Over the past couple of years laptop computers have continued to lose ground to tablets and a broad range of other mobile devices; but they still play an important role in maximizing the productivity of many. While I rely heavily on my own mobile devices for certain activities, my laptop remains the centerpiece of my business. As a professional security consultant, it’s especially important to me that I protect the sensitive information entrusted to me by my clients. In fact, my clients often ask what types of steps I take to ensure that my laptop and data storage systems are ‘secure’.
This article is intended to outline a few options for locking down a laptop computer – primarily targeted at other solitary professionals who are responsible for protecting sensitive data. I say solitary, because if you are part of a larger organization, many of these issues may (or may not) be addressed for you already. These steps can also be taken by any security-conscious individual who just wants to keep from being a victim.
Let me first start by saying that a LOT of this is about personal preferences. There are a TON of options for how you might go about setting up a laptop. Many security professionals I know prefer to run Linux or Unix based operating systems, while others tend to prefer a Windows-based platform. For the purpose of this article I am going to begin from the perspective of a Windows machine; Windows 7 Professional still being my preferred OS for general productivity work. If Windows is your starting point, then hopefully you’ll find some useful information here…
Let’s dive in:
1) Situational Awareness and Physical Security: You can’t start any conversation about laptop security without pointing out the obvious. Laptops are small and easy to steal. They are also easy to unload – so they make sweet targets. Just be smart and you should avoid most physical security problems. If you’re on the road, make sure that you use a computer bag with a shoulder strap – preferably one that would make it difficult for someone to remove your laptop from your person without you noticing. When it’s not being carried, use a lock (there are even ones with alarms built in) or keep it in a safe (or some other secure location). Again, be smart and you’ll be fine in this area.
2) Physical Tracking and Shutdown Services: If you do manage to find yourself in a situation where you have one less laptop than you should have, there are a few great tools on the market that will allow you to track or trace the computer,and/ or to prevent it from even being booted. LowJack for Laptops is one example, but I use PCTheftDefense myself (it came with my Sony Vaio). You just setup an account on-line, add a passcode, and off you go. If your laptop is lost or stolen, you can go to the site and shutdown the device. If the laptop isn’t used for a few days (it misses its check-ins with the server for too long), you’ll have to enter your passcode to even boot the thing. While this may sound a little annoying, it’s actually a nice feature.
3) Locking Down the BIOS: The BIOS is your friend when it comes to laptop security. There aren’t too many things that you can actually do with it, but the couple of options you have here can make it nearly impossible to use the device (well, unless the BIOS is physically reset that is). Anyway, there are two quick and easy things you’ll want to do. First, enable a strong password for gaining access to the BIOS. After that, make your hard drive is the only bootable device. This will make it difficult to start the laptop with a CD or USB drive if it ever falls into the wrong hands.
4) Whole Disk Encryption for the Hard Drive: Now we start to get into the fun stuff. Encryption is a powerful tool when it comes to protecting your sensitive data on a mobile device (including laptops). There are many different options for encrypting data, but if you really start to dig into the Windows operating system, you’ll find that there are many caches and other little hidey-holes that your data can sneak into. It’s just easier, and safer, to encrypt the entire drive. One option here is the free (and awesome) TrueCrypt. Another (and the one I prefer) is PGP full disk encryption. You could also just use BitLocker (if you have the right version of Windows), but I prefer using a third party tool for encryption purposes. If your encrypted drive is removed, it can’t really be accessed.
5) Internet Security Suite: Assuming we’re now in a booted state with Windows up and running, the next thing you want to make sure you have in place is a strong security suite. This is where your anti-virus, anti-spyware, anti-spam, and general anti-bad stuff tools come into play. There are a number of good packages on the market – and you can choose from any one of them. Whatever you choose, make sure you do some reading, fully explore the features, and enable the functions that matter to you. I use BitDefender (and a second suite of tools I will not disclose here), which is a particularly strong security suite, but it’s a little less user friendly than some of the others. And, yes, there can be value in running two different security suites at the same time, but you need to fully understand what you are doing – otherwise you’ll run into a lot of issues.
6) System Maintenance Software: While this doesn’t usually fall under the heading of ‘security’ per se, I consider the use of a good system maintenance tool to be directly tied to good security practices. Again, there are several good options on the market, and some vendors even offer this kind of functionality as a part of their overall security suite. As for me, I use System Mechanic. I prefer to have a tool that is separate from my security suite, as it can perform some useful added functions and provide some redundancy. For instance, you can run a security check that will test if you are open to null session attacks, if you have the right patches installed, etc. There’s also a file shredding tool that you can use to permanently wipe sensitive files when deleting them. You can explore your startup processes and running processes in great detail, etc. Lastly, there’s something to be said for having a fully optimized laptop system.
7) Protecting the Browser: I won’t get into too much detail here, since the features and functions vary from browser to browser. Just be sure to fully explore the security options available to you and turn on the ones that make the most sense. Most browsers will also offer add-ons or plugins that can provide additional security layers. For instance, I tend to use FireFox quite a bit – and I always have the NoScript security tool installed. I also have a protected proxy server running, but that’s a little more of an advanced function. I’ll also call attention to another very interesting option (and one I use when I’m doing investigations or find myself ‘surfing’ in the danger zone). You can use a free virtualization suite (like VMPlayer or VirtualBox) and install an OS inside it that is JUST used for Internet access (Chrome OS, Splashtop, Browser Linux, the options are endless). That way nothing is persisted from your surfing experience – and everything disappears when you terminate the virtual session (without saving it of course).
8) Protecting the Mail Client: Sure Outlook dominates in this space, but Thunderbird is also a strong option. But then of course you could be one of those folks who uses Gmail for everything. My assumption is that you are security-minded though, so let’s also assume that cloud-based e-mail is not your cup of tea. One of the features that should be included in your security suite is an anti-spam, anti-fishing, anti-bad e-mail option. Personally I don’t find the anti-spam features of my security suites to be all that useful, so I also use SpamAssassin on my mail server and SpamBayes on my mail client. Plus my proxy server also does some filtering work on my behalf. But also be sure to consider the features and functions built into your mail program itself – like disabling images from being shown, viewing header details, etc. And, as with the browser options, there are also a number of security-based add-ons available for most mail clients. Do your research and see what’s available for your own needs. As a side note – PLEASE USE SSL for connecting to your mail server. Don’t toss your mail credentials and messages into the void by using open, cleartext mail services.
9) Protecting IM and Social Media Platforms: This topic gets a little stickier because it covers so much ground. As with anything else in the security realm, being smart will help you avoid 90% of the problems out there. Note that there are encryption options (both embedded and via third party tools) that are available for a number of IM chat clients. There are also scanning services that can be provided by your security suite to prevent you from clicking on malicious embedded links, or opening files that are shared with you through these types of channels. Overall, just do your research and look at which IM services and which social media platforms you actually use. Then decide which tools will meet your needs. The goal here is to keep yourself protected from accidental information disclosure, and from malicious code (viruses, spyware, etc.).
10) Protecting Your Passwords: These days we have a TON of passwords we have to remember (at least you should have a ton of passwords if you are doing security correctly). The problem is – how do you keep all of those passwords straight? Especially if you are adding the level of complexity you should be (at least 8 characters with upper and lower case, numbers, special characters, etc.; or better yet an actual passphrase that is a bit longer and uses some of the same character types). Anyway, you’ll likely need to store these passwords somewhere. No, adding them to an excel spreadsheet is NOT a good option. Instead, look into using one of the many encrypted password storage tools that are available. My favorite is PassWord Safe. Tools like this not only allow you to keep your passwords together in a secure location, they also offer features like copying and pasting (then deleting the cache) so you can punch your credentials directly into web pages, applications, etc. with just a few clicks of the mouse.
11) Going Deeper with Encryption: We already discussed full disk encryption; we’ve also discussed e-mail protection. Now I want to discuss encryption in terms of e-mail, and in terms of creating ‘encrypted volumes’. PGP is my go-to of choice here. You can install the OpenPGP solution, or you can buy the Symantec suite, but either way, PGP encryption is a veritable must for secure communications. As for encrypted volumes, this is a handy way of dealing with USB storage devices. Instead of just putting your data on the device, you can create a secure volume that you mount and unmount as needed (using a passphrase or a key). My recommendation is to combine these two functions – by removing your private keys from your laptop and storing them on an encrypted volume that is protected by a passphrase. Your private key is indeed the ‘key to the kingdom’ and should be protected from loss or harm. You can use encrypted volumes in a number of other creative ways – basically anytime you need to protect a particular subset of data with stronger controls (like if you were to store sensitive data to a cloud server or a network accessible storage device for instance).
12) Dealing with Remote Access: If you have certain files you like to have access to in a place other than your laptop, then you may need to get access to those files while you are on the road. My ‘for instance’ here is if you have a remote desktop on your home network that’s attached to a network access server. You might get better fail-safe data redundancy this way and it may be quite appealing. Don’t make the mistake of opening up your firewall to get access though. Use a VPN service instead. Whether you are using a wireless router that can support VPN connections, or you have a full-blown firewall in place, using an IPSec VPN, or using the OpenVPN client is definitely the better and far more secure option. Just be sure to have a strong passphrase and use a client-side certificate in order to access the VPN. You can also do some pretty cool things with a service like DynDNS if you are connecting to a home network that gets its IP address from an external DHCP server. This is obviously a more complex topic, so do your research to learn more.
13) Going Virtual for the ‘Real’ Work: This topic is far more relevant to security professionals and other IT folks, but the basic power of virtualization should NOT be overlooked, especially on a laptop. Granted, you need enough memory (at least 8gigs realistically) in order to fully leverage this option, but it’s worth it. I use VMPlayer in order to run a number of virtual systems on my laptop, especially when I am involved in penetration testing or forensic discovery work. Yes, you have the option of dual booting or running your laptop with an alternate, non-persistent OS images, but I prefer to continue running my Windows system, and use things like Kali linux (which used to be BackTrack) to do my testing on. It’s also nice to pit different virtual machines against one another so you can do training or perform validation testing. If you want to get REALLY crazy, you can even start nesting virtual systems (like running ESXI on VMPlayer with VMotion to move and test copies of production systems).
14) Of course, you can’t forget the basics. Things like setting automatic updates on your operating system, keeping your applications up to date (especially applications from Adobe), scanning downloads for malicious code and validating them using hash values, only installing the software you actually need, and so on and so forth. At this point though, we’ve gone WAY beyond the basics of laptop security and are now deep in the realm of good systems management.
There are, of course, other steps that you can take and other things you can do, but this list covers most of the basics, and most of the more advanced situations you might encounter. I’ll also clearly state that none of these steps is entirely foolproof, or 100% effective. In fact, there’s a way around pretty much every single one of these controls if the person who gets a hold of your laptop is particularly knowledgeable. The goal however is to create layers of security that dissuade, deter, and even misdirect would be villains – hopefully long enough for you to recover your lost or stolen property. If not though, these steps will indeed make it more difficult for less-gifted thieves to derive much of a benefit from your stolen system.
In the end, the exact steps you take, the tools you use, and the features you set up, are going to be uniquely suited to your own personal needs and preferences. This article is just the beginning.