Protecting Laptop Computers - SANS Institute


SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.


Copyright SANS Institute Author Retains Full Rights


Protecting Laptop Computers
GIAC (GSEC) Gold Certification
Author: Gregory F. Hill, [email protected]
Advisor: Egan Hadsell

Accepted: June 7, 2010

Abstract

Both individuals and organizations may suffer serious losses measured in dollars, time and reputation when laptop computers are stolen, lost, broken or hijacked. While it would be impossible, not to mention expensive, to anticipate and thwart every possible risk, by taking a systematic approach the vast majority of them can be avoided. The first step is to build a Threat Model to identify the dangers, estimate their costs, and determine the likelihood of their occurrence. A cross-platform, all-purpose Protection Plan can be built based on the Threat Model, ready to customize for any situation, using the five most common OSes: Microsoft® Windows XP®, Windows Vista®, Windows 7®, Apple® Mac OS® X and Linux. Which operating system has the best overall security in the context of the Protection Plan? Which high-security configuration is the easiest to build? Do Linux and Apple systems provide superior security? These questions and more will be answered.

© 2010 The SANS Institute

As part of the Information Security Reading Room

Author retains full rights.!


Protecting Laptops


1. Introduction

There are three general categories of mobile computing devices:

- The first category, “handhelds”, consists of smart phones, Personal Digital Assistants (PDAs), eBook readers, and tablets. These devices are technically computers, but are primarily designed for other uses. Presently, they do not pose as serious a threat to individuals and organizations as do full-featured portable computers (laptops), mostly due to their lack of homogeneity – there are too many different kinds with too many different types of software to be attacked on a large scale. However, as these devices become more powerful, with increased storage and effective network connectivity, and adopt more robust and consistent operating systems, they will approach the same threat profile as traditional laptops. Indications of this evolution are the iPad®, Palm® Pre™, Android and Windows® Phones, which already provide a substantial subset of laptop capabilities and are beginning to push less popular configurations out of the marketplace.

- The second group, “netbooks”, are cheaper, smaller, and typically provide less computing power and storage than laptops. They are primarily communication machines, designed to be the portable equivalent of the “thin client” on the desktop. Netbooks (and thin clients) usually depend on a web browser as their operating system, such as Microsoft Internet Explorer® or Google Chrome, or light versions of mainstream operating systems such as Linux and Windows. Consequently, they also pose less of a threat to the individual or organization when they are lost or stolen. However, like the first class of devices above, netbooks are undergoing the same sort of capacity creep, propelling them toward the same capabilities as the final category, the laptop. (Crothers, 2009)

- “Laptops” are essentially portable versions of the ubiquitous desktop computer. To grow in acceptance among users, laptops overcame deficiencies in storage, display, and computing power initially caused by the necessity that they be portable. Modern versions are frequently “desktop equivalents” possessing all of the power, speed, storage, and display capability of the average sedentary office machine. With the economical availability of wireless connections and the Internet, they are also communication centers, capable of supporting a variety of video content from television to movies, as well as providing a convenient device for browsing the web, checking email, making audio and video phone calls, keeping up with social sites like Twitter, FaceBook, MySpace, LinkedIn, etc., along with a wide variety of business activities including logging in remotely to the corporate network.

A recent Gartner press release estimated that there are 500 million laptops currently in use, worldwide. (Gartner, Inc., 2010) Of the three categories of portable devices, the subject of this paper, laptops, present the greatest vulnerability not only because they have far greater capacity, complexity, and power, but because they are more clearly defined and homogeneous, both in terms of hardware and software. Whereas handhelds have a large number of operating systems with no clear leader, most laptops use one of three brands of operating systems, with the clear leader being Microsoft with over 90% penetration (see table below).

Operating Systems Total Market Share, from NetMarketShare as of May 15, 2010.

Operating System    Market Share
Windows XP          63.41%
Windows Vista       15.60%
Windows 7           11.68%
Mac OS X             4.42%
Linux                1.05%
Other                3.84%

Figure 1 - OS Market Share from NetMarketShare

The number of laptops in use is also far greater than that of the other two types of mobile devices, making them the biggest target. IDC (International Data Corporation, a market research firm) predicts that by 2013, mobile workers will comprise nearly 35% of the workforce, or 1.19 billion employees, up from 919.4 million in 2008. (Ryan, 2009) However, although the focus of this paper is laptops, many of the threats and solutions presented are also valid for handhelds and netbooks.


Attempts to exploit computers have grown exponentially and are predicted to continue because it is a highly profitable venture. In fact, there is so much money being made that according to an article in Engineering News, revenue exceeds that of drug trafficking: “Cyber crime revenues are already exceeding those of drug trafficking and the threats are increasing along with the number of devices accessing networks, International Data Corporation (IDC) South Africa senior research analyst Pieter Kok has warned. “Security remains a key IT challenge and the focus is on business continuity. Only 5% of all organizations worldwide are adequately protected against cyber crime,” he says. Organizations also need to be part of global networks, which opens the opportunity for potential attacks, as global companies’ networks could be compromised from anywhere in the world. IDC’s top threats for 2010 include casual intruders, insider system sabotage, spyware and data loss through employee error or malicious intent. Only 50% of companies have formal security policies for employees to follow and only 33% educate their employees on these policies. “More money is lost from the inside than from the outside in terms of IT security,” says Kok. Companies need to exert greater control over the information coming in and going out of an organization. Further, Web 2.0, which includes social interaction websites, could also pose threats of cross-site attacks, spam, hackers, malicious codes and phishing. Kok says that the adoption levels of Web 2.0 are expected to double, but this will be an additional threat that companies will have to handle through continuous monitoring.” The article further points out that “prevention is better than cure” and “information is the new currency and data protection solutions will be required to better protect business”. (Holman, 2010)

2. Protecting Laptops

Protecting laptops is a complicated process, due primarily to the nature of their use. The most powerful protection for the traditional desktop computer is the security of its location. It is kept in an office and connected to a fixed network, both of which can be surrounded with nearly impregnable defenses against breaches, such as concrete walls and locked doors, firewalls and security protocols. Desktop computers also do not need to access the public network in order to reach internal network applications, as mobile computers do when they are used remotely.

Protection is based on control, so the first priority must be maintaining possession. This is easier with desktops, shackled to a desk with a tangle of wires, with valuable data stored in a bulky and heavy box. Laptops, on the other hand, are light, sleek, small, and at home in the wild, thrust into obvious cases or carried rakishly in one hand or under an arm. They are tethered to nothing but the occasional electric outlet, and can be picked up and carried off easily. While theft or loss of these portable devices is practically an epidemic, laptop unit sales continue to approach sales of desktops, with the most recent statistics showing 110 million of the portable devices sold to 150 million desktops. (Wyld, 2009)

Laptops are “road warriors”, whether they simply travel back and forth to the jobsite every day or are the constant companion of a traveling computer worker. They are exposed to on-going and increasingly insidious threats far beyond those of their tethered cousins. A survey commissioned by Dell Computers from the Ponemon Institute has estimated “Up to 12,000 laptops are lost or stolen in United States airports each week” (Ponemon, 2009). That adds up to an estimated 624,000 devices in a year. Another article states “it has been estimated that upwards of a million laptops are stolen annually, with an estimated hardware loss alone totaling over a billion dollars. And it is not just companies that are affected. Indeed, across federal agencies, leading universities, and all facets of health care and education, there is increasing focus on laptop theft, as surveys of IT executives across organizations of all types show such occurrences happening on a routine basis – often with dire consequences potentially impacting thousands of employees, customers, patients, and students.” (Wyld, 2009) Other disturbing findings from the Dell/Ponemon survey are “between 65 and 70 percent of lost laptops are never reclaimed”, “53 percent of business travelers surveyed carry sensitive corporate information on their laptop”, “65 percent of those who carry confidential information have not taken steps to protect it while traveling”, and “42 percent of respondents say they do not back up their data”.

But the simple loss or theft of the computer is usually not the most serious threat affecting laptop computers. Hardware is replaceable, and most laptops are affordable, priced, in most cases, from $300 to $3000. The most recent sales figures from Gartner, Inc. list the average selling price of laptops at $732, 15.7% less than in the same period of the previous year, when the average was $868. Sales were up 71% for the first quarter over 2009. (Gartner, Inc., 2010)

Proceeding to threats of a more expensive and serious nature, the loss or theft of a laptop computer can result in the release of secure information, such as customer credit data, to individuals who will exploit it. The average total cost of these data breaches in the United States is estimated at $6.75 million, or about $204 per record. (Chickowski, 2010) Compounding the cost, laws that regulate how the storage of sensitive records must be handled may require disclosure and result in fines. Congress is considering a bill to force all persons or organizations involved in interstate commerce to disclose any breach of Personally Identifiable Information (PII) immediately, with a penalty of $1,000 per record, per day (up to $1 million). (govtrack.us, 2009) The resulting adverse publicity from such a breach may also result in lost business, estimated to represent more than half of the ultimate cost. These breaches are at least discovered, and steps are taken as quickly as possible to mitigate the damage. And, although the consequences are substantial, an even greater security issue exists: data breaches and other threats are occurring without the loss of the laptop and without the knowledge of the user. Criminal organizations as well as individuals can break into laptops with a number of sophisticated and even unsophisticated approaches. Some of the threats are as mundane as the cloud of phishing and other spam emails every user navigates on a daily basis. Or they can be as sophisticated as worms and Trojans that steal data and credentials silently without leaving a trace.
The key to effective security is concentrating resources on the areas most likely to be exploited, predicted by using analysis such as a threat model customized for each individual situation. Starting at the beginning, laptop threats fall into four major categories:

1. Loss of hardware (LOH)
2. Loss of software (LOS)
3. Loss of information (data, LOD)
4. Surreptitious use of the computer and contents by others (Invasion, INV)


3. Loss of Hardware

As previously noted, the loss of hardware, by whatever means, represents a loss of replacement value and time. There are exceptions, however, such as in the case of machines that are specifically built or modified to access secure or specialized networks or machines. Generally, the loss of a laptop computer, without consideration for the data and software loaded, is a low-severity threat and may be rectified with relative ease. That in no way means actions to prevent a loss should be overlooked, education being the most logical and inexpensive step. In any organization utilizing laptops, management is wise to alert the employees to the ways laptops are normally lost, to increase awareness and establish behavior patterns that mitigate the problem. For example, in the Dell/Ponemon survey, researchers found that most laptops lost at airports were left at the security/scanning area. Simply providing a checklist for traveling employees to confirm, before leaving the security screening area, that their laptop was retrieved may eliminate a number of losses by distracted workers. Other effective behavioral methods can easily be devised by individuals or organizations at little cost. Electronic solutions are also available, including radio frequency identification (RFID) tags that will sound an alarm when two devices become separated by a pre-set distance. One example of this type of device, defined herein as Separation Detectors, is the $59.95 TagAlert 150 (TA-150) available from RemotePlay. One of the tags is attached to the computer, and the other can be attached to a key ring or glued to a cell phone. When the two tags exceed the set distance, such as when a laptop is left behind, the device sounds an alarm. There are also a number of Anti-Theft Devices, consisting of cable locks and motion detectors, to secure laptops when the user must leave them behind.

Labels from Laptop Tracking Services also act as a deterrent to thieves because they warn them that they are not likely to get anything useful from the machine and that the software and hardware installed will lead the police to the location of the laptop.


4. Loss of Software

The loss of software may represent a greater expense than missing hardware. In a best-case situation, a recent backup of a lost laptop could be used to restore all of the software with very little lost time and no financial cost. Various situations can cause the time and expense to escalate quickly. If an exact hardware replacement cannot be obtained, software from the operating system to applications may have to be updated or replaced, requiring labor for installation, configuration, and data migration. One estimate is that replacement cost balloons to an average of nearly $9,000 when reinstallation of software and conversion of data is factored in. (Stokes, 2009) Key mitigation elements here are, once again, Software, Hardware, Education and Discipline (“SHED” as a mnemonic acronym for future reference). Since most people who use computers already know they should back them up frequently (education), but fail to do so on a regular basis (discipline, or the lack of it), hardware and software can side-step the potentially unreliable human factor and assure compliance. In this case, Automatic Backup Packages consist of external hard drives combined with programs that ensure there is always an up-to-date copy of the entire system for easy reinstallation. Organizations can implement the same feature using the network, backup servers and software. Some of the software on a laptop may be used by thieves to access the user’s or employer’s accounts, which may result in considerable expense. Since this expense results from the recipients’ use of the software and not from the loss of the software itself, that condition will be covered under surreptitious use of the computer and contents by others.

5. Loss of Information (everything other than software)

Information stored on any computer need never be lost. With the low price of storage devices and media, coupled with the low-cost availability of continuous backup software, there should always be a readily available copy of all data in an area outside the machine itself. Storage space and backup solutions are now available on the internet for continuous off-site storage at low cost.

Vendors selling laptops and software are leaving users vulnerable by not setting the systems up to protect any data stored there. The SHED principle provides that Software and Hardware should be used to enforce the Education and Discipline that will protect laptop users from losing data, even if the laptop is stolen by crooks experienced in utilizing the information for all manner of lucrative illegal activities. Hardware and Operating System vendors could mitigate much of the possibility of lost data by configuring their machines to make use of the capabilities that already exist to protect any data the user chooses to store on them. Currently, unless the user specifically makes the request and is willing to pay for it, retail vendors don’t bother. Lost information is defined as data that is no longer available to the user. There are many ways availability can be lost, all of them preventable or recoverable. In earlier times, security experts would have recommended that the user decide which data was “sensitive” and which was not, and protect the former through encryption, backup, shadow copies, and other means. This was impractical and highly time-consuming. With the average user today, it is simply impossible. In most cases, all of the data should be encrypted, backed up, shadow-copied, etc., because the methods of doing so have improved enough to make it possible, and the volume of data involved is too large to allow manual culling. Operating systems may include Full Disk Encryption (FDE) tools that prevent malicious intruders from even finding the data, let alone making use of it. External devices are now available to store all of the personal data on external hard drives or thumb drives, which can also be protected with passwords, secret keys and/or biometrics (fingerprints, retinal scans, face recognition, etc.) and encrypted.
Backups can be automatically created during off times or idle periods, without impacting performance. The result is that no data is lost or misused, even if the laptop is stolen. Backup alone is not sufficient, because, while the user still has the data accessible, such as bank account numbers and passwords, the same information is also in the possession of the thief, and may be used at any time to change the credentials, locking the original owner out. All laptops should follow the principle of access being achieved by “what you have and what you know”; in other words, a password and an external key, or a fingerprint, or a facial scan, etc. If anyone acquiring the laptop does not have one of the parts, they cannot gain access to the data, even by removing the disk and attacking it from another computer.

Failure to protect personal and organizational data can lead to the largest vulnerabilities of all. Data breaches are estimated to cost an average of $6,750,000 for each incident in the United States. (Chickowski, 2010) However, the cost of data breaches should not be attributed to the loss of data, but rather to the potential for misuse. Within the threat categories above, this misuse is called surreptitious use. This is because the liability and notification expense becomes applicable only if there is the potential of the data getting into the wrong hands and being misused. If the data is simply destroyed and there is no potential for misuse, no additional costs are incurred other than the replacement or recovery of the data. With most laptops carrying 160 gigabytes or less of data on their hard drives, it is unlikely that the cost to replace or recover data would be more than $10,000.

Most employing entities prohibit storing critical data on users’ laptops; yet somehow sensitive data is released with alarming regularity (see Dell/Ponemon study above). Employers should restrict access to databases using the SHED principle: by informing new hires of the policy of not allowing institutional data on laptops and having them periodically sign an agreement to that purpose (Education and Discipline), and by enforcing the policy through not allowing simple data transfer methods, limiting the size of downloads, prohibiting the use of external mass storage devices, and implementing Data Access Monitoring (DAM) to enforce the prohibitions (Software and Hardware). If data must be processed off site with a mobile device, it must be loaded on an encrypted storage device and carried or transported separately from the laptop.

6. Surreptitious use of the computer and contents by others (Invasion)

This is by far the most complex and common threat to laptop computers and all computing devices in general. Most cyber crimes committed in the computer age are a result of the use of a computer or its contents by criminals, either by software injection (worms, Trojans, viruses, spyware, etc., loosely defined as “malware”) or through illegal entry, either remotely or from within. Laptops are particularly subject to these attacks because they are built to communicate as they travel, opening vulnerabilities with every connection. The average corporate laptop will be capable of connecting to wired or wireless (Wi-Fi) networks, through phone lines or cellular technology, and using cables (USB, eSATA, HDMI, etc.) and wireless cable replacements (Bluetooth). They will contain communication software, such as VPN and other gateways, and will probably have numerous stored sets of credentials that allow them to connect to sites and databases to view and extract sensitive information. Since laptops frequently operate outside of the controlled office environment, they are also more susceptible to malware because they are not protected by firewalls and servers filtering data, and are not likely to be as up-to-date on patches as hard-wired machines.

Mitigating the possibility of the laptop being used by outside parties for unauthorized purposes requires an aggregate of the tools previously mentioned, as well as tools to prevent invaders from gaining control by intrusion. Once again, it requires all facets of the SHED principle. The users must obtain and configure the Software and Hardware to protect against the threats they consider most severe. They must also obtain the Education necessary to avoid pitfalls that will allow invaders into their laptop, and must exercise the Discipline necessary to be vigilant in not inviting intruders into the system. Simply put, this involves:

1. Education and Discipline
   a. Keeping the computer away from criminals by not losing it and taking steps to minimize the chances of theft.
   b. Avoiding software intrusion by observing best practices such as not clicking on links or opening attachments from emails, not visiting sites that may be infected, using strong passwords, storing keys apart from the laptop, etc.
   c. Preparing a Protection Plan and following it.
2. Software and Hardware
   a. Protecting data and software with frequent automatic backups, outside storage, and encryption combined with have/know authentication.
   b. Following the Operating System and manufacturer recommendations for update settings, anti-malware/anti-virus software, and firewall settings.
   c. Implementing any outside software necessary to accomplish the goals of the Protection Plan.

Required components for each type of threat will be presented in more detail in the Threat Model/Matrix below.

7. The General Threat Model

Threat               Average Damage                                              Severity  Frequency
Loss of Hardware     Average hardware cost ($700) + configuration and setup,     3         4%
                     approximately $2000. (Wilcox, 2009) (Stokes, 2009)
Loss of Software     $6,000 including installation and configuration.            3         10%
                     (Stokes, 2009)
Loss of Information  $10,000                                                     2         30%
Invasion             $40,000                                                     1         90%

A note on frequency: This is a probability estimate, based on the estimated percentage of the worldwide population of laptops likely to fall prey to the named threat. The loss of hardware estimate is from several articles, which cited experts’ estimates. (Wyld, 2009) The other values are constructed for this example, and actual historical numbers should be inserted for each real-life situation. Before using the threat model to develop a security plan for a person or organization, empirical data from actual experience should be substituted.

A note on pricing: As the cited article discussed (Stokes, 2009), the $50,000 (split between Loss of Information and Invasion) is high because a few of the lost laptops resulted in very large dollar losses, raising the average. Ignoring the large losses because of the extremely low frequency of those events might lead to the false conclusion that no mitigation strategy is cost-justifiable and therefore necessary. Such an approach would increase the vulnerability and make a large loss more likely, while simultaneously increasing the expense of recovering from successful exploitations.


Damage and Severity are based on population-wide averages. When determining the actual threat model for a particular situation, actual values and severity must be determined case by case. For the purpose of this model, severity ratings are as follows: 1=Critical, 2=Serious, 3=Standard, 4=Tolerable.

In order to begin to manage threats, they must be broken down into individual vulnerabilities, which can then be related to a product or strategy for mitigation. The end result provides the cost of mitigating a threat along with the estimate of the price of not doing so, giving decision makers a firm comparison.
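To make that comparison concrete, here is an added worked example (not the paper's own code) that treats the Section 7 table as data: expected loss per laptop is frequency times average damage, threats are ranked by it, a control is judged cost-justified when the expected loss it removes exceeds its cost, and the model is then customized for one situation (Sean's laptop from Section 9.1) as the paper directs. The four threat rows and the $59.95 separation detector price are from the paper; every other mitigation cost, all residual frequencies, and the $500 hardware figure for Sean are constructed assumptions.

```python
"""Worked example of the paper's General Threat Model (added here, not the
author's code).  Expected loss per laptop = frequency x average damage; a
control is cost-justified when the expected loss it removes exceeds its cost.
Threat values come from the Section 7 table; every mitigation cost, residual
frequency and the $500 Sean figure below is a CONSTRUCTED assumption."""
from dataclasses import dataclass, replace

SEVERITY_LABELS = {1: "Critical", 2: "Serious", 3: "Standard", 4: "Tolerable"}


@dataclass(frozen=True)
class Threat:
    name: str
    avg_damage: float   # population-wide average loss, in dollars
    severity: int       # 1=Critical ... 4=Tolerable, as defined in the paper
    frequency: float    # fraction of the laptop population falling prey


# Values from the paper's General Threat Model table (Section 7).
GENERAL_THREAT_MODEL = (
    Threat("Loss of Hardware", 2_000, 3, 0.04),
    Threat("Loss of Software", 6_000, 3, 0.10),
    Threat("Loss of Information", 10_000, 2, 0.30),
    Threat("Invasion", 40_000, 1, 0.90),
)


def expected_loss(threat):
    """Probability-weighted loss per laptop for one threat."""
    return threat.avg_damage * threat.frequency


def total_expected_loss(model):
    """Expected loss per laptop across all threats in the model."""
    return sum(expected_loss(t) for t in model)


def rank_threats(model):
    """Threat names, most expensive first: where the paper says resources go."""
    return [t.name for t in sorted(model, key=expected_loss, reverse=True)]


@dataclass(frozen=True)
class Mitigation:
    threat_name: str
    cost: float                # per laptop, in dollars
    residual_frequency: float  # frequency expected once the control is in place


def compare_mitigations(model, mitigations):
    """For each control: expected loss before and after, its cost, and whether
    the loss avoided exceeds the cost (the 'firm comparison' of Section 7)."""
    by_name = {t.name: t for t in model}
    rows = []
    for m in mitigations:
        t = by_name[m.threat_name]
        before = expected_loss(t)
        after = t.avg_damage * m.residual_frequency
        rows.append({
            "threat": t.name,
            "severity": SEVERITY_LABELS[t.severity],
            "before": before,
            "after": after,
            "cost": m.cost,
            "net_benefit": before - after - m.cost,
            "justified": (before - after) > m.cost,
        })
    return rows


def customize(model, overrides):
    """Substitute situation-specific values, as the paper directs before a
    Security Plan is built.  overrides maps threat name -> field changes."""
    return tuple(replace(t, **overrides.get(t.name, {})) for t in model)


# CONSTRUCTED controls.  The $59.95 separation-detector price is from Section 3;
# the other costs and all residual frequencies are assumptions for illustration.
EXAMPLE_MITIGATIONS = (
    Mitigation("Loss of Hardware", 59.95, 0.01),      # separation detector
    Mitigation("Loss of Information", 100.00, 0.05),  # FDE plus automatic backup
    Mitigation("Invasion", 50.00, 0.45),              # patching, anti-malware, firewall
)

# Sean's laptop (Section 9.1): sub-$500 machine, no information stored on it.
# A $500 hardware loss is a constructed figure; zero Loss-of-Information
# frequency follows from the paper's statement that none will be stored.
SEAN_OVERRIDES = {
    "Loss of Hardware": {"avg_damage": 500},
    "Loss of Information": {"frequency": 0.0},
}

if __name__ == "__main__":
    print(f"Expected loss per laptop: ${total_expected_loss(GENERAL_THREAT_MODEL):,.2f}")
    print("Priority order:", ", ".join(rank_threats(GENERAL_THREAT_MODEL)))
    for r in compare_mitigations(GENERAL_THREAT_MODEL, EXAMPLE_MITIGATIONS):
        print(f"{r['threat']:<20} {r['severity']:<9} before ${r['before']:>9,.2f} "
              f"after ${r['after']:>9,.2f} cost ${r['cost']:>7,.2f} "
              f"net ${r['net_benefit']:>9,.2f} justified={r['justified']}")
    sean = customize(GENERAL_THREAT_MODEL, SEAN_OVERRIDES)
    print(f"Sean's laptop expected loss: ${total_expected_loss(sean):,.2f}")
```

On the paper's own numbers the $59.95 detector clears the bar by only a few cents, which is exactly the kind of marginal case the author warns will be decided wrongly if the rare large losses are dropped from the averages.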

8. Threat Model Detail (condensed)

Threat: Loss of Hardware
  Vulnerability: Loss of laptop through theft or other means.
  Mitigation: Signs, Separation Detectors, Anti-Theft Devices, Tracking Devices

Threat: Loss of Software
  Vulnerability: Loss of software, including the operating system, due to loss of laptop, accident, Malware, or Hardware failure
  Mitigation: Archive, Backup, Registration

Threat: Loss of Information, either temporarily or permanently
  Vulnerability: Loss of data other than software due to lost laptop, Denial-of-Service (DOS) attack, Viruses, Data Leakage, Data Loss, Data Theft, Document malware, Spam
  Mitigation: BitLocker, EFS, RLS, Virtual Desktop, Windows Defender, FDE, BIOS Login, Biometrics, Smart Card, TPM, Encrypted keys, Windows Firewall

Threat: Invasion
  Vulnerability: Unapproved use of the computer through impersonation, spyware, Trojans (bots, backdoors, downloader), Root kits, Worms, Auto run worms, Browser Hijackers, Cookies, Phishing, and hacking.
  Mitigation: Service Hardening, NAP, Group Policies, Security Center, ASLR, DEP, Wireless Security, User Account Control, Anti-Spam, Browser Settings

9. Developing the Security Plan

To design a security plan for a laptop computer or computers, first the threat model is customized for the particular situation to which it will be applied. Then, based on the modified model, a Security Plan is formulated to mitigate the threats by importance. The following are examples of likely security plans based on the Threat Model above:


9.1 Security Plan 1 – Sean’s personal laptop

This laptop is used as a communication device, not for storing any kind of personally identifiable information (Sean also has a desktop computer on which he stores his personal information). The portable is a very inexpensive machine, bought new for less than $500 including the operating system and all of the application software. Sean has added less than $100 in additional communication software to connect to his employer’s network, which is the primary use of his laptop. Sean’s job involves working with extremely sensitive data. Sean’s laptop runs a popularly used Microsoft Windows operating system (see table below). Laptops purchased today at a consumer retail outlet usually come with Windows 7 Home Premium Edition.

Customizing the Threat Model for this situation leaves us with the following conclusions: First, the severity of loss or theft of the computer is very low, since the purchase price is minimal and there are no other complicating considerations like customized hardware or configurations. Further, the “loss of software” risk is very low, and the software could probably be replaced for less than the cost of mitigation. Additionally, the “loss of information” threat is negligible in this case because none will be stored on the computer. The last category is by far the most serious. This laptop is set up to communicate with a network, providing accessibility to extremely sensitive information, and a data breach could trigger fines, notifications, and adverse publicity.

This is a very common situation. The standards, or lack thereof, permit employees to connect their equipment to the network without enforcing the organization’s Security Plan on the employee’s personal hardware and software. While the employer will bear the brunt of the charges for a data breach, which could be millions of dollars, the employee will also encounter fallout from the breach, which may include dismissal and legal action. So, the employee should not dismiss the seriousness of keeping the laptop secure; it should be considered the highest severity.

So what if Sean wants to beef up his system to protect his employer’s sensitive data? Adding another level of complexity is that the operating systems typically found on “home class” machines provide inadequate security. Many of the industrial strength security features provided on Microsoft’s Windows Operating Systems are only available with the “Enterprise” and “Ultimate” versions of Windows Vista and Windows 7.

To begin his Security Plan, Sean estimates the cost of the threats in the Damage column. In the absence of any more specific frequencies, the industry estimates will be used. Multiplying the two gives the expected value. The chart below illustrates the result of the calculations and clearly indicates the expected risk of not mitigating threats by category. It also indicates the amount of money that should not be exceeded in acquiring protection. For example, if Sean spends over twenty dollars to protect his hardware from theft, he will be spending more than he is likely to lose. This security plan shows that protection should be acquired in the first three categories only if it is at little or no cost. Further, Sean would be wise to spend, or ask his employer to pay, as much as necessary to guard against the unauthorized use of his hardware and software, because the risk is great.

Sean found another item that needed to be taken into consideration when preparing a Protection Plan. Sometimes the optimal dollar amount that should be spent on each area of risk has to be adjusted because of outside, unrelated constraints. In this case, he checked with his home insurance company and found that he could include the laptop in his coverage, but that he was required to attach a permanent label to the computer so it could be returned if it was recovered. Sean opted for the coverage and the STOP brand plate ($25), even though it cost in excess of the projected loss amount.


9.2 Sean’s Threat Model

Threat                Damage           Severity   Frequency   Value
Loss of Hardware      Less than $500   3          4%          $20
Loss of Software      $100             4          10%         $10
Loss of Information   $0               4          30%         $0
Invasion              $40,000          1          90%         $36,000

9.3 Sean’s Protection Plan

[Table not recoverable from the extracted text. Its columns were Severity, Importance, Threat, Mitigation, Product and Price; the cell contents survive only as font-encoded characters.]


10. Mythical Organization’s Laptop

Laptops used by employees are all similar in terms of hardware, and have identical software installed, using a disk imaging program. The image includes the Microsoft Windows XP Professional operating system, an application suite consisting of Microsoft Office Professional 2003, some proprietary software used to access internal applications, a VPN client (Virtual Private Network, to connect to the main organization network remotely), an anti-virus client, and software to connect to Oracle and Microsoft databases.

To minimize lost and stolen laptops, Mythical has a very simple policy: the employee must pay for a replacement. This policy, although patently unreasonable, has resulted in few lost or stolen computers. Losing software is also not a concern for Mythical, as they can re-install it from an image in minutes, and their software licenses allow them to install on an unlimited number of machines, so long as their user count remains below a certain threshold. They keep the software up-to-date by loading patches and updates whenever the laptop is connected locally, to keep abreast of new exploits. Other than loading the anti-virus and activating built-in Windows XP protections such as the Windows Firewall and Defender, they have no formal security plan or policy. Mitigation is on an individual basis; when a computer has a problem it is handled by the internal Desktop Support department. If any data breaches or network intrusions occurred in the past, management would probably remain unaware, since there is no formal method for monitoring or reporting them. Prompted by auditors and complaints from customers suspicious that Mythical is the source of information used by someone to steal their identities, the company has decided to formulate a Security Plan, beginning with their laptops.

The first two threats, stolen hardware and software, are of no concern to Mythical, because employees pay for missing hardware and the software is simply reinstalled. Since Windows XP does not include a Full Disk Encryption (FDE) facility like BitLocker, and third party implementations are costly, Mythical decides to deal with the possibility of stolen data, the third threat, by sending an edict to all mobile workers ordering them never to store corporate data on laptops.


The last threat, surreptitious use of computers and data, is now the only concern for the organization. They have decided to mitigate it by “hardening” Windows XP: maximizing the built-in security functions of the operating system and adding 3rd party solutions for any threat not handled by Windows. To harden Windows XP, Mythical’s security officer developed policies for password complexity and change frequency, as well as other standard security and Windows Firewall settings, and implemented them by using network Group Policies. This updates the settings every time the mobile computers log onto the main network.

Since computer hijacking is often accomplished by the use of a virus, spyware, or malware, Mythical uses McAfee VirusScan Enterprise software, at about $12 per machine, to protect against those threats. For protection against worms and Trojans, other popular methods of taking unauthorized control of laptops, Windows Defender will be installed and configured. Windows Defender is included free with Windows XP Service Packs 2 and 3. However, Defender is not an “Enterprise Class” malware product with centralized control, reporting, and administration, so each machine must be configured and patched independently. The built-in centralized update and group policy systems help with configuring and patching Windows Defender on individual computers, but the lack of a centralized reporting system will keep the administrators in the dark about widespread problems on the network.

10.1 Mythical Organization’s Threat Model

Threat                Damage     Severity   Frequency   Value
Loss of Hardware      $12,000    4          10%         $1000
Loss of Software      $27,500    4          0%          $0
Loss of Information   $12,000    4          10%         $1000
Invasion              $40,000    1          20%         $8,000

Mythical’s Security Officer used actual figures in the Threat Model for the loss of hardware, software, and information. In the previous year, 12 laptops out of 120 were lost or stolen, which would have resulted in a cost of $12,000, but the employees are forced to bear that burden. They had no attached software losses because the terms of their license agreements allowed them to copy the software to the replacement machine at no charge. Mythical had some problems with worms and viruses, as well as accidental deletions, disk crashes, etc., that resulted in data losses. As estimated by the auditors, recovery cost an average of $1,000 per machine. The data losses occurred on roughly 10% of their machines, but since Mythical kept no records of possible misuse of computers or information, they are estimating the cost based on other companies in their industry. Since the Threat Model results are apportioned over all 120 of Mythical’s machines, the only area they will be spending money to mitigate will be the Invasion one, at about $70 per machine ($8,000/120 = $66.67), since the risk value of $8.33 ($1,000/120) is not enough to purchase any useful protection, even if the severity were not 4 (Tolerable). If future trends indicate that losses will increase, the budget should be increased and the protection expanded in the areas causing the losses.
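The Threat Model arithmetic used for both Sean’s laptop and Mythical’s fleet (Value = Damage × Frequency, Value as the cap on what to spend on mitigation, and apportionment of a fleet-wide value over every machine), as an added example that is not part of the original paper. The figures are the ones in the two tables above; the class, function and constant names are the example’s own.

```python
"""Threat Model arithmetic as used in the paper: Value = Damage x Frequency,
Value as the cap on mitigation spend, and apportionment over a fleet.
Added example; figures are the paper's, names are the example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity scale defined in the paper's Threat Model.
SEVERITY = {1: "Critical", 2: "Serious", 3: "Standard", 4: "Tolerable"}


@dataclass(frozen=True)
class Threat:
    name: str
    damage: float     # Damage column: dollars lost if the threat materialises
    severity: int     # 1=Critical, 2=Serious, 3=Standard, 4=Tolerable
    frequency: float  # Frequency column as a fraction (4% -> 0.04)

    def expected_value(self) -> float:
        """Value column: the average loss, hence the most it is rational
        to spend on mitigating this threat."""
        if not 0.0 <= self.frequency <= 1.0:
            raise ValueError(f"{self.name}: frequency must be between 0 and 1")
        return round(self.damage * self.frequency, 2)


def value_table(threats: List[Threat]) -> Dict[str, float]:
    """Compute the Value column for a customised Threat Model."""
    return {t.name: t.expected_value() for t in threats}


def spending_priority(threats: List[Threat]) -> List[str]:
    """Where the money should go: largest expected loss first, with the
    severity rating (1 before 4) breaking ties."""
    ranked = sorted(threats, key=lambda t: (-t.expected_value(), t.severity))
    return [t.name for t in ranked]


def per_machine_budget(fleet_value: float, machines: int) -> float:
    """Apportion a fleet-wide expected loss over every laptop in the fleet."""
    if machines <= 0:
        raise ValueError("fleet must contain at least one machine")
    return round(fleet_value / machines, 2)


def mitigation_verdict(threat: Threat, cost: float,
                       external_constraint: Optional[str] = None) -> str:
    """The paper's rule: do not spend more than the expected loss, unless an
    outside, unrelated constraint (an insurer's condition, say) forces it."""
    budget = threat.expected_value()
    if cost <= budget:
        return "fund"
    if external_constraint:
        return f"fund (exceeds ${budget:.2f} budget; required by {external_constraint})"
    return f"reject (cost ${cost:.2f} exceeds expected loss ${budget:.2f})"


# Sean's personal laptop, section 9.2 of the paper.
SEAN = [
    Threat("Loss of Hardware", 500, 3, 0.04),
    Threat("Loss of Software", 100, 4, 0.10),
    Threat("Loss of Information", 0, 4, 0.30),
    Threat("Invasion", 40_000, 1, 0.90),
]

# Mythical Organization's Invasion row, section 10.1, spread over 120 laptops.
MYTHICAL_INVASION = Threat("Invasion", 40_000, 1, 0.20)
MYTHICAL_FLEET = 120


def render_chart(threats: List[Threat]) -> str:
    """Plain-text chart in the layout of the paper's Threat Model tables."""
    lines = [f"{'Threat':<20} {'Damage':>9} {'Severity':<9} {'Freq':>5} {'Value':>10}"]
    for t in threats:
        lines.append(f"{t.name:<20} ${t.damage:>8,.0f} {SEVERITY[t.severity]:<9} "
                     f"{t.frequency:>5.0%} ${t.expected_value():>9,.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chart(SEAN))
    # Sean's insurer requires a $25 STOP plate although hardware risk is only $20.
    print(mitigation_verdict(SEAN[0], 25.00, external_constraint="home insurance"))
    # Mythical: the $8,000 Invasion value and the paper's $1,000 information-loss
    # value, each apportioned over the 120-laptop fleet.
    print(per_machine_budget(MYTHICAL_INVASION.expected_value(), MYTHICAL_FLEET),
          per_machine_budget(1_000, MYTHICAL_FLEET))
```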

10.2 Baseline Security Plan

It is very important that the person entrusted with the design of the Protection Plan establish a baseline before applying the Threat Model. Since the Threat Model in the Mythical case is based on actual losses under the existing security profile, that profile should serve as the baseline. If the cost of the baseline is already in excess of the amounts determined in the Threat Model, the security planner could consider eliminating some protections if they appear not to be effective at preventing losses.


10.3 Mythical Organization’s Protection Plan

[Table not recoverable from the extracted text. Its columns were Severity, Importance, Threat, Mitigation, Product and Price; the cell contents survive only as font-encoded characters.]


11. Security Best Practices

“Best practices” is just another way of saying “Do what works”. In the computer security arena, a lot of what are called best practices is artifice, designed to give security managers the right to say “I told you so”. Edicts like “never click on links in emails” or “never visit a web page you don’t know” are largely ignored by everyone. To follow that advice, while undisputedly prudent, would remove most of the benefits of progress in the last 30 years. Can you imagine not clicking on links in emails and websites? Google would be out of business.

What is actually called for is to configure protected machines to mitigate every risk using the most effective means possible. For example, most anti-spam programs move questionable emails into a “junk” folder, where the links are deactivated. Users can still click on the links by moving the emails back into the inbox, but to do so they would have to consciously evaluate what they are doing. This is the way to implement “best practices”, which is, in itself, a best practice that has evolved over time. Best practices are better coded and implemented automatically rather than putting the responsibility on users. In Windows, baseline security can be set through Group Policies, with configuration support for the OS, Internet Browser, and hardware type using the Security Compliance Manager, a free download. Server side tools, such as Web filters and Internet security products, can also enforce best practices by not allowing links to sites known to be dangerous.

12. Basic Settings (Policies)

The first step in protecting laptops is to set up the machines using as many of the built-in security features as are relevant. Most of these features are listed in the Master Security Plan below with a price tag of $0.00. Default configurations should never be trusted. The person in charge of security, whether it is an individual with his first computer or a Chief Technology Officer setting standards for thousands of computers, should go through each step in the setup and err on the side of caution. This is an area where the iterative, agile approach works best. The configurations of the laptop fleet will be continuously changing, because the threats are fluid and evolving. User requirements are dynamic, software is being modified and new features are being added. All of these things affect the protection plan of the laptops and desktops, so the procedures must be dynamic and adjusted as necessary. Sometimes it is a matter of changing settings; other times threat mitigations are no longer needed, or new ones are required.

Most laptops operate in two (or more) worlds, either connected to the home network or out in the wild, connected to the Internet. In most organizations, the security settings are controlled and updated by script injection or a similar process when the laptop is connected to the home net. In some cases, all of the settings are locked down and cannot be changed, even when the device is no longer connected. Windows accounts for this by allowing different profiles, with settings appropriate for each state of operation. For example, the Windows Firewall should be redundant when connected to the home network, so it will probably be turned off. It should reactivate when the computer detects that it is no longer connected to the home net, and should be pre-set to both prohibit and allow connections. For instance, a user will probably not be able to start VPN software while on the home net because it is not needed, and will not be able to use network printers when outside the office. While in either environment, however, the configurations should attempt to follow the same Security Plan design, implemented differently.

13. Evaluating the protected laptop

Thieves are going to ridiculous extremes to break into computer systems. Fortunately, the manufacturers are keeping pace. A good example of this is the following description from a Microsoft TechNet blog of how Microsoft is hardening some parts of the operating system they consider vulnerable to attack:

“Over the past few months we have discussed a few different defense in depth mitigations (like GS [pt 1, pt2], SEHOP, and DEP [pt 1, pt 2]) which are designed to make it harder for attackers to successfully exploit memory safety vulnerabilities in software. In addition to the mitigations that we’ve discussed so far, a significant amount of effort has gone into hardening the Windows heap manager in order to complicate the exploitation of heap-based memory corruption vulnerabilities.” ("swiblog", 2009)

Obviously, the average individual or company would be helpless in the face of the types of attacks described in the previous passage. In order to continue to defend against the continuous escalations, computer owners need to use the advances being made by software and hardware vendors by continuously loading updates as they become available. This is not limited to the operating system, but all of the software on the machine. The more popular an application is, the more likely a flaw will be found and exploited by the criminal element. There is little chance that any Protection Plan, no matter how meticulously crafted, will be successful if software is not current. Virus programs depend on the latest signatures to be able to detect the latest viruses; other software is “patched” when problems are found. Unlike most actions being taken, these patches and updates are being made because real attacks have occurred and real solutions have been found, so there is a far greater urgency. Fortunately, most of today’s software will patch itself semi- or fully automatically, and personal and enterprise software exists to constantly scan and monitor the patch levels of all installed software. Large organizations have programs to force the latest versions of software out to all connected machines on the network. Laptops that are not constantly connected to the home network need to monitor and load critical updates on their own. Some companies make a big production out of testing Microsoft, Apple, Intel, and other hardware manufacturers’ patches in test areas before moving them to production, using the rationale that installing them without testing them first is bad security. This may be true when referring to normal software vendors, but in the case of security and operating system software, time is of the essence, and delaying a patch for testing may result in catastrophic exposure.

Again, it is important to emphasize that patches to security systems and the OS may be distributed in response to an actual damaging event, and delay may be costly. When actual problems occur with security updates, such as the recent widely reported problems with McAfee and Trend Micro antivirus software, they are quickly fixed and probably would not have been detected by the types of tests conducted by the average organization.

Eliminating “patch lag” as the cause of any vulnerabilities leaves the Protection Plan evaluation much more subjective. Much of the damage done by malware, spyware, hackers, and all other forms of malicious or accidental attacks is difficult to recognize and attribute. As always, the first goal is to avoid the catastrophic event: whole networks shutting down, all email being lost, thousands of customer records stolen. The Protection Plan determines what is most important to the individual or enterprise and allocates the available resources to “defense in depth” directed to those areas. The plan provides the yardstick to measure the changing goals of security on one hand, and the changing threat picture on the other hand, while providing a format to modify the strategy to continue to provide the most efficient and effective prevention and mitigation possible.

An operating system is just another form of software, so the Protection Plan points to an OS to some extent, based on the threats that are most severe in a situation. For example, if Full Disk Encryption (FDE) is very important, the person making the decision will need to weigh the comparative advantages of adding 3rd party software to Windows XP or buying one of the premium editions of Windows 7 that include BitLocker (Enterprise and Ultimate editions). The Windows 7 solution will probably be more expensive in terms of immediate expense, but since the older version is practically obsolete and an upgrade is inevitable, it may be more economical in the long run to go with the current version.

13.1 Linux and Macintosh

Conversely, many organizations may be tempted to move to Macintosh or Linux computers, based on advertising and articles (Elmer-DeWitt, 2009) that say there are no viruses on those operating systems. While that statement may or may not be true (Landesman), there are still two things to remember: First, there is malware that attacks both platforms (Corrons, 2010) (Barr, 2008), which can be far more destructive than viruses, and secondly, files and emails passing through Mac and Linux machines can still host viruses that may be passed on to the far more numerous Windows boxes with which they will be communicating. In order to avoid being blacklisted as a source of malware and viruses, Mac and Linux users may find it necessary to install antivirus software to protect their customers and associates. Also, Linux and Macintosh laptops represent a small market (see Figure 1), which makes them an unlikely target for cyber attacks, but at the same time discourages vendors from building hardware and software for them, which means there are fewer programs available to detect attacks on those platforms. So, it is just as critical that patches be acquired and applied to Mac and Linux laptops as to Windows-based machines.


14. Conclusions

The most important facet of protecting laptops is to understand the goals. Carefully building a Threat Model brings the goals into focus by selecting the assets to be protected and assigning an importance to each one in terms of the expected risk exposure of not protecting them. This concentrates limited resources on the critical areas. The information is transferred to the Master Protection Plan to select the most effective methods to achieve the goal. Next, the custom Protection Plan is implemented by installing products and configuring components. Lastly, the protected assets must be monitored and the plan adjusted to keep abreast of changing goals and new threats. Creating several Protection Plans for different configurations or operating systems is a useful tool for evaluating future strategy for the individual or organization.

A comparison of the 3 Windows operating systems demonstrates a clear security superiority of the most recent versions, Windows Vista and Windows 7, over the nearly 10 year old Windows XP. However, in spite of that fact, nearly two thirds of all Windows computers are still using the older OS (see Figure 1), though web use indicates both of the older systems are dropping in favor of Windows 7 and mobile operating systems (Keizer, 2010). Even with the security enhancements in Service Pack 3, Windows XP is vulnerable in many areas important for laptops, such as its exclusion from NAP and ASLR, its antiquated IP stack, lack of Full Disk Encryption (FDE), etc. Another consideration is that, even though the same software appears to run on all 3 platforms, versions running on the newer systems take advantage of advanced development and security features, and are improved over the Windows XP versions.

The differences between the two later Microsoft systems are far more subtle and in most cases may not represent a compelling argument for upgrade, at least from a security perspective, depending, of course, on the cost to upgrade. Significant new features in Windows 7 include BitLocker to Go™, AppLocker™, DirectAccess, and USB Device Control (MacDonald, 2010).

Comparing Protection Plans between Windows, Mac, and Linux systems does not present a clear advantage for a particular platform. Unfortunately, platform decisions are usually determined by application requirements, which frequently limit the selection to a single platform. When protecting the system from hijacking by intruders is the most important threat, as in the two examples above, none of the three recent systems has a clear advantage at the operating system level. Since hardening the system against surreptitious entry and use is largely determined by hardware, configurations, environment, and added software, the decision depends on the selection of other components. For instance, if the laptop must access Windows Servers and applications, using a Mac or Linux box may be possible, but so difficult as to be unjustifiable in regards to expense and effort. On the other hand, for a machine to be used for Internet access and other personal activities for which software availability is not an issue, Linux or Mac boxes may be preferable simply due to their lower exposure to widespread threats because of lower market share.

Regardless of which platform is in use, it is important to establish a Protection Plan and set it up to be as automatic as possible, with the baseline components being automatic backups, real-time automatic installation of updates and patches, and encryption of sensitive data with strong authentication. The backups mitigate the loss of hardware, software, and data with extreme effectiveness. While depending on updates and patches requires an uncomfortable reliance on vendors, there is little alternative short of writing your own operating system and applications. Lastly, if sensitive personal or organizational data must be stored on the laptop or peripheral devices, some form of Full Disk Encryption (FDE) is an absolute requirement, with either the BitLocker available on the high end versions of Windows Vista/7 or a third party product. Strong authentication goes hand-in-hand with encryption, so in order to be effective, two stage (what you have/what you know) authentication is a must.


15. References "swiblog". (2009, August 4). Preventing the exploitation of user mode heap corruption vulnerabilities - Security Research and Defense. Retrieved May 25, 2010, from Security Research and Defense: http://blogs.technet.com/b/srd/archive/2009/08/04/preventing-theexploitation-of-user-mode-heap-corruption-vulnerabilities.aspx Barr, J. (2008, March 11). Linux.com :: Good malware hunting for Linux. Retrieved May 28, 2010, from linux.com: http://www.linux.com/archive/feature/128450 Chickowski, E. (2010, 05 05). Security: What a Data Breach Really Costs. Retrieved 05 09, 2010, from Channel Insider: http://www.channelinsider.com/c/a/Security/What-a-DataBreach-Really-Costs-494704/?kc=CITCIEMNL05062010STR1 Corrons, L. (2010, March 25). Mac Malware - fact or fiction? Retrieved May 28, 2010, from Pandalabs: http://pandalabs.pandasecurity.com/mac-malware-fact-or-fiction/ Crothers, B. (2009, November 24). Major Intel chip upgrade coming to new Netbooks | Nanotech - The Circuits Blog - CNET News. Retrieved May 22, 2010, from CNET "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! News: http://news.cnet.com/8301-13924_3-10403768-64.html Elmer-DeWitt, P. (2009, September 2). Why are ther no Mac viruses? - Apple 2.0. Retrieved May 28, 2010, from Fortune Tech at CNNMoney.com: http://tech.fortune.cnn.com/2009/09/02/why-are-there-no-mac-viruses/ Gartner, Inc. (2010, May 25). Gartner Says Worldwide Mobile PC Shipments Grew 43 Percent in First Quarter of 2010. Retrieved May 26, 2010, from Gartner Newsroom: http://www.gartner.com/it/page.jsp?id=1374913 govtrack.us. (2009, January 6). Read the Bill: S.139. Retrieved May 22, 2010, from Govtrack.us: http://www.govtrack.us/congress/billtext.xpd?bill=s111-139 Holman, J. (2010, May 21). Cyber crime revenues now exceeding those associated with drug trafficking . 
Retrieved May 22, 2010, from Creamer Media's Engineering News Computer Security a Concern in 2010: http://www.engineeringnews.co.za/article/itsecurity-a-concern-in-2010-2010-05-21 Gregory F. Hill, [email protected] © 2010 The SANS Institute

As part of the Information Security Reading Room

Author retains full rights.


Appendix A – Glossary and Definitions

3rd party and Windows (software) Firewalls – Firewalls generally block certain inbound traffic, either by analyzing network traffic or by blocking logical TCP and UDP ports. The Windows XP Firewall only blocked inbound traffic, while newer Windows Firewalls block traffic in both directions, providing a method to stop users or software from exporting data for illegal purposes.

3rd Party Tracking Software – Software that is activated when a computer is reported stolen. It will report the location of the user and in some cases take screen shots and activate web cameras.

Address Space Layout Randomizer (ASLR) – A method for loading programs and their associated memory at different places each time they are invoked, foiling certain types of remote attacks. Originated in Unix systems.

Anti-Spam – Software that analyzes incoming email and moves items that likely contain some form of malware, virus, phishing or spyware to a “junk” folder, while removing or deactivating any dangerous software or links.

AppLocker™ – New Windows 7 feature that enables a white list to control what applications may run on a system.

Automatic Backup Software – Software that constantly backs up a system using shadow copy, so that even files that are in use are copied and a nearly complete copy always exists.

BitLocker to Go™ – Windows 7 addition to BitLocker that allows encrypting removable drives that can be opened on Windows Vista and Windows XP (read only) computers.

BitLocker® – Microsoft’s version of FDE software, which uses the TPM chip found on many laptops, or thumb drives, to hold keys. Available on Enterprise and Ultimate versions of Windows Vista and Windows 7.

Commercial Antivirus or Suite – 3rd party antivirus programs and security suites with various feature sets and methods for protecting against and removing malware. Most are “black list” style, though recently white list technology is becoming popular.

Commercial Malware Prod. or Suite – Anti-malware software is available by itself, but is usually bundled with anti-virus software or security suites.

Defcon 1 – Usually combined with a Kensington-type lock, the Defcon provides a motion detector and a loud alarm to discourage thieves. Manufactured by Targus, this is an anti-theft device.

DEP – Data Execution Prevention: a protection against memory injection attacks, which operates by checking areas of memory that have been marked by the hardware as non-executable and preventing code from executing there. Safe Unlinking in Windows 7 is a similar system, only operating at the OS level. DEP has been incorporated into Windows since Windows XP Service Pack 2 (SP2), but has been improved in each subsequent version.

Desktop Virtualization Product – Remote users log into virtual desktops rather than actual computers, limiting invaders’ access to hardware and network resources. One disadvantage is that remote users must be connected to the network in order to do any work.

Encrypted File System (EFS) – Facility in all versions of Windows that allows users to encrypt folders using their login credentials. Not very secure, because anyone who can log into an account can see the encrypted data.

Group Policies or Group Policy Objects (GPO) – Operating system settings that can be automated in the same fashion as startup scripts in all current Windows versions. Windows Vista and 7 have far more security-related settings, though Windows XP settings have been increased in SP2 and SP3.

Internet Explorer and other browsers – Internet Explorer version 6 shipped with Windows XP and suffered from a lack of security features and code that was exploited. Versions 7 and 8 have largely remedied the problems in 6, but the door was open for better browsers, and Firefox, Opera, Chrome, and Safari came through with better features and greater security. Important features are popup blockers, script and plug-in security, authorization improvements, and certificate and Transport Level security.

Kensington Locks – Anti-theft cable locks designed to fit a socket found in most laptops. Provides a deterrent for casual thieves, because pulling the cable out causes damage that indicates the computer is stolen and reduces hardware resale value.

LockItNow! Bluetooth/handheld – Same principle as the Tag Alert, except a laptop is connected to a cell phone or music player wirelessly using Bluetooth. When the two devices get too far apart, the computer locks and cannot be used.

Network Access Protection (NAP) – Client for Network Access Control (NAC), implemented on Windows Server 2008 R2. Available on Windows XP SP3 and all business and enterprise versions of Windows Vista and Windows 7. Although the Windows version is not as full-featured as 3rd party implementations, it does a good job of analyzing the health of computers trying to log into the network, refusing any that may have malware, viruses, or incompatible or dangerous software.

Online Licensing – Software that is purchased online and downloaded. The registration information is stored by the vendor and the software can be reloaded free if it is lost or stolen.

PGP Whole Disk Encryption – A third party Full Disk Encryption (FDE) program that encrypts entire hard drives and removable volumes like jump drives and portable disks using PKI infrastructure.

Remote Laptop Security (RLS) – 3rd party tool that requires the user to authenticate at a web site every time the computer is used. If authentication fails, the computer can’t be used because system files are encrypted.

Security Best Practices – The long list of items that most users largely ignore, but have beaten into their heads repeatedly, such as never click on links in emails, never open attachments, do not store passwords in documents, etc. Many of these can now be enforced through Group Policy Objects (GPO) in Windows 7.

Security Essentials – Microsoft’s free anti-virus software, available as a free download for all Windows versions.

Separation Detectors – Two devices, at least one of which is capable of calculating the distance between itself and the other device. When a pre-set separation distance is exceeded, one or both of the devices will either sound an alarm or trigger another event, such as locking a protected computer.

SHED – Software, Hardware, Education, and Discipline, the keys to effective security.

Software License Tracking – Program that keeps track of all licensed software to eliminate loss in case the originally installed software must be reinstalled due to loss.

STOP Security Plates – Inexpensive adhesive labels that are registered with the manufacturer and contain security features that make them difficult to remove cleanly. Serial numbers facilitate the return of the item.

Tag Alert/Proprietary – A separation detector system which involves two devices, one of which is stuck to the laptop and the other attached to a cell phone or wallet. When the two tags are more than a preset distance apart, an alarm sounds.

Trusted Platform Module (TPM) – The TPM is a chip on the motherboard of some laptops that stores keys, passwords, and certificates in encrypted form. The TPM chip increases the security of BitLocker encryption by making more secure encryption schemes available, along with the certainty that an encrypted disk cannot be read if removed from the machine. The disk also cannot be read if the TPM is tampered with.

User Account Control (UAC) – Designed to remedy the necessity of giving Administrator privileges to normal users in Windows XP. This function automatically reduces the permissions granted to all users to the least required, with the ability to assume administrator privileges as necessary. Invaders inherit the rights of the session they hijack, so lower is better.

White List – The opposite of a black list. A white list, for example the ones used by AppLocker and Microsoft Outlook, lists permitted applications or email senders, respectively. Most antivirus software employs a black list that uses a repository of signatures of viruses that are not allowed to execute on the protected system. Some antivirus/anti-malware vendors, such as Bit9, are now employing a white list.

Windows Backup – Lightweight backup program included in all versions of Windows that is effective enough for copying software and reinstalling it in the event of loss or failure.

Windows Defender – Anti-malware program provided with most versions of Windows and available as a free download with others.

Wireless Best Practices/Software – Common sense for setting up wireless networks, such as always using the highest security possible (WPA2), adjusting antennas so “war drivers” cannot detect the signal from nearby streets, and avoiding broadcasting the network name if possible.
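The glossary's firewall entry draws a distinction between an inbound-only filter (the Windows XP firewall) and a bidirectional one (newer Windows firewalls) that can also stop software from sending data out. The following toy packet filter, an added example that is not part of the paper or of any Windows component, makes that difference concrete: both policies block an unsolicited inbound connection, but only the bidirectional policy stops an unapproved program's outbound connection. The rule structure, port numbers and program names are constructed for illustration.

```python
"""
Added example (not from the SANS paper): a toy first-match packet filter that
contrasts an inbound-only policy with a bidirectional, per-program policy.
All hosts, ports and program names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" or "out"
    proto: str                     # "tcp" or "udp"
    port: int                      # local port for "in", remote port for "out"
    action: str                    # "allow" or "block"
    program: Optional[str] = None  # restrict the rule to one program; None = any


@dataclass(frozen=True)
class Connection:
    direction: str
    proto: str
    port: int
    program: str


class Firewall:
    """First matching rule wins; otherwise the per-direction default applies."""

    def __init__(self, rules: List[Rule], default_in: str, default_out: str):
        self.rules = rules
        self.defaults = {"in": default_in, "out": default_out}

    def decide(self, conn: Connection) -> str:
        for r in self.rules:
            if (r.direction == conn.direction and r.proto == conn.proto
                    and r.port == conn.port
                    and (r.program is None or r.program == conn.program)):
                return r.action
        return self.defaults[conn.direction]


# Inbound-only policy: inbound is blocked unless a rule opens it; outbound is
# never inspected, so any program may send data out.
XP_STYLE = Firewall(
    rules=[Rule("in", "tcp", 3389, "allow")],   # remote desktop left reachable
    default_in="block",
    default_out="allow",
)

# Bidirectional policy: outbound is also blocked by default and opened only for
# the programs and ports that are expected to talk to the network.
BIDIRECTIONAL = Firewall(
    rules=[
        Rule("in", "tcp", 3389, "allow"),
        Rule("out", "tcp", 443, "allow", program="browser.exe"),
        Rule("out", "udp", 53, "allow"),        # name resolution for any program
    ],
    default_in="block",
    default_out="block",
)

# Constructed sample traffic (not captured from a real host).
SAMPLE = [
    Connection("in", "tcp", 445, "system"),             # unsolicited SMB from outside
    Connection("in", "tcp", 3389, "system"),            # remote desktop
    Connection("out", "tcp", 443, "browser.exe"),       # normal browsing
    Connection("out", "tcp", 443, "unknown-tool.exe"),  # unapproved program sending data out
    Connection("out", "udp", 53, "browser.exe"),        # DNS lookup
]


def evaluate(fw: Firewall, conns: List[Connection]) -> List[str]:
    """Return the firewall's verdict for each connection, in order."""
    return [fw.decide(c) for c in conns]


if __name__ == "__main__":
    for name, fw in (("inbound-only", XP_STYLE), ("bidirectional", BIDIRECTIONAL)):
        print(f"{name:14s}", evaluate(fw, SAMPLE))
```

The fourth sample connection is the one the glossary has in mind: under the inbound-only policy it passes because outbound traffic is never examined, while the bidirectional policy blocks it because no rule names that program. Real host firewalls add state tracking and rule precedence that this toy omits.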
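The AppLocker and White List entries above contrast signature-based black lists (most antivirus products) with hash-based white lists of permitted applications. The example below is added here and is not code from the paper, from AppLocker or from any antivirus vendor; it models both approaches over four constructed "executables" (byte strings, with a byte pattern standing in for a virus signature) and shows the point of the white list: a never-seen binary and a tampered copy of an approved program are both blocked, even though no signature exists for them. SHA-256 is used for the allow-list hash as an assumption of this example.

```python
"""
Added example (not from the SANS paper): a signature "black list" beside a
hash-based application "white list".  The executables, the signature and the
approved hash are all constructed for illustration.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; the white list is keyed on this value."""
    return hashlib.sha256(data).hexdigest()


class BlackList:
    """Blocks only what matches a known-bad signature; everything else runs."""

    def __init__(self, signatures: List[bytes]):
        self.signatures = signatures

    def decide(self, contents: bytes) -> str:
        return "block" if any(sig in contents for sig in self.signatures) else "allow"


class WhiteList:
    """Runs only executables whose hash was approved in advance; all else is blocked."""

    def __init__(self, approved_hashes: Set[str]):
        self.approved = approved_hashes

    def decide(self, contents: bytes) -> str:
        return "allow" if sha256_hex(contents) in self.approved else "block"


# Constructed executables: byte strings stand in for real files.
APPROVED_APP = b"MZ...approved-line-of-business-app-v1..."
KNOWN_MALWARE = b"MZ...EVIL_SIGNATURE_0xDEAD..."        # matches the signature below
NEW_UNKNOWN = b"MZ...never-seen-before-binary..."       # no signature exists yet
TAMPERED_APP = APPROVED_APP + b"...injected..."         # approved app with bytes appended

SAMPLES: Dict[str, bytes] = {
    "approved": APPROVED_APP,
    "known_malware": KNOWN_MALWARE,
    "new_unknown": NEW_UNKNOWN,
    "tampered": TAMPERED_APP,
}

# The black list knows one signature; the white list knows one approved hash.
black = BlackList(signatures=[b"EVIL_SIGNATURE_0xDEAD"])
white = WhiteList(approved_hashes={sha256_hex(APPROVED_APP)})


def compare(samples: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Return {name: {"blacklist": verdict, "whitelist": verdict}} for each sample."""
    return {
        name: {"blacklist": black.decide(data), "whitelist": white.decide(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(f"{name:14s} blacklist={verdicts['blacklist']:5s} "
              f"whitelist={verdicts['whitelist']}")
```

The trade-off the glossary hints at is visible in the output: the black list is transparent to users (anything unrecognised runs) but silent on the two samples it has never seen, while the white list blocks them at the cost of having to approve every legitimate program and re-approve it after each update, since any change to the file changes its hash.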
