
07/03/08 03:42 PM

Lost Laptops at Airports

Posted in by Nick Staples

Dell recently sponsored a study on the number of laptops lost in airports. The findings are a little surprising: the estimate is that over 12,000 laptops are lost each week at airports across the United States.

The source study can be read here (PDF).

Potentially more frightening is the fact that the majority of these laptops go unclaimed and are eventually “disposed of.” According to the study:

Only 33% of laptops lost and found in airports are reclaimed. The other 67% of subsequently found laptops remain in the airport until they are disposed of. As a result, there are potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.

This goes beyond the loss of the physical device. Sure, the laptops cost money, and losing one will always carry at least the cost of the hardware. But the fact that these laptops can (and probably do) contain sensitive information is far more worrisome: private data belonging to the owner, or to the company the owner works for, may be at risk.

It seems perfectly possible for a shady individual to walk up to the “lost and found,” give a detailed description of a common laptop make and model, and walk away with a shiny new laptop that might contain information worth more than the device itself.

With the rapid growth of the laptop and portable-computer market, it becomes more and more important for users (and companies) to safeguard the information stored on them. For the average user with little technical knowledge, an often overlooked step is the simple act of labeling the laptop with contact information. At least that gives a good Samaritan or the airport staff a way to return it to the rightful owner. A label only helps the device come back, though; it does nothing for the data on it, which is what disk encryption is for.

06/24/08 11:11 AM

Endpoint security breaches

Posted in by Tim Donaworth

Endpoints can be almost anything – USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. Billions of dollars have been spent making sure brilliant hackers can’t attack computers from across the globe. But firewalls generally don’t stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.

Oddly enough, a breach or data leak through this channel is usually not intentional. It usually just ends up being a careless employee trying to get their work done quicker: the network is slow, permissions are acting up, the email system limits attachment sizes, whatever the reason. And with USB thumb drives getting smaller and smaller, it's not hard for one to be misplaced, or simply forgotten about.

The situation is serious, but not hopeless. Making sure you have solid policies in place is a good start. Protecting important documents with encryption is an even better one. Many makers sell thumb drives with built-in encryption. You can also opt for a full encryption suite for your company that includes removable-storage encryption; some of these ship a small portable decryptor on the drive so the data can be read on a system that doesn't have the suite installed.

But encryption isn't the only answer. A simple process of purging thumb drives would get rid of leftover documents that the user simply forgot to delete from the drive.
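One way to do that purge step, as an added example that is not from the original post: a small Python script that walks a mounted removable drive, overwrites each leftover document with random bytes, renames it, and deletes it. The drive path, the list of document types, and the sample files built in demo() are assumptions. The caveat the post does not spell out: flash media remap blocks under wear-levelling, so an in-place overwrite is not guaranteed to reach the old copy; treat this as cleanup of forgotten files, and rely on the drive's built-in encryption or a device-level secure erase for anything that must be unrecoverable.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Document types that tend to get copied to a thumb drive and forgotten
# (assumed list; extend it to suit your environment).
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".csv"}


def overwrite_and_delete(path: Path, passes: int = 1, chunk: int = 64 * 1024) -> int:
    """Overwrite a file in place with random bytes, fsync, rename it to a
    random name (so the original filename leaves the directory too), then
    unlink it. Returns the number of bytes overwritten.

    Caveat: on flash media the controller may remap blocks, so the old data
    can survive the overwrite. This removes forgotten files; it is not a
    guaranteed secure erase."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    scrubbed = path.with_name(secrets.token_hex(8))
    path.rename(scrubbed)
    scrubbed.unlink()
    return size


def purge_drive(root: Path, suffixes=DOCUMENT_SUFFIXES, dry_run: bool = False) -> list:
    """Purge every regular file under root whose extension is in suffixes.
    Symlinks are skipped so a link pointing off the drive is never followed.
    Returns [(relative path, bytes)] for each file purged (or, with dry_run,
    each file that would be)."""
    purged = []
    for p in sorted(root.rglob("*")):  # list materialised first, so renames are safe
        if p.is_symlink() or not p.is_file():
            continue
        if p.suffix.lower() not in suffixes:
            continue
        size = p.stat().st_size if dry_run else overwrite_and_delete(p)
        purged.append((p.relative_to(root).as_posix(), size))
    return purged


def demo() -> dict:
    """Build a throwaway 'drive' in a temp directory (constructed sample files),
    purge it, and report what was removed and what was left."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "q2-payroll.xlsx").write_bytes(b"ACME payroll " * 5000)
        (root / "notes.txt").write_bytes(b"call the client about the merger\n")
        (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 100)  # not a document, kept
        purged = purge_drive(root)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
        return {"purged": purged, "remaining": remaining}


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    if not args:
        print(demo())
    else:
        for rel, size in purge_drive(Path(args[0]), dry_run="--dry-run" in sys.argv):
            print(f"purged {rel} ({size} bytes)")
```

Run it with no arguments to see the demo, or `python purge.py /media/usb --dry-run` first to list what would go before committing to the real pass.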

So let's not forget that even with the most robust firewall and million-dollar network security solutions, a single careless employee can easily circumvent all of them, and nine times out of ten it's unintentional.

06/18/08 03:07 PM

Lost Laptop Propaganda

Posted in by Walt Turnes

Another lost laptop story, this time from the UK. The details of the theft aren't especially unusual: laptops with sensitive patient data were stolen from a hospital and a doctor's house, and while the files were supposed to be encrypted, they weren't. This story, much like every other data leak story, brings up the same arguments for why it isn't a big deal:


  • “The data, which also cannot be accessed without passwords, contained patients’ names, postcodes, hospital numbers and dates of birth.” (Emphasis added)
    A login password is an access control on the running system, not a protection on the data. If the files aren't encrypted, anyone who pulls the drive or boots the machine from other media reads them without any password at all, so the claim that access is impossible without a password is most likely just flat-out wrong.

  • “However they insisted there was no reason to believe the computers had been targeted for the information they contained, merely for their monetary value.”
    Targeted or otherwise, the data is now freely accessible to the thief, and there's equally no reason to believe it will not be exploited. Historically, thieves are mostly in it for the quick sale, but that's not a guarantee.

  • “However he insisted that only someone with ‘specialist computer knowledge’ would be able to crack the passwords and access it.”
    It’s not too hard to find people who know their way around a computer. And, thanks to the internet, specialist-type information is ridiculously easy to find.

  • “‘We believe the data will almost certainly be wiped by the thief so he can get a quick sale. “
    Without any evidence that this is the case, you can believe whatever you want. I’m sure that’s really comforting to the people whose data is at risk.

  • “The hospital has stressed that the data was only a copy of information stored centrally, so no details of appointments or treatment have been irreparably lost.”
    Well, thank goodness the people responsible for the data didn’t get hurt.

Every story about a data leak, regardless of the source (hospital, bank, etc), always seems to contain the same PR spin. “Well, the files are password protected anyway, and the person who stole them probably isn’t even going to notice, and it doesn’t matter because they probably just want to wipe the hard drive and sell the machine anyway, so, no hard feelings, okay? We’re sorry we weren’t adhering to the applicable laws and data protection standards, but this probably isn’t a big deal anyway.”

I understand the desire to try to mitigate the problem and reassure customers that things will “be alright”. But, these arguments are at best wishful thinking and at worst outright lying. If someone’s data could have been compromised, they need to understand the steps they need to take to protect themselves, not be reassured that it’s probably not a big deal.

06/09/08 03:44 PM

Unauthorized Programs

Posted in by Nick Staples

There was a breach of patient information at the Walter Reed Army Medical Center recently.

Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army. Names, Social Security numbers, birth dates and other information was released, hospital officials said Monday.

Although this wasn’t the typical “lost laptop” event, it still has a lot to do with user responsibility. According to a message on their website by Col. Patricia Horoho, the problem could have been caused by an unauthorized program being run on a computer that had access to such sensitive data.

“I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared,” Horoho said.

It is increasingly important for people who have access to sensitive information to follow the guidelines and policies meant to protect it. If someone downloads and executes a random program, despite a policy prohibiting it, the confidentiality of that data can be lost rather easily.

But for people to realize the risk of discarding policies, it may be necessary for them to be informed as to the reason the policies exist in the first place. I can't shake the feeling that, for the average user, some computer security policies are just mysterious rules that are sometimes enforced and that can often be ignored.

05/07/08 03:53 PM

A Window that Can't Be Closed

Posted in by Walt Turnes

In a recent case in Arkansas, a registered nurse has pleaded guilty to violating HIPAA rules by disclosing confidential patient information for personal gain. No one should be surprised that things like this happen.

Every industry has laws, regulations and penalties set up for the purpose of consumer (and business) protection. In the health care industry, there is and has been an enormous amount of money spent to bring processes and systems into compliance with regulations like HIPAA to try to protect patient confidentiality. You can lock down electronic systems as much as you want, but nothing can ever be truly secured, because of one simple fact – these systems are owned and operated by people.

A “weakest link” analogy that's popular in the security industry is the concept of putting deadbolts, latches, chains, and bars on a door while leaving the window next to it open. It is usually used to make a case for bringing an insecure area up to par, or to discourage spending a lot of money on one aspect of a system when another part is in dire need of attention. Attacks that go through a trusted person, whether social engineering or an insider disclosure like the one in the article, are the “unclosable window” in the proverbial computer security house.

Now, this isn't an argument against securing electronic systems as far as is reasonable or possible, or that laws and regulations are a waste of time. Keeping out as many attackers as possible from as many angles as possible is a “good thing”. Social engineering is just one of those things that makes a security professional occasionally throw their hands up in the air and wonder why they're trying at all. It's an insidious type of attack that no one can ever fully plan for, and, despite all efforts to the contrary, will never go away. What can be done is to limit what any one person can see to what their role needs, and to log the access, so that a disclosure is both smaller and traceable afterwards. Unfortunately, despite the lofty goals that legislation like HIPAA aspires to, nobody's data will ever be truly safe.

04/24/08 08:56 AM

Biggest Problem On The Internet: Cybercrime?

Posted in by Anil Polat

According to Bruce Schneier it is and it might not be fixable.

It’s expensive to investigate, and it’s cross-jurisdictional. It might not be fixable. A lot of [the solution] is going to be making the things that criminals are going after harder to get. You’re not going to stop the criminals [from trying]. But in the United States, it’s really easy to get a credit card in someone else’s name. The credit card companies like it that way.

Isn't any fraud, theft, or trespassing online a crime? Of course it's the biggest problem, and no, it's not fixable, just manageable. As long as people try to commit crimes, there will be crimes.

03/23/08 10:51 PM

Another unencrypted laptop

Posted in by Laura Bowser

The Post has another article on an NIH laptop stolen from someone’s car. The interesting part is that the Post points out that the laptop should have been encrypted:

The information was not encrypted, in violation of the government’s data-security policy.

At least there are policies about this now, but as we all know, most security policies aren’t followed because they’re annoying. Luckily, laptop encryption is not as difficult as it once was. TrueCrypt, SecureDoc, heck, even BitLocker, make hard drive encryption fairly easy.

The last paragraph of that story also says that personally identifiable information will not be kept on laptops. I want to know how they're going to manage that. People want to be able to work from home, on the plane, or at the airport. Perhaps in this specific instance the personally identifiable information is not required for these people to do their jobs, but in many cases some kind of identifying information is required. The only good option is full hard disk encryption, or at least encryption of all data directories and drives. Note that full-disk encryption only protects a machine that is powered off or hibernated, with the key no longer in memory; a laptop left in a car is usually in exactly that state, which is the case it is meant for.
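A check the policy quoted above would need, both for "the information was not encrypted" and for "no personally identifiable information on laptops", as an added example that is not from the original post or the Post article: a Python audit that walks a data directory and reports, per file, whether it looks encrypted (byte entropy near 8 bits/byte) and, if not, whether it contains SSN-shaped or date-of-birth-shaped identifiers. The directory, the regex patterns, the entropy threshold and the sample files built in demo() are assumptions. It is a coarse triage tool: compressed archives and images also score as high-entropy, and the identifier patterns are US-centric, so the report states the reason for each classification rather than declaring a file safe.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# US Social Security numbers and ISO-style dates of birth (assumed patterns;
# add the identifiers your own data actually holds).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")

# Random (hence encrypted) bytes approach 8 bits/byte; text sits around 4-5.
# Compressed data also lands above this threshold, which is why the finding
# says "encrypted or compressed" instead of "encrypted".
ENTROPY_ENCRYPTED = 7.5


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number shapes the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts down false positives from part numbers etc."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, computed over the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_file(data: bytes) -> dict:
    """Classify one file's contents: high-entropy, plaintext with PII, or plaintext without."""
    ent = shannon_entropy(data)
    if ent >= ENTROPY_ENCRYPTED:
        return {"entropy": ent, "ssns": 0, "dobs": 0,
                "finding": "high-entropy (encrypted or compressed)"}
    text = data.decode("utf-8", errors="replace")
    ssns = sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))
    dobs = len(DOB_RE.findall(text))
    finding = "PLAINTEXT PII" if (ssns or dobs) else "plaintext, no identifiers matched"
    return {"entropy": ent, "ssns": ssns, "dobs": dobs, "finding": finding}


def audit_directory(root: Path, max_bytes: int = 4 * 1024 * 1024) -> dict:
    """Audit every regular file under root (first max_bytes of each; symlinks skipped).
    Returns {relative path: audit_file(...) result}."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            with open(p, "rb") as fh:
                results[p.relative_to(root).as_posix()] = audit_file(fh.read(max_bytes))
    return results


def demo() -> dict:
    """Constructed sample: a plaintext patient export, a harmless note, and a
    stand-in for the export's encrypted copy (every byte value equally
    frequent, so its entropy is exactly 8.0, as real ciphertext approaches)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "export.csv").write_text(
            "patient_id,name,dob,ssn\n"
            "1001,Jane Doe,1975-03-14,123-45-6789\n"
            "1002,John Roe,1982-11-02,000-12-3456\n")  # second SSN is an impossible shape
        (root / "notes.txt").write_text("meeting notes: discuss budget\n")
        (root / "export.csv.enc").write_bytes(bytes(range(256)) * 16)
        return audit_directory(root)


if __name__ == "__main__":
    import sys
    report = audit_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for rel, r in report.items():
        print(f"{rel:30} entropy={r['entropy']:.2f} ssn={r['ssns']} dob={r['dobs']}  {r['finding']}")
```

Point it at a user's documents folder (`python audit.py /home/alice/Documents`) and anything reported as PLAINTEXT PII is a file that the policy says should not be there unencrypted; a high-entropy hit on a `.csv` or `.xls` is worth a second look too, since it may be an archive rather than ciphertext.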
