I have often said that encryption is like the anti-virus of twenty years ago, just without Doctor Solomon’s socks (that comment in of itself shows my age and when I first started in IT!). What I mean by that is twenty years ago when viruses first started to appear in their hundreds, anti-virus products started to appear in earnest. Not everyone bought or licensed an anti-virus package because they were expensive and the threat was also somewhat small. When it was licensed in the enterprise it was normally a low cost “detection” package that was rolled out onto the desktop with only a few of the expensive “removal packages” in the IT department to carry out the actual disinfection. Home use of anti-virus was virtually unheard of.
Roll forward nearly two decades and anti-virus is everywhere. It is on your computer when you first buy it, it is on every corporate machine (even the OSX environments) and there are even free versions. Everyone, everywhere has an anti-virus package, and only the most foolhardy or ignorant won’t have one installed (although it won’t take long before a trashed disk from a virus or malware will persuade them!).
This is not unlike the case today with encryption. I have come across many small to medium sized organisations that do not have any kind of encryption on any portable device, let alone their laptops, and home use is virtually non existent amongst my friends and colleagues (my peers in the info sec industry are obviously a little more ahead of the game!) I do believe we are in the middle of a sea change however, but it is a slow, organic change similar to the anti-virus evolution.
I know there are many “encryption” companies out there that do a basic full disk encryption (FDE) package, but off the top of my head I can only name four:
- Symantec (PGP)
- TrueCrypt (Open Source)
- BitLocker (Microsoft)
- FileVault (Apple)
For the average user, and indeed many businesses, that is not a huge choice. Even companies that have Windows 7 and Lion installed, the encryption element itself is not automatically turned on, and with Apple there isn’t even any kind of centralised key management (unless, of course, you wish to trust Apple with the keys to your kingdom).
For me, it is simple; encryption must be a part of the full IT procurement cycle. It needs to be budgeted for in the lifecycle of any computer purchase, and in the case of the enterprise, key management needs to be as normal and as natural as Active Directory management. (That same rigour then needs to be applied to removable media as well). Education in the proper use of it is essential (when a laptop is running or suspended it is effectively unencrypted, when it is switched off it is encrypted), and the inclusion of desktops is essential. After all, hard disks get stolen or sent to the disposal company accidentally without being wiped…
Home use also needs to be targeted – only when encryption capabilities are as ubiquitous as anti-virus will a change occur in the way we use computers both at home, schools and work, because users will demand it. The theft of computers from homes opens up all kinds of issues regarding credit card, password and identity theft.
As with all of the things in this list, encryption is not a panacea, but it is an important tool that needs to become as natural to use as a knife and fork, or perhaps more appropriately, as acceptable as anti-virus. What price must be paid in lost data before encryption becomes the rule, rather than the exception?
I will explore this in more detail in a later post or presentation, but I have just had a very engaging conversation regarding what we all lose when we think too much about security. My colleague was expounding the joy of sharing free wifi amongst his neighbours when of course I (in my role as the security chappy) immediately informed him of the number of cases of people being arrested because someone was downloading illegal content from their unsecured wifi connection (see http://bit.ly/yiy8QW as an example, albeit in the USA although Google gives plenty of other examples), and confidently informed him they securing his wifi was the only sensible course of action.
His response was robust and convincing, and initially threw me off guard; ” I would prefer to share my wifi amongst my community than to close it off against the tiny chance of it being abused”. He then summed it up in terms that really made sense to me; “I prefer to actively engage with these kinds of risks than to isolate myself from them and lose the multitude of benefits it brings me”. Initially I couldn’t accept this. Why on earth is someone willing to open themselves to these kinds of risks, where even the hint of wrong doing can ruin a persons life? Then I realized I deal with this in exactly the same way in my day job; risk acceptance.
Everybody’s attitude to risk is different. Indeed every company and every senior management team has a different attitude to risk, and the line that is drawn between an acceptable and an unacceptable risk is a moveable feast, even within the same organisation. My colleagues attitude is that of a risk happy organisation, mine is that of a risk averse organisation.
And to think, I had never considered myself risk averse until today!
Why is the humble lock lead the first item in my top ten? Many people would complain it is a pain in the backside to use day after day, that it can’t provide that much protection given the tiny connection to the laptop in the small rounded rectangular hole, and the cable must be pretty easy to curt through, so why bother?
Let us look at the two main aspects of lock leads, namely the physical aspect (how strong, reliable etc) and also the deterrent aspect (will it put people off?).
1. The Physical
There are good quality, well made lock leads and there are bad quality, poorly made lock leads. Make sure you choose the right one. How do you choose? Look for recommendations, and also purchase range of them and try them out yourself. Some can be opened with a rolled up business card, and some can be snapped off with a sharp turn of the barrel using a pair of pliers. My current favourite is the Compu-Lock lead, http://www.compu-lock.com (I have no business or personal interest in the success of this company but the lead they produce meets many of there criteria I lay out in this article). You of course may fall to one of the other major manufacturers.
The cable itself (at least in a good one) is made of stranded hardened steel (allowing flexibility with strength) and covered in a durable plastic coating that also provides initial protection from cutting (such as with pliers). The construction is very similar to a bike lock albeit thinner, and although it can be cut it takes some considerable effort with hand tools. I have tested this with a lower specification cable, cutting through it in just under two minutes with a pair of snips; it took a considerable amount of effort and grunting to do so, and I was still left with a “tail” attached to the laptop. The better specification cables will take significantly longer.
The lock itself is also important. Kensington came under fire some years ago (somewhat unfairly) when many of their locks were shown to be susceptible to Bic biro barrels and rolled up business cards being forced into the key hole to take the shape of the key and subsequently open the lock in a matter of seconds. This problem went beyond laptop locks and affected other barrel lock manufacturers for bikes etc.. Although the problem has been solved, I still feel wary of these types of lock, albeit without foundation! As an enterprise you will want a lock that provides master keys specific to your organization, something that is not always easy to find, especially in the lower end of the market.
Finally, the fit is important. Many locks will connect with the laptop but then be loose. Some try and overcome this with rubber flanges which is ultimately useless. the problem a loose lock poses is that if the gap is big enough to get a hacksaw into you can attack the pin(s) that lock it, or even worse get a good grip and twist the barrel to break the pins. The better locks will have an adjustment mechanism that ensures the barrel is tight against the laptop meaning there is significantly less leverage and no gap to cut through.
2. The Deterrent
So you have the Rolls-Royce of locks in your possession… there are a numbers of things to bear in mind to ensure its effectiveness.
Firstly, you have to use it! Time after time I see them looped into a desk and then not connected to the laptop. FAIL on all counts. Use it all day, every day; in the office, hotel room, client site, even in the boot of your car if you have to leave it in there for whatever reason (avoid this last one at all costs though!).
Secondly, given it will not put off a determined attack, it should not be left overnight in your office for instance. Their primary use is as a casual theft deterrence; any thief in a time pressured situation (perhaps during a fire evacuation drill?) will not bother with the laptop that is locked and move very quickly onto the one that isn’t. If somebody has the luxury of thirty, undisturbed, minutes in the middle of the night they may think differently as well as be equipped for it! Always take your laptop home; if nothing else it is a very effective contributor to your company’s BCP initiative!
Finally, having the lock leads helps keep you in a security mindset (hopefully without becoming paranoid!). It is a constant visual reminder of the need for security, and if it reminds you to lock your screen every time you step away for a coffee then you have doubled the value of the lead straight away.
In conclusion, the lock lead has to be one of the most simple, best value and effective data loss prevention tools available. It’s use will significantly reduce the potential for theft of not only the physical device, but the cost of replacing the laptop, the data, the time in getting everything back and potentially a front page spread in a national newspaper;” Company X loses One Million Public Records“.
Surely £25 is worth avoiding that?
It occurred to me while I was preparing to give a security briefing to a number of internal teams that fundamental security is not difficult. There are a number of simple activities or tasks that if carried out correctly, will significantly reduce the the potential for data loss, data breaches, security weaknesses and incidents. After a bit of scribbling in my book I boiled it down to ten things (or actually made it up to ten as I originally only cam up with seven, but every “list” needs to be either three, five or ten!). Many of them can even be driven by the individuals themselves rather than the organisations they work for; perhaps a version of BYOD called BYOS, or Bring Your Own Security. I think that in itself is a good topic for conversation!
Over the course of the next few weeks I will post each one (or two if they are related) of these activities, but in summary they are:
- Lock Leads
- Screen Privacy Filters
- Removable Media
- Collaboration Tools
- Mobile Devices
- Social Engineering
- Background Checks
- ID Badges
- Escalation & Education
I am sure there are more, and I have the feeling these posts will form the basis of a presentation later on in the year! However, the fundamental aspect of all of this is that basic security is not difficult. it doesn’t require thousands of pounds on DLP solutions, security guards and endpoint solutions (although they all help add layers of defense of course), it just needs to focus initially on a few effective measures that can me implemented across an organization quickly, easily and in the grand scheme of things, at great value.
In the process of writing these up I hope to explore both their effectiveness and ease of use; I will also challenge some preconceptions, including my own, on the ease in which they can be implemented and more importantly, adopted buy individuals in a BYOS environment.