I’d like to give my readers a description of some basic things you can do in order to protect your laptop.
The first thing you can do is to itemise the risks that concern you. Here’s my risks list:
1. Theft / Loss – I am worried that I will leave my laptop somewhere that I cannot return to, or that it will be stolen from me by force or guile. My laptop is my main machine, and contains customer data (in email) and source code for some of the software I have written.
2. Physical Damage – I worry that my laptop will be damaged – either in its regular laptop bag, or if I board a flight during one of the occasional security crack-downs that will require me to entrust my laptop to the tender mercies of baggage handlers (see item 1, and references to news stories about losses at Heathrow).
3. Wireless snooping – when out and about, I occasionally use wireless networks, and I would be really upset if someone were to get customer records, or that source code I’m so proud of, simply by watching what I send through the ether.
4. Network intrusion – either by wireless or regular networking – I’d really like to prevent people from coming in to my machine using the “vulnerability of the month”.
So, what are my mitigations?
1. Good backups. Every night, I update my set of incremental images of the data on my laptop; every week, I merge the incrementals into a complete image. Every month, I take time to restore from an image to ensure that the backups continue to be good. Every week, I burn a set of backups to physical media and put them in the safe; every month, I take them to the safety deposit box (and swap out the old ones). This helps with parts of all the risks above.
2. An insurance policy. When traveling, or at home, I ensure that I have sufficient insurance to replace the contents of my laptop. This allows me to confidently replace my laptop in the event of theft, loss or physical damage – and the backups get me back up and running.
3. Drive / Folder / File encryption. Currently, I use a combination of EFS and SYSKEY – components inside of Windows – to ensure that my laptop is useful only to me, even if somebody steals it. Most laptop thefts, I believe, are carried out purely for the price of the hardware, and the stolen laptops are re-imaged as soon as possible – but I should never trust anything to the assumption that I won’t have the bad luck of having my laptop stolen by someone who really wants my company and customer secrets. This protects against much of the worry of theft / loss. You can buy products that will encrypt your entire drive, requiring either a passphrase or a hardware key to be provided every time the system boots. This is easier to check on.
4. Auditing of drive contents. Okay, so this isn’t one I actually do – but I would start from the assumption, if my laptop was stolen or lost, that everything is on it – financial data, customer information, source code, business intelligence. In a true corporate environment, you should assume (sadly) that your users will not only not know what is on their laptop, but will mislead you into thinking that their laptop contained nothing of importance. Even if all you do is a “dir /s/a > \\server\share\logfile.txt” on their laptops every time they log on, you should have some record that will allow you to definitively state whether important data was on a stolen laptop.
5. Regular patching. I set auto-update to download and notify me, rather than to immediately install, any security patches that are released. This is something I can do, only because I stay on top of news about security vulnerabilities. I’m toying with the idea of simply automatically installing patches. It’s been a very long time since I used to advise people “never be the first on your block to install a patch or a service pack”. I enable Microsoft Update, as opposed to Windows Update, to ensure that I get updates to Microsoft Office and other Microsoft applications. I also go hunting for updates at other vendor sites for software and hardware that I have installed.
6. VPN and firewall. When at home, I’m behind a firewall that doesn’t allow traffic in to my laptop, and doesn’t allow much in the way of traffic out. When on the road, as soon as I connect to the wireless network, I also connect to my Virtual Private Network (VPN). The VPN is configured to always encrypt, so there’s no option for snooping, and because the default route for all traffic now goes through the VPN, I am still effectively behind that good sturdy firewall.
7. Always off. I keep my laptop turned off where possible – either Hibernated or Shutdown. When the laptop is on, I leave the network (wireless or wired) unplugged or turned off where possible.
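The logon-time listing suggested under "Auditing of drive contents" above, as an added PowerShell example (not part of the original post): it writes one timestamped CSV per machine and user rather than a single shared logfile.txt, and spools locally when the laptop logs on away from the network. `\\server\share` is the placeholder from the text; the `inventory` subfolder and the spool folder name are assumptions.

```powershell
# Added example: logon-time file inventory for one laptop.
# Assumptions: \\server\share is the placeholder share from the text; the
# 'inventory' subfolder and the local spool folder are hypothetical names.
$ShareRoot = '\\server\share\inventory'
$Spool     = Join-Path $env:LOCALAPPDATA 'InventorySpool'
$Roots     = @($env:USERPROFILE)          # folders to record; extend as needed

# One file per machine, user and logon, so laptops never overwrite each other.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$name  = '{0}_{1}_{2}.csv' -f $env:COMPUTERNAME, $env:USERNAME, $stamp

New-Item -ItemType Directory -Path $Spool -Force | Out-Null
$local = Join-Path $Spool $name

# -Force includes hidden and system files (the /a in "dir /s/a");
# unreadable folders are skipped and counted rather than aborting the run.
Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue -ErrorVariable errs |
    Select-Object FullName, Length, LastWriteTimeUtc |
    Export-Csv -Path $local -NoTypeInformation -Encoding UTF8

if ($errs.Count -gt 0) {
    Write-Warning "$($errs.Count) paths could not be read and are missing from $name"
}

# A laptop often logs on away from the office. Keep the listing in the spool
# and upload every spooled file the next time the share is reachable.
if (Test-Path -Path $ShareRoot) {
    Get-ChildItem -Path $Spool -Filter '*.csv' | ForEach-Object {
        try {
            Copy-Item -Path $_.FullName -Destination $ShareRoot -ErrorAction Stop
            Remove-Item -Path $_.FullName
        } catch {
            Write-Warning "Upload failed for $($_.Name): $($_.Exception.Message)"
        }
    }
}
```

The listings name every file a user holds, so restrict read access on the share to the people who would investigate a loss, and give users create-only rights so an uploaded listing cannot be altered afterwards.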
So, what’s the absolute minimum? 1, 2, 4, 5 – but then again, that’s really not enough. I think they’re all part of the “absolute minimum”. Ask yourself the same “what’s my risk?” question – always ask that question when faced with a security debate – and see what you come up with as an absolute minimum.
I’d love to hear what you come up with.