

Computer Theft

Portable computers are eminently vulnerable. They disappear from parked cars, hotel rooms, private homes, and office desktops. Despite their small size, they are quite visible in airports and hotel lobbies and often conspicuous in carrying cases emblazoned with manufacturers’ logos. The current street value of a 486 chip is $300. The value of a laptop complete with software is considerably higher. Stealing and reselling portable computers does not require technical genius. It is generally no more difficult than snatching a purse and much more likely to be profitable. If the information on the portable computer proves to be valuable, that is an added bonus — it can be easily transferred to diskettes and sold separately.

Protecting laptops from theft is not difficult. Users should carry an inconspicuous travel case and never leave it unattended while checking in or using the phone. A laptop should not be packed in checked luggage. It should not be left in a hotel room. If the laptop must be left, it should be locked to an immovable object or at least stored out of sight in a suitcase.

Theft of Information

Personal computer operating systems put little or no emphasis on user access controls because they were designed for single-user operation. That generally means that any information on the computer is accessible to whoever has possession of it. The degree of protection afforded the information on the computer should be commensurate with the value of that information. A quality password control software package may be sufficient. For more valuable information, a token and password system may be appropriate. For highly confidential information, a token and password system with encryption to further protect critical files may be appropriate. However, there may be export compliance issues associated with the use of encryption. Users should be protected against the worst-case scenario. If a user only occasionally has sensitive information on the laptop, appropriate controls should be consistently used for that information so the protection is adequate when it is needed.

The laptop or notebook computer will likely need to be repaired at some point, and that task will most likely be done by a third party. If the user cannot remove sensitive files before the laptop is repaired, any information that is in readable form will be vulnerable to disclosure during the repair process. This should be taken into consideration when selecting a vendor to perform the repairs.

Malicious Code

Viruses are a very real threat. File and data contamination can render vital information unfit for use when and where it is needed. The most rigorous safe computing practices will not guarantee a clean system. Use of a quality virus protection software package is essential — particularly because most data transfer is likely to be done by diskette.

Malicious code is not the only danger to the integrity of files and data. Even simple errors can cause critical business information to be lost or inaccessible when it is needed. Critical files should be backed up. Users should carry a system diskette. Regular backups of important files should be performed, and backup media should be protected with safeguards appropriate for the information they contain.

Eavesdropping

It is easy for another passenger on a plane or in a crowded air terminal to see what a user is doing. The potential loss from information exposure can far exceed the productivity gains from portable computing. If a user is dealing with sensitive information, it should be dealt with privately.

Similarly, the ability to communicate over phone lines and by cellular and RF modems does not mean that it is appropriate to do so. Public phone systems and the airwaves are not secure. If users must transmit sensitive data over public networks, encryption should be used. It is also wise for users to keep in mind that portable computers using remote login mechanisms may be broadcasting login sequences to a public audience. The information protection program should take that into account.

Similarly, passwords and other confidential access information should not be stored in command files on the PC. Many terminal emulation packages allow users to store passwords, phone numbers, and other potentially confidential information in a file. If the protections for systems or servers at an office are based on the security of a laptop's login information, that information should not be included in files that are easily read if the system is lost or stolen, or while it is being repaired. Even if a laptop does not contain confidential data, there may be information that provides the keys to other confidential data.
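The check a security reviewer would want for the point above is an audit of dial-up or terminal-emulation command files for stored credentials before a laptop leaves the office. The following is an added example, not code from the book: it assumes a hypothetical script format (`dial`, `wait "prompt"`, `send "text"`, `set name=value`, and an interactive `prompt` keyword) and flags a literal sent in reply to a password prompt or a password stored in a variable assignment. The sample scripts are constructed for the example.

```python
import re
from typing import List, Tuple

# Prompt text that indicates the next "send" is a secret, not a user name.
PROMPT_KEYWORDS = ("password", "passwd", "pin")

# Hypothetical script grammar assumed for this example.
ASSIGN_RE = re.compile(r"^\s*(?:set\s+)?(pass(?:word)?|passwd|pin)\s*[=:]\s*\S", re.IGNORECASE)
WAIT_RE = re.compile(r'^\s*wait\s+"([^"]*)"', re.IGNORECASE)
SEND_RE = re.compile(r'^\s*send\s+"([^"]*)"', re.IGNORECASE)


def find_stored_credentials(script: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line that stores a credential."""
    findings: List[Tuple[int, str]] = []
    awaiting_secret = False  # True after a wait on a password-style prompt
    for lineno, line in enumerate(script.splitlines(), start=1):
        if ASSIGN_RE.match(line):
            findings.append((lineno, "credential stored in a variable assignment"))
            continue
        m = WAIT_RE.match(line)
        if m:
            prompt = m.group(1).lower()
            awaiting_secret = any(k in prompt for k in PROMPT_KEYWORDS)
            continue
        m = SEND_RE.match(line)
        if m:
            if awaiting_secret and m.group(1).strip():
                findings.append((lineno, "literal sent in reply to a password prompt"))
            awaiting_secret = False
    return findings


# Constructed example: a dial-in script that embeds the office password twice.
UNSAFE_SCRIPT = """\
# dial-in script for office server (constructed example)
dial 555-0100
wait "login:"
send "jsmith"
wait "Password:"
send "hunter2"
set password=hunter2
set username=jsmith
"""

# Constructed example: same script, but the password is asked for at run time.
SAFE_SCRIPT = """\
dial 555-0100
wait "login:"
send "jsmith"
wait "Password:"
prompt
"""


if __name__ == "__main__":
    for name, script in (("unsafe", UNSAFE_SCRIPT), ("safe", SAFE_SCRIPT)):
        hits = find_stored_credentials(script)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, reason in hits:
            print(f"  line {lineno}: {reason}")
```

Only the user name survives in the safe script; the password is supplied by the user each time the script runs, so a lost, stolen, or repaired laptop does not hand over the office login along with the dialer configuration.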

SETTING SECURITY POLICY

Information security policies must address the issues of portable computing. The security requirements for portable computing should be defined — to maintain the confidentiality, integrity, and availability of information belonging to an organization, and to ensure that all users understand their responsibilities relative to the use of portable computers in the course of doing business.

The protection of portable computing and information assets relies on the same basic principles that are used for the protection of other valuable assets. Policy should set the requirements, define responsibilities, and establish accountability. Comprehensive, cost-effective protection of portable computing assets means blending the appropriate controls, including:

  Physical. Is the security of the building perimeter acceptable given the change in computing environment? Are there areas within the building where access should be more strictly controlled when information and valuable equipment are more distributed and accessible? Is there a need for the use of Electronic Article Surveillance (EAS) systems to protect easily transported devices?
  Operational. Are property controls governing the movement of valuable equipment needed? Is access to buildings and offices controlled or merely monitored through a reception or security desk?
  Information. Does policy stipulate what information is appropriate for use on portable computers? Have requirements been established relative to where and when to work on sensitive files?
  System. Are requirements established for the use of passwords, tokens, and encryption of the information?
  Network. Are restrictions established relative to the use of cellular and RF modems? Are dialup protections adequate? Are authentication mechanisms appropriate for the value of the information?

Users should review their environment. Risks should be assessed, vulnerabilities determined, and protections developed to fit within the organization’s culture and objectives. Protecting portable computers and the information they contain is no different from protecting other critical assets. The proper application of security controls is all that is required.

The computing environment is changing constantly. In fact, the only constant is change. Protecting an organization’s assets requires keeping up with those changes and making adjustments to controls.


Copyright © CRC Press LLC