HIPS Series > Protecting Your Portables

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 18 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you here?

As you probably already know, security training is usually required for everyone in an organization's workforce who has access to its information systems.  It's required by law.  It's required by ethics.  It's required by business common sense. 

Learning to protect the portable computing and storage devices you use is an important part of that training.  Portable devices can contain very sensitive data -- sometimes very large quantities of it.  It's bad enough when a paper file is compromised.  A lost or stolen portable device can risk hundreds or thousands of times as much information.  That's potentially a security disaster.

Fortunately, there is a range of security steps -- some of them quite simple -- that can dramatically reduce the risks of using portables.  But never forget that greater vulnerability is inherent in any portable device, precisely because it is portable.

2. Portable computing devices

The microprocessors that power computer "thinking" have gotten cheaper, smaller and more powerful each year.  With that, the number of small, portable computing devices has increased.  It is now common to see all of these:

  • laptop and notebook computers
     
  • tablet computers
     
  • palmtop computers and personal digital assistants (PDAs)
     
  • "smart phones" (computers bundled with cellular telephones)

Such devices can be linked wirelessly to local computing networks, and then connect to anywhere in the world via the Internet.  Cellular-equipped devices can send data over the telephone network, and also to the Internet.

3. Portable storage devices

The range of portable information storage options has increased as well.  Once upon a time, there was only paper -- and paper remains important still.  But now we also have:

  • magnetic floppy disks (floppies) and magnetic tape (cartridges and cassettes)
     
  • rigid magnetic disks (removable and non-removable) in standard and micro sizes 
     
  • optical disks (CDs and DVDs)
     
  • solid-state "flash memory" cards (CF, MMC, SD, etc.) and USB "storage-key" devices

Data storage capacities of these devices range from around a megabyte (for floppies) to tens of thousands of times that (for optical disks and rigid magnetic disks).

4. Vulnerabilities to remember

All these portables share the convenient feature that you can take them almost anywhere at any time.  Hence the name.  That feature is also their most important defect -- because it makes them much more vulnerable to accidental damage, loss or theft.

How often do such bad things happen?   Based on insurance statistics for personal computers, there are many millions of "adverse events" each year in the US alone.

Much of this course focuses on strategies to prevent or recover from theft -- because portables are particularly attractive to thieves.  But as the insurance statistics show, you also need to be worried about accidental loss and damage.

5. Physically secure spaces

It's a simple truth that you've already read several times in other security series courses: The single most important protection for any computing or storage device is keeping it in a secure physical space.

Locked doors, alarm systems, video surveillance, human guards, and all the other elements of physical security go a long way toward securing modern offices and their contents.  When your portables are kept in an office with such protections, they are usually relatively secure. 

Unfortunately, people generally don't have portables if they're planning to use them only in the office.  Portables go home.  Portables go on business trips.  Portables sometimes even go on vacation trips.  These environments are generally less secure than the office -- often much less.

6. Assessing the environment

Consequently, the first safety step is assessing the physical security of the environment in which your portable is being used.  How easily could an intruder gain access to that space?

Remember that it can take only a few seconds for a thief to steal an unattended device that is not otherwise physically protected, so an intruder wouldn't need to get access for long.

In this respect, even an office environment may present considerable risks of theft, if outside vendors, customers and other unknown persons are often around and unmonitored.

That's why one of the first rules of portable security is "always keep it nearby."  How near?  We have a simple test.

7. The Ben Franklin Test

It's called the Ben Franklin Test, named for the unit of U.S. currency on which the famous scientist, inventor and political thinker appears.

If you wouldn't leave a $100 bill unattended in a particular place, you probably shouldn't leave your portable device unattended in that place either.  At least not without some of the additional protections we'll discuss in subsequent sections.

Most portables cost at least $100.  Indeed, most portable computing devices cost many times that.  The information on the device is often much more valuable than the device itself -- so it probably ought to be an even more expensive test.  Unfortunately, the $100 bill is the largest US currency denomination in regular circulation.  Maybe we should say "think about several Bens."

8. Secure storage and transit

When not in use, portables should be kept in a secure, locked room or other storage place.  It may be more convenient to leave everything at your usual work area, but is that space secure?

When portables are transported from one location to another, they should ideally be kept with you or close to you at all times.  (Remember Ben again.)  If that's not possible, portables should be locked up in something else and, to the degree possible, hidden or disguised.

For example, don't leave a portable on the seat of your car, in plain view.  (It doesn't take long to smash a car window.)   Also, consider forgoing that expensive laptop case in favor of something that disguises what you are carrying.

9. Protection with locks and alarms

If you must leave your computer unattended in an insecure place, you can still gain a measure of physical security.  The cheapest option is a cable lock that secures your portable to an immovable object.  Cables can be cut, but they will at least slow down a thief.

Another option is an alarm system.  Wireless alarms use a transmitter kept with the owner and a receiver attached to the device (or vice-versa).  When the transmitter and receiver get too far apart -- say, because a thief is running away with the attached device -- the alarm sounds. 

Alternatively, a motion sensor alarm can be attached to the portable device, set to go off if it is moved.  Or an alarm can be combined with a cable-lock to activate if the cable is cut. 

10. Protection with labels, engraving

Labeling a device with your name and telephone number can facilitate return of a lost device -- at least if an honest person finds it.  (Your organization should have "If found, return postage guaranteed" labels and tags that can be used for this purpose.) 

Tamper-proof security labels and engraving are even better options to promote returns.  Such permanent marking also makes the device difficult to re-sell, and so a less attractive target for theft.

Remember that even if you get your portable back in perfect working order, the security of the data on it may still have been compromised.  Always report the loss or theft of a device containing sensitive information -- even if it was only out of your control for a short time.

11. Protection with passwords

Most portable devices have technical security measures to protect the data on them from being accessed by intruders.  These should be used if the device will contain sensitive information.

Almost all portable computing devices can enable login passwords and a password-protected screensaver.  (If the device can employ an access token or biometric authenticator, that's even better.) 

It's true that such passwords can sometimes be defeated by a savvy, determined attacker, but they'll usually deter a casual one.

Password protection is also available on portable storage devices like USB keys.  (If your portable media doesn't have it, consider buying another model to use for sensitive data transfer.)

12. Protection with encryption

Many portable devices allow protection of individual files and directories with encryption.  If the capability is not built into the device's operating system, it can usually be added via supplemental software.

Encryption can add a virtually impenetrable level of security for portable data, but at the price of a degree of inconvenience for the user.  Some encryption systems are unlocked with a password for the protected files or directories.  Other systems require use of a physical device, such as a USB key, in conjunction with a simple PIN.

As with use of encryption on non-portable computers, whether the inconvenience is "worth it" depends on the sensitivity of the data being protected, and the probability of loss given how the portable device is to be used.

13. Protection with tracking systems

Portable computing devices can also have "tracking software" installed that will report the location of a missing device whenever it connects to the Internet.  Some security software of this type also has the capability of erasing data on the device by remote command.  (This is a standard feature of BlackBerry devices, for example.)

Tracking services generally require paying an upfront fee and an annual protection license.  Is it worth it?  As with encryption, it depends on the vulnerability of the particular computing device, given how it is to be used, and the sensitivity of the data kept on it.

As with any other protective strategy, you should consult with a knowledgeable person in your organization's information security group if you're not sure what is appropriate for your circumstances.

14. Communications security

As noted at the outset, portable computing devices are often connected wirelessly to local networks and other devices.  It is critical that you take the standard steps to secure any Wi-Fi (802.11) and Bluetooth wireless connections your device employs. 

In addition, portable computing devices accessing sensitive data may need to use available capabilities for secure end-to-end communications, such as virtual private network (VPN) software.

Securing any computing device that will connect to the Internet requires attention to the full range of technical safeguards -- whether it's a portable or one that never moves.  If you don't have appropriate protections in place, you may be at great risk. 

If you haven't done so already, you may want to read more about such steps in the Protecting Your Computer course.

15. Minimizing sensitive data storage

The best way to protect data is to keep it off a portable in the first place.  Whenever possible, avoid putting sensitive information on portable devices that must leave the office.  If you cannot avoid it, try to keep the amount to a minimum.

What if you need access to sensitive data from your portable computing device?   Consider keeping the data on computers that are in physically secure locations -- and then access the data via secure communications links.

What if you need to transfer sensitive data from place to place?  Use portable storage media with technical security features like passwords.  Or send it as an email attachment, if (and only if) you have access to a secure email system.

16. Maximizing password safety

Passwords are used for device login, encryption of files and folders, wireless security, and access to secure Web sites.  Be sure to pick good passwords.  (For tips, see the Picking and Protecting Passwords course.)

Be sure to protect your passwords appropriately too.   You know the rules:  It's dangerous to keep passwords in a text file on the device itself, however well hidden you may think that is.  Instead, use password manager software or password manager hardware.

While we're on the subject, it's worth repeating that it's generally a bad idea to use the "remember my password" option for Web pages you access from your portable device.  If your portable is compromised, you'll potentially be compromising access to all these login-protected places too.  

(We give the same advice to users of non-portable computers, of course, but it's particularly critical here.)

17. Keeping secure backup copies

As noted, the loss or theft of a portable may compromise the confidentiality of sensitive information.  It will definitely compromise your own access to the information on the device -- because you won't have the device any more!

Loss and theft are not the only risks.  As noted, portables are also very vulnerable to accidental damage, especially when in transit.  It's a rough world out there, as the insurance statistics show.

It is critical to have backup copies of all the important data on a portable -- kept in a separate place.  (That's a good idea for any computer, but it is particularly important with portables.) 

Whatever backup option you choose, you'll also need to pay attention to security for your backup copies.

18. Security on "borrowed" systems

We're not trying to convince you to leave your portable locked up back at the office at all times.  We just want you to be careful when you take it out into a sometimes dangerous world.

If you do decide to leave your own portable computer behind, be careful about relying on others' devices.  Using a "borrowed" system to access the Internet, email or other applications can leave sensitive information behind. 

If that borrowed system is infected with a key logger or other form of spyware, it can leave a lot of information behind.  Ideally, you should only use a computer you can trust -- where you are reasonably sure that appropriate security steps have been taken.  Failing that, personal server devices (built into USB keys) are available to add security.

19. Secure disposal

Sooner or later every device reaches the end of its productive life.  When you no longer need a portable computing device or a portable storage device, it is critical that you take steps to clean it of any sensitive information.

This isn't always as easy as you might think.  Paper can simply be shredded.  So can optical media like CDs and DVDs (though it may take a powerful shredder).  Hard drives inside computing devices must be systematically over-written or physically destroyed.  Floppies and magnetic tapes require the same.  Solid-state (flash) memories must also be over-written or physically destroyed. 

If you don't understand the secure disposal specifics, find someone who does.  Don't ever just throw a device in the trash!  

20. Appropriate "defense in depth"

This course has covered many security options.  The more of them you use, the safer you'll be. 

Though better than nothing, it is rarely adequate to employ only one security mode.  But it is also rare to need all of them.  What is right for you?  Unfortunately, we can give you no firm rule.  As we've noted several times, you must assess your own vulnerabilities, given how and where you use your portables, and what kinds of information you keep on them. 

The risks of a security breach include the cost of replacing the device itself, and the costs associated with loss or exposure of any critical data on it.  The data risk will often be much more important -- which is why we've stressed protecting storage devices as well as computers.

21. If you remember nothing else

The rules for portable device safety are not difficult.  Remembering to practice them can be hard -- because it often requires extra effort and attention.  It's well worth it.  Ask anyone who has had critical data lost, stolen or damaged.

(1) Keep all portable devices as physically secure as possible.  With you, or nearby, is best.

(2) Enable any technical security measures that are available (like password protections).

(3) Minimize the amount of sensitive data on the device.  Report the loss/theft of any device containing sensitive data.

(4) Keep a backup copy of any data on the device that would be difficult to replace.

(5) Take appropriate steps for secure disposal when the device is no longer needed.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine