Jun 7, 2010 - Do Linux and Apple systems .... âSecurity remains a key IT challenge and the focus is on business contin
Interested in learning more about security?
SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Protecting Laptop Computers Both individuals and organizations may suffer serious losses measured in dollars, time and reputation when laptop computers are stolen, lost, broken or hijacked. While it would be impossible, not to mention expensive, to anticipate and thwart every possible risk, by taking a systematic approach, the vast majority of them can be avoided. The first step is to "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! build a Threat Model to identify the dangers, estimate their costs,...
AD
Copyright SANS Institute Author Retains Full Rights
Protecting Laptop Computers GIAC (GSEC) Gold Certification Author: Gregory F. Hill, [email protected] Advisor: Egan Hadsell
Accepted: June 7, 2010
Abstract Both individuals and organizations may suffer serious losses measured in dollars, time and reputation when laptop computers are stolen, lost, broken or hijacked. While it would be impossible, not to mention expensive, to anticipate and thwart every possible risk, by taking a systematic approach, the vast majority of them can be avoided. The first step is to "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! build a Threat Model to identify the dangers, estimate their costs, and determine the likelihood of their occurrence. A cross-platform, all purpose Protection Plan can be built based on the Threat Model, ready to customize for any situation, using the five most common OSes, Microsoft® Windows XP®, Windows Vista®, Windows 7®, Apple® Mac OS® X and Linux. Which operating system has the best overall security in the context of the Protection Plan? Which high-security configuration is the easiest to build? Do Linux and Apple systems provide superior security? These questions and more will be answered.
1. Introduction There are three general categories of mobile computing devices: x
The first category, “handhelds”, consists of smart phones, Personal Digital Assistants (PDAs), eBook readers, and tablets. These devices are technically computers, but are primarily designed for other uses. Presently, they do not pose as serious a threat to individuals and organizations as do full-featured portable computers (laptops), mostly due to their lack of homogeneity – there are too many different kinds with too many different types of software to be attacked on a large scale. However, as these devices become more powerful, with increased storage, effective network connectivity, and adapt more robust and consistent operating systems, they will approach the same threat profile as traditional laptops. Indications of this evolution are the iPad®, Palm® Pre™, Android and Windows® Phones, which already provide a substantial subset of laptop capabilities and are beginning to push less popular configurations out of the marketplace.
x
The second group, “netbooks” are cheaper, smaller, and typically provide less computing power and storage than laptops. They are primarily communication machines, designed "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! to be the portable equivalent of the “thin client” on the desktop. Netbooks (and thin clients) usually depend on a web browser as their operating system, such as Microsoft Internet Explorer® or Google Chrome, or light versions of mainstream operating systems such as Linux and Windows. Consequently, they also pose less of a threat to the individual or organization when they are lost or stolen. However, like the first class of devices above, netbooks are undergoing the same sort of capacity creep, propelling them toward the same capabilities as the final category, the laptop. (Crothers, 2009)
x
“Laptops” are essentially portable versions of the ubiquitous desktop computer. To grow in acceptance among users, laptops overcame deficiencies in storage, display, and computing power initially caused by the necessity that they be portable. Modern versions are frequently “desktop equivalents” possessing all of the power, speed, storage, and display capability of the average sedentary office machine. With the economical availability of wireless connections and the Internet, they are also communication centers, capable of supporting a variety of video content from television Gregory F. Hill, [email protected]
to movies, as well as providing a convenient device for browsing the web, checking email, making audio and video phone calls, keeping up with social sites like Twitter, FaceBook, MySpace, LinkedIn, etc., along with a wide variety of business activities including logging in remotely to the corporate network. A recent Gartner press release estimated that there are 500 million laptops currently in use, worldwide. (Gartner, Inc., 2010) Of the three categories of portable devices, the subject of this paper, laptops, present the greatest vulnerability not only because they have far greater capacity, complexity, and power, but because they are more clearly defined and homogenous, both in terms of hardware and software. Whereas handhelds have a large number of operating systems with no clear leader, most laptops use one of three brands of operating systems, with the clear leader being Microsoft with over 90% penetration (see table below). Operating Systems Total Market Share, from NetMarketShare as of May 15, 2010. Operating System
Market Share
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! Windows XP 63.41% Windows Vista
15.60%
Windows 7
11.68%
Mac OS X
4.42%
Linux
1.05%
Other
3.84%
Figure 1 - OS Market Share from NetMarketShare
The numbers of laptops in use are also far more than the other two types of mobile devices, making them the biggest target. IDC (International Data Corporation, a market research firm) predicts that by 2013, mobile workers will comprise nearly 35% of the workforce, or 1.19 billion employees, up from 919.4 million in 2008. (Ryan, 2009) However, although the focus of this paper is laptops, many of the threats and solutions presented are also valid for handhelds and netbooks.
Attempts to exploit computers have grown exponentially and are predicted to continue because it is a highly profitable venture. In fact, there is so much money being made that according to an article in Engineering News, revenue exceeds that of drug trafficking: “Cyber crime revenues are already exceeding those of drug trafficking and the threats are increasing along with the number of devices accessing networks, International Data Corporation (IDC) South Africa senior research analyst Pieter Kok has warned. “Security remains a key IT challenge and the focus is on business continuity. Only 5% of all organizations worldwide are adequately protected against cyber crime,” he says. Organizations also need to be part of global networks, which opens the opportunity for potential attacks, as global companies’ networks could be compromised from anywhere in the world. IDC’s top threats for 2010 include casual intruders, insider system sabotage, spyware and data loss through employee error or malicious intent. Only 50% of companies have formal security policies for employees to follow and only 33% educate their employees on these policies. “More money is lost from the inside than from the outside in terms of IT security,” says Kok. Companies need to exert greater control over the "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! information coming in and going out of an organization. Further, Web 2.0, which includes social interaction websites, could also pose threats of cross-site attacks, spam, hackers, malicious codes and phishing. Kok says that the adoption levels of Web 2.0 are expected to double, but this will be an additional threat that companies will have to handle through continuous monitoring.” The article further points out that “prevention is better than cure” and “information is the new currency and data protection solutions will be required to better protect business”. (Holman, 2010)
most cases, from $300 to $3000. The most recent sales figures from Gartner, Inc. list the average selling price of laptops at $732, 15.7% less than in the same period of the previous year when the average was $868. Sales were up 71% for the first quarter over 2009. (Gartner, Inc., 2010) Proceeding to threats of a more expensive and serious nature, the loss or theft of a laptop computer can result in the release of secure information, such as customer credit data to individuals who will exploit it. The average total cost of these data breaches in the United States is estimated at $6.75 million dollars, or about $204 per record. (Chickowski, 2010) Compounding the cost, laws that regulate how the storage of sensitive records must be handled may require disclosure and result in fines. Congress is considering a bill to force all persons or organizations involved in interstate commerce to disclose any breach of Personally Identifiable Information (PII) immediately, with a penalty of $1,000 per record, per day (up to $1 million) (govtrack.us, 2009) The resulting adverse publicity from such a breach may also result in lost business, estimated to represent more than half of the ultimate cost. These breaches are discovered and steps are taken as quickly as possible to mitigate the damage."#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! And, although the consequences are substantial, an even greater security issue exists -data breaches and other threats are occurring without the loss of the laptop and without the knowledge of the user. Criminal organizations as well as individuals can break into laptops with a number of sophisticated and even unsophisticated approaches. Some of the threats are as mundane as the cloud of phishing and other spam emails every user navigates on a daily basis. Or they can be as sophisticated as worms and Trojans that steal data and credentials silently without leaving a trace. The key to effective security is concentrating resources on the most likely areas to be exploited, predicted by using analysis like a threat model customized for each individual situation. Starting at the beginning, laptop threats fall into four major categories: 1. Loss of hardware (LOH) 2. Loss of software (LOS) 3. Loss of information (data, LOD) 4. Surreptitious use of the computer and contents by others (Invasion, INV)
3. Loss of Hardware As previously noted, the loss of hardware, by whatever means, represents a loss of replacement value and time. There are exceptions, however, such as in the case of machines that are specifically built or modified to access secure or specialized networks or machines. Generally, the loss of a laptop computer, without consideration for the data and software loaded, is a low-severity threat and may be rectified with relative ease. That in no way means actions to prevent a loss should be overlooked, education being the most logical and inexpensive step. In any organization utilizing laptops, management is wise to alert the employees of ways laptops are normally lost to increase awareness and establish behavior patterns to mitigate the problem. For example, in the Dell/Ponemon survey, researchers found that most laptops lost at airports were left at the security/scanning area. By simply providing a checklist for traveling employees to confirm, before leaving the security screening area, that their laptop was retrieved, a may eliminate a number of losses by a distracted worker. Other effective behavioral methods can easily be devised by individuals or organizations "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! at little cost. Electronic solutions are also available, including radio frequency identification (RFID) tags that will sound an alarm when two devices become separated by a pre-set distance. One example of this type of device, defined herein as Separation Detectors, is the $59.95 TagAlert 150 (TA-150) available from RemotePlay. One of the tags is attached to the computer, and the other can be attached to a key ring or glued to a cell phone. When the two tags exceed the set distance, such as when a laptop is left behind, the device sounds an alarm. There are also a number of Anti-Theft Devices, consisting of cable locks and motion detectors to secure laptops when the user must leave them behind. Labels from Laptop Tracking Services also act as a deterrent to thieves because they warn them that they are not likely to get anything useful from the machine and that software and hardware installed will lead the police to the location of the laptop.
4. Loss of Software The loss of software may represent a greater expense than missing hardware. In a bestcase situation, a recent backup of a lost laptop could be used to restore all of the software with very little lost time and no financial cost. Various situations can cause the time and expense to quickly escalate. If an exact hardware replacement cannot be obtained, software from the operating system to applications may have to be updated or replaced, requiring labor for installation, configuration, and data migration. One estimate is that replacement cost balloons to an average of nearly $9,000 when reinstallation of software and conversion of data is factored in. (Stokes, 2009) Key mitigation elements here are, once again, Software, Hardware, Education and Discipline, (“SHED” as a mnemonic acronym for future reference). Since most people who use computers already know they should back them up frequently (education), but fail to do so on a regular basis (discipline, or the lack of it), hardware and software can side-step the potentially unreliable human factor and assure compliance. In this "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! case, Automatic Backup Packages consisting of external hard drives combined with programs to ensure that there is always an up-to-date copy of the entire system for easy reinstallation. Organizations can implement the same feature using the network, backup servers and software. Some of the software on a laptop may be used by thieves to access the user’s or employer’s accounts which may result in considerable expense. Since this will result in the recipients’ use of the software and not the software itself, that condition will be covered under surreptitious use of the computer and contents by others.
anyone acquiring the laptop does not have one of the parts, they cannot gain access to the data, even by removing the disk and attacking it from another computer. Failure to protect personal and organizational data can lead to the largest vulnerabilities of all. Data breaches are estimated to cost an average of $6,750,000 for each incident in the United States (Chickowski, 2010) However, the cost of data breaches should not be attributed to the loss of data, but rather to the potential for misuse. Within the threat category, this misuse is called -- surreptitious use. This is due to the fact that the liability and notification expense becomes applicable only if there is the potential of the data getting into the wrong hands and being misused. If the data is simply destroyed and there is no potential for misuse, there are no additional costs incurred, other than the replacement or recovery of the data. With most laptops carrying 160 gigabyte or less of data on their hard drives, it is unlikely that the cost to replace or recover data would be more than $10,000. Most employing entities prohibit storing critical data on users’ laptops; yet somehow sensitive data is released with alarming regularity (see Dell/Ponemon study above). Employers should restrict access to databases using the SHED principle, by informing new hires of the "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! policy of not allowing institutional data on laptops and having them periodically sign an agreement to that purpose (Education and Discipline), and enforcing the policy by not allowing simple data transferring methods, limiting the size of downloads, prohibiting the use of external mass storage devices, and implementing Data Access Monitoring (DAM) to enforce the prohibitions (Software and Hardware). If data must be processed off site with a mobile device, it must be loaded on an encrypted storage device and carried or transported separately from the laptop.
c. Implementing any outside software necessary to accomplish the goals of the Protection Plan. Required components for each type of threat will be presented in more detail in the Threat Model/Matrix below.
7. The General Threat Model Threat
Average Damage/Severity
Severity Frequency
Loss of Hardware
Average hardware cost ($700) + configuration and setup, approximately $2000. (Wilcox, 2009) (Stokes, 2009)
3 4%
Loss of Software
$6,000 including installation and configuration. (Stokes, 2009)
3 10%
Loss of $10,000 Information
2 30%
Invasion
1 90%
$40,000
"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! A note on frequency: This is a probability estimate, based on the estimated percentage of the worldwide population of laptops likely to fall prey to the named threat. The loss of hardware estimate is from several articles, which cited expert’s estimates. (Wyld, 2009) The other values are constructed for this example, and actual historical numbers should be inserted for each reallife situation. Before using the threat model to develop a security plan for a person or organization, empirical data from actual experience should be substituted. A note on pricing: As the cited article discussed (Stokes, 2009), the $50,000 (split between Loss of Information and Invasion) is high because a few of the lost laptops resulted in very large dollar losses, raising the average. Ignoring the large losses because of the extremely low frequency of those events might lead to the false conclusion that no mitigation strategy is cost justifiable and therefore necessary. Such an approach would increase the vulnerability and make a large loss more likely, while simultaneously increasing the expense of recovering from successful exploitations.
Damage and Severity are based on population-wide averages. When determining the actual threat model for a particular situation, actual values and severity must be determined by individual case. For the purpose of this model severity ratings are as follows: 1=Critical, 2=Serious, 3=Standard, 4=Tolerable In order to begin to manage threats, they must be broken down into individual vulnerabilities, which can then be related to a product or strategy for mitigation. The end result provides the cost of mitigating a threat along with the estimate of the price of not doing so, giving decision makers a firm comparison.
Signs Separation Detectors Anti-Theft Devices Tracking Devices Loss of Software Loss of software, including the operating Archive system, due to loss of laptop, accident, Backup Malware, or Hardware failure Registration Loss of Loss of data other than software due to BitLocker Information, either lost laptop, Denial-of-Service (DOS) EFS temporarily or attack, Viruses, Data Leakage, Data Loss, RLS permanently Data Theft, Document malware, Spam Virtual Desktop Windows Defender FDE BIOS Login Biometrics, Smart Card, TPM Encrypted keys Windows Firewall Invasion Unapproved use of the computer through Service Hardening impersonation, spyware, Trojans (bots, NAP "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! backdoors, downloader), Root kits, Group Policies Worms, Auto run worms, Browser Security Center Hijackers, Cookies, Phishing, and hacking. ASLR DEP Wireless Security User Account Control Anti-Spam Browser Settings
9. Developing the Security Plan To design a security plan for a laptop computer or computers, first the threat model is customized for the particular situation to which it will be applied. Then, based on the modified model, a Security Plan is formulated to mitigate the threats by importance. The following are examples of likely security plans based on the Threat Model above:
on Microsoft’s Windows Operating Systems are only available with the “Enterprise” and “Ultimate” versions of Windows Vista and Windows 7. To begin his Security Plan, Sean estimates the cost of the threats in the Damage column. In the absence of any more specific frequencies the industry estimates will be used. Multiplying the two, proffers the expected value. The chart below illustrates the result of the calculations and clearly indicates the expected risk of not mitigating threats by category. It also indicates the amount of money that should not be exceeded in acquiring protection. For example, if Sean spends over twenty dollars to protect his hardware from theft, he will be spending more than he is likely to lose. This security plan shows that protection should be acquired in the first three categories only if it is at little or no cost. Further, Sean would be wise to spend, or ask his employer to pay for as much as necessary to guard against the unauthorized use of his hardware and software, because the risk is great. Sean found another item that needed to be taken into consideration when preparing a Protection Plan. Sometimes the optimal dollar amount that should be spent on each area of risk has to be"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! adjusted because of outside, unrelated constraints. In this case, he checked with his home insurance company and found that he could include the laptop in his coverage, but that he was required to attach a permanent label to the computer so it could be returned if it was recovered. Shawn opted for the coverage and the STOP brand plate ($25), even though it cost in excess of the projected loss amount.
10. Mythical Organization’s Laptop Laptops used by employees are all similar in terms of hardware, and have identical software installed, using a disk imaging program. The image includes the Microsoft Windows XP Professional operating system, an application suite consisting of Microsoft Office Professional 2003, some proprietary software used to access internal applications, a VPN client (Virtual Private Network to connect to the main organization network remotely), an anti-virus client, and software to connect to Oracle and Microsoft databases. To minimize lost and stolen laptops, Mythical has a very simple policy: the employee must pay for a replacement. This policy, although patently unreasonable has resulted in few lost or stolen computers. Losing software is also not a concern for Mythical, as they can re-install it from an image in minutes, and their software licenses allow them to install on an unlimited number of machines, so long as their user number remains below a certain threshold. They keep the software up-to-date by loading patches and updates whenever the laptop is connected locally to keep abreast of new exploits. Other than loading the anti-virus and "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! activating built-in Windows XP protections such as the Windows Firewall and Defender, they have no formal security plan or policy. Mitigation is on an individual basis; when a computer has a problem it is handled by the internal Desktop Support department. If any data breaches or network intrusions occurred in the past, since there is no formal method for monitoring or reporting them, management would probably remain unaware. Prompted by auditors and complaints from customers suspicious that Mythical is the source of information used by someone to steal their identities, the company has decided to formulate a Security Plan, beginning with their laptops. The first two threats, stolen hardware and software are of no concern to Mythical, because employees pay for missing hardware and the software is simply reinstalled. Since Windows XP does not include a Full Disk Encryption (FDE) facility like BitLocker, and third party implementations are costly, Mythical decides to deal with the possibility of stolen data, the third threat, by sending an edict to all mobile workers ordering them never to store corporate data on laptops.
The last threat, surreptitious use of computers and data, is now the only concern for the organization. They have decided to mitigate it by “hardening” Windows XP by maximizing the built-in security functions of the operating system and adding 3rd party solutions for any threat not handled by Windows. To harden Windows XP, Mythical’s security officer developed policies for password complexity and change frequency as well as other standard security and Windows Firewall settings, and implemented them by using network Group Policies. This updates the settings every time the mobile computers log onto the main network. Since computer hijacking is often accomplished by the use of a virus, spyware, or malware, Mythical uses McAfee VirusScan Enterprise software for about $12 per machine to protect against those threats. For protection against worms and Trojans, other popular methods of taking unauthorized control of laptops, Windows Defender will be installed and configured. Windows Defender is included free with Windows XP Service Packs 2 and 3. However, Defender is not an “Enterprise Class” malware product with centralized control, reporting, and administration, so each machine must be configured and patched independently. The built-in centralized update and group policy systems help with"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! configuring and patching Windows Defender on individual computers, but the lack of a centralized reporting system will keep the administrators in the dark about widespread problems on the network.
stolen, which would have resulted in a cost of $12,000 dollars but the employees are forced to bear that burden. They had no attached software losses because the terms of their license agreements allowed them to copy the software on the replacement machine at no charge. Mythical had some problems with worms and viruses, as well as accidental deletions, disk crashes, etc., that resulted in data losses. As estimated by the auditors, recovery cost an average of $1,000 per machine. The data losses occurred on roughly 10% of their machines, but since Mythical kept no records of possible misuse of computers or information, they are estimating the cost based on other companies in their industry. Since the Threat Model results are apportioned over all 120 of Mythical’s machines, the only area they will be spending money to mitigate will be the Invasion one at about $70 per machine ($8,000/120=$66.67), since the risk value of $8.33 (1,000/120) is not enough to purchase any useful protection, even if the severity was not 4 (Tolerable). If future trends indicate that losses will increase, the budget should be increased and the protection expanded in the areas causing the losses.
10.2 Baseline Security Plan "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! It is very important that the person entrusted with the design of the Protection Plan should establish a baseline before applying the Threat Model. Since the Threat Model in the Mythical case is based on actual losses with the existing security profile that should serve as the baseline. If the cost of the baseline is already in excess of the amounts determined in the Threat Model, the security planner could consider eliminating some protections if they appear not to be effective at preventing losses.
11. Security Best Practices “Best practices” is just another way of saying “Do what works”. In the computer security arena, a lot of what are called best practices is artifice, designed to give security managers the right to say “I told you so”. Edicts like, “never click on links in emails” or “never visit a web page you don’t know” are largely ignored by everyone. To follow that advice, while undisputedly prudent, would remove most of the benefits of progress in the last 30 years. Can you imagine not clicking on links in emails and websites? Google would be out of business. What is actually called for is to configure protected machines to mitigate every risk using the most effective means possible. For example, most anti-spam programs move questionable emails into a “junk’ folder, where the links are deactivated. Users can still click on the links by moving the emails back into the inbox, but to do so they would have to consciously evaluate what they are doing. This is the way to implement “best practices” which is, in itself is a best practice that has evolved over time. Best practices are better coded and implemented automatically rather than putting the "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! responsibility on users. In Windows, baseline security can be set through Group Policies, with configuration support for the OS, Internet Browser, and hardware type using the Security Compliance Manager, a free download. Server side tools, such as Web filters and Internet security products, can also enforce best practices by not allowing links to sites known to be dangerous.
evolving. User requirements are dynamic, software is being modified and new features are being added. All of these things affect the protection plan of the laptops and desktops, so the procedures must be dynamic and adjusted as necessary. Sometimes it is a matter of changing settings, other times threat mitigations are no longer needed, or new ones are required. Most laptops operate in two (or more) worlds, either connected to the home network or out in the wild, connected to the Internet. In most organizations, the security settings are controlled and updated by script injection or a similar process when the laptop is connected to the home net. In some cases, all of the settings are locked down and cannot be changed, even when the device is no longer connected. Windows accounts for this by allowing different profiles, with settings appropriate for each state of operation. For example, the Windows Firewall should be redundant when connected to the home network, so it will probably be turned off. It should reactivate when the computer detects that it is no longer connected to the home net and should be pre-set to both prohibit and allow connections. For instance, a user will probably not be able to start VPN software while on the home net because it is not needed, and will not be able to use network "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! printers when outside the office. While in either environment, however, the configurations should attempt to follow the same Security Plan design, implemented differently.
important to the individual or enterprise and allocates the available resources to “defense in depth” directed to those areas. The plan provides the yardstick to measure the changing goals of security on one hand, and the changing threat picture on the other hand, while providing a format to modify the strategy to continue to provide the most efficient and effective prevention and mitigation possible. An operating system is just another form of software, so the Protection Plan indicates an OS to some extent, based on the threats that are most severe in a situation. For example, if Full Disk Encryption (FDE) is very important, the person making the decision will need to weigh the comparative advantages of adding 3rd party software to Windows XP or buying one of the premium editions of Windows 7 that include BitLocker (Enterprise and Ultimate editions). It will probably be more expensive for the Windows 7 solution in terms of immediate expense, but since the older version is practically obsolete and an upgrade is inevitable, it may be more economical in the long run to go with the current version.
13.1 Linux and Macintosh "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! Conversely, many organizations may be tempted to move to Macintosh or Linux computers, based on advertising and articles (Elmer-DeWitt, 2009) that say there are no viruses on those operating systems. While that statement may or may not be true (Landesman), there are still two things to remember: First, there is malware that attacks both platforms (Corrons, 2010) (Barr, 2008), which can be far more destructive than viruses, and secondly, files and emails passing through Mac and Linux machines can still host viruses that may be passed on to the far more numerous Windows boxes with which they will be communicating. In order to avoid being blacklisted as a source of malware and viruses, Mac and Linux users may find it necessary to install antivirus software to protect their customers and associates. Also, Linux and Macintosh laptops represent a small market (see Figure 1) which makes them an unlikely target for cyber attacks, but at the same time discourages vendors to build hardware and software for them, which means there are fewer programs available to detect attacks on those platforms. So, it is just as critical that patches be acquired and applied to Mac and Linux laptops as Windows-based machines.
two examples above, none of the three recent systems has a clear advantage at the operating system level. Since hardening the system against surreptitious entry and use is largely determined by hardware, configurations, environment, and added software, the decision depends on the selection of other components. For instance, if the laptop must access Windows Servers and applications, using a Mac or Linux box may be possible, but so difficult as to be unjustifiable in regards to expense and effort. On the other hand, for a machine to be used for Internet access and other personal activities for which software availability is not an issue, Linux or Mac boxes may be preferable simply due their lower exposure to widespread threats because of lower market share. Regardless of which platform is in use, it is important to establish a Protection Plan and set it up to be as automatic as possible, with the baseline components being automatic backups, real-time automatic installation of updates and patches, and encryption of sensitive data with strong authentication. The backups mitigate the loss of hardware, software, and data with extreme effectiveness. While depending on updates and patches requires an uncomfortable reliance on vendors, there is little alternative short of writing your own operating system and "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! applications. Lastly, if sensitive personal or organizational data must be stored on the laptop or peripheral devices, some form of Full Disk Encryption (FDE) is an absolute requirement, with either the BitLocker available on the high end versions of Windows Vista/7 or a third party product. Strong authentication goes hand-in-hand with encryption, so in order to be effective, two stage (what you have/what you know) authentication is a must.
Keizer, G. (2010, Januare 3). Windows Loses Market Share to Mobile Operating Systems PCWorld. Retrieved 05 30, 2010, from PCWorld: http://www.pcworld.com/article/185743/windows_loses_market_share_to_mobile_operat ing_systems.html Landesman, M. (n.d.). Mac Antivirus Software Reviews: The Best and Worst of Macintosh Antivirus Software. Retrieved May 28, 2010, from About.com: http://antivirus.about.com/od/antivirussoftwarereviews/tp/aamacvir.htm MacDonald, N. (2010). Planning for the Security Features of Windows 7. Gartner. Ryan, S. (2009, December). Worldwide Mobil Worker Population 2009-2013 Forecast. Retrieved May 22, 2010, from IDC - Document at a Glance - 221309: http://www.idc.com/getdoc.jsp?sessionId=&containerId=221309&sessionId=0855D00EF 5481FB4E002403A8AE85F62 Stokes, J. (2009, April 23). Report: average stolen laptop cost is $50K. Retrieved May 12, 2010, from ars technica: http://arstechnica.com/gadgets/news/2009/04/report-average-stolen"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! laptop-cost-is-50k-intel-buy-vpro.ars Wilcox, J. (2009, July 22). Apple has 91% of market for $1000+ PCs, says NPD. Retrieved May 12, 2010, from betanews: http://www.betanews.com/joewilcox/article/Apple-has-91-ofmarket-for-1000-PCs-says-NPD/1248313624 Wyld, D. C. (2009, 12 11). Lost in Line: Improving Laptop Security with Automatic Identification Technology. Retrieved 5 9, 2010, from ComputerSight: http://computersight.com/communication-networks/security/lost-in-line-improvinglaptop-security-with-automatic-identification-technology/#ixzz0nTBzDKz6
Appendix A – Glossary and Definitions Description Firewalls generally block certain inbound traffic, either by analyzing network traffic or by blocking logical TCP and UDP ports. The Windows 3rd party and XP Firewall only blocked inbound traffic, while newer Windows Firewalls Windows (software) blocked traffic in both directions, providing a method to stop user or Firewalls software exporting of data for illegal purposes. Software that is activated when a computer is reported stolen. It will 3rd Party Tracking report the location of the user and in some cases take screen shots and Software activates web cameras. Address Space A method for loading programs and their associated memory at different Layout Randomizer places each time they are invoked, foiling certain types of remote (ASLR) attacks. Originated in Unix systems. Software that analyzes incoming email and moves items that likely Anti-Spam contain some form of malware, virus, phishing or spyware to a “junk” folder, while removing or deactivating any dangerous software or links. Windows 7 new feature that enables a white list to control what AppLocker™ applications may run on a system. Software that constantly backs up a system using shadow copy so that Automatic Backup even files that are in use are copied so a nearly complete copy always Software exists. Windows 7 addition to BitLocker that allows encrypting removable drives BitLocker to Go™ that can be opened on Windows Vista and Windows XP (Read only) "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! computers. Microsoft’s version of FDE software that uses the TDM chip found on BitLocker® many laptops, or thumb drives to hold keys. Available on Enterprise and Ultimate versions of Windows Vista and Windows 7. 3rd party antivirus programs and security suites with various feature sets and methods for protecting against and removing malware. Most are Commercial “black list” style, though recently white list technology is becoming Antivirus or Suite popular. Commercial Malware software is available by itself, but is usually bundled with antiMalware Prod. or virus or software or security suites. Suite Usually combined with a Kensington-type lock, the Defcon provides a Defcon 1 motion detector and a loud alarm to discourage thieves. Manufactured by Targus, this is an anti-theft device. Data Execution Prevention – a protection against memory injection attacks, which operates by checking areas of memory that have been marked by the hardware as non-executable and preventing code from executing there. Safe Unlinking in Windows 7 is a similar system, only DEP operating at the OS level. DEP has been incorporated into Windows since Windows XP Service Pack 2 (SP2), but has been improved in each subsequent version. Remote users log into virtual desktops rather than actual computers, Desktop limiting invaders’ access to hardware and network resources. One Virtualization disadvantage is that remote users must be connected to the network in Product
order to do any work. Facility in all versions of Windows that allows users to encrypt folders Encrypted File using their login credentials. Not very secure because anyone who can System (EFS) log into an account can see the encrypted data. These are operating system settings that can be automated in the same Group Policies or fashion as startup scripts in all current Windows versions. Windows Vista Group Policy and 7 have far more security-related settings, though Windows XP Objects (GPO) settings have been increased in SP2 and SP3. Internet Explorer version 6 shipped with Windows XP and suffered from a lack of security features and code that was exploited. Versions 7 and 8 have largely remedied the problems in 6, but the door was open for Internet Explorer better browsers and Firefox, Opera, Chrome, and Safari came through and other browsers. with better features and greater security. Important features are popup blockers, script and plug-in security, authorization improvements, certificate and Transport Level security. As an anti-theft device, cable locks designed to fit a socket found in most laptops. Provides a deterrent for casual thieves because pulling the Kensington Locks cable out causes damage that indicates the computer is stolen and reduces hardware resale value. Same principle as the Tag Alert, except a laptop is connected to a cell LockItNow! phone or music player wirelessly using Bluetooth. When the two devices Bluetooth/handheld get too far apart, the computer locks and cannot be used. Client for Network Access Control (NAC), implemented on Windows Server 2008 R2. Available on Windows XP SP3 and all business and enterprise versions of Windows Vista and Windows 7. Although the Network"#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! Access Windows version is not as full-featured as 3rd party implementations it Protection (NAP) does a good job of analyzing the health of computers trying to log into the network, refusing any that may have malware, viruses, or incompatible or dangerous software. Software that is purchased online and downloaded. The registration Online Licensing information is stored by the vendor and the software can be reloaded free if it is lost or stolen. A third party Full Disk Encryption (FDE) program that encrypts entire PGP Whole Disk hard drives and removable volumes like jump drives and portable disks Encryption using PKI infrastructure. 3rd party tool that requires the user to authenticate at a web site every Remote Laptop time the computer is used. If authentication fails, the computer can’t be Security (RLS) used because system files are encrypted. These are the long list of items that most users largely ignore, but are beating into their heads repeatedly, such as never click on links in Security Best emails, never open attachments, do not store passwords in documents, Practices etc. Many of these can now be enforced through Group Policy Objects (GPO) in Windows 7. Microsoft free anti-virus software available as a free download for all Security Essentials Windows versions. Two devices, at least one of which is capable of calculating the distance Separation between itself and the other device. When a pre-set separation distance Detectors is exceeded one or both of the devices will either sound an alarm or trigger another event, such as locking a protected computer.
Software, Hardware, Education, and Discipline, the keys to effective security. Program that keeps track of all licensed software to eliminate loss in case the originally installed software must be reinstalled due to loss.
Inexpensive adhesive labels that are registered with the manufacturer and contain security features that make it difficult to remove cleanly. Serial numbers facilitate the return of the Item. This is a separation detector system which involves two devices, one of which is stuck to the laptop and the other attached to a cell phone or Tag Alert/Proprietary wallet. When the two tags are more than a preset distance away, an alarm sounds. The TPM is a chip on the motherboard of some laptops that stores keys, passwords, and certificates in encrypted form. The TPM chip increases the security of BitLocker encryption by making more secure encryption Trusted Platform schemes available, along with the certainty that an encrypted disk Module (TPM) cannot be read if removed from the machine. The disk also cannot be read if the TPM is tampered with. User Access Control – Designed to remedy the necessity of giving Administrator privileges to normal users in Windows XP. This function User Account automatically reduces the permissions granted to all users to the least Control (UAC) required with the ability to assume administrator privileges as necessary. Invaders inherit the rights of the session they hijack, so lower is better. The opposite of a black list. The white list, for example the ones used by AppLocker and Microsoft Outlook, list permitted applications or email senders, respectively. Most antivirus software employs a black list that "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;! White List uses a repository of signatures of viruses that are not allowed to execute on the protected system. Some antivirus/anti-malware vendors are now employing a white list, such as Bit9. Lightweight backup program included in all versions of windows that is Windows Backup effective enough for copying software and reinstalling it in the event of loss or failure. Malware program provided with most versions of Windows and available Windows Defender as a free download with others. Common sense for setting up wireless networks, such as always using Wireless Best the highest security possible (WPA2), adjust antennas so “war drivers” Practices/Software cannot detect the signal from nearby streets, avoid broadcasting the name if possible. STOP Security Plates
