Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
Hmmm ... (Score:5, Funny)
Re: (Score:1, Funny)
Kill all humans!
Bender the robot
Humans Continue To Be 'Weak Link' (Score:2)
Come on people! Enough of these filler stories!
Yes (Score:5, Funny)
Skynet
Re:Hmmm ... (Score:4, Interesting)
Re: (Score:2)
Actually most of them forget them in the Underground, which is a series of tubes
FULL DISCLOSURE - Absolute Software (Score:1, Insightful)
Absolute Software - The absolute best way to track, manage and protect your digital world.
Tracking software to aid recovery of lost or stolen computers. Also software for hardware/software inventory and software license management.
There's a reason why Absolute Software is talking this up...
Just sayin'
Re: (Score:2)
There's a reason why Absolute Software is talking this up...
Just sayin'
I thought it was "Ponemon software says 'Laptops ! Collect them all !'"
Oh, wait, PoNemon... sorry.
Skynert (Score:1)
Usernames in browsers (Score:4, Interesting)
I noticed that browsers have a neat habit of storing usernames that you've used on various sites, and help pre-fill the username field with that information.
It would be much more helpful if those usernames didn't bleed across servers; it would really cut down on potential exploits, and helps me remember which one of my usernames for a given site is correct (especially before I crack open the encrypted volume to lookup the real username/password combo.)
Re: (Score:2)
especially before I crack open the encrypted volume to lookup the real username/password combo.
I hope you can get into it faster than I did - it took me almost two hours to crack that thing!
Re: (Score:1)
Security Failings (Score:5, Insightful)
Re:Security Failings (Score:4, Interesting)
Then have them store it in a more "secure" location like in their wallet or their keyring. Some people can't even look after those adequately of course.. but at least you'll know if you've lost them that you should change your passwords.
Re: (Score:1)
I haven't lost my wallet in years (*knockonparticleboard*) so it's a good place for me to keep a password until I memorize it. Then I burn the paper it's on in my wood stove. This is probably way too much trouble to go to. I'm considering some kind of password safe, but the only digital device I carry on me regularly is a crappy Motorola phone which can only just run a MIDlet.
Re: (Score:2)
Of course, nobody ever loses their wallet...
You're missing the point. (Score:1)
1) There's no perfect security.
2) People *rarely* lose their wallets, because they know they've got important stuff in them, so they know to keep them safe. Adding a slip of paper with a password to the wallet means that it will benefit from the same relative care.
3) People generally know that if they lose a wallet with ID, bank cards, etc., that they should immediately report the loss of the bank cards, get replacement ID, etc. By association, it would make sense to change a password promptly, or to inform
Re: (Score:2)
Agreed, nothing is perfect, just pointing out exactly that. It seems obvious to you and me, but apparently it's anything but obvious to many (based on the stories we keep seeing about highly secret information with no encryption disappearing on laptops).
Of course, it's important too to realistically assess how critical a given login really is. As often as I have seen critical information free for the taking due to lax security, I have seen outrageous passwords required for logins that grant read-only access
Re: (Score:1)
Oh, agreed. I think passwords are demanded much too frequently, and that's part of the problem.
Re: (Score:2)
Password resetting type services or phone calls to your bank etc if it's online, or if it's for work then phone up IT.
Re: (Score:1)
I'm sure a lot of users had the password q1W@e3R$ which is probably the easiest password to remember that fulfilled the requirements. And therefore easy to guess if the password policy is known.
Re: (Score:2)
Re: (Score:3, Informative)
Re:Security Failings (Score:5, Insightful)
Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).
What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two factor security. Something like a SecurID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.
Being a jerk about password policy is no replacement for a better security system over all, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.
You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.
Re:Security Failings (Score:5, Insightful)
Not only making it too hard, but making changes too frequent.
You always know you're dealing with someone incompetent when that's a requirement.
You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.
You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.
Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.
Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".
Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.
The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying it's important because they heard other stupid people saying it, aka an urban legend. Nothing more.
Oddly enough the same morons who claim changing passwords increases security, also believe biometrics are more secure because you can't change your fingerprint... or can you?
Re: (Score:2)
Some people confuse two of the A's in AAA.
Oh yeah, I get Americans and Automobiles [aaa.com] mixed up all the time.
Re: (Score:2)
The theory is that if someone cracks your password, if you're forced to change it every month, they'll only have, on average, 2 weeks to exploit it.
In reality, you're correct that it's not so useful. In the case of a non-admin account, with enough auditing and proper permissions so that it's not possible to insert a keylogger nor take control of the machine, this works well. It works against a "got a temp job as a night janitor and walked around writing down passwords taped to moni
Re: (Score:2)
This applies everywhere. If building security is friendly and simple, all is well. Make it a pain and you can bet a back door will get propped open by people who just wanted to get a cup of coffee without the Spanish Inquisition. Thus in the quest for more security, you end up with almost none.
Re: (Score:1)
Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".
Correction: Login passwords are for authentication, not authorisation.
Authentication checks whether the password / user matches and grants access on that basis - Is this Joe?
Authorisation checks whether the login combination is authorised for the requested command / task once authenticated - Is Joe allowed to do X?
Accounting is a method of ensuring that Dave is not being authorised as Joe, unless you are referring to the trolls.
Too often we presume than if a user is authenticated (correct user/pass combin
Re: (Score:2)
Security : Pick any two
Something you know
Something you have
Something you are
Unfortunately these are :
something you forget
something you lose
something you cease to be
Re: (Score:1)
Re: (Score:2)
Actually, it happens in stages. The first few passwords are nice and secure. Then the next time around they're forgotten and the password is reset, and it's written down. After a few more months of that, the guy will choose a password according to some algorithm
Re: (Score:2)
Re:Security Failings (Score:5, Insightful)
Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.
N.B. Not Anti-MS trolling, just picking phrases as they come to mind.
Well..... Maybe (Score:3, Informative)
If you know nothing about the password at all, yes it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use word combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course against that you can start doing letter substitution but then you start having complexity problems again and so on. Also there's the problem of someone finding out your pass
Re: (Score:2)
Make at least one word a nonsense word with maximum 8 characters, and you've suddenly got a minimum of (`wc -l
That's a big number for such a small inconvenience (three nor
Re: (Score:2)
Uhhhm... after you guess the wrong password five times, the account is locked out and a system administrator needs to unlock it. If the sysadmin is unlocking the account ten times a day and the user swears that he's not entering in wrong passwords, then the sysadmin knows that there's something wrong.
If you've got the password hash and you're trying to brute force it, you've already won - you've got the password hash. How the hell did you get that without really high level access to the server you're trying
Re: (Score:2)
Brute force methods use dictionary words. Therefore, "ihaterubbishmicrosoftsoftware," which has five dictionary words without any capitalization or numbers or symbols, is the equivalent of a five-character password. The much stronger approach is to use phrases to generate hard passwords. For instance, you can make "ihaterubbishmicrosoftsoftware" to "!h8rM$SW". That's an eight-character that has capitalization and characters and numbers, and therefore harder to attack.
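The posts above disagree about which is stronger, the run-together passphrase or the substituted "!h8rM$SW", and the answer depends on the attacker model you assume; this added example (not from any poster) computes both search spaces for the strings quoted in the thread. The 50,000-word dictionary, the character-class sizes and the tiny sample wordlist are constructed assumptions.

```python
import math

# Character-class sizes for the brute-force model (printable ASCII; constructed assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
# Size of the wordlist a "word combination" attacker would use (constructed assumption).
DICTIONARY_WORDS = 50_000
# Tiny constructed wordlist, just enough to segment the thread's own passphrase.
SAMPLE_WORDLIST = {"i", "hate", "rubbish", "microsoft", "software", "soft", "ware", "micro"}


def classes_used(password):
    """Which character classes appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def charset_size(password):
    """Alphabet an attacker must cover if they know only which classes were used."""
    return sum(CLASS_SIZES[name] for name in classes_used(password))


def class_brute_force_space(password):
    """Guesses for an attacker trying every string over that alphabet at this length."""
    return charset_size(password) ** len(password)


def segment(passphrase, wordlist):
    """Split a run-together passphrase into the fewest wordlist words (None if impossible).

    This is how the word-combination attacker sees 'ihaterubbishmicrosoftsoftware':
    not 29 letters but 5 words.
    """
    best = {len(passphrase): []}          # start index -> shortest segmentation of the suffix
    for i in range(len(passphrase) - 1, -1, -1):
        options = []
        for j in range(i + 1, len(passphrase) + 1):
            if passphrase[i:j] in wordlist and best[j] is not None:
                options.append([passphrase[i:j]] + best[j])
        best[i] = min(options, key=len) if options else None
    return best[0]


def wordlist_space(word_count, dictionary_words=DICTIONARY_WORDS, variants_per_word=1):
    """Guesses for an attacker combining dictionary words.

    variants_per_word models the letter-substitution spellings (h4te, etc.) the
    attacker must add per word once substitutions are in play.
    """
    return (dictionary_words * variants_per_word) ** word_count


def bits(space):
    """Work factor expressed in bits."""
    return math.log2(space)


def strength_report(password, wordlist=SAMPLE_WORDLIST):
    """Bits of work under each model; word_bits is None when the string is not a plain passphrase."""
    is_passphrase = password.isalpha() and password.islower()
    words = segment(password, wordlist) if is_passphrase else None
    return {
        "class_bits": bits(class_brute_force_space(password)),
        "words": words,
        "word_bits": bits(wordlist_space(len(words))) if words else None,
    }


if __name__ == "__main__":
    for candidate in ("Ih4t3MSoft", "ihaterubbishmicrosoftsoftware", "!h8rM$SW"):
        print(candidate, strength_report(candidate))
```

Against a 50,000-word dictionary the five-word passphrase still costs about 78 bits, while the eight-character substitution string is about 52 bits of class brute force, so the "equivalent of a five-character password" figure only holds for a very small dictionary.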
Re:Security Failings (Score:5, Insightful)
Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:
The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.
This problem is very common in all kinds of professions and in most countries ...
Re:Security Failings (Score:5, Interesting)
If IT departments really would care about password security, and insist on complex passwords AND not writing them down, they should start treating a forgotten password as something normal, and not a chance to ridicule that poor guy who forgot it again.
What's worse for security? Resetting that poor guy's password twice a week or having him try to avoid it by using a post-it under his keyboard?
Re: (Score:3, Insightful)
Making password resets that common is bad security practice in itself unless you have a good process in place for verifying the identity of the user requesting the reset. Far too many helpdesks will happily reset "your" password for you without even cursory checks as to who you are.
Re: (Score:2)
Uhmm.. yes.
Last two shops I worked in were small enough that the support guy was able to recognize my voice on the phone as proof of ID.
That post was driven by an experience back at university when the password resetting process stopped only short of writing "I will not forget my password" 100 times on the blackboard. (But included admitting your stupidity to the 'BOFH on duty')
Re: (Score:2)
> If IT departments really would care about password security, and insist on
> complex passwords AND not writing them down
How many security breaches do you know of that were due to the writing down of passwords?
Re: (Score:2)
Personally I don't know of any breaches at all. But yes, written passwords are probably a bigger concern for internal attacks from mischievous co-workers.
Re: (Score:1)
Strong password requirements are a big part of the problem.
I've known people to use a kind of "formula" to create/remember passwords. It works such that you don't need to strictly memorize your password, but you only need to remember how to derive it. First, I come up with some basic, moderate-strength password, like 4Fa2@xx8?L. But instead of the "xx", I replace it with the two letters in the site's domain name before the TLD, so for slashdot, maybe my password would be 4Fa2@ot8?L.
This is a very simple example, but you can imagine new ways of creating a formula
Encrypt your sh*t. Or you aren't a professional. (Score:2)
I'm tired of seeing articles which talk about IT "professionals" who don't even know how to use encryption.
It's not hard, it's more a matter of people not wanting to have any security because then they don't have to hire actual professionals who might cost a bit more.
Re: (Score:2, Interesting)
Like what? The code for the project I'm working on? Or are you suggesting I encrypt my entire production database that I can access over a VPN from my notebook?
If you have shit on your laptop that needs encryption, you aren't a professional.
Re: (Score:2)
IT workers != IT professionals. The marketing director's admin does IT work for him, she is not a professional IT technician. Laptops AFAIK are not given out to those that deserve them so much as those who can't be required to sit in an office all day. Think about this for a minute. Are the tech savvy people in the office or on the road?
Re:Encrypt your sh*t. Or you aren't a professional (Score:5, Interesting)
A question that should be asked more than it currently is, is why do you need this data on an easily stolen device. For example, why do customer records need to be on a laptop, why is this confidential document on a USB stick?
In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables so if you try to connect a laptop to the cable running into your machine, it won't work. If anyone wants anything taken from the network, they need to raise a request and then if it's granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient but our data is secure, controlled and even in the event of a lost laptop or USB stick, we know that it's encrypted to a high standard
Re: (Score:2)
Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.
You're missing the point of the article - It's saying that encryption isn't a panacea because of the human factor - People write down passwords, put their tokens in their laptop bags etc.
Re: (Score:2)
Re: (Score:2)
"Bob, I need financial data for all clients bought the WidgetMaster 9000, ASAP!"
"Sure, boss. I couldn't attach it to email for some reason, so I posted it on superfileshare.com."
Encryption isn't everything (Score:4, Insightful)
I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.
Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.
However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.
So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.
Re: (Score:2)
Re: (Score:2)
The professional only needs to ask two questions ....
1st question: why have you got sensitive data on your laptop ?
2nd question: if you have (or might have) sensitive data on your laptop, why is not encrypted?
In my experience the people who "have to" have sensitive data on their laptops generally don't have to ...
and the people who have sensitive data on their laptops always come up with poor reasons why they don't want encryption ...
Maybe they should tie them to their wrists (Score:2)
Re:Maybe they should tie them to their wrists (Score:4, Informative)
In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.
Re:Maybe they should tie them to their wrists (Score:4, Informative)
It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.
Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.
Re: (Score:2)
I have to wonder if seeing abandoned laptops laying around is commonplace there.
I've never seen a laptop just lying around unattended somewhere, so no, it is far from commonplace.
Human is the weak link in anything (Score:5, Interesting)
Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.
One word: (Score:3, Insightful)
Re: (Score:2)
Perfect example. If it was not for the humans interfering, this would be a better world.
Oh, what a feeling... (Score:2)
Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.
JohnnyCab!
Re: (Score:2)
Thanks, HAL.
Ponemon (Score:5, Funny)
the Ponemon Institute
Laptops: gotta steal 'em all.
Encryption and you (Score:5, Insightful)
Re: (Score:2)
And every password you add makes things a little harder, and sooner or later people decide to make things easier - usually with post-it notes.
Re: (Score:2, Informative)
Re: (Score:2)
Humans may be the weak link, but... (Score:2, Insightful)
Re: (Score:3, Insightful)
Humans may be the weak link in information security, but the information is only useful to humans so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.
I'm glad we've moved past the Stone Age with their silly ideas about "braking systems". Things are so much better now without them.
:-)
Not a great thing. (Score:3, Informative)
You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.
If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.
Example:
awfuieri3v
4u9388535v
v9tv379vn7
mc20884v05
That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one, for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
Re: (Score:2, Interesting)
Get a longer password. Get a bigger matrix with more noise.
Re: (Score:2)
> We could try to figure out your "secret path"...
First, though, you have to steal his wallet. Then you have to realize that there is a path.
Re: (Score:1)
Honestly, I don't care. You find the sheet of paper, you have my password. But you're unlikely to find the sheet of paper. Hell, I can hardly find the thing most days.
Re: (Score:2)
An attacker should use everything available to him/her to compromise your account. With your gibberish of 10x4 up there, one might immediately assume a random string is necessary. If I assume 8 digits, I'm stuck with 40^8. Immediately, that s
Human error (Score:1)
Huh? (Score:1, Insightful)
This is news?
Weakest Link (Score:3, Funny)
You ARE the weakest link. Goodbye.
I really enjoyed that episode of Doctor Who [youtube.com]. Now I'm a little scared.
Its Funny (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Awwwww, darn, and I had this lovely snarky reply about math skills all worked up and everything. Killjoy! :)
But I agree, pick any organization of any reasonable size and it's almost inevitable that a laptop or smartphone will vanish at some point. That's why they need to be encrypted, with a good "nuke remote" option.
I carry a laptop and a Blackberry, and if either is stolen all I have to do is call my company's helpdesk at an 800# and give them my employee number and which device has been stolen, and the
Why allow important data on laptops at all? (Score:3, Insightful)
...without strong countermeasures to prevent the data from being exploited?
I guess I don't understand why, if some chunk of data is critically important, that the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office with access from outside the office only on a business-critical basis and with strong security requirements (i.e., VPN-only accessible terminal server, all using RSA tokens).
And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?
I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).
The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.
And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.
Re: (Score:3, Insightful)
And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.
True, but the problem is you need to treat every theft like a security breach - So while an encrypted laptop with a SecurID token in the laptop bag was probably stolen by a junkie, you just don't know whether or not the final 'owner' is noodling through the data.
Re: (Score:1, Informative)
Plus, the junkie is selling it to someone, and people who want to look for data might be willing to pay a significant premium over people who just want a cheap laptop. Junkies aren't completely stupid - they'll sell the machine to whoever is willing to pay the most.
I occasionally recycle old machines and give them to people. The local dump frequently yields good "parts" machines or often fully-working machines that are just too slow (frequently high-powered machines that are only slow because the former
Re: (Score:2)
Somehow the data thief stringing along a half-dozen heroin addicts for used laptops sounds like a great plot vehicle for a movie but pretty unlikely in real life. Drug addicts, gang members, et al are who they are because they are unreliable, dishonest and only concerned with very short term outcomes -- like how am I gonna get high in the next hour.
It sounds like a clever idea to use them as secret shoppers to steal laptops, but what happens when they steal the wrong ones? It's like Frankenstein sending h
Re: (Score:2)
It sounds like a clever idea to use them as secret shoppers to steal laptops, but what happens when they steal the wrong ones?
That's not what we're talking about here - We're talking about a junkie stealing a laptop, then the junkie's fence selling it on Craigslist, and the final owner, out of curiosity, noodling around in the data on the device and discovering something.
Re: (Score:2)
Maybe it would be hard to target a specific company that way but what is stopping someone just buying stolen laptops from addicts and searching them for information of potential value?
They would obviously get some with no valuable information on them but I'd bet enough would have valuable information to make the endeavour worthwhile.
Why allow important data on laptops at all? (Score:1)
You had me at 'at all'.
Why allow important data on laptops at all? Why not simply require that sensitive data only be accessed remotely? You can solve this problem with VNC. There are a very few situations where it is impossible to get internet access sufficient to use a computer remotely. In these few situations, a whole-disk-encrypted system can be used, which won't solve every problem (as this article indicates) but will at least narrow things down considerably. But in most cases, there's no actual need
The reason why security is hard... (Score:3, Insightful)
... is because computers do exactly what they are told to do [smbc-comics.com].
It will be that way (Score:1)
Uhm. DUH!?!?!? (Score:3, Insightful)
You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.
I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
phishing (Score:2)
We get people responding to this kind of phishing message all the time, to a helpdesk@yahoo.com.hk address
We haven't had quotas in like 6 years.
---
The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database,
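A triage check for the "mailbox quota" helpdesk lure above, as an added example that is not the poster's code: it flags a helpdesk identity whose replies leave the organisation's domain, a free-mail reply address, and quota wording in a shop that (as the poster says) has no quotas. The organisation domain, the free-mail list and both sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses

ORG_DOMAIN = "example.org"           # assumption: the organisation's own mail domain
ORG_HAS_MAIL_QUOTAS = False          # the poster's shop dropped quotas years ago
FREEMAIL_DOMAINS = {"yahoo.com.hk", "yahoo.com", "gmail.com", "hotmail.com"}  # assumption
# Phrases lifted from the lure text quoted in the post (matched case-insensitively).
QUOTA_LURES = ("e-mail space", "inbox does not grow", "reset your space", "megabytes (mb)")


def addr_domains(msg, header):
    """Lower-cased domains of every address in a header (empty set if absent)."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(values) if "@" in addr}


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domains = addr_domains(msg, "From")
    reply_domains = addr_domains(msg, "Reply-To")
    identity = (str(msg.get("From", "")) + str(msg.get("Reply-To", ""))).lower()
    outside = (from_domains | reply_domains) - {ORG_DOMAIN}

    if "helpdesk" in identity and outside:
        findings.append(f"claims to be the helpdesk but replies go outside {ORG_DOMAIN}: {sorted(outside)}")
    if outside & FREEMAIL_DOMAINS:
        findings.append(f"free-mail reply address: {sorted(outside & FREEMAIL_DOMAINS)}")
    if reply_domains and reply_domains != from_domains:
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    lures = [phrase for phrase in QUOTA_LURES if phrase in text]
    if lures:
        findings.append(f"mailbox-quota lure wording: {lures}")
        if not ORG_HAS_MAIL_QUOTAS:
            findings.append("cites a mailbox quota this organisation does not enforce")
    return findings


# Constructed sample modelled on the lure quoted above; headers are invented.
PHISH = """\
From: IT Helpdesk <helpdesk@yahoo.com.hk>
Reply-To: helpdesk@yahoo.com.hk
To: staff@example.org
Subject: Mailbox size warning

The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database, reply to this message.
"""

# Constructed benign message from the real internal helpdesk.
BENIGN = """\
From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Laptop ready

Your replacement laptop is ready for collection at the service desk.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(sample) or "no findings")
```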
Stolen laptops should be ok (Score:2)
In Other News the Sky is Blue... (Score:1)
Seriously... humans are the weak link... don't tell me it's so!
where's the beef? (Score:2)
I went to Ponemon's home page, but was unable to find the study referenced by the article. Just two questions, though:
What information do we have on the relativ