Robbery, is your data prepared?

This article was republished in a variety of print sources, like Euro BusinessWeek:
scan0001

 

 

 

 

 

scan0003scan0002I originally published this blog at http://community.ca.com/blogs/securityadvisor

Published     Jul 15 2007, 11:00 PM by     Benjamin Googins

A chill ran up my spine when I came to my front door and it was already open. A USB cable lay strewn across the doorway. I could hear a stereo speaker eerily buzzing inside. I pushed the swinging door aside and confirmed my fear. I was robbed! After a wonderful weekend of camping and fishing, I returned to a mess and all my computer related equipment stolen.

I use my computers for many activities – telecommuting, accessing the Internet, performing online banking, processing and storing pictures, storing music, and writing and storing personal notes and journal entries. Getting robbed helped me quickly realize what I value most: my data, not the hardware. Fortunately, I was relatively prepared for this robbery. Are you?

Here are six preventative steps that could make computer theft a lot less painful:

Password protect your computer. A system password was my first line of defense in preventing data loss. It is the gateway to my system. I could imagine, all too vividly, the robber getting home with my laptops, flipping them on, and finding his access obstructed by my good system passwords. The common criminal does not have the expertise to access data on a password protected system. I imagine my drives were wiped clean and a new operating system installed. A happy thought!

Windows offers you the option of creating a password hint. Make sure the hint doesn’t give away your password – for example, “hint: my first name is”. As silly as this may sound, it is all too common. Also, don’t keep passwords written on paper next to your computer — another common, avoidable mistake. Robberies differ from online attacks in that the robber takes the whole caboodle. A sheet of passwords is gold to a thief.

What you should do:

• Create memorable (something you can remember without writing it down), strong passwords.

• Read this tutorial on how to create good passwords: http://www.microsoft.com/protect/yourself/password/create.mspx

• Check the strength of your new passwords: http://www.microsoft.com/protect/yourself/password/checker.mspx

Note: there are advanced techniques for getting around a password protected system. If you have sensitive data on your system that could be specifically targeted by a robber, you may consider using full disk encryption.

Further reading:

http://home.eunet.no/pnordahl/ntpasswd

http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx

Protect your external data storage device. I regularly backup my critical data using a 120 gigabyte external hard drive. For me, this is a fast and easy backup solution. Unfortunately, the robber took my computers and external drive, so each of these needed to be protected. Without a protected drive, I could imagine the robber’s slimy fingers clicking through my personal photos and reading my journal entries. Very creepy. You don’t want this.

A floppy disk, hard disk drive, compact flash, Multi Media Card, memory stick, or external hard drive are all quick ways of backing up your data. Be sure your regular data backups are encrypted and password protected. Your data backup is a roundabout way of accessing your computer; make sure both are protected.

What you can do:

• Insure your backup solution leaves your data protected (not just backed up). If you use a commercial backup solution, chances are it already provides some data protection. You may want to double check this

• Compress and password protect data copied verbatim to external media

Use a password manager. Personally, I have a surprising 35 different logins for accounts like Expedia.com, Chase Bank, and Yahoo! Mail. There is no way I can remember all of these account logins. Many computer users store passwords in plain text on their computer. This is the worst possible scenario because both online threats (like keylogging trojans) and robbers can easily access them. Don’t do this.

What you should do:

• Store (and backup) passwords with a password management tool. There are many free solutions available.

• Create a very strong password for accessing the password manager.

• Hint: most password managers can create good passwords for you.

Store critical data away from home. Even though I knew my data was out of the thief’s hands, I needed it in my hands. My hardware was gone; this is where my remote backup came into play. In the business world, this is commonly referred to as “off-site backup,” and because data is the backbone of many companies, most have a plan in place. Your data is just as critical; get a personal remote backup plan in place. Fire, robbery, flooding, and other disasters can take away all your data, even if you regularly backup locally, so spend a little time considering what data is worth the resources and energy to back up.

Here are a few possible off-site solutions:

• Check with your ISP (Internet Service Provider). Many now offer remote data backup solutions.

• Purchase a commercial solution. It may seem like one more unnecessary bill to pay, but as the digital age rolls on, I think it will be increasingly common for home users to pay for off-site storage. As a parallel example, when digital music stores were a new concept, many people had a hard time laying out cash for something they couldn’t hold in their hands. Now it is commonplace. If you have data you care about, consider spending a little money to protect it. Investigate a few solutions by performing a web search for “remote data storage” or “online data backup”, for example.

• Backup and store at a trusted person’s house. Backup data like you normally would to a floppy disk, hard disk drive, compact flash, Multi Media Card, memory stick, or external hard drive and then drop a copy off at a friend or family member’s house. If you’re in a particularly disaster prone area, send it off to a family or friend on the other side of the country or world. This is a laborious method, but could work in limited circumstances.

• Backup data and store in a safe deposit box at your local bank.

• Encrypt data and email it to yourself. This solution works for webmail not email that resides locally on your system. Online email accounts are becoming very generous with storage capacity. If you have a relatively small amount of data you need stored off-site, encrypt it with a file compression program, attach it to an email and send it to yourself. This is a quick and easy solution that is easily accessible.

Remove cached pages and passwords. If the robber managed to break into my system, I knew he couldn’t open a browser, open my bank account and transfer funds out because I do not cache passwords for such sites. Think twice about caching (or using a password auto-fill program) passwords for critical web pages.

What you should do:

• Use a password manager to store passwords.

• Enter passwords only when you visit the site.

• Decline prompts to store passwords for a page.

• Remove cached passwords.

Write down hardware serial numbers. After the police officer checked every room and all closets and looked under beds for a hiding criminal, his first question was, “Do you have the serial numbers, make and models for your stolen hardware?” With this information, police (and you) have a chance to conduct at least a modest investigation by checking police databases, online auction sites and local pawn shops. Without it, little can be done.

What you should do:

• Identify all your hardware.

• Write down the make and model.

• Write down the hardware’s serial numbers.

• Incorporate hardware information into your off-site data backup plan.

• Considering using hardware tracking.

If a robber strikes (as well as flooding, fires and other natural disasters), you will have plenty of things to deal with; don’t increase the pain by losing pictures, journal entries and other personal data. Being robbed was far more emotional and disturbing than I could have imagined, but the feeling of personal invasion was minimized by the data safeguards I had in place – no creepy stranger looking at pictures of my loved ones or reading my journal entries!

Even modest attempts at following these six steps will pay off in event of disaster.

By: Benjamin Googins

avatar

Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat… Read More..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s