SecureState’s Incident Response Team has performed several mock scenarios for clients based upon the question, “What information can be obtained if one of our laptops is stolen?” SecureState approaches the situation much like a standard attacker: we attempt to bypass logins and encryption to obtain whatever sensitive information is available on the system. Every Information Security professional knows that laptops and mobile phones can hold several key pieces of information, and as such should be lobbying their company to perform user awareness training.
According to The Leaking Vault, one of the largest avenues for a criminal to steal a device is a user leaving the device unattended within a vehicle. If a device is consistently left within a vehicle, it is only a matter of time before it is noticed and stolen. Keep in mind that a laptop or mobile device is not just the initial vector for the breach; several other pieces of information may exist on or within the device that can expose the organization to further compromise. This information can include but is not limited to:
- Remote access security devices
- Paper notes with PIN codes
- Sensitive data on printouts
One of the most common statements by a company that has lost a device is that the device is password protected. A password alone does not provide any real protection against a skilled attacker accessing the data, as the password can be bypassed with minimal effort or expertise. In a few short minutes, all of the information on the device is in the hands of the thief. Passwords still have a purpose, as maintaining a strong password policy can help thwart less knowledgeable attackers. Another level of defense that should be implemented is full disk encryption, which helps to protect the device from a would-be attacker with physical access.
The most common recommendation SecureState makes to clients when performing a mock scenario involving a missing mobile device or laptop is to encrypt the device. Full-disk encryption will stop 99% of all attackers, as the time, effort, and knowledge needed to break the encryption are above those of the standard thief. SecureState also recommends hosting user awareness training for all personnel who use mobile devices and laptops with company information. User awareness training will teach employees the basics of protecting their devices and the sensitive information on them.