I ran across an interesting blog post over at http://www.crunchgear.com/2008/05/05/locking-down-...e-tsa/ which refers to ways to protect information on a laptop that might be examined by custom’s agents. As you might know, as a US citizen, your Constitutional Rights do not apply when you’re going through customs. No, this has nothing to do with the Patriot Act, or George Bush or anything you might want to think it’s due to — it’s always been this way.

While the blog post is more focused on how criminals can hide their illegal data from the authorities, there’s a more important question to be concerned with here. Suppose you carry a laptop for your business, and you and your company have clearance to access classified government information. You keep some of that information on your laptop. The customs agent asks to view the contents of your laptop. What should you do? The customs agent does not have your clearance level and therefore must not see that information.

You could try to explain your situation, but that’s not likely to help and most likely would raise the agent’s attention and make him even more interested in the data on your hard disk. Now you’re truly between a rock and a hard place — you’ll net nailed for not cooperating with the customs agent, and you’re going to get nailed by the Federal Agency that you’re working with by exposing classified information to someone without the required clearance.

The same is true even if you’re not working with the government. You could be working in the financial services sector and have information that will impact millions or billions of dollars in the markets. If that information is on your laptop and the agent inspects the contents of your laptop, that agent now has information that can be sold on the gray or black markets that could put your company, and many other’s, at risk.

What should you do? My best advice for you is to never put sensitive information on a laptop. That’s what I do. Laptops are lost and stolen too frequently to make it worth taking a chance on sensitive information being lost due to misplacing my laptop.

However, there are other ways to gain access to sensitive information other than just looking at file contents on the laptop. How about your mail account? I’m sure you saved your user name and password in Outlook so that you won’t have to enter it every time. Now the agent has access to your email account and all the private data contain therein.

Also, you might have a VPN connectoid configured to save your user name and password. Now the agent has access to your entire network and any data that you’re authorized to access there. Now, that can become a very interesting situation.

The VPN and email solutions are easy. Don’t save your passwords. It always shocks me when security admins give in and allow users to save their email passwords locally on a laptop. But too often ease of use (laziness) trumpts security.

For those of you who don’t want to type passwords, there is a solution. For your laptop, just allow the base operating system to be installed. Then, create a virtual machine and place it on a high capacity SD card or USB key. Install all of your applications and files on the virtual machine. Then install VMware or Virtual PC on the laptop. Place the removable media into the laptop, start the virtual machine, and go to town! All data and passwords and other information is saved to the VM. When you shut down the VM and pull the media, no trace is left on the laptop.

Since customs is only interested in your laptop, all they’re going to see is Windows XP or Vista in an out of the box configuration.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

As a MS security admin, you know that probably your biggest challenge today is securing mobile devices. There’s the versions of Windows Mobile, the Blackberry, the iPod, and the other phones that are waiting to connect to your network.

Some of these devices are built with security in mind and support multiple methods that can be used to secure the configuration of the device, secure the data on the device, and secure the connections that the device makes to your corporate network. Other devices aren’t so focused on security and are more focused on “cool”. But regardless of the device, you can be sure that your users are going to ask you to “hook them up”.

In the past you could have told them “no”. But this is getting to be less of an option as these devices are becoming increasingly pervasive. The boss sets the tone. He’s got the cool new Windows Mobile 6 Samsung i760, then a VP comes in with an iPod, and then another senior exec wants the Blackberry to work. Then there’s the mobile sales force, the various network and application admins who don’t want to have to carry a laptop around everywhere.

So how do you do it? Why not learn from the best? Microsoft is well known for giving its users relative free reign over the network, so it’s no surprise that they go out of their way to allow users network access using mobile devices. Join this webcast and find out how Microsoft IT is enabling their mobile workforce via the deployment of the Windows Mobile platform. Microsoft IT fully integrates Windows Mobile features and applications, with both established hardware and infrastructure, and future plans support  master security policy migrations, such as complete two-factor authentication operations.

You can find the Webcast at: http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Not being a developer myself, I don’t spend a lot of time searching out information on secure software development. However, I recently found a site that makes secure software development education interesting to non-developers. The site is called Microsoft Hello Secure World. There are a number of useful and interesting presentations that you can watch and listen to on the site, and a virtual lab that you can use to bone on up learning about how to avoid common coding mistakes.

Check it out at:

http://www.microsoft.com/click/hellosecureworld/de...t.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

I’ve written in the past about the areas where you need to implement security. My personal focus is network security, because my primary interest is in network firewalls, especially the ISA Firewall. However, there are many layers that need to be taken care of before you can say that you’ve implemented defense in depth security policy. I would argue that the most important consider is the security of the software deployed. In other words, is the software itself secure?

Building secure software is not magic. It’s the result of hard work and dedication to secure software development principles. Many software developers depend on penetration tests and security bugs found in the software after it is released. But is that the best way to do things?

To build secure software, you have to make sure that the software is created with security in mind. Security needs to be built in during every step in the process. From the planning phase, to the development phase, to the testing phase, to the post release phase, security procedures needs to be built in so that security bugs never appear in the first place.

This is where the Microsoft Security Development Lifecycle (SDL) comes in. The SDL includes a number of processes and procedures that can be used throughout the entire lifecycle of a particular software product. Security isn’t something that’s taken care of at the end of software development, where pen testing is used to find any security vulnerabilities in the software. Instead, security is built in each step of the way, so that a proactive approach is used to prevent vulnerabilities from ever appearing. Of course, pen testing is still used, but if the SDL is properly employed, very little value should come from pen testing.

The figure below shows the number of vulnerabilities for the first year after release between Windows XP and Vista, as well as other operating systems. As you can see, just comparing Windows XP and Vista shows a 50% reduction in vulnerabilities. And when you compare Vista to other operating systems, it’s clear that the SDL makes a profound difference when it comes to creating more secure software.

Some might argue that just counting vulnerabilities is not the best way to measure how secure software is out of the box. I won’t argue for or against that point. However, if you’re choosing between Microsoft and another vendor, just ask the other vendor what policies, processes and procedures they in place that insure that their software is secure by design, and have them compare their processes with the Microsoft SDL. If they can’t answer these questions, or give you The Party Line ( this is FUD, what does Microsoft know about security, etc) then consider the potential (and hidden) security issues with their software.

For a great discussion on this issue, check out:

http://www.microsoft.com/technet/community/columns...8.mspx

For more information on the Security Development Lifecycle:

http://msdn.microsoft.com/en-us/library/ms995349.aspx

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)