The personal data of every citizen of a small country consisting of SSN or ID number as well as passport reference, name, address, date of birth, phone, email, credit card and bank account numbers, utility and driving license details and a dozen other items of information require less than the storage capacity available on a single DVD-ROM disk. With the data listed here one can impersonate a person, send out mail shots (electronic, telephonic and paper), use credit cards to effect purchases or perform demographic analysis on the data. Most of the information listed above can be sold to hackers and spammers for good money if one knows where to go. While a DVD-ROM disk is a medium familiar to many, it is not the most compact. Eight times the storage capacity of a DVD-ROM can now be stashed on a USB pen drive having an area of less than 4 square centimeters. And such pen drives are not lab animals; you can go and buy one today. Electronic data has no weight and takes up no space. A USB pen drive which is empty looks identical to one which is packed solid. Transferring all the data from its original repository to a USB pen drive takes a few minutes, is silent and, above all, leaves the original copy unaltered.
Compare this to a situation in which someone wants to take the same information stored on paper. If one takes the originals then these will probably be missed sooner or later. On the other hand, if one decides to photocopy the originals, the repeated visits to a copy bureau will cause suspicion. This actually happened when McLaren were caught red handed copying Ferrari documents. If one owns the photocopiers, toner, paper and the time necessary to duplicate a million or so paper documents, transporting copying and eventually analyzing them is a huge challenge necessitating both man and machine.
In large organizations, access to the computer area should be restricted to authorized personnel only and the best in mechanisms that deter as well as clamp down any attempts at illegal access to the systems should be implemented. While it is understood that many small and medium sized operations as well as “normal” computer users do not have the resources to implement the security described above, computer data should, at least, be afforded the same level of care and security given to other items of high value within the boundaries of a house or office. And because, unlike practically every other object, data can be replicated with such ease, additional protective measures should be implemented. To the entities and individuals mentioned above, one must also include commuters. These are people who own a single notebook computer which they lug with them all over the place. Commuters have the highest risk of having their computer (and therefore the data on it) stolen.
The key to successfully protecting the data residing within a computer is to apply the law of least exposure. This law states that the less accessible the data on a computer is, the more secure it is. Therefore all measures that limit access to the data should be applied. What follows are tips one could use to safeguard data.
In today’s connected world, the need to hold data outside the confines of a properly secured and controlled area should be questioned. For example, rather than make a copy of the data when working from home or while on the road, one should consider hooking via a secure channel to the work computer. Therefore if the notebook is stolen, no data would actually end up being taken. Other than the physical cost of the device itself no additional loss would be registered. In this scenario it is important that passwords needed to access the central computer are not saved or written as this would beat the entire purpose of using this approach. This solution is now within reach of practically anyone who commutes. With always-on internet at the home or office becoming the norm as well as internet access from practically anywhere a reality, the communication channel exists. What remains is the security element and this can be catered for by a basic low-end firewall / router combo with built-in VPN capabilities.
Irrespective of how or where data is stored and how it is accessed, access to all computers should be via a log in screen. The minor inconvenience to a legit user having to type in a password on computer boot up translates into a hurdle to a thief. A weak password (or one which has been written down on the computer itself) is as good as no password. Such a simple security measure will differentiate between a thief who stole a computer for its intrinsic value and one who’s after its contents. The foremost would give up and reinstall it from scratch thereby erasing all prior content. A screen saver that automatically locks the computer after a reasonably short period of time ensures that the computer will not be accessible for long after its owner moves away—although locking a computer when leaving the computer unattended for any duration is a great and easy habit to get into.
Different passwords should be used to access different functions. Using a single password for everything means that if the password restricting access to one area is compromised the entire system falls. One reason why this can happen is due to poor programming. There are programs and devices that excel at the task they are primarily designed to perform, but fail miserably on security measures. For example, these badly designed programs do not encrypt passwords. This means that a hacker can get to the password securing the item by looking up a registry entry or a text file. In the case of web sites, if the same password is used throughout and one site is hacked than a hacker can potentially gain access to other sites. Hackers have a tendency to add successful username / password combinations to their hack dictionary. They use the information in such dictionaries to try to break into new systems. The one-password-opens-all scenario also implies that if a computer becomes infected by a key logger, the hacker would be able to figure out the password granting access to everything from just a single password. Key loggers are malicious programs that transmit every keystroke typed into the computer to their master.
The function to memorize passwords is another area that should be given considerable consideration especially with commuters. If a hacker gains control of a computer, he may be able to compromise its login screen and will be able to impersonate the legitimate user. All those features and facilities available to the owner now become available to the thief. For example, if one had memorized passwords to access sensitive web sites the hacker would find them pre-programmed and need not have to figure them out. Take it on from there…
The data is stored within a computer’s hard disk, or on removable media such as USB drives, optical media and backup tapes. Data thieves prefer to pry open computers and remove their hard disks rather than walk away with the entire system unit. This is because hard disks are smaller, lighter and easier to conceal. In fact there is an increase in the number of cases wherein thieves walked away with only the media leaving the opened computers and other valuable hardware behind. To counteract against this one should encrypt the individual files or, even better, encrypt the entire hard disk. As long as the encryption mechanism is up to standard and the passwords are not easy to determine, the data is inaccessible. This type of protection can also be applied to removable data storage devices.
Having a frequently updated security solution made up of firewall, antivirus and spam blocker is a must. Ideally one should have a computer to surf the net and chat and have fun and a computer for work. If this is not possible, one should then have a log in for work related matters and different one for personal activities. Switching between different users is dead easy thanks to the latest generation of computer operating systems and does not even necessitate closing running programs when switching from one computer account to the other. Allowing young children to surf off a work computer is bad. The “fun” computer should have restricted functionality that prevents the installation of new programs as well as limit access to the computer’s resources. Above all, discipline, maturity and common sense (these are the reasons why young children should not use work computers) are mandatory. All too-good-to-be-true situations are exactly that. Accepting something without having read what it does and opening everything that comes via email or chat is a recipe for problems.
Is this dooms day scenario simply ink on paper? Are the statements made here “things that will not happen to me”? Absolutely not. Sooner or later the inevitable will happen; and with the amount of time sitting in front of a computer on the increase, this will probably be sooner rather than later. Even the best of us will, one day lower our guard and will do something we’ll regret. Hopefully some of the other controls mentioned here will counteract that thoughtless action.
If the computer holds third party data and therefore other individuals stand to lose if the data is compromised than there is even more responsibility on the data holder to ensure that the data is safeguarded and to ensure that it does not become available to unauthorized third parties. Richard Thomas, the British Information Commissioner, wants to pass legislation that would make doctors and hospital employees liable if they leave a laptop containing patients’ records in their car and the laptop is stolen. He claimed that “it is hard to see that this is anything but gross negligence”. If Mr. Thomas gets his way, this action would attract criminal penalties and offenders could be fined up to £5,000 in a magistrates’ court or unlimited sums in the Crown Court. Cases in which individuals or groups have sued companies over data leaks are on the increase.
And don’t leave your notebook in your unattended vehicle.
Tags: Data , Encryption , Commute , Liability , Hacking , OnNeutral
This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 License.