government agencies. Protecting computer assets with patented, award-winning products since 1984, PC Guardian successfully serves organizations, including many Fortune 1000 companies, by solving their security needs and ensuring compliance through innovative products, quality, integrity and commitment to exceptional service and results. For more information, product availability and distribution, please visit us at www.pcguardian.com.