MARYLAND COMPUTER SECURITY NEEDS TO BE IMPROVED Security for laptops raises concerns as many machines go missing, stolen - Examiner.com:

Security for laptops raises concerns as many machines go missing, stolen

BALTIMORE - The names and Social Security numbers of hundreds of patients at a Leonardtown hospital were stored on one laptop.

Another laptop, in Boston, housed software for creating FBI identification badges.

Count them among dozens of stolen or missing laptops in the United States containing personal, sensitive or classified information.

Laptops are increasingly replacing desktops in the public and private sectors, but security has lagged behind mobile technologies, experts say.

“The speed of security hasn’t kept up with the technology,” personal security and identity theft expert Robert Siciliano said. “People aren’t paying enough attention to the issue.”

Siciliano bills himself as an unofficial spokesman of MyLaptopGPS, a Stillwater, Okla.-based company that sells laptop-tracking software which allows users to remotely track and remove sensitive data when the stolen laptop connects to the Internet.

Laptops boast the same horsepower and capacity as their bulkier counterparts, but their portability is as much a convenience as a liability, according totheft figures.

The CSI/FBI Computer Crime and Security Survey reported that in 2006 stolen laptops and mobile hardware cost the roughly 600 participating companies and government agencies nearly $7 million.

Experts consider those figures low estimates because they don’t account for the true value of the data, particularly when the data represent Social Security numbers, or the names and addresses of federal agents.

Disk encryption remains the most effective way to secure a laptop, but tracking software has gained momentum, said professor Robert Guess, who teaches information systems technology at Tidewater Community College in Virginia.

But relatively few companies have adopted it, he said.

The software is inexpensive, but the companies also charge monthly service fees, which start at about $10 per machine.

The data on the laptop stolen in December from St. Mary’s Hospital, in Leonardtown, was not encrypted, hospital officials said. Their answer to laptop security was to do away with laptops completely.

The FBI lost 10 laptops containing sensitive or classified data between February 2002 and September 2005, according to a Justice Department report released last month.

“We suspect that most of the laptops are misplaced or in a desk drawer somewhere — not in the wrong hands,” FBI spokesman Paul Bresson said in a telephone interview.

But at least three were stolen, and just three of the 10 were encrypted, the report said.

The FBI does not equip its computers with tracking software or devices, Bresson said.

“It has to do with inventory control,” Bresson said. “That’s what we have to improve more so than installing some kind of tracking device on our laptops.”

PROTECTION TIPS

» Insure laptops from theft (Note: Insurance does not typically cover the data).

» Avoid storing sensitive data on laptops and mobile devices.

» Use a strong disk encryption system.

» Use a laptop configuration that minimizes software vulnerabilities.

» Provide and require the use of security cables.

» Automate data backup to a remote location.

» Use strong authentication.

» Investigate the use of antitheft and remote tracking software.

Source: Robert Guess, assistant professor of information systems technology at Tidewater Community College in Virginia

jpalazzolo@baltimoreexaminer.com