The fundamentals of secure remote computing include making sure your users aren't being attacked or spreading viruses and that they have secure connections to the corporate LAN. First, all your laptop users need personal firewalls, which will repel some common attacks. Personal firewalls also can "hide" a PC by not letting it respond to connections or pings, by blocking ports and protocols, by performing host-based intrusion detection, and by designating which applications may access the Internet. Keep in mind that you want a centrally managed firewall; end users should not make any decisions on security--you dictate the policy, they follow it (for more on personal firewalls, see our Buyer's Guide).
We have found that firewalls with application control are better at blocking Trojans than are firewalls that block only ports. That's because Trojans can operate by making outbound connections on common ports. Firewalls alone, however, won't protect against viruses. For this, you need antivirus software, preferably a package that checks often for new signature definitions.
SECTOR SLACK: Say a volume uses a cluster size of 64K, and a user stores several files, each 40K. When Windows 2000 allocates space it gives each file its own cluster, with the space left over being--you guessed it--sector slack.
The next step in securing software is to verify that the laptop user is legit. There are a few options here. One is to force the user to enter a login password upon start-up or after an idle period, in either the OS log-in screen or on BIOS boot. If passwords don't give you a secure feeling, biometric authentication, such as retinal scans, fingerprint or voice analysis, is a possibility. Keep in mind, however, that many biometric devices plug into serial or USB ports and are one more thing for a laptop user to lug around, lose or break. Acer, MicronPC and other vendors offer laptops with fingerprint scanners built in (see InformationWeek's "Fingerprints and Notebooks: Hand in Hand").
Voice analysis seems like a nice option, as many laptops have a microphone port, but can be problematic. In noisy environments, for example, the computer might not pick up the sound, and laryngitis or a bad cold might lead to a frantic helpdesk call.
As for connecting to the corporate network, two words: Use encryption. First, determine what needs to be encrypted. If all your users will do is access Web-based programs, you can get away with HTTPS. You can also encrypt e-mail by using SSL over IMAP or POP3, which makes sending and receiving e-mail over the Internet more secure by encrypting the entire session, from host to e-mail server (for a secure appliance e-mail solution see "In the M2000, Mirapoint Makes a Mighty Message Server"). There are two major forms of e-mail encryption, S/MIME and IMAP/POP3 over SSL, and they serve two different needs. S/MIME encrypts or signs the message, but not the session. IMAP/POP3 over SSL secures the login and session, but on the next hop the data can be transmitted in plain text. IMAP over SSL is very simple and requires no user intervention, but not all client software supports it. If you want all your traffic to be encrypted, or if some of your programs do not support encryption, a VPN is the way to go. Virtual private networks let remote users access internal resources without making these resources publicly accessible. (For more on VPNs, see "Add Some FiberLink to Your VPN Diet.")
The Plot Thickens
In addition, disable split tunneling so that, while the VPN is active, all network traffic flows through the VPN, not just traffic destined for the corporate network. Some VPN clients come bundled or integrated with a personal firewall, which can simplify deployment and management. Most VPN clients support integration with smartcards, USB tokens and biometric devices for certificate handling and authentication.
All these firewall, antivirus, authentication and VPN systems will mean an increased demand on your helpdesk and more software to keep up to date, and each may require separate administration servers and management interfaces. Factor these issues into your cost analysis (for more on securing remote users, see "Telecommuting: Keeping Data Safe and Secure").
Theft has been a reality of life since the first caveman lifted a dino drumstick from his neighbor's fire. Laptops are equally tasty and easy targets. It takes only a second for someone to grab a laptop bag in a crowded terminal, and it's also easy to forget a bag in the overhead luggage bin. Hey, even an agency as anal as the IRS has mislaid 2,332 laptops in the past three years, and it can't rule out private taxpayer information being lost as well
Clearly, losing a laptop can cost more than just the price of the hardware. How valuable is the data on the computer? If it wasn't backed up, many hours of work could be lost. Some laptops also contain private information or sensitive trade secrets worth millions if they fall into the wrong hands.
Protective products from cable locks to motion alarms are available. But no lockdown product will ensure 100 percent theft avoidance; it's merely a deterrent. Most laptops are made out of relatively weak plastic with only small slots for locking devices. We found that a screwdriver can sometimes pry open a case enough to remove the lock. A palm sized butane/propane torch can melt the plastic to weaken it. A laptop with a gaping hole in the side will fetch less than an undamaged one, but the parts can be sold individually, and a thief who's interested only in the data won't care about physical damage. We recommend choosing a laptop that offers a hardened plastic case, like Hewlett-Packard Co.'s OmniBook 6000, which has a magnesium-reinforced body, or one that has a reinforced security slot.
Where And When A poll of 231 IT pros from companies larger than 300 employees showed that, within a work environment, notebooks are most likely to be stolen from a cubicle. Outside work, cars barely edged out airports as the most likely places for theft. (Source: Kensington Data Security Survey)
Buh-ByeOnce a laptop is stolen, there's little you can do to recover it. National registries for stolen laptops aren't universally checked, especially by people buying from online auction sites or at flea markets. The exception to this is if you install theft-recovery software, such as those we evaluate in this article. However, there are limits to how effective these programs are.
And though your hardware might be history, your data could be safe--if it had been encrypted. You can encrypt individual files and folders or you can encrypt the entire disk. Microsoft Windows 2000 and XP users who want to encrypt individual files can use the built-in EFS (Encrypted File System) utility. Simply right-click a file in Windows Explorer and select encrypt. Of course, just because a file is encrypted does not mean it doesn't reside elsewhere on the disk. EFS works on individual files and directories only, not on the entire disk. It does not encrypt temp files and printer spools, nor the swap file. One Microsoft recommendation is to encrypt the temp directory also, but you still can't encrypt the swap file. Guidance Software makes a product called EnCase that is targeted to law enforcement for hard-drive forensic study. Using EnCase, we found in the Windows swap file pieces of a large text file we had encrypted using EFS.
Furthermore, deleting a file does not actually erase it; it just removes the markers defining where the file is stored. Only by overwriting a file is it really deleted. You could overwrite many previously deleted files by defragging your hard disk, and there are programs, like WipeInfo in Norton Utilities or Jetico's BCWipe, that will delete a file and then immediately overwrite every sector it occupied.
The downside of using a file- or folder-based encryption program is that it puts the decision to encrypt in the hands of users, who may forget to encrypt a document after working on it or even leave temp files all over the place. The only way to truly protect data is to use a full-disk-encryption program. The other advantage of full disk encryption is that even deleted files are encrypted, so you don't need to worry about overwriting. Not many of these systems are available, but we examined a few.
You can encrypt files individually, either file by file or whole folders, or encrypt an entire drive. Each method had advantages: When you encrypt individual files with third-party software, you can send them across a network knowing that the files won't be accessible to anyone who does not have the password and the encryption software loaded. Whole-drive encryption, on the other hand, prevents data theft if a computer is stolen. We looked at a trio of disk-encryption offerings: PC Guardian's Encryption Plus Hard Disk, Pointsec Mobile Technologies' Pointsec PC 4.0 and WinMagic's SecureDoc 3.1.
File-level encryption is a well-understood process. Commonly used encryption schemes include AES (Advanced Encryption Standard), Blowfish and 3DES with keys varying from 56 to 256 bits in length, and all sorts of single-file and folder-encryption products are available, including some shareware and freeware. Some encryption products require you to decrypt the data with the same computer (or key) with which it was encrypted. Other products let you encrypt/decrypt with a password. The user's needs should determine which method you use.
A huge number of file- and folder-encryption programs are on the market, with little differentiation, so we decided to take a look at two: Microsoft EFS because it's built into Windows 2000 and up, and PC Guardian's Encryption Plus File. You'll find our evaluation of these products here.
To protect temporary files, swap files and printer spools, you need to encrypt the entire drive. Because the entire file system is encrypted, including the OS, drive-encryption software must load before the OS. Normally, after you power on a computer and it goes through its memory test, the boot loader will load the OS. When you install drive encryption software, it modifies the boot loader to run instead of Windows on boot. The encryption software then authenticates the user, and, on success, loads Windows. This is a much more complicated procedure than simple file or folder encryption--the point of these products is to protect the data from a thief who gets his or her hands on the hard drive, not to secure the data when copied or transmitted.
The three drive-encryption products we evaluated load on bootup, request a user name/password login or token, and then perform on-the-fly decryption and load the OS. Because the OS is encrypted, users must enter the decryption key (password or token) to boot the system. If they forget the password, an administrator can override the user's password.
Files remain encrypted on the drive. However, they are in the clear when sent over the network or copied to a removable disk or unencrypted partition/drive. When we analyzed the disk after encryption, the entire drive was encrypted except for some bootstrap code. Some features to look for are multiuser support, recovery keys, administrator overrides, centralized management and integration with PKI (public key infrastructure) and tokens, in addition to user name/password authentication.
Also, there is a difference between full-drive encryption and virtual-drive encryption. Software that performs virtual-drive encryption creates a single large encrypted file on a disk, and is presented to Microsoft Windows as a logical mountable drive. It acts like a container.Emulation software (such as VirtualPC on the Apple Macintosh) and disk-image files have been doing this sort of thing for years. However, these virtual drives offer the same level of protection as folder-level encryption--in other words, the swap file and temporary files are unencrypted. Be careful: Sometimes the product marketing won't make this distinction clear.
Winmagic secureDoc 3.1
SecureDoc encrypts drives with DES, 3DES and AES. It also lets you encrypt individual floppy disks with the same encryption key or a key shared among a few people. We were able to encrypt two floppy disks with two different keys. The advantage here is you can protect and hide data from multiple departments within your organization. This is a unique feature--none of the other vendors supports removable drive encryption--and is enough to make SecureDoc our Editor's Choice.
Disks can be encrypted and shared among a group, which is a common activity, or reserved for the lone user. In addition, you can store the encryption key on the floppy disk instead of the hard drive, thus requiring the floppy in addition to user name/password and acting as a token. Another feature supported is locking down the removable drives. We were able to prevent the user from accessing the floppy drive, though the efficacy of this feature comes into question when you consider that the files can be uploaded easily off the computer via HTTP or FTP.
SecureDoc 3.1 Disk Encryption Software, $159 (individual license). WinMagic, (905) 502-7000, (888) 879-5879. http://www.winmagic.com
Pointsec Mobile Technologies Pointsec PC 4.0
Pointsec has fewer features than SecureDoc, but still offers a lot of options. Encryption is done via Blowfish or CAST, and the product lets you create multiple users and groups, and offers smartcard integration. Like all the products we evaluated, there is support for the administrator to generate a one-time login password in case the user forgets his or her password and needs to change it.
Users can be granted or denied access to individual partitions. And Pointsec PC can't encrypt removable media. The initial encryption process (after installing the product) runs in the background while Windows is loaded. This means users can continue to work as a drive is being converted to an encrypted format. SecureDoc offers this capability; PC Guardian's product does not. Seeing as it took us several hours to encrypt a 9-GB drive, this is a useful capability.
Pointsec PC 4.0, $42,580. Pointsec Mobile Technologies, (925) 256-2500, (800) 579-3363. http://www.pointsec.com
PC Guardian Encryption Plus Hard Disk
This product was the simplest to use and administer, but it is less feature-rich than its competitors. The program is limited to one user login/password per machine. There is no support for tokens or PKI integration, and the product will encrypt only the primary hard drive. It does, however, offer master password capabilities, custom installer-package creation and one-time password overrides. This product seems best suited for individuals and smaller departments, especially those that want an easy-to-configure package. For large installations that require good key management, multiple users and PKI, the other products would be a better choice.
Encryption Plus Hard Disk, $99.95 per seat (50 seat minimum). PC Guardian, (415) 459-0190, (800) 288-8126. http://www.pcguardian.com
R E V I E W
Disk Encryption Software
Products Reviewed: PC Guardian Notebook Guardian | Kensington Technology Group Sonic Lock Motion-Detecting Alarm | Kensington Technology Group Notebook ComboSaver | Targus Defcon 1 Ultra
Lockdown devices are designed to deter, not prevent, theft. These products fall into two main categories: traditional steel-cable kits and motion-activated siren alarms. We tested both types. PC Guardian's Notebook Guardian (both the standard and ultra models) and Kensington Technology Group's ComboSaver are steel-cable kits. Targus' Defcon 1 Ultra and Kensington's Sonic Lock are alarms. Most notebooks have a security slot on its side, known as the Kensington lock after the company that patented it, and all the products we tested lock to the laptop via this slot.
The cables are made out of multiple strands of thin, hardened steel, bundled and twisted together, and encased in a plastic coating. Even the heaviest kit weighs barely one pound, but remember, the more steel in the cable, the harder to cut through. There are several options for the locking mechanism, including combination, keyed lock and keyed lock with a master key. The locks come with two keys, and there are no override capabilities for a combination lock.
The motion-alarm devices are easier and quicker to disable, but they require more preparation work for the thief. Also, if the thief fails to act quickly enough, the alarm will attract more attention than a cut cable--these products emit a 100-dB siren when jostled. Of course, there is a strong possibility of false alarms, and we all know how people ignore car alarms. And the thief could place a hand over the speaker, greatly diminishing the volume. There is a 4- to 8-second delay between the time the device detects movement and the time it goes off, giving a legitimate user time to enter the combination. You need to replace the batteries every few months.
We pitted these devices against one another to determine which one we could discreetly disable more quickly. We considered 30 seconds with little noise enough time to steal a laptop without being noticed. This was, of course, assuming the device was secured to a desk in an office--it takes only a second or two to grab a laptop bag in public. Following this logic we awarded our Editor's Choice for lockdown devices to PC Guardian's Notebook Guardian Ultra because it was so difficult to cut through.
PC Guardian Notebook Guardian
PC Guardian sent us two versions of its Notebook Guardian product, standard and ultra.
Both devices are simple steel cable kits, but the ultra model is twice as thick as the standard. Strangely, both models list for $59.95. It took us about 27 seconds to break the standard version, but more than 15 minutes to cut through the ultra model.
Notebook Guardian Ultra and Standard, $59.95. PC Guardian, (800) 288-8126, (415) 459-0190. http://www.pcguardian.com
Kensington Technology Group Sonic Lock Motion-Detecting Alarm
Kensington's Sonic Lock is meant to be attached to a laptop bag, but it has an adapter so it can be connected to a laptop as well. The device has a three-digit combination for the lock and a separate combo for the alarm. This lock failed the dunk test: We were able to silence the alarm by submerging it into a cup of water. Also, oddly, the battery cover isn't protected. Using an electric screwdriver, we were able to remove the batteries before the alarm went off, in just under 4 seconds.
Sonic Lock Motion-Detecting Alarm, $39.99. Kensington Technology Group, (888) 750-2343, (650) 572-2700. http://www.kensington.com
Kensington Technology Group Notebook ComboSaver
Kensington's product uses a three-digit combination (from 0 to 999) instead of a key. The advantage here is you don't have to worry about managing keys. The disadvantage is there's no way to override the lock if you forget the combination. It took us about 25 seconds to cut through the steel cable using a small cable cutter.
Notebook Combo Saver Security Cable, $39.99. Kensington Technology Group, (888) 750-2343, (650) 572-2700. http://www.kensington.com
Targus Defcon 1 Ultra
The Defcon 1 Ultra sports a four-digit combination lock, and its batteries are protected--you need to unlock the device to access the battery compartment. However, the Defcon 1 failed the dunk test. The cable is also very thin--one quick snip was all that was required to cut it. It took us about 3 seconds to disable this device, and a total of 20 seconds to break and remove the lock and walk away with the laptop.
Defcon 1 Ultra, $49.99. Targus, (714) 765-5555, (877) 482-7487. http://www.targus.com
R E V I E W
Products Reviewed: Stealth Security Stealth Signal | Absolute Software Corp. ComputracePlus | zTrace Technologies zTrace Gold 5.0
Computer-tracking services are designed to help recover stolen or missing desktops and laptops. An invisible software agent is loaded on every machine. The computer will send status queries to a central server at set intervals, such as every hour or day. This is all based on IP connections, not a GPS (Global Positioning System) or other physical transmitting device. In other words, it's not LoJack for laptops. And unlike LoJack, there's no money-back guarantee that a machine will be recovered. A smart thief who knows what he or she is looking for could disable these products, as could a low-level format. However, the software is usually hidden well enough that its presence isn't obvious, and most thieves won't look for or notice it.
You alert the tracking service when a machine is stolen, and it puts the computer into recovery mode. In this mode, the software will send status reports more frequently, and on every start-up. The information sent includes machine name, IP address and system details, such as drive space and memory.
You should contact local law enforcement immediately upon realizing the theft. The tracking company cannot contact law enforcement without a police report, and without the police report, the police cannot obtain a search warrant. With luck, the thief will log onto the Internet, letting the stolen computer contact the tracking company's servers. This will inform the tracking service of the thief's IP address and ISP. The police can then request information from the ISP that'll track the user to a particular connection point. This process takes time--a faster method would be to track a phone number to an address. A computer with a modem will attempt to call a toll-free number, connecting to the tracking service's NOC. The NOC can use caller ID to find out the thief's phone number. Caller ID blocking and unlisted numbers do not work when calling a toll-free number. The police can use this information to obtain a search warrant and recover the computer. You do not need to fill out a police report to enable recovery mode, which can be a relief if the computer was just "borrowed" by another employee and not stolen.
We looked at services from Absolute Software, Stealth Security and zTrace. We "stole" a laptop and activated the recovery services (without involving the police, of course). Our Editor's Choice is Stealth Security's Stealth Signal because of its support of Apple's Mac OS and its pit-bull-like tracking. Of course, the efficiency of your police department will have a lot to do with recovery time.
Stealth Security Stealth Signal
While all of the vendors support Microsoft Windows 95 and up, Stealth Signal is the only product to also support Mac OS X, and the company provides some aggressive tracking capabilities.
Once a machine receives a stolen signal, it reports back more frequently and on every boot. It will also continually attempt to dial through the modem into the NOC, even while on a broadband connection. Using a public-records search, the Stealth Signal recovery team was able to pinpoint the street address where the stolen machine was located. Stealth Signal avoided showing up as an Internet program when we installed ZoneAlarm personal firewall, which detects programs trying to connect to the Internet; this means that, even with ZoneAlarm installed, the thief can't see the program running.
Stealth Signal: The All in One Computer Security System, starts at $45 per machine, per year. Stealth Security, (888) 840-9095. http://www.stealthsignal.com
Absolute Software Corp. ComputracePlus
Absolute Software's CompuTrace software has more uses than just recovery software. When you bundle on AbsoluteTrack, it becomes an outsourced asset-tracking and inventory-management product. Computrace functions well on its own, but if you're looking for asset management and recovery as well, this is the service to get. However, the flip side is that this added functionality makes the Web-based management a bit harder to navigate; Stealth Signal and zTrace were simpler to set up.
We were pleased with Computrace's tracking capabilities. The modem dialing into the NOC wasn't on by default; we had to request for it to be activated. Even then, the modem dialed as we were talking on the phone. Computrace also offers format protection in that it can simulate booting directly off the floppy. When the PC starts up, it uses the tracking software as a boot loader. From there, it tries to load the operating system off the floppy, CD or hard drive. Unfortunately our test machine's CD-ROM was not supported, and a reformat (via the WinXP CD installer) blew Computrace away. Like Stealth Signal, Computrace didn't show up in ZoneAlarm.
ComputracePlus, $49.95 per machine, per year. Absolute Software Corp., (800) 220-0733. http://www.absolute.com
zTrace Technologies zTrace Gold 5.0
zTrace has an additional-cost add-on, zControl, that makes this software quite powerful. In addition to normal tracking capabilities, zControl lets you specify options--such as remotely deleting, hiding, encrypting and uploading files, as well as locking the computer. This is a great feature that isn't offered by the other vendors. We were not able to test the modem dial-in capabilities--zTrace said that feature is reserved for real thefts only. However, the company claims the software will call back when detecting a user-initiated modem connection. The zTrace Web-based management is the simplest to use among the products tested, but it's still a bit tricky to see information about several groups of machines simultaneously. The client software also showed up in ZoneAlarm, and as such could be denied access. Although you can configure ZoneAlarm to allow zTrace without warning, if a thief initially installed ZoneAlarm, he or she will be alerted to zTrace's presence.
zTrace Gold 5.0, $49.95 per machine, per year. zTrace Technologies, (781) 891-1328, (877) 987-7223. http://www.zTrace.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].
R E V I E W
Securing a laptop against tampering and theft is tough, to say the least. For total protection, you need to load personal firewall, tracking and antivirus software; encrypt communications; and use authentication, drive encryption, remote backup and physical lockdown systems. That's at least seven pieces of software and two pieces of hardware to support, and if a user gets on a plane without (or worse, loses) his or her keys or tokens, say goodbye to several days of productivity.
It takes only a few seconds for a laptop to go from asset to liability. Physical lockdown cables and alarms are good deterrents, but they won't stop a determined thief, especially in a crowded public place. Assuming that laptops will be stolen, using tracking software and drive-level encryption programs will help protect and possibly recover lost data. Encrypting the entire drive will protect copies of documents that end up in temp, spool and swap files, a benefit you don't get from individual file/folder encryption. Recovery services can only work if a stolen laptop is reconnected to the Internet--they won't do much if the laptop is sold for parts.
Remote users connecting to the corporate LAN also need to be protected--you don't want a telecommuter introducing viruses into the network. This is where hostile-code blockers, such as firewalls, host-based IDSs (intrusion-detection systems) and antivirus software, come into play. It's important that these programs remain up to date with the latest definition files.
Our Editor's Choice award in the disk-encryption software category goes to WinMagic's SecureDoc 3.1, which lets you protect and hide data from multiple departments within your organization. Stolen proprietary data is the biggest liability for most companies, and disk encryption reduces the risk that your company's private intellectual property will become public. Among lockdown devices we give top honors to the ultra model of PC Guardian's Notebook Guardian, which took us more than 15 minutes to cut through. Stealth Security's Stealth Signal, with its expanded OS support and tenacious tracking, wins our Editor's Choice award in the recovery-services category.
Microsoft Encrypted File System, Included in Windows 2000 and XP. Microsoft Corp.: (800) 936-5200, (425) 882-8080; www.microsoft.com
Microsoft's EFS is built into Windows 2000 and XP. Encrypted File System is a bit of a misnomer because the file system is not encrypted. Instead, you right click to select individual files and directories to be encrypted. However, you can't transmit files in encrypted form. We encrypted a file and sent it via FTP to a remote server. It was in clear text on the remote side.
Also, you can't encrypt an entire drive, so you get this weird hybrid of a drive encryption model with the interface of a file/folder encryption program.
PC Guardian Encryption Plus File Encryption Plus Folders, $99.95 PC Guardian: (800) 288-8126, (415) 459-0190; www.pcguardian.com
To test PC Guardian Encryption Plus File we had the software encrypt a single large text file, then rebooted and ran Guidance Software's EnCase, a low-level hard-drive analyzer. In addition to the encryption, the original file was overwritten with null characters (normal file deletion merely says the file can be overwritten but doesn't actually delete the file). However, parts of the original file turned up in the swap file. Data also can show up in temp files and printer spools.
Although this method forces you to choose which files to encrypt, these files will copy or transmit in encrypted form. PC Guardian makes a few varieties of this product line, including products that encrypt all files in a folder, e-mail, and even CD-ROMs.