I have been considering hanging up my spurs as an application security professional. Instead I am going to start selling laptop security cables.
Over the past couple of weeks we have seen personal data stolen for:
What is the common thread for all of these massive thefts of personal data? Stolen laptops.
What can be done to stop this plague of valuable data stored on easily-stolen laptops?
Couple of ideas:
- Limit data collection. If you never collect the data then no one can steal it from you. In all of these cases (except perhaps the Hotels.com situation) this might not have helped, but it is still good advice and the foundation of protecting customer information.
- Policy and policy audits. Who should have access and where is customer information allowed to be stored? A little bit of discipline here would have gone a long way to preventing these breaches. Also – having a policy isn’t enough. You have to audit to be sure that policies are being followed.
- Encryption. If you have sensitive data at rest it should be encrypted. End of story. There are some interesting TPM solutions to this problem starting to surface as well as good old fashioned PGP.
I spend quite a bit of my time working with organizations on ways that they can help prevent the compromise of their customer information via web-based applications. However, as Ira Winkler mentions (for example in his book Spies Among Us) if it is easier for attackers to go through some other means like stealing a laptop – they will. And this makes all of the technical countermeasures used ineffective.
dan _at_ denimgroup.com