Time To Get Physical
If you're really concerned about securing your systems, start with the physical.
- By Joern Wettern
With all the layers upon layers of software-based security, we tend to forget about the vital role of physical security. The fact is, if someone gets physical access to your computer, they can pretty much do whatever they want. All they need to do is reboot from a floppy disk or CD to bypass all the security patches, resource permissions and password protections.
What's more, that same person could replace files on your computer or install programs that record keystrokes or enable remote control. The only thing you may notice is that your computer has shut down and restarted without explanation.
Have you ever been in a small business and noticed a server sitting in an easily accessible place, like behind the receptionist's desk? Never mind what some hacker could do with all that customer and business data, that server is a ripe target for an old-fashioned burglar.
For many small companies, the most effective protection against theft is simple—keep the server behind a locked door or anchor it to a wall or desk using a security cable. This should deter all but the most determined thieves. Businesses with a dedicated server room must adequately secure the room and ensure that important data is stored only on those servers.
If you travel with a laptop computer, a security cable should be an essential part of your luggage. Don't assume that your computer is safe in your hotel room. You'd be surprised—and alarmed—at how easy it is to talk a hotel receptionist into handing out a second room key. Lock up your laptop whenever you step away, even for just a short time.
Physical lockdown is just the first step. You should also secure your PC against those who might try to use it when you're away. Most seasoned users have a screen saver setting that locks the screen after a set period of inactivity. This is a good first step, but it still leaves the computer unprotected for a few minutes until the screen saver kicks in. You can immediately lock your desktop with a keystroke shortcut—simply press the letter L while holding down the Windows key on your keyboard.
To guarantee that unattended systems get locked out, you can purchase a small, USB-based device that automatically locks the screen when the user walks away from the PC. The device has a proximity detector attached to a keychain. Step a certain distance from your computer and it immediately locks the system. You must enter a password to get back in.
Plug in, Plug Out
USB connectors have made portable storage quick and easy. However, they also introduce a new category of security threat. The threat posed by USB devices reinforces the need for equal emphasis on both physical and digital security.
You should establish a clear policy on USB devices that specifies when their use is acceptable and who is authorized to use them. If none of your users need to transport data on USB sticks, you could go one step further and disable the USB ports in the computer BIOS. For more refined control over USB devices, you might centrally monitor and control them across the network with software like Safend Protector (www.safend.com).
A related threat is the Windows "Autorun" feature, which automatically runs a program from a storage device attached to a computer running Windows. By default, Autorun is disabled for removable devices (except CDs and DVDs), but there are ways around this restriction. This means applications may run as soon as a USB device is inserted.
Encryption Options
If a portable device is lost or stolen, encryption is your last line of defense. When encrypting data on portable devices, be sure to choose the most appropriate technology.
Encrypting File System (EFS): If you're running Windows 2000 or later, encryption is built in. You can encrypt files or folders by selecting a check box in the Properties dialog box. Encryption strength is directly related to the strength of your logon password. There are drawbacks to EFS. You must decide beforehand what to encrypt, and you must plan ahead to ensure that you can recover encrypted files if you lose a user profile or password. Before enabling EFS, make sure you have a viable recovery strategy. If you don't, you may lose access to important data in the event of a hard disk crash or other problems.
File encryption software: If you only have to encrypt files occasionally, look at programs that encrypt files one at a time. Some compression programs, such as WinZIP (www.winzip.com) or PKZIP (www.pkware.com), include this feature. Files encrypted this way remain encrypted even when you move them to a different computer or send them via e-mail. Since you use a separate encryption password for each file, you may have to remember multiple passwords and you must manually encrypt and decrypt each file.
Full-disk encryption software: Products like Safeboot Device Encryption (www.safeboot.com) encrypt your entire hard disk. The obvious advantage is that nobody can access a file without a password. However, most software that encrypts the entire disk leaves data vulnerable while the computer is running.
Comprehensive file encryption software: Programs like Credant's Mobile Guardian (www.credant.com) only encrypt sensitive files and leave other files alone, including Windows program files. This protection is active when the computer is running, and unlike EFS, you don't have to manually select the files or folders to encrypt. Similar programs are available for non-Windows mobile devices.
Hardware-based encryption: Don't be fooled by the "security" of the hard disk password provided on most laptop computers. Most manufacturers don't actually encrypt hard disk contents, and a determined attacker can bypass the disk password to access your data. Some laptop computers, especially those that include a Trusted Platform Module (TPM) chip, do encrypt data. Also, some USB storage devices, like Kingston's DataTraveler Elite, can encrypt data in the USB stick's hardware instead of your computer's memory. While not widely available yet, hardware-based encryption is generally faster than other methods and less vulnerable to software-based attacks. — J.W.
The solution is to disable Autorun. How you'll do this will vary depending on the version of Windows you're using. You can find the most appropriate method by searching Microsoft's Knowledge Base for the words "disable" and "Autorun." If you use Group Policy to manage your network, all you need to do is configure the "Disable Autorun" setting in a Group Policy Object (GPO).
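As an added example (not from the article), a PowerShell script that audits the registry value the "Disable Autorun" policy writes and, when run with -Enforce, sets it on a single machine. The policy key, the NoDriveTypeAutoRun value name and the 0xFF mask are assumptions taken from standard Windows policy behaviour, not from this page.

```powershell
# Added example (not from the article): audit and, with -Enforce, set the
# registry value that the "Disable Autorun" Group Policy setting writes.
# Assumptions: the Explorer policy key and value name (NoDriveTypeAutoRun)
# are the standard location; a mask of 0xFF means "no Autorun on any drive type".
# Run from an elevated PowerShell prompt. On a domain-joined machine a GPO
# reapplies its own value at the next policy refresh, so use the GPO there.
param([switch]$Enforce)

$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # current user
)

function Get-AutorunPolicy {
    param([string]$Key)
    # Returns $null when the value is absent (Windows defaults then apply).
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutorunDisabled {
    param([int]$Mask)
    # Every drive-type bit must be set for Autorun to be off everywhere.
    return (($Mask -band $AllDrives) -eq $AllDrives)
}

foreach ($key in $PolicyKeys) {
    $mask = Get-AutorunPolicy -Key $key
    if ($null -eq $mask) {
        Write-Output ("{0}: {1} not set (Windows default applies)" -f $key, $ValueName)
    } elseif (Test-AutorunDisabled -Mask $mask) {
        Write-Output ("{0}: Autorun disabled for all drive types (0x{1:X2})" -f $key, $mask)
        continue
    } else {
        Write-Output ("{0}: Autorun still allowed on some drive types (0x{1:X2})" -f $key, $mask)
    }
    if ($Enforce) {
        # Create the policy key if it is missing, then write the DWORD that turns Autorun off.
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name $ValueName -Value $AllDrives -Type DWord
        Write-Output ("{0}: set {1} to 0x{2:X2}" -f $key, $ValueName, $AllDrives)
    }
}
```

Run it without -Enforce first to see the current state on each machine; a value already reported as 0xFF needs no change.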
Data To Go
Notebook computers and other portable devices pose a special challenge because they often carry confidential data outside company walls. In a busy airport, it takes only a moment for a laptop or PDA to be lost or stolen. And the cost of having confidential data fall into the wrong hands can be much more severe than merely losing hardware. The best (and only) way to protect your data in this instance is to encrypt your data (see "Encryption Options" above).
Whatever threats there are to your servers, client computers, portable devices and network infrastructure, don't forget to consider your organization's physical security. Much of it comes down to simple common sense.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.