<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; privilege</title>
	<atom:link href="http://www.lithik.com/tag/privilege/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Traveling Safely With a Laptop</title>
		<link>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/</link>
		<comments>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 03:11:07 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FDE]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[notebook]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privilege]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[USB drive]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=142</guid>
		<description><![CDATA[Carrying a laptop has always meant a bit of risk. If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars [...]]]></description>
			<content:encoded><![CDATA[<p>Carrying a laptop has always meant a bit of risk.  If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport.  Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.</p>
<p>It doesn&#8217;t have to be that way.</p>
<p>There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place.  Implement them all and you can come close to eliminating the possibility of a data breach.  The following steps are organized by the threat they mitigate.<br />
<span id="more-142"></span></p>
<h2>Theft</h2>
<p>The best way to deal with the risk of laptop theft is to ensure that the thief cannot possibly get any of your information off of the computer.  If you work for a real business, the cost of having private information (proprietary data, HIPAA Protected Health Information, PCI records, etc.) fall into the hands of the bad guys is immeasurably greater than the value of the physical laptop.  Insurance will probably pay for new equipment anyway.  Fortunately, good technology is available to protect your information at a reasonable price.  My favorite price is free.</p>
<p><a href="http://www.truecrypt.org">TrueCrypt</a> is a free, open-source, high-quality Full Disk Encryption (FDE) product.  It supports a wide variety of modern encryption algorithms that are sure to foil any information thief.  But remember that once somebody has possession of your computer, it would be a very simple thing to boot it from a CD-ROM containing an FDE password cracker, a tool that would make short work of a simple boot-time encryption password like &#8220;<a href="http://modernl.com/article/top-10-most-common-passwords">letmein</a>&#8221;.  So <a href="http://www.lithik.com/2009/08/04/creating-good-passwords">choose a really good password</a>, where really good means really long.  Something like &#8220;till the end of time&#8221; (20 characters) will keep any current password cracker hunting for a few hundred years, or until someone adds phrases from popular songs or the Bible to the word lists employed by these hacker tools. You can mix it up with strange capitalization or a misspelling (say, &#8220;@ the end of Time&#8221;) to make it even harder, but the best way to make it better is to make it longer.</p>
<h2>Packet Sniffing</h2>
<p>You may have confidence in your WPA2 wireless G network at work, but what about when you&#8217;re on the unencrypted wireless network at Starbucks or plugged into the Ethernet at your hotel?  This is where the Virtual Private Network (VPN) shines, and there&#8217;s a really nice one out there at my favorite price.</p>
<p><a href="http://openvpn.net">OpenVPN</a> is a free, open-source VPN tool that runs on Windows, Linux, and even wireless access points.  When using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">TLS</a> (the successor to SSL) to negotiate 256-bit AES encryption authenticated with 1024-bit RSA certificates, this is a solid protocol with excellent credentials.  When carried over UDP, it has none of the difficulty traversing <a href="http://en.wikipedia.org/wiki/Network_address_translation">NAT</a> routers or firewalls that bedevils <a href="http://en.wikipedia.org/wiki/IPsec">IPSec</a> users.  We set it up so that it&#8217;s always on, staying out of the way when no network is attached or when accessing public web sites, but connecting automatically when possible to allow secure access to corporate internal systems.  It&#8217;s especially secure if <em>all</em> your traffic goes through the VPN, even when performing such mundane tasks as browsing public web sites.  Setting up OpenVPN, however, is not for the faint of heart, so hire a professional to do it for you.</p>
<h2>Network Attacks</h2>
<p>Being sniffed is not the only threat you face on public networks.  You are also open to direct attack from other network dwellers, so don&#8217;t make it easy on them by leaving your file shares open to the world.  The best configuration is termed &#8220;stealth&#8221;, where your computer refuses to respond to any incoming traffic at all.  No file sharing, no iTunes sharing, no remote desktop and no ping.  Only <a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP</a> remains operational, and it has to, because other devices need it in order to respond to your outbound web and other requests.</p>
<p>Fortunately, you can probably have your cake and eat it too.  Windows XP has two separate sets of firewall configuration rules, one for when you&#8217;re attached to a corporate Active Directory domain and one for when you&#8217;re not.  If you use Active Directory at work, you can set up the &#8220;domain profile&#8221; to allow management by your IT staff and configure the &#8220;standard profile&#8221; to be stealth when you&#8217;re on the road.</p>
<p>If you use Vista, you have even more choices.  There are three different firewall profiles: domain, public and private.  With Vista, you can have one set of rules for work, one for your home, and one for Starbucks and other dangerous places.</p>
<p>But what if you work at a small place that doesn&#8217;t use Active Directory?  You still have options.  On Vista, you can use your private firewall profile for work and the public one for everywhere else.  If you&#8217;re running XP, though, it&#8217;s a little tougher.  Have your IT folks set up rules in your standard firewall profile that are very tightly fitted to their setup.  Perhaps allow Remote Desktop and remote administration only from the corporate server&#8217;s IP address.  It&#8217;s not perfect, but an attacker will never know the difference unless you just happen to be on a public network with the same IP network number as your office <em>and</em> he happens to have the same IP address as your corporate server.  Not perfect, but pretty darn good.</p>
<h2>Passive Attacks</h2>
<p>Nearly all successful penetrations of home or corporate desktops occur through passive attacks such as visiting an infected web site or opening an infected e-mail attachment.  We&#8217;re so familiar with this kind of attack that it should come as no surprise that the mitigation is also familiar.  Keep your computer up-to-date with all the latest Windows and other patches, and use a good antivirus system.  Set your computer to update automatically with Windows as well as other applications: Adobe Reader, Flash, Apple QuickTime, etc.  Not all antivirus systems are created equal, either.  Check out <a href="http://www.av-comparatives.org">AV-Comparatives.org</a> to find out which are the best.</p>
<h2>&#8220;Drive-by&#8221; Attacks</h2>
<p>Someone plugs a hacked USB drive into your computer.  Or they load a CD-ROM while you&#8217;re in the bathroom.  Or you leave it unattended and someone reads your e-mail or steals a file by e-mailing it to himself.  These scenarios tend to be more paranoid than the ones above because you typically leave your computer unattended only in environments where the people are trustworthy.  Or so you think.</p>
<p>We keep hearing the statistic that 80% of all data breaches are perpetrated by insiders, but we can&#8217;t think of anyone where we work who would ever do that.  But they must exist, and, of course, any such person would keep such evil thoughts very, very private.  So let&#8217;s make a few changes that keep easy access to your computer just out of reach.</p>
<p>The first and easiest step is setting up a locking screensaver.  On nearly every screensaver, there is an option to have it prompt for a password before returning to normal operation.  Some computers also allow you to set up a quick and easy way to engage the screensaver, such as moving the mouse pointer to one of the corners of the screen.  Or you can press the Windows logo key (if you have one) plus the L key to immediately engage the screensaver.</p>
<p>Sometimes the Windows autorun feature is handy, but just as often I find it annoying.  But it can be positively dangerous if inserting a USB drive or CD-ROM automatically runs software from the device, especially if you think your computer is safe because the screen is locked.  Get rid of this behavior by <a href="http://www.lithik.com/2009/10/22/disabling-the-windows-autorun-feature">disabling autorun</a> (not autoplay&mdash;that&#8217;s different and not dangerous).  Just google for the phrase &#8220;disable autorun&#8221; and you&#8217;ll find dozens of step-by-step recipes.</p>
<p>Finally, any malicious person or software will find it much more difficult to infect your computer if you log in under an account that does not have administrative powers.  You need to be an administrator to do things like install new software, but that&#8217;s best done in a separate account.  Go to Control Panel -> User Accounts and create a new login with account type set to Computer administrator, then change the type of your regular account to Limited.  This is what Apple recommends its users do on OS X, and it plays a significant role in making Macs more secure than Windows computers.</p>
<h2>Summary</h2>
<p>You <em>can</em> carry a secure laptop, and it doesn&#8217;t have to be painful or expensive.  Here&#8217;s the list again:</p>
<ul>
<li>Use Full Disk Encryption (FDE)</li>
<li>Choose a <em>long</em> FDE password</li>
<li>Use a VPN to connect to your company&#8217;s systems</li>
<li>Set Windows firewall to <em>stealth</em></li>
<li>Configure Automatic Updates</li>
<li>Install a good antivirus system</li>
<li>Use a locking screensaver</li>
<li>Disable autorun</li>
<li>Use a non-privileged account for normal computer uses</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

