* The individual must lose (by negligence or through theft) a laptop

>> Yes. Not losing your laptop is a good security practice.

* The laptop must have information on it that could actually be used in some harmful way

>> Any employee who is carrying a work-related laptop is probably carrying it because they do sensitive processing on it. Credit card numbers, names of customers, a password list? Clues about the company’s network system, personal details about the employee who owned the computer, hooks that would save a hacker all kinds of work. Trying to keep people from putting sensitive data on their computers is a good idea, where feasible. Expecting them to keep sensitive data off their computers and counting on that for any kind of security is a really bad idea.

* The person who acquires the laptop (through whatever means) must desire to get data off of the laptop and not just sell the laptop for drug money, which is probably much more often the case.

>> Here’s where Security Guru falls off track. The threat comes not from the schmuck who found the laptop, but the guy who has put the word out that he’s paying, no questions asked, for laptops. This is the guy who is absolutely going to meet all the rest of the threat criteria. The hotel maid is not a threat — it’s her cousin’s friend, who will gladly pay $200 for that laptop.

* The bad guy must have the ability to get through the basic security protection on the laptop
* The bad guy then must have the ability to use that information in some hurtful way

Windows built-in protection suddenly doesn’t sound so appealing, does it? The free and open-source Truecrypt isn’t such a bad trade-off.

Another point, of course, is that policy controls (e.g. to discourage people from putting sensitive data on laptops) are often worthless without technical means of enforcing them. That’s a completely different, and equally interesting, discussion.

Specifically on encryption: EFS and BitLocker are quite effective at mitigating a wide range of risks, too many to cover here. I’ll be happy to have a side discussion if anyone wants more details. (disclaimer: I was the lead author for Microsoft’s Data Encryption Toolkit for Mobile PCs, http://technet.microsoft.com/en-us/library/cc500474.aspx)

I don’t think he’s either naive or “blithely ignoring reality.” If you google him and read some of his papers, you’ll find that he’s very well grounded in hard data. However, he is certainly unorthodox.

For example, he recognizes (as you intimate above) that most data and $$ theft occurs by insiders (about 70%, it turns out). Companies spend a disproportionate amount of time and money protecting against external threats when most abuses come from the inside.

In the scenario above, encryption doesn’t help. If the guy’s got a weak password and someone wants the data on his machine (or in the data center, for that matter) it’s there’s for the taking.

1. The individual must lose (by negligence or through theft) a laptop
2. The laptop must have information on it that could actually be used in some harmful way
3. The person who acquires the laptop (through whatever means) must desire to get data off of the laptop and not just sell the laptop for drug money, which is probably much more often the case.
4. The bad guy must have the ability to get through the basic security protection on the laptop
5. The bad guy then must have the ability to use that information in some hurtful way

Now here’s a scenario:

- Financial analyst puts a forecast on his desktop on the laptop.
- Has a weak password (or else is one known to other people)
- Leaves his laptop in his car while at lunch
- A coworker removes the laptop long enough to copy a file to a thumb drive

We invent the idea of the “bad guy” and the “competent user” as means to not worry about increased security. But if you just implemented some hard drive encryption (not difficult), you give yourself one other protection.

I think Tippets is kind of naive as to how people actually lose data and how they use laptops. (Or maybe not naive, but blithely ignoring reality.)

Scott/Craig.
He is not recommending that the enterprise disregard encryption. However, very simple encryption (note in the post I reference “heavy duty” encryption), just of folders which contain sensitive data, passes the California requirement and offers a basic protection from the “incidental” hacker who doesn’t have the wherewithal to get past it.

Anyway, this discussion probably was not meant to address endpoint encryption, but new ways of think about risk. I would very much enjoy listening to the other ideas like this. Is the general public privy to discussions held by the Research Board, or at least your discussion with Mr. Tippett?

The logic chain is classic “incrementalism.” If you believe this simple premise, then you also should believe this one, then surely this one–inevitably leading to a wholly false conclusion.

Purely driven by random chance, the point about the end risk being minimal might be accurate, but the cumulative (incremental) risk is one no business can afford to take.

A far simpler, cheaper, and all-around better solution is simply to prohibit anyone, especially senior folk who should know better, from carrying any confidential data whatever on their laptops.

As a side issue, apart from loss or theft, is the very real possibility that laptops (and their data) may be confiscated at international borders. There are no firm policies in place anywhere (including the US) as to what happens to such confiscated data, or on what basis a government might decide to confiscate it.

No sensitive data on the laptop–no worries.

With the new breach notification laws for personal information (now including health information), it doesn’t matter if someone does something bad with the information in the case of a lost laptop—just loosing it is bad!

A notification must be sent to all of the individuals whose information was on the device. Depending on how many records with personal information an enterprise handles, the cost can be very significant to send out the notifications, offer free credit monitoring, contract with a call center to answer questions, hire a team of lawyers and auditors for the next 2 years, deal with the FTC, not to mention reputation and stock value impact, etc.

Our organization calculated the cost of a breach notification with the assistance of experienced outside counsel and found that the actual risk exceeded any other single risk to our organization. Endpoint protection became extremely important—encryption is our get-out-of-jail-free card.

Tippett has some good insights, but he might want to update his example!

Todd, you mention that a good security design is one where “the maximum amount of security is applied with minimal inconvenience to the user of your system.”

Had you asked me last year I would have said the same thing. I need to be careful here because we’ve assembled a highly competent security team at the Church and they’re probably preparing to mutiny as they read this and I don’t want to give them or anyone the impression that security isn’t extremely important. Security is EXTREMELY important.

The point Tippett makes is that you never want maximum security, even at a cheaper cost. You want enough security given the actual risk. And the risk is an amalgamation of real, practical things–not just theoretical ones.

It’s not enough to implement a control because someone, somewhere could do something if X, Y and Z happened. We must implement controls based on the likelihood that those things will actually happen.

A good security design is one where the maximum amount of security is applied with minimal inconvenience to the user of your system. Using your example, a laptop’s HDD can be encrypted at almost 0 inconvenience to the user, but all it would take to access any unencrypted files on a windows machine is to boot up the laptop in linux (you don’t even have to install it, using a live CD) and then you have complete access to any and ALL unencrypted files on the laptop.

I guess what it comes down to is not how likely an attack is, but how valuable the information is that you are protecting. All it takes if for the thief (or discoverer of a lost laptop) who ends up with the laptop to recognize the value of the information and then the item will end up on ebay or craigslist, and that will very likely put the laptop in the hands of someone who knows how to use the information in a harmfull way.

A good book for any programmer hoping to get an introduction into Security is “Foundation of Security: What every programmer needs to know” by Neil Daswani, Christoph Kem, and Anita Kesavan. The book is obviously geared towards programmers but there are some fundamentals presented in the book which are applicable to other facets to IT as well.

Does anyone have any suggestions for other good books which cover, in a more general way, topics on security?