A night without your notebook. After a crazy day, you've slipped away from the office a little early to a favorite hideaway for a drink and some dinner in the company of your agency's notebook computer. You need to finish up some overdue reports and spreadsheets, and getting away from the office, the people and the telephone allows you to concentrate. So you queried your database server at the office this morning, pulled the 50,000 or so patient and response records you needed from the past year, and copied them to your notebook.
You finally arrive at the destination you'd been looking forward to all day. You order, pull out your notebook, plug it in, boot it up and get online with the free Wi-Fi that's offered. Yes, life is good. Those reports can wait a few more minutes, you tell yourself, as you walk over to chat for a moment with some friends.
You walk back to your table as the server is arriving with dinner, and you dive right in. The stress of the day is fading, and you're enjoying your meal. But when you start to think about the reports and spreadsheets, a terrible, sickening feeling comes over you. Where's my notebook? Your case and coat are still nearby, but there's no sign of your notebook anywhere: not on another table, not on the floor, not on a chair, not in anyone's hands. You ask people nearby if they saw anyone at your table with a computer, but no one did. Then it sets in: it's gone; you're a victim.
The notebook was essentially unsecured, with no encryption on the hard disk or the data. It held thousands of patient records with Social Security numbers, addresses and dates of birth (a treasure trove for identity thieves), not to mention thousands of e-mails with sensitive information and contacts that will be sold to a spam farm somewhere in Eastern Europe. You don't even have the agency name engraved on the PC, and you have no record of its serial number. There's no hope of recovery.
What mistakes did you make that led to this unhappy ending?
- You don't have a data-security policy.
- You don't have ID info etched into your notebook, and you don't know the serial number.
- You copied HIPAA-protected data to an unsecured device and took the device to an unsecured public place.
- You have no substantial security on the notebook.
- You have no encryption on the drive or data.
- You didn't physically lock your notebook with a cable lock.
- You didn't use a DEFCON anti-theft alarm system.
- You logged on to an unsecured Wi-Fi network without using signal encryption.
- You took your eyes off your notebook.
Amazingly, scenarios like this happen every day in the U.S. Go to www.privacyrights.org and look at the data breaches page, scare yourself, and then start determining where your agency is and where you personally fall on the data-security spectrum.
It seems hardly a week goes by without a news report of a notebook computer being stolen or lost and thousands of individuals' financial and health records being potentially compromised. Many times, the thefts are crimes of opportunity in which someone seeks the actual equipment for a quick buck. However, the real money lies in the unsecured, unencrypted data on the device's hard drive.
There have been more than three dozen documented cases of EMS notebooks being lost or stolen in the U.S. and Canada in the past year. An estimated 2.2 million notebooks were stolen in the U.S. in 2007, with 98% never recovered, and the theft rate is expected to rise about 15% per year for the next three years until widespread adoption of trusted computing initiatives takes hold, which will make stolen machines useless to anyone except authorized users.
In more than two thirds of the EMS cases, the patient information on the drives wasn't encrypted and, in most cases, was "protected" only by a username and password or a data application protection scheme. This protection can be easily bypassed by anyone with only scant IT skills.
A variety of tools exist to secure your notebook computer. Most modern notebook computers, operating systems, commercial products and software, and trusted open source, academically reviewed, third-party applications are designed with features that let you easily create extremely secure portable computing platforms. Unfortunately, security and usability have always been at odds: the more secure, the less user friendly, and the more user friendly, the less secure.
Those lines are now starting to blur a bit. No doubt, computer and network security is difficult to obtain, and on a professional level it's extremely complex. Implementing sweeping security policies that employees may view as draconian will always result in policy failure and compromised security. Thus, security must be built into agency operations across the board, and, for IT-related functions, security needs to be nearly invisible to the end user for optimal compliance.
During the past five years, the majority of "notebook culprits" have gone from lone hackers and teenagers to more organized criminal operations with a profit motive. Virus and worm attacks in the past 10 years (e.g., Melissa, Code Red, Zotob, SQL Slammer) may not have been isolated events, but rather probes of different attack vectors designed to see how long it takes major Internet service providers (ISPs) and the U.S. Computer Emergency Readiness Team (US-CERT) to determine what's happening and squelch the criminal activity. This way, attackers would know their strengths and weaknesses for a more crippling attack in the future.
The good news is that following a few simple precautions will protect us from the majority of malicious threats Internet users face today. The threats are constantly evolving, and we have to be ever alert.
Encrypt the whole disk
Encryption is a necessary precaution. On newer notebook and desktop computers, we can utilize the Trusted Platform Module (TPM) security chip, an open industry standard security subsystem built into the motherboard. The TPM approves users via a finger swipe or a single sign-on password. If the machine is lost or stolen, it's nothing but a paperweight to the thief. Should someone remove the drive and mount it to a different machine, they find it locked. Should they defeat that lock or take the drive apart and place the data platters into another drive, they find the entire disk, including the master boot record, encrypted and irrecoverable.
Although it generates security key strings, the TPM doesn't run any software, and security software has to be specifically written to use it. Many notebooks and desktops sold since 2003 have TPMs built in; if your notebook has a fingerprint reader, the fingerprint scan and passwords you save with your fingerprint may be secured by the TPM. Some password vaults, such as Wave Systems' Private Information Manager and Document Manager applications, use the TPM.
Whole-disk encryption tools such as BitLocker encrypt the entire Windows volume and use the TPM to check the boot components; you can't boot up if the system has been tampered with, and a thief can't boot from a CD or take your hard drive out and put it into a PC running another operating system to decrypt it.
For BitLocker, which comes free with the Ultimate version of Vista, your hard drive must be formatted with the New Technology File System (NTFS), and you need two volumes. The system volume only needs to be 1.5 GB, because it stores only the files needed to load Windows, which aren't encrypted.
Vista itself will be on the boot volume, which will be encrypted by BitLocker with a full-volume encryption key. That key is encrypted with an unencrypted volume master key, so if you change something in your system, or lose a key, you can get a new key without taking the time to decrypt and encrypt the whole volume again. You can also turn BitLocker off temporarily to update the Basic Input/Output System (BIOS), which changes the measurement in the TPM. When you turn BitLocker back on, only the volume master key needs re-encrypting.
Once BitLocker verifies the key with the TPM and authenticates your log-in credentials, the Vista file system encrypts and decrypts disk sectors as you write and read data. If you hibernate the PC, the hibernation file is encrypted, and then decrypted again when you wake the PC. If you have other volumes, you don't need to run BitLocker on them directly; instead, you can use the Windows Encrypting File System, because the keys for that are stored on the boot volume, where they're protected by BitLocker.
You can add a PIN or startup key stored on a USB flash drive to make BitLocker more secure. You also need to create a recovery password or key and save it to a USB drive, so you can recover the encrypted drive if your PC fails and you need to read it on another system.
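The key hierarchy described above (the volume encrypted under a full-volume encryption key, that key wrapped by a volume master key, and the master key wrapped by each protector) is what makes a PIN change or a new recovery key cheap. The Python model below is an added example, not Microsoft's BitLocker code: it uses an HMAC-SHA256 keystream as a stand-in for AES and PBKDF2-derived keys for a TPM/PIN protector and a recovery password, all constructed for illustration, to show that replacing a protector re-wraps only the master key while the encrypted volume bytes never change.

```python
import hashlib
import hmac
import os

def stream(key, nonce, data):
    """Stand-in cipher: XOR with HMAC-SHA256 counter blocks (NOT AES; illustration only)."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def protector_kek(secret, name):
    """Derive a key-encryption key from a protector secret (PIN, recovery password, sealed TPM value)."""
    return hashlib.pbkdf2_hmac("sha256", secret, name.encode(), 50_000)

def wrap(kek, key):
    """Encrypt a key under a KEK with a fresh nonce and an integrity tag."""
    nonce = os.urandom(16)
    ct = stream(kek, nonce, key)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("protector rejected: wrong PIN/password or tampered key blob")
    return stream(kek, nonce, ct)

class Volume:
    def __init__(self, plaintext, name, secret):
        fvek, vmk = os.urandom(32), os.urandom(32)            # never stored in the clear
        self.nonce = os.urandom(16)
        self.ciphertext = stream(fvek, self.nonce, plaintext)  # the encrypted boot volume
        self.wrapped_fvek = wrap(vmk, fvek)                    # FVEK sealed by the VMK
        self.protectors = {name: wrap(protector_kek(secret, name), vmk)}  # VMK per protector

    def _vmk(self, name, secret):
        return unwrap(protector_kek(secret, name), self.protectors[name])

    def add_protector(self, via_name, via_secret, name, secret):
        """Add or replace a protector (PIN change, new recovery key): only the VMK is re-wrapped."""
        vmk = self._vmk(via_name, via_secret)
        self.protectors[name] = wrap(protector_kek(secret, name), vmk)

    def read(self, name, secret):
        # Unlock chain: protector secret -> VMK -> FVEK -> decrypted sectors
        fvek = unwrap(self._vmk(name, secret), self.wrapped_fvek)
        return stream(fvek, self.nonce, self.ciphertext)
```

A wrong PIN is rejected by the integrity tag on the wrapped key rather than silently producing garbage sectors.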
I use the TPM module in my notebooks in combination with my favorite disk encryption software, TrueCrypt. I've been using this open source, free product with Windows XP, Vista and Linux for more than three years, with no problems for whole-disk encryption. It's platform-independent and well-constructed.
TrueCrypt can do whole-disk encryption or partial-disk encryption. It also works on USB drives and in "traveler" mode, allowing you to decrypt/encrypt a USB memory stick on a PC that doesn't have TrueCrypt installed. TrueCrypt has a longer track record than other encryption products, and opens its source code for review. For more on encryption vendors, visit www.jems.com/jems.
Secure the network
Almost all of us have jumped onto someone else's unsecured Wi-Fi network, but it violates federal law to connect to a network that's not yours without explicit permission. Doing this unintentionally and sucking in those signals and data packets is not illegal unless you use the captured data in a malicious way.
In densely populated areas, many networks can be visible when a Wi-Fi card is turned on. (I heard that someone in Las Vegas actually recorded 199 separate networks available to his PC.) If you don't control your Wi-Fi settings and you're running Windows, your notebook will frequently try to make itself "at home" on other people's networks.
At public Wi-Fi locations, the station and any other locations, it's important to properly secure your wireless connection. It's easy for others to watch your wireless traffic and computing activities, almost in real time. It's also relatively easy for hackers to hijack your session and take over your account. If you were logged in to an online banking session, they could easily obtain your financial records.
Because public hot spots generally don't use encryption, you should assume that anyone can see your Internet traffic, unless you take the following precautions:
- Make sure you're using a legitimate hot spot: Nefarious types have been known to set up pirate routers with a familiar service set identifier (SSID) name for the wireless network, such as "wayport" or "T-mobile," and then use it to capture users' login information and other data.
- Verify that your PC's software firewall is turned on and the Windows file-sharing feature is off.
- Never send bank passwords, credit card numbers, confidential e-mails or other sensitive data online, unless you're on a secure site. Look for the lock icon in the bottom-right corner of your browser, as well as a URL in the address bar that begins with https. Such sites build in their own encryption.
- Always turn your Wi-Fi radio off when you don't need it. Hackers can use it to create peer-to-peer Wi-Fi connections with your computer and access it directly. This became a major attack vector in spring and summer of this year.
- Disable or remove the Bluetooth card. It allows easy access into your notebook.
The best way to protect a public wireless link is by using a virtual private network (VPN). VPNs keep your communications safe by creating secure "tunnels" through which your encrypted data travels. Many companies and governments provide VPN service to their mobile and offsite workers, so check with your IT department to see if this is available.
An inexpensive VPN service that offers a number of options is HotSpotVPN. This allows you to create a secure tunnel to HotSpotVPN's servers, where you're placed on the Internet. All traffic from your PC to the Internet is contained within the tunnel, so the hacker can see only encrypted traffic from you and nothing sensitive is exposed.
Make sure you're behind a hardware firewall and a network address translation (NAT) type of routing device. This simple step costs as little as $35 and can protect you from a myriad of online criminal activities.
Also, keep the software firewall of your PC on, even when behind a hardware firewall. If an infected notebook enters the office and connects to the network and certain PCs don't have their software firewalls in place (assuming there's no other threat-management appliance in place on the local area network), a worm will spread to all of the other PCs. A software firewall is especially important for nomadic notebook PCs.
Just like cash
The best advice for keeping your notebook computer around is to treat it like a $500 bill. Would you leave it on a restaurant table while you chat with friends? How about in a hotel room? If you have notebook computers deployed on EMS units, try to have your personnel apply the same logic. Never let the $500 bill out of sight.
There isn't a perfect solution yet for notebook security. As the trusted computing initiative moves along, the hardware will become less attractive to thieves looking for a quick buck. However, data will remain attractive for all the same reasons: identity theft, espionage, intelligence, competitive advantage, blackmail, bribery and so on. It'll always be a challenge to keep data secure, and the insider will always be the highest threat.
www.uscert.gov: US-CERT_s site, with great information and e-mail updates.
www.sans.org: IT security education and several excellent e-newsletters.
www.privacyrights.org: The perfect site for information on data breaches.
www.microsoft.com/security: Microsoft_s security site.
www.grc.com: A lot of neat tools and tips from Gibson Research Corp.
www.grc.com/securitynow.htm: Gibson's and LaPorte's security podcast site.
William Ott is chief consultant at CPCS Technologies and co-founder and chief technologist at Max-Q Media, both located in Cary, N.C. He spent 20 years as a paramedic and EMS educator and also developed and wrote the eJEMS column. Since 1998, he has focused on information security and assurance, secure wireless communications, unconventional technology development and counter-terrorism technology support. Contact him at firstname.lastname@example.org.