laptopsecurity-sirtroundtablemay2008
DESCRIPTION
laptop laptopTRANSCRIPT
Laptop SecuritySIRT IT Security Roundtable
Harvard TownsendIT Security [email protected] 2, 2008
Laptops are risky business…
2
Agenda
Physical security Protection while traveling Information security Recording identification information Tracking and Recovery software Wireless security
Public WiFi hotspots Home wireless VPN service
Useful freeware tools demo’d throughout USB thumb drive security 3
4
Physical Security – Theft Prevention
Never leave unsecured laptop unattended Lock your doors (reshall room, apt., office) Lock it in a cabinet Use a locking security cable
Room/office Hotel room Public locations Conferences, training sessions Cost $15-$50, combination or key lock
Use strong password on all accounts
5
Traveling
Don’t let it out of your sight when you travel Be particularly watchful at airport security
checkpoints Always take it in your carry-on luggage
Never put it in checked luggage Use a nondescript carrying case Be careful when you take a nap in the airport Don’t leave it in view in your vehicle
Don’t trust the trunk - remember the quick release lever inside the vehicle?
6
Information Security DON’T store confidential data on mobile
devices If you must, encrypt it
Whole-disk encryption best File or folder encryption reasonable Demo TrueCrypt (open source, Win/Linux/Mac –
http://www.truecrypt.org ) Beware of managing encryption keys Work with temporary copies on the laptop – keep
original file(s) on secure server Backup data regularly
Imaging is a lovely tool Diligently manage the security of the device
(patches, antivirus software, firewalls, etc.)
Finding Confidential Data
Don’t assume you don’t have any confidential data on your laptop
“Spider” from Cornell useful for finding confidential datahttp://www.cit.cornell.edu/security/tools
Searches files for SSNs and credit card numbers
Lots of false-positives but still very useful
7
Preventing Recovery of Deleted Files
Deleted files easily recovered Even after you empty the Recycle Bin
“Eraser” freeware tool to securely delete files (http://www.heidi.ie/eraser/) “Erase” Recycle Bin “Erase” a file instead of delete it “Erase” free space on hard drive “Erase” a USB flash drive
“Media Sanitization” when disposing media8
Record Identification Information
Record make, model, serial number Take pictures of it Label it with ownership and contact info
Engrave cover Tamper-proof asset tag Write on it with permanent marker Distinctive symbols, art
Record network “MAC addresses”9
10
How To Find Your MAC AddressIn Microsoft Windows XP/Vista
Get a Command Prompt window Select Start, then Run, then type cmd.exe
In the command prompt window, typeipconfig /all
Look for the “Physical Address”, which is the MAC address
For other operating systems, seehttp://www-dcn.fnal.gov/DCG-Docs/mac/index.html
11
MAC address
12
Tracking & Recovery Software
If stolen, the computer contacts the company who traces it and contacts law enforcement to recover it
Computrace LoJack for Laptops from Absolute Software (www.absolute.com) is an example
Pre-installed in BIOS on many laptops Dell HP
Have to buy the license to activate Costs about $30-$50 per year
13
Wireless Safety
K-State, home, hotels, public “hot spots” Rule of thumb – FEAR WIRELESS! K-State information:
http://www.k-state.edu/infotech/networks/wireless/
General wireless security:http://www.onguardonline.gov/wireless.html
Wireless terminology:http://www.onguardonline.gov/wireless.html#glossary
14
Wireless Safety
Use encryption WEP (weak) WPA (strong -
coming to campus soon)
VPN
Don’t work with sensitive data in public hot spot
15
Wireless Safety
Securing wireless at homehttp://www.k-state.edu/infotech/news/tuesday/archive/2006/10-24.html#sectip
Use strongest encryption possible – WPA2 Restrict access to specific computers by
MAC address Change default settings
Admin password for configuration interface SSID Do not broadcast SSID
16
Default SSID
No Encryption
17
Default SSID
Default SSID
StrongEncryption
WeakEncryption (WEP)
18
19
20
Virtual Private Network (VPN)
Encrypts all network traffic between your computer and the K-State border
Makes your computer appear to be on campus to get access to restricted resources
Does NOT necessarily encrypt everything that goes to the Internet (“split tunneling”)
Also does not encrypt traffic on campus
21
22
Virtual Private Network (VPN)
Must install “VPN Client” software Information and software available at:
http://www.k-state.edu/infotech/networks/vpn/
Cannot use it on campus yet (to secure your wireless, for example); will be able to soon.
If can get to Internet but not K-State, modify the “Transport” configuration: Enable Transparent Tunneling IPSec over TCP
23Disconnected Connected
USB Flash Drive Security
No confidential data! Too easy to lose, easy target of theft
Don’t use it as a backup device “Erase” files so they aren’t recoverable Encrypt files on it with TrueCrypt or - Encrypted USB flash drives
Ironkey very popular - https://www.ironkey.com/
View demo?
24
25
More Information…
K-State’s “Mobile Device Security Guidelines:http://www.k-state.edu/infotech/security/mobile.html
What’s on your mind?
26