When it comes to data risks in Windows, one near constant is that your mobile Windows systems are not as secure as they could be. Keeping sensitive data protected on a Windows-based laptop is arguably one of the greatest IT problems in business today. Many shops are struggling with this, and others aren't even fully aware of the danger involved.
Oftentimes, management has no problem investing in locking down the organization's data center and e-commerce systems. When it comes to laptops, however, ignorance can create huge business risks. Many people, especially those in management, have yet to realize just how much sensitive data the average Windows-based laptop contains. This list could include:
- Local logon credentials that can often be used to connect to the network
- Network logon credentials in VPN and remote desktop connections
- Cached Web browser form data (Web site passwords, credit card numbers, SSNs, etc.)
- Sensitive Word, Excel, PDF, etc. documents
- Software license numbers
Consider the following data gleaned from my own laptop system in just a few seconds using the
A great deal of sensitive data was discovered and the search was only five percent complete. This isn't even counting the intellectual property on laptops that can be just as abundant. If you were to try a similar tool on a sampling of laptops in your organization, you'd likely get the same results. A Windows laptop that doesn't utilize hard drive encryption could very well be maliciously accessed via Wi-Fi or become infected with malware. Hacking into laptops is simple, and it's only a matter of time before it can happen to your business.
Much of this oversight comes from not having standardized on solid Windows security configurations. It also comes from overlooking Windows laptop systems during security assessments and audits. These shortcomings are typically the result of not having management buy-in and the right mobile security goals. At the very least, you need to consider adopting the following mobile security policies to ensure your Windows laptops are locked down:
- Perform in-depth security assessments on all Windows laptops once a year
- Encrypt laptop hard drives with strong passphrases and centrally-managed keys
- Enable screen savers on all systems with a timeout period of less than 10 minutes
- Run personal firewall software on all systems
- Configure all systems to automatically download and install Windows updates
- Configure all systems to update malware signatures via the Internet when they're not connected to the local network
- Confirm all systems are configured to not automatically connect to any wireless network in range
- Train and test all employees on mobile security policies each year
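As an added example that is not part of the original article, the PowerShell audit below checks a laptop against several of the policies above (drive encryption, screen saver timeout, host firewall, automatic updates, signature freshness and Wi-Fi auto-connect). It assumes Windows 10 or later with BitLocker and Microsoft Defender (the article names no products) and an English-locale `netsh`, and it must run elevated.

```powershell
# Added audit script (not from the original article). Assumes Windows 10/11 with
# the BitLocker, NetSecurity and Defender PowerShell modules present; run elevated.
# Each check returns $true when the laptop meets the corresponding policy.
function Test-LaptopPolicy {
    $findings = [ordered]@{}

    # Policy: encrypted hard drive. BitLocker is assumed as the encryption product.
    $sysVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings['DiskEncryption'] = ($sysVol.ProtectionStatus -eq 'On')

    # Policy: password-protected screen saver with a timeout under 10 minutes (600 s).
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    $findings['ScreenSaver'] = ($desk.ScreenSaveActive -eq '1') -and
                               ($desk.ScreenSaverIsSecure -eq '1') -and
                               ([int]$desk.ScreenSaveTimeOut -lt 600)

    # Policy: host firewall enabled for every profile (Domain, Private, Public).
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $findings['Firewall'] = ($null -eq $off)

    # Policy: automatic download and install of Windows updates.
    # AUOptions = 4 means "auto download and schedule install"; NoAutoUpdate = 1 disables AU.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
              -ErrorAction SilentlyContinue
    $findings['AutoUpdate'] = [bool]($au -and $au.NoAutoUpdate -ne 1 -and $au.AUOptions -eq 4)

    # Policy: malware signatures kept current off the corporate network (Defender assumed).
    $mp = Get-MpComputerStatus
    $findings['SignaturesFresh'] = ($mp.AntivirusSignatureAge -le 1)

    # Policy: no saved Wi-Fi profile set to connect automatically.
    # The text parsing assumes English netsh output.
    $auto = @()
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match 'All User Profile\s*:\s*(.+)$') {
            $name   = $Matches[1].Trim()
            $detail = netsh wlan show profile name="$name"
            if ($detail -match 'Connection mode\s*:\s*Connect automatically') { $auto += $name }
        }
    }
    $findings['NoWifiAutoConnect'] = ($auto.Count -eq 0)

    return [pscustomobject]$findings
}

Test-LaptopPolicy | Format-List
```

Any `False` in the output is a finding to remediate; the script only reports and changes no settings.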
Don't forget about mobile storage. External hard drives, USB memory sticks and SD cards that are often attached to mobile Windows systems are also exposed. As the U.S. National Archives learned recently, improperly secured mobile drives can create big problems.
The bottom line for administrators is to understand where your Windows laptops are vulnerable, know what sensitive data is where, implement reasonable controls and continuously check for holes. It's a simple formula for Windows laptop security that'll buy you a lot in the way of minimizing complex business risks.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
This was first published in June 2009