
Encryption tips: How to secure a laptop


Peter Wood, Contributor

With so many staff working from home and everyone wanting connectivity from anywhere in the world, laptops have become critical tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet only a small minority understand the risk laptops pose. If an attacker were able to gain control of a lost or stolen laptop, that person would have access to all of the information stored on it, plus the opportunity to connect to the corporate network via the VPN. This tip looks at how to defend against the threats a lost or stolen laptop represents.



From time to time, my firm is asked to test the security of a laptop build -- perhaps the organisation intends to migrate to a new version of Windows or has simply designed a new standard configuration. The first check should be to see whether a BIOS password, which provides access control to prevent unauthorised changes to a system's hardware settings, has been set. The password poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in another system.

A hard-disk password, used to protect the contents of a hard drive from unauthorised access, is more difficult for an attacker to crack; it often requires specialist assistance, and is therefore a considerably more effective defensive measure. Unless, that is, the hard-disk password is the same as the BIOS password, in which case the attacker's problem is solved.

Despite the increased security for laptops that either or both of these passwords can provide, most corporate laptops fail to utilise either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords! Still, with no secondary password in place, all a thief needs to hack into a notebook is a Windows username and password, which for an educated attacker is easy to obtain with the help of any number of freely available tools.

There is one simple solution to protect laptops: encryption. Full-disk encryption provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password), which is entered as soon as the laptop starts up. If an attacker attempts to access the laptop or even removes the hard drive to install it in another computer, he or she will be unable to read anything from the hard drive without knowing the passphrase.

Full-disk encryption also provides the IT support people with a legitimate "backdoor" into the laptop, in case the user's passphrase is forgotten or the member of staff leaves the organisation under a cloud. For example, multiple passphrases can be configured for each encrypted drive, so IT support could have one passphrase and the user another (of his or her choosing). Alternatively, some encryption products support a challenge-response passphrase reset option, which presents personally identifiable questions to the user for authentication.
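The multiple-passphrase arrangement just described, and the single start-up passphrase of the previous paragraph, both rest on one mechanism: the disk is encrypted under a single random key, and that key is wrapped separately under each passphrase. The example below (written for this page, not code from the article or from any encryption product) shows it with two key slots, so the user's passphrase and an IT-support recovery passphrase each unlock the same volume independently, and a wrong passphrase yields nothing. It assumes PBKDF2-SHA256 with a constructed iteration count and a simple mask-plus-HMAC wrap standing in for the authenticated cipher a real product would use.

```python
import hashlib
import hmac
import os

# Constructed demonstration: one random data-encryption key (DEK) wrapped
# under several passphrases. Each slot gets a fresh random salt, so the
# derived key-encryption key (KEK) that masks the DEK is never reused.
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example only


def _kek(passphrase: str, salt: bytes) -> bytes:
    """Derive 64 bytes: the first 32 mask the DEK, the last 32 key the MAC."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def wrap_dek(dek: bytes, passphrase: str) -> dict:
    """Create one key slot: salt, masked DEK and a MAC binding them together."""
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(dek, kek[:32]))
    tag = hmac.new(kek[32:], salt + masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_dek(slot: dict, passphrase: str):
    """Return the DEK if the passphrase opens this slot, else None.

    The MAC check rejects both a wrong passphrase and a tampered slot
    before any key material is released."""
    kek = _kek(passphrase, slot["salt"])
    expected = hmac.new(kek[32:], slot["salt"] + slot["masked"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["masked"], kek[:32]))


def open_volume(slots: list, passphrase: str):
    """Try each slot in turn, as a pre-boot prompt would; any match yields the DEK."""
    for slot in slots:
        dek = unwrap_dek(slot, passphrase)
        if dek is not None:
            return dek
    return None


def demo() -> bool:
    """User slot and IT-support slot both recover the same DEK; a guess does not."""
    dek = os.urandom(32)
    slots = [wrap_dek(dek, "correct horse battery staple"),    # user's choice
             wrap_dek(dek, "it-support recovery phrase 2010")]  # held by IT support
    return (open_volume(slots, "correct horse battery staple") == dek
            and open_volume(slots, "it-support recovery phrase 2010") == dek
            and open_volume(slots, "Password1") is None)
```

Revoking a departed user's access is then a matter of deleting that user's slot and re-wrapping nothing else, since the DEK itself never changes.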

Products such as PGP Corp.'s Whole Disk Encryption for Enterprises lock down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system files, and swap files. Encryption runs as a background process that is transparent to the user, automatically protecting data without requiring the user to take additional steps.

Some companies might have resisted encryption in the past on the grounds of complexity or performance degradation. But improvements in both hardware and software mean that encryption is now much easier to manage, and has no perceptible effect on system performance. Furthermore, extensive press coverage of many embarrassing data loss incidents involving unencrypted laptops and USB sticks has highlighted the benefits of this approach, and convinced most of the doubters.

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.
