Protecting laptop computers

In Section 6 of this manual, I described how to implement security for SMB desktop computers. Rather than repeat everything again--there are many similarities between desktop and laptop security--I'll simply identify differences in certain vulnerabilities and the controls for mitigating associated risk.

The need for physical security is the same for both laptops and desktops. However, the controls necessary to ensure a laptop isn't lost or stolen extend beyond office access safeguards.

Employees are usually assigned laptops so they can work at home or on the road, moving laptops containing sensitive information outside the protective physical controls of a company facility. So business laptop users must assume primary responsibility for physically securing their systems.

A useful administrative control to ensure employees understand acceptable laptop protection is a laptop policy, containing the company's position on the following:

• Leaving laptops unattended in public places
• Taking laptops on vacation
• Leaving laptops in vehicles
• Changing the organization's standard screen-saver configuration
• Types of information stored on the laptop
• Non-employee use of the laptop
• Encryption of sensitive data
• The employee's overall responsibility for doing what is reasonable and appropriate to prevent loss, theft, or other unauthorized use of the laptop

Before issuing a laptop to an employee, the IS department should ask the employee to read and sign a copy of the policy. Further, violations of the policy should include consistently applied sanctions.

In many cases, laptop users need remote access to information stored in the company data center. (We'll discuss safe methods of access in a future section.) Even though laptops are expected to run the same client-based protective software as desktops, their operation outside a general network perimeter make them more vulnerable to attack.

There are several security considerations when designing remote access. However we'll focus on only two here: preventing network infection by a compromised laptop and preventing a compromised laptop from leaking sensitive information.

I've helped with or directed several enterprise malware attack recovery efforts. In about one half of these instances, laptops were the source of a worm or other malware that spread across the network. Anti-malware, host-based IPS, and other client defenses are not enough to protect against the barrage of nasties encountered when accessing the Web from a coffee shop, hotel, or even a home network. The best way to protect laptops in these situations is use of a personal firewall.

Personal firewalls usually come with anti-malware and Internet defense suites, like Symantec's Norton Internet Security 2008 or McAfee's Total Protection Service (SaaS). When properly configured, they not only prevent unwanted connections and other behavior coming from the outside. They also stop malware already on a laptop from spreading to the network the next time the user connects. Finally, a personal firewall can stop a laptop from connecting with a remote server, controlled by cybercriminals, for the purpose of controlling the laptop or retrieving data.

Personal firewalls can be an optional for systems which never leave the safety of the company's network control framework. But they are a requirement for traveling laptops.

No laptop security design is complete without encryption. Under no circumstances should a laptop venture out into the world unless it's full disk--or at least the areas containing sensitive information--is rendered inaccessible via an encryption solution.

No, password protection is not enough. Remember, most attempts to recover data from a laptop are made by someone in physical possession of it. Within a very short time, an attacker can by-pass even the strongest password protection and access unencrypted information on the laptop's drive.

Disk encryption is a big topic, too big not to have it's own section in the SMB manual. So I'll dive into the world of disk encryption in Section 8.