I do quite a lot of travel, and although I had a quiet month or two over the summer, I’ve got several trips booked over the next few months. For many of us, our laptop is a key tool that we tend to keep with us, and most of us will have sensitive material of some type on our laptops, whether it’s internal emails, customer, partner or competitive information, patent information, details of internal processes, strategic documents or keys and tools for accessing our internal network. I decided to provide a few tips around security and your laptop. Of course, a laptop presents lots of opportunities for attackers – of various types. Before we go any further, let’s think about some of the types of attacker you might be worrying about. The extent to which you need to be paranoid will depend somewhat on what attackers you’re most concerned about.
Here are some types of attackers that spring to my mind: bear in mind that there may be overlap, and that different individuals may take on different roles in different situations.
- opportunistic thieves – people who will just steal your hardware.
- opportunistic viewers – people who will have a good look at information on your screen.
- opportunistic probers – people who will try to get information from your laptop if they get access to it.
- customers, partners, competitors – it can be interesting and useful for any of these types to gain information from your laptop. The steps they are willing to take to get that information may vary based on a variety of factors.
- hackers/crackers – whether opportunistic or targeted, you need to be aware of where you – and your laptop – are most vulnerable.
- state actors – these are people with lots and lots of resources, for whom access to your laptop, even for a short amount of time, gives them lots of chances to do short-term and long-term damage to you data and organisation.
7 concrete suggestions
- Don’t take a laptop. Do you really need one with you? There may be occasions when it’s safer not to travel with a laptop: leave it in the office, at home, in your bag or in your hotel room. There are risks associated even with your hotel room (see below), but maybe a bluetooth keyboard with your phone, a USB stick or an emailed presentation will be all you need. Not to suggest that any of those are necessarily safe, but you are at least reducing your attack surface. Oh, and if you do travel with your laptop, make sure you keep it with you, or at least secured at all times.
- Ensure that you have disk encryption enabled. If you have disk encryption, then if somebody steals your laptop, it’s very difficult for them to get at your data. If you don’t, it’s really, really easy. Turn on disk encryption: just do.
- Think about your screen. When your screen is on, people can see it. Many laptop screens have a very broad viewing angle, so people to either side of you can easily see what’s on it. The availability of high resolution cameras on mobile phones means that people don’t need long to capture what’s on your screen, so this is a key issue to consider. What are your options? The most common is to use a privacy screen, which fits over your laptop screen, typically reducing the angle from which it can be viewed. These don’t stop people being able to view what’s on it, but it does mean that viewers need to be almost directly behind you. This may sound like a good thing, but in fact, that’s the place you’re least likely to notice a surreptitious viewer, so employ caution. I worry that these screens can give you a false sense of security, so I don’t use one. Instead, I make a conscious decision never to have anything sensitive on my screen in situations where non-trusted people might see it. If I really need to do some work, I’ll find a private place where nobody can look at my screen – and even try to be aware of the possibility of reflections in windows.
- Lock your screen. Even if you’re stepping away for just a few seconds, always, always lock your screen. Even if it’s just colleagues around. Colleagues sometimes find it “funny” to mess with your laptop, or send emails from your account. What’s more, there can be a certain kudos to having messaged with “the security guy/gal’s” laptop. Locking the screen is always a good habit to get into, and rather than thinking “oh, I’ll only be 20 seconds”: think how often you get called over to chat to someone, or decide that you want a cup of tea/coffee, or just forget what you were doing, and just wander off.
- Put your laptop into airplane mode. There are a multitude of attacks which can piggy-back on the wifi and bluetooth capabilities of your laptop (and your phone). If you don’t need them, then turn them off. In fact, turn off bluetooth anyway: there’s rarely a reason to leave it on. There may be times to turn on wifi, but be careful about the networks you connect to: there are lots of attacks which pretend to be well-known wifi APs such as “Starbucks” which will let your laptop connect and then attempt to do Bad Things to it. One alternative – if you have sufficient data on your mobile phone plan and you trust the provider you’re using – is to set your mobile (cell) phone up as a mobile access point and to connect to that instead.
- Don’t forget to take upgrades. Just because you’re on the road, don’t forget to take software upgrades. Obviously, you can’t do that with wifi off – unless you have Ethernet access – but when you are out on the road, you’re often more vulnerable than when you’re sitting behind the corporate firewall, so keeping your software patched and updated is a sensible precaution.
- Don’t suspend. Yes, the suspend mode makes it easy to get back to what you were doing, and doesn’t take much battery, but leaving your laptop in suspend increases the attack surface available to somebody who steals your laptop, or just has access to it for a short while (the classic “evil maid” attack of someone who has access to your hotel room, for instance). If you turn off your laptop, and you’ve turned on disk encryption (see above), then you’re in much better shape.
Are there more things you can do? Yes, of course. But all of the above are simple ways to reduce the chance that you or your laptop are at risk from
1 – After a recent blog post, a colleague emailed me with a criticism. It was well-intentioned, and I took it as such. The comment he made was that although he enjoys my articles, he would prefer it if there were more suggestions on how to act, or things to do. I had a think about it, and decided that this was entirely apt, so this week, I’m going to provide some thoughts and some suggestions this week. I can’t promise to be consistent in meeting this aim, but this is at least a start.
2 – edited: I did have “hibernate” mode in here as well, but a colleague pointed out that hibernate should force disk encryption, so should be safer than suspend. I never use either, as booting from cold is usually so quick these days.