US LAPTOP SECURITY AND THEFT Laptop Security, Theft, And Public Relations: Password Protection Is Not “Protection” If There Is No Device Encryption - AlertBoot Endpoint Security
AlertBoot Endpoint Security
Laptop Security, Theft, And Public Relations: Password Protection Is Not “Protection” If There Is No Device Encryption
We seem to have a new trend: I’m seeing more and more instances of people stating after a data breach that the lost or stolen computer was not encrypted but was password‑protected: The Home Depot and the Kiski Area School District instances are the two that come into mind as of right now, but there certainly have been more since then. A quick search in Google also shows that CUNY released a similar statement regarding a laptop theft reported last month.
It seems that they’re referring to the password and username you have to enter prior to accessing your Windows machine, the Windows logon prompt. Unfortunately, that particular logon prompt is not secure. I’ve already mentioned in passing why this is so in other blog posts.
I’m not sure what to make of it. Is this a PR effort in a lame attempt to assure the people affected? Or perhaps people in the public relations department actually believe that because you’re entering a password, this offers some kind of protection?
I’m something of a cynic, so I think it’s the former but hope it’s the latter. I’ve talked to plenty of people who didn’t realize that the Windows logon prompt is not an adequate measure of security. On the other hand, I’ve seen signs of the former as well. In one instance, someone purportedly said that in most cases where a laptop has a password on it, the perpetrator will just attempt to offload a computer without accessing the contents. I don’t have a problem with such a statement; chances are that this is true.
But it strikes me that such an attitude is nothing more than a hope and a prayer that the criminal will not take the time to try to break into the laptop. Or, that the subsequent person who buys the hot merchandise will not attempt to do so. Relying on password protection, without encryption—knowing that this is not adequate protection—is relying on ignorance to protect your data. This method of “protection” is the least secure kind of protection, if one can call it that: It’s like protecting your home by locking your front door, but also leaving a crowbar on the welcome mat with a note “Gone fishing. Will be back Wednesday.” Except, to make it parallel to a stolen laptop, the thief has managed to move your entire house into a secluded place where no one can see or hear him using the crowbar.
Those who did their homework know that there is no substitute for encryption. This is why the TSA required all contractors to encrypt all data. Or why the Gap went relatively unscathed when they announced that one of their contractors had their laptop stolen: as I recall, most of the criticism was centered on the fact that the Gap wouldn’t release the name of the contractor—who was supposed to have the Gap’s information encrypted. Of course the Gap was not criticized; people were angry with the contractor, it was they who messed up. The Gap did its homework and made it a requirement that computers be encrypted, and who can ask for their blood when the company made the right decision?
Encryption is the key to securing data. They're the locks and keys of the digital domain. Services provided by companies such as AlertBoot allow you to secure your information. Not only have you taken the crowbar off your "Go Away" mat, you've secured you door and windows and chimney (and any other potential security holes) with unbreakable locks. A trillion keys will fit that lock, but only one will open it, and only you know which one it is. The thief can spend the rest of his life trying to find the key. With a trillion keys, it should only take him 31,000 years or so to try all the keys, assuming it takes him 1 second to pick a key, fit it, try it, discard it, and get the next one.
Posts
No comments:
Post a Comment