ISO27001 Laptop Security
More and more details are emerging concerning lax security of data and I am becoming increasingly concerned at the absence of even basic precautions to prevent unauthorised disclosure of data.
There have been laptops stolen, lost or simply forgotten at airports which contain sensitive information. Not long ago a Cabinet Minister had a desktop computer stolen, which had data not normally allowed outside Whitehall. The Minister concerned told the Press that it was safe as it was protected by a password. There was incredulity among those present as passwords are so easily overcome. One wag even enquired if the password was 'PASSWORD'.
Desktops and laptops often store system passwords in cmos which is a volatile store chip within the computer and is kept alive by a small coin type battery on the motherboard. This same chip holds the date and other start-up data. If you remove the battery and leave it for a few minutes, this data is lost and the password is removed. The other type of start-up password is held in an encrypted form on hard disk.
It is relatively easy to boot the computer from a CD or alternative operating system, access the password files and delete them. Rebooting the computer in the normal way shows that the password has been removed.
I am no computer expert, but this easy routine is readily available on the internet and it beggars belief that anyone, let alone, those in Government think that their data is secure when 'protected' in this flimsy way.
In my job I travel widely and I have a laptop which is protected by a password but the data I carry is on a separate removable drive which is encrypted at file level so that even if the drive was stolen and put into another laptop the data could not be accessed.
I use Folder Lock to secure my data. There are many other programmes available but I like this one.
Folder Lock is a fast file-security program that can password-protect, lock, hide and encrypt any number of files, folders, drives, pictures and documents in seconds. Protected files are hidden, undeletable, inaccessible and highly secure. It hides files from anyone other than the authorised user, safeguards them from viruses, trojans, worms and spy ware, and even protects them from networked PCs, cable users and hackers. Files can also be protected on USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks. Protection works even if files are taken from one PC to another on a removable disk, without the need to install any software. It locks files in Windows, DOS and even Safe Modes.
I know that my sensitive files are protected and that my Clients data is protected.
There have been laptops stolen, lost or simply forgotten at airports which contain sensitive information. Not long ago a Cabinet Minister had a desktop computer stolen, which had data not normally allowed outside Whitehall. The Minister concerned told the Press that it was safe as it was protected by a password. There was incredulity among those present as passwords are so easily overcome. One wag even enquired if the password was 'PASSWORD'.
Desktops and laptops often store system passwords in cmos which is a volatile store chip within the computer and is kept alive by a small coin type battery on the motherboard. This same chip holds the date and other start-up data. If you remove the battery and leave it for a few minutes, this data is lost and the password is removed. The other type of start-up password is held in an encrypted form on hard disk.
It is relatively easy to boot the computer from a CD or alternative operating system, access the password files and delete them. Rebooting the computer in the normal way shows that the password has been removed.
I am no computer expert, but this easy routine is readily available on the internet and it beggars belief that anyone, let alone, those in Government think that their data is secure when 'protected' in this flimsy way.
In my job I travel widely and I have a laptop which is protected by a password but the data I carry is on a separate removable drive which is encrypted at file level so that even if the drive was stolen and put into another laptop the data could not be accessed.
I use Folder Lock to secure my data. There are many other programmes available but I like this one.
Folder Lock is a fast file-security program that can password-protect, lock, hide and encrypt any number of files, folders, drives, pictures and documents in seconds. Protected files are hidden, undeletable, inaccessible and highly secure. It hides files from anyone other than the authorised user, safeguards them from viruses, trojans, worms and spy ware, and even protects them from networked PCs, cable users and hackers. Files can also be protected on USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks. Protection works even if files are taken from one PC to another on a removable disk, without the need to install any software. It locks files in Windows, DOS and even Safe Modes.
I know that my sensitive files are protected and that my Clients data is protected.
Labels: data, ISO27001 security, laptop
Posted: Monday, 28 July 2008
Security of Data
The loss and compromise of sensitive data by the Revenue has left most of us dumbfounded as every security precaution that could have been provided to protect this data were totally ignored.
Security professionals across the country gasped in amazement as the story unfolded. If a private company had lost this amount of data the Data Protection Act would be invoked and a criminal investigation and prosecution would follow. Will this happen in this case? I doubt it. Will the truth come out? Again I doubt it particularly as Civil Servants have been told to keep quiet or risk prosecution under the Official Secrets Act.
Government departments with their immunity from prosecution are often cavalier with the rules that apply to the rest of us.
This scandal should bring down the Government or as an absolute minimum result in the sacking of the Chancellor.
However for the law-abiding and professional users of data here are the basic precautions that should be taken when transmitting sensitive data:
These are the basics which seem to have been ignored by the custodians of our personal information.
If the Government is to hold even more data (ID cards for example) then their systems have to be bomb proof.
Industry is adopting ISO27001 - information security management - to protect data and so it should. It is a sad reflection on HMG that these standards are not adopted by them.
Security professionals across the country gasped in amazement as the story unfolded. If a private company had lost this amount of data the Data Protection Act would be invoked and a criminal investigation and prosecution would follow. Will this happen in this case? I doubt it. Will the truth come out? Again I doubt it particularly as Civil Servants have been told to keep quiet or risk prosecution under the Official Secrets Act.
Government departments with their immunity from prosecution are often cavalier with the rules that apply to the rest of us.
This scandal should bring down the Government or as an absolute minimum result in the sacking of the Chancellor.
However for the law-abiding and professional users of data here are the basic precautions that should be taken when transmitting sensitive data:
- Never send data over the internet unless securely encrypted;
- Never send more data that is actually required;
- If data is to be burned onto CD or DVD, it must be properly authorised and the disks numbered, monitored and tracked.
- Never send disks of this type by post;
- If they need to be sent to another location, a hand to hand transfer is most secure followed by a data tracking delivery and lastly by a registered method.
- Once the disks have been used they should be returned to the originator by a secure method for destruction.
- If there is an apparent loss of disks then an immediate and high priority search should be made and interested parties informed.
These are the basics which seem to have been ignored by the custodians of our personal information.
If the Government is to hold even more data (ID cards for example) then their systems have to be bomb proof.
Industry is adopting ISO27001 - information security management - to protect data and so it should. It is a sad reflection on HMG that these standards are not adopted by them.
Labels: basic computer security, data, government
Posted: Sunday, 25 November 2007
Laptop Data Safety
Basic levels of password protection on laptops are easily overcome by the experienced thief and this is causing considerable concern within the industry.
There are two things you should do:
That takes some account of security for the laptop, but with attached devices such as SD cards and USB pen-drives the situation is different:
Anyone stealing the SD Card or Pen-drive can read the data on any computer loaded with similar software. This is clearly a point of vulnerability; the best method to protect this type of device is to encrypt it so that it is useless without the decrypt key.
This protection is not the expensive option it used to be, with open source software freely available. The best of these encrypt and decrypt on the fly and are transparent to the authorised but render the device useless to the thief and in may cases appear to be a blank device.
ISO27001 and Laptop Security
There are two things you should do:
- Physical security - Don't let your laptop out of your sight. Never leave it unattended in a public place. Never leave it in the boot of your car overnight at hotels. Always use a steel cable to attach it to a firm structure when in use outside your normal environment.
- Electronic security - Don't have sensitive data on a hard disk in the first place. Use a complex password and if possible second level authentication, such as a token or other device. When the laptop is on but is not being used, use the electronic lock facility to activate the password entry facility. Use a password on any screensaver.
That takes some account of security for the laptop, but with attached devices such as SD cards and USB pen-drives the situation is different:
Anyone stealing the SD Card or Pen-drive can read the data on any computer loaded with similar software. This is clearly a point of vulnerability; the best method to protect this type of device is to encrypt it so that it is useless without the decrypt key.
This protection is not the expensive option it used to be, with open source software freely available. The best of these encrypt and decrypt on the fly and are transparent to the authorised but render the device useless to the thief and in may cases appear to be a blank device.
ISO27001 and Laptop Security
Posted: Thursday, 21 June 2007
0 Comments:
Post a Comment