Information security experts like to talk about a metaphorical three-legged security model called the security tripod, or more simply, the tripod. In this model, one leg comes from perimeter security, which addresses the barrier and safeguards used to protect the boundary between internal and external networks, or between individual systems and the Internet. Another leg comes from software security, which addresses the needs to maintain confidentiality, integrity, and accountability for data and services that software and systems provide. The final, and too often overlooked leg hinges on physical security, or controlling physical access to systems and machines.
As I spoke to Rob Humphrey, the Director of Security Products at the Kensington Computer Products Group by phone last week, I was forcibly reminded of the vital importance of this third leg in maintaining security for systems and networks alike. It’s a truism that if a bad guy can take possession of, or gain access to, just about any kind of system, that he (or she) can usually compromise the other two kinds of security quickly and convincingly in most cases, provided that the person who takes possession of or gains access to a system knows what they’re doing.
Case in point: when my colleague James Michael Stewart and I used to teach Windows security courses for Interop in the late 1990s and early 2000s, we would ask a volunteer to let us borrow one of their notebook PCs in the class. In 9 cases out of 10, we could break into that system in under 5 minutes live in the classroom using readily available administrative hacking tools for Windows PCs. The notion that somebody who takes possession of a system can soon also take possession of its contents is one worth pondering, and reacting to, especially for companies or organizations that permit employees to work off-site, or take sensitive information with them off the premises as they travel for business or pleasure.
Simple thought it seems, the Kensington cable locks that the majority of notebook and laptop PCs support (around 99% of all notebooks, according to Mr. Humphrey, come with built-in Kensington Security Slots that accommodate such locks) can provide a powerful deterrent against theft and loss of systems and the information they contain. By making it more difficult and time-consuming to take possession of a notebook PC, Kensington decreases the likelihood that an unauthorized and possibly malefic third party will take it into his possession, and gain access to the information it contains.
Humphrey also shared some scary and wonderful statistics about the impact of theft and loss on companies and organizations. Right now, an average of 20,000 PCs are lost or stolen every week in the US. Estimates of the value of the information on those machines hovers near $75,000 per computer. This is not a huge number, but the product of the number of systems and the value of the information they contain comes up to a whopping $1.5B in losses in the US every week! That’s $78B per year in losses, for machines that get lost or stolen. This might seem highly unlikely, until you remember the tens of thousands of veteran’s identity data lost owing to the theft of a notebook belonging to a VA employee in 2006 (26.5 million records), or large scale losses of credit card information at various card processing operations in the past few years (over 40 million records in the aggregate).
The best combination of physical protections for a modern-day notebook looks something like this:
1. A physical lock-and-key-plus cable to keep the notebook where it’s left
2. Whole drive encryption that requires a password to access a hard disk, and any of the data it contains
3. Use of the boot/hardware password protection that the hardware-based trusted platform module (TPM) provides to suitably-equipped notebooks and laptop PCs. Without the right login/boot-up password, the computer simply won’t boot, and this low-level protective circuitry cannot be sidestepped or worked around
4. Built-in tracking software like LoJack that causes a system to report its IP address and other information whenever it’s started up, so that legitimate owners and service operators can track down and recover lost or stolen machines.
Today, Kensington has a relationship with Absolute Software that lets buyers of their security cables, purchase a bundle or obtain a discount on that company’s LoJack for Laptops. I suggested to Humphries that he look into similar synergies with makers of whole-drive encryption tools and TPM technologies. Seems like an appropriate collection of countermeasures to ensure that notebooks and the data they contain remain safe from unauthorized access or use.