Matrix Group International

Category: Hosting and Security

  • So What Happens If Your Laptop Is Lost or Stolen?

    A couple of months ago, a NASA laptop containing personal information about employees was stolen. Apparently, this is not a rare occurrence. If you google for “stolen laptop containing personal information,” you get thousands of hits. Ugh.

    I used to lose sleep at night because so many of my staff use laptops as their primary work machine. All of my Project Managers, New Biz team members and Directors carry laptops. We even have Netbooks that staff can check out if they are headed to a meeting. The risks are obvious. Laptops contain company confidential proposals and reports. They have passwords stored in browsers to make it easier to visit websites. They store passwords so we can VPN into our intranet and check e-mail.

    While Matrix Group has an amazing track record of zero loss/zero theft of laptops and PCs (knock on wood), I still lost sleep. What would happen if a laptop were lost or stolen? Forget the cost of the machine. What would it take to recover from the loss? How quickly could credentials be changed? How much damage would we suffer if confidential information were released publicly? Would we even know about all of the passwords that would need to be changed?

    Today, all Matrix Group laptops have encrypted hard drives. Windows laptops use TrueCrypt, a free, open source tool for encrypting hard drives. Mac users take advantage of the built-in encryption capabilities through FileVault 2. Yes, laptop users need to log in to their machines twice: once to decrypt the hard drive and a second time to log in to the machine/network. We also use strong, long passwords, so it takes a few extra seconds to type our passwords. And yes, there is a bit of lag while we wait for the hard drives to become available.

    Is encrypting the hard drives worth the effort, hassle and wait time?

    Absolutely! My encryption password is 34 characters long and contains letters, characters and numbers. I know that any password can be cracked, but it will take a really, really long time to crack my password. So, for all intents and purposes, if my laptop were to get lost or be stolen, the machine would be a nice paperweight until the hard drive is reformatted. Although I love my Sony laptop (I have a nice one with a carbon fiber body and a solid state drive), I can always get another one. It’s the data that I really care about.

    The Ponemon Institute last year reported that 329 organizations surveyed lost more than 86,000 laptops over the course of a year. The Institute further calculated each loss to be worth $49,246, which meant these 329 companies alone lost over $4 billion! (Can you even imagine how 329 companies lost 86,000 laptops? What are they doing to these things?)

    So, my question to you is: what would happen to you and your organization if your laptop were lost or stolen?

    Addendum to this blog post from December 7, 2016: In 2014, development on TrueCrypt was discontinued. When I upgraded my laptop to Windows 10, I started using device encryption from Microsoft. Here’s a great article from Comparitech that answers questions about TrueCrypt and provides alternatives for encrypting your drives. Whatever you do, use something to protect your drives, especially laptop drives. Don’t just “hope” your laptop doesn’t get stolen and “hope” that the folks who steal your laptop don’t care about your data.

  • Are You and Your Organization Vulnerable to Social Engineering?

    A couple of years ago, I discovered strangers walking through our office unescorted. They told our receptionist that they were looking at office space in the building; they were well dressed, they referenced the name of our landlord and they asked nicely if they could just walk around and take a look at our space. Our receptionist, ever on the lookout for ways to be helpful, let them wander the halls.

    A couple of months ago, someone claiming to be an exhibitor at a client’s trade show called, asking for the client’s logo so they could use it in an e-mailing going out.  The person said they had the approval of the client.  My responsive Project Manager opened up a work request and got the logo sent out asap.

    In both cases, the persons making the requests were legitimate and no harm was done.  BUT, they just as easily could have been hackers or scammers and my helpful staff could have been duped into giving them information or access they were not authorized to have.  Which is why Matrix Group covers security during orientation and training for all new hires and we recently brought in a security expert to discuss social engineering.

    Social engineering is “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.” Kevin Mitnick, the famous computer hacker, claims that it’s “much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.” There are many social engineering techniques, including:

    • Pretexting is the act of getting people to divulge small pieces of information, which hackers use to obtain more information from the next person.  Knowing bits of information establishes legitimacy in people’s minds and makes them more willing to divulge even more information.
    • Phishing is used to fraudulently obtain private information.  Phishers typically impersonate legitimate businesses via phone or e-mail and convince victims to divulge sensitive or private information.  Think of the hundreds of e-mails you get that look like they’re from your bank; nearly all of them ask you for your account information, login information and/or SSN.
    • Baiting is a technique whereby hackers leave CDs or USB sticks containing viruses or trojans in public places, in the hopes that a curious person will pick up the items and insert them into their systems, effectively infecting them and making them vulnerable to hacker attacks.

    Social engineering is highly successful because of the natural human tendency to trust other people. In addition, most people want to be helpful.  In fact, we train our staff to be helpful because helpfulness is key to a successful business.  If you’re wondering if you or your organization are vulnerable to social engineering tactics, ask yourself these questions:

    • How easy or hard would it be for someone to gain access to your office by mentioning the name of the CEO and some key staff?
    • How difficult would it be for someone to impersonate you by providing your name, address, SSN, mother’s maiden name, spouse name, etc.? I’ll bet a lot of this information is on public Web sites and social networks. Just look at some of your friends’ profiles on Facebook; you’ll find hometown, e-mail, birthday, the works!
    • How hard would someone have to work to impersonate someone and convince a network admin to divulge or reset a password?
    • Have you held the lobby door open for someone off the street while entering a secure building?

    Okay, now that you’re paranoid, what are you going to do about this potential threat to you and your organization?