Notebook security in a Nutshell.

What are the odds of someone breaking into an office, getting past security and the receptionist, figuring out the cipher lock to the computer room, chain-sawing into the network file server, and then carting away all of the hard drives from a company server completely unnoticed? In most companies, the chances are pretty slim because they keep their most important asset - their data - stored on computers that are well-protected. Unfortunately, thieves no longer need to break into offices to steal sensitive data. Company employees are bringing the information right to them.

As notebook computers gain in popularity, the amount of sensitive information processed on them also increases. Notebooks, which are completely portable, can be used anywhere and anytime. Chief executive officers keep their notes on them; finance professionals take the company's financial information home for the weekend; and the contracts staff has the details of the current deal stored for easy access when traveling. But the sheer convenience of the notebook is also its biggest problem.

Sensitive information leaving the relative safety of the office presents a serious security risk, and that risk is deepened by the logistics of business travel. Hotel room break-ins are a fact of life; weary business travelers may leave their notebooks on trains or planes; and travelers have always been targeted by thieves because of their unfamiliarity with their environment and the large amount of material and luggage they carry around. A several-thousand-dollar notebook computer increases the attraction. Tack on a potentially priceless amount of data stored on that same six-pound package and the attraction takes a quantum leap upward.

Many corporate users do not believe that their data is of worth to anyone else, so they take minimal precautions. For protection, they delete sensitive information from the hard drive and store it on floppies, which are then stored in the convenient pockets of the notebook's carrying case. Even if the users are aware enough to store the floppies separately, the deleted files can still be recovered with one of the dozens of computer utilities that are available.

Using the password features of most commercial software is another precaution that is not fail-safe. People write programs that can crack password codes. These programs are distributed to other "crackers" via computer bulletin boards. Making the cracker's job easier are the users, many of whom use the same password for their network user identification and to protect their files on the notebook. Once the password is cracked, the thief can try the modem that is built into the notebook, load the communications software that has the phone number for the office network in its dialing directory, and see what other information is available from the company's computers.

The problem. In the past, when mainframe computers were used to process sensitive information, the computer programmers who ran them added security systems to keep the information safe. When sensitive information was stored on minicomputers, programmers developed security systems to protect them. Both of these computing environments were easy to control because all processing and storage was accomplished at the system or host level - the terminal was merely a window into the mainframe with no (or limited) processing or storage capacity.

As the processing power of PCs increased, so did the lack of control. Their inherent flexibility and adaptability allowed users to define their data, formats, and software themselves. But users also had to rely on themselves to secure sensitive information. No programmer came with the PC. After a few years of catch up, however, security was possible. Today, more than twenty-five companies make devices that simply plug inside a PC and keep information safe.

When laptops were invented, a few of those companies shrank their security devices down, opened up the laptop, squeezed their hardware anywhere they could, and - presto - secured the laptop. But notebooks are different. They are smaller than laptops but often more powerful, benefiting from advances in miniaturization of processor and hard drive design. These advances allow them to process and store even more data - and put even more data at risk.

Notebooks also have no internal connections for hooking wires, and those that offer expansion capabilities are not compatible with other laptops, requiring the end user to seek security from the manufacturer. If an organization buys notebooks from a variety of vendors, no consistent way to ensure security will be provided, if any security products are offered at all.

The solution. Most of the notebook computer companies, knowing that they lacked the expansion room of a desktop, have adopted a new industry standard called PCMCIA (Personal Computer Memory Card International Association). This standard allows the notebook to use the same type of optional equipment as a desktop, such as modems, local area network (LAN) adaptors, and memory expansion cards.

The PCMCIA slot is located on the outside of the notebook, allowing users to simply slide in the needed product. Instead of cumbersome computer boards, the technology has been reduced to credit card sized devices that fit in a pocket. The added beauty of this design is that while typical PC expansion cards can be any of three incompatible types, the PCMCIA is a standard embraced by most computer manufacturers. Thus, a card that works on an IBM notebook, or desktop, will perform equally well on another brand. The same cannot be said of traditional expansion cards.

While these cards were originally intended as memory expansion cards, manufacturers, including savvy security specialists, quickly realized that they were adept at more. The security devices that fit into the PCMCIA slot consist of three parts - an encryption engine, using either the data encryption standard (DES) algorithm or the new Clipper Chip, which was recently announced by the Clinton administration; a security processor so that the security device will not slow down the computer; and a memory area to keep special keys and security information.

While it is possible to purchase a software-only protection system, these utilities are memory-intensive, and since they rely on the system processor to encrypt and decrypt data, they either slow the computer down to an unacceptable level, or more often, rely on less than optimal encryption algorithms. For the commercial user, hardware encryption is the only way to ensure the system against compromise.

The PCMCIA card encrypts the hard disk, turning it into gibberish for anyone who tries to read it without the card. The encryption is generated with a combination of the owner's card and his or her encryption key. Both are required. Even if the notebook and card are both lost or stolen, the data is still secure. Of course, it is more secure if the owner's card is kept separate from the notebook.
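The "both are required" property described above can be modeled in software as a two-factor key derivation. This is an added example, not code from the article or from any card vendor: it uses PBKDF2 and HMAC-SHA256 from Python's standard library as stand-ins for the card's hardware, and the function names, salt, header check value and sample secrets are all assumptions constructed for illustration.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def derive_disk_key(card_secret: bytes, password: str, salt: bytes) -> bytes:
    """Mix both factors: stretch the password, then key an HMAC with the card secret."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.new(card_secret, stretched, hashlib.sha256).digest()


def check_value(disk_key: bytes) -> bytes:
    """Short tag kept in the disk header so a wrong key is rejected before use."""
    return hmac.new(disk_key, b"disk-key-check", hashlib.sha256).digest()[:8]


def provision(card_secret: bytes, password: str, salt: bytes) -> bytes:
    """Run once at setup: returns the check value to store alongside the disk."""
    return check_value(derive_disk_key(card_secret, password, salt))


def unlock(card_secret: bytes, password: str, salt: bytes, stored_check: bytes):
    """Return the disk key only when card and password both match, else None."""
    key = derive_disk_key(card_secret, password, salt)
    if hmac.compare_digest(check_value(key), stored_check):
        return key
    return None


# Constructed sample values (hypothetical, for the demonstration only).
OWNER_CARD = bytes(range(32))      # secret held in the owner's card
OTHER_CARD = bytes(range(1, 33))   # a different card
SALT = b"notebook-0001"            # public per-machine salt
HEADER_CHECK = provision(OWNER_CARD, "correct horse", SALT)

if __name__ == "__main__":
    print("card + password:", unlock(OWNER_CARD, "correct horse", SALT, HEADER_CHECK) is not None)
    print("wrong card:     ", unlock(OTHER_CARD, "correct horse", SALT, HEADER_CHECK) is not None)
    print("wrong password: ", unlock(OWNER_CARD, "guess", SALT, HEADER_CHECK) is not None)
```

In the hardware design the article describes, the card secret would stay inside the card's own memory and processor; this sketch passes it as a plain value only to make the derivation visible.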

After starting up the notebook with the card inserted and typing in the proper password, users have full access to their data. No additional passwords or commands are required. The notebook operates exactly as any other similarly equipped computer. Any software that can run on a standard computer will run on the protected machine. Operations remain at the same speed because all reads and writes to the hard drive are passed through the independent processor and memory on the card, which quickly encrypts and decrypts the data.

A well-designed card allows customization of its security levels, from simple boot protection up to and including full audit trail capabilities, covering most of the requirements at the C2 level of the Orange Book. It can manage multiple users, allowing some full access to the entire drive, or allow basic operation in a minimal mode. For example, the CEO and financial officer could see the entire drive, but if a junior employee needs to borrow the notebook overnight, his or her access can be limited. The employee will not stumble across the directory called "salaries" because the security system hides it. The system is so transparent that it does not make itself known with messages such as "security violation" when someone tries to access an unauthorized directory. Instead, the directory does not seem to exist at all.

A well-thought-out card system provides management utilities for the security officers who set up the notebooks for users. For example, it may include programs that allow security to set up and track thousands of individual cards (for large organizations). Programs may also permit the loading of similar security features onto multiple cards (for group access); the regeneration of the passwords and keys of lost cards; and the connection to a secured network. Other features to look for are security control of serial and parallel ports, and optional encryption for floppy disks and docking stations.

The future. It is important to look at the future of notebook computing to understand the future of information security products. PCMCIA is a standard. As notebook manufacturers release new models, they are including at least one, and usually more, PCMCIA slots. IBM recently announced a computer that boasts four. Because of the performance and robust operating parameters of PCMCIA cards, they are attracting attention. They have their own battery power, which reduces the drain on tiny notebook batteries. And unlike most PC expansion cards, which will ruin the computer if removed while the power is on, these cards give no reason for that concern.

Already, modem and network adapters in PCMCIA format have reached the market, and desktop computers equipped with PCMCIA slots will reach vendors' shelves soon. Organizations that buy PCMCIA security cards for their notebooks are moving toward the future of shareable devices for both desktops and notebooks.
COPYRIGHT 1993 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:data security
Author:Patterson, Tom
Publication:Security Management
Date:Sep 1, 1993