Physical security threats and countermeasures pertaining to laptop and other mobile devices


By Gnanesh Wanigaratne - Posted on 20 September 2011

Laptops and other mobile devices today, and increasingly in the future, pack a diverse set of functions into a small form factor so that the growing population of mobile users (both corporate and personal) can work efficiently and effectively.

Although these devices are technologically advanced and user friendly, they hold common kinds of information and offer entry points for gathering sensitive information. Such information gathering mainly affects the confidentiality of the data they hold. If a device is stolen, the resulting risks span a broad threat landscape and make other types of attack easy to initiate. Typically the following information is available on such devices:

  1. Strategic information
    These devices are likely to contain information such as pending mergers, intellectual property, etc.
  2. Tactical information
    Such information includes organizational change plans, calendars, contacts, etc.
  3. Other organizational information
    There is a likelihood that these devices carry an organization's internal information, for example passwords, banking or financial information and/or confidential employee data.
  4. Customer information
    Legislation such as the Data Protection Act of 1998 requires that third-party data be secured against unauthorized or unlawful processing, yet such "physical vulnerabilities" can defeat that requirement. The loss of confidential customer data (account details, telephone numbers, e-mail addresses) would damage corporate image and goodwill and could also result in loss of business and legal penalties.
  5. Personal information
    Users' personal information, such as bank information, Internet shopping accounts and credit card details, is also stored on such equipment and could be accessed by a thief via the laptop. The loss of such private data can cause immense distress to an employee, resulting in lost productivity and time at work while the matter is resolved.
  6. Network information
    Consists of network-related user names and passwords, IP addressing schemes, DNS naming conventions, etc.
  7. Remote access
    Since these devices are not "stationary" and are used by the mobile workforce, in addition to the information stored on them they may also hold the access levels (including the related technical and non-technical configurations and information) needed to reach their respective remote organizations. If such a device falls into the hands of an illegitimate person, he or she could easily gain widespread access to an organization's information assets while posing as a "legitimate" user. Corporate accounts, financial data, confidential personnel files and customer details could then be stolen, causing untold harm and loss of corporate trust.

Taking the above into consideration, the following techniques are available for extracting information from such devices. Note that, in general, all of these methods could assist in extracting a variety of user names and passwords:

  1. Identify sensitive data on the devices
    Since the information listed above resides on such devices, an attacker could extract it for illicit use.
  2. Search for passwords
    These may include both technical and non-technical passwords relating to an organization's confidential information and points of entry.
  3. Scan the company's infrastructure or finance documents
    The same information-gathering techniques could be used by attackers for illicit purposes and to discredit an organization.
  4. Take out the address book, including phone numbers
    As with the previous item, this information could be used by attackers for illicit purposes and to discredit an organization.
  5. Extract appointments and schedules
    To gather information about organizational meetings, etc.
  6. Extract information from applications installed on the devices
    Applications residing on these devices could expose a wealth of confidential information that attackers could extract and use illicitly.
  7. Mine e-mail messages from the devices
    Apart from user names and passwords, the e-mail messages themselves may contain important information that could be exploited.
  8. Attempt to gain access to server resources using the extracted information
    Since much of the information includes the required authorizations and other details, an attacker would use these "assets" to gain access while posing as an authorized user.
  9. Perform social engineering with the extracted information
    The attacker could use the extracted data as a starting point for social engineering to gather more information.
  10. Verify the BIOS password
    The attacker could break or guess the password, or check whether the CMOS default configuration still allows access to the device's operating system, and then escalate privileges to reach the relevant information.
  11. Check the RAM
    On devices such as laptops, the RAM holds temporary information from when the device was last in operation. An attacker who obtains such a device would try to extract this information as an entry point.
  12. Analyze encrypted files
    Since a variety of decryption tools are available, an attacker would attempt to decrypt such files to extract confidential information.
  13. Examine web browsers
    Passwords could be extracted from stored cookies, history and temporary files, the recycle bin, etc.
  14. Install software on the devices
    Installing software on these devices (laptops, PDAs, etc.) would help the attacker gather archived or deleted confidential data. If such devices are not properly secured, the attacker might gather that information and then return the device to where it was found, so that when the victim next uses the equipment the installed software acts as a backdoor that transmits sensitive information.
  15. Attempt to enable wireless services
    For this, the attacker may do the following:
    • Power on wireless or Bluetooth when near the organization's campus
    • Scan the organization's network
    • Trace the organization's network and search for its SSID on the laptop
    • Confirm whether the SSID requires a password
    • Try to break the password via password-cracking techniques
    • Thereafter enable wireless or Bluetooth to gain access to the required information

To counter such methods, the organizational security policy must address these situations through a sub-policy covering this area. The mitigation strategies may then include the following (not limited to):

  1. Safeguard the physical security of laptops by protecting them with lockable security cables.
  2. Use laptop safes or laptop storage boxes to physically protect them from theft and to ensure they are used only by an authorized party. (applies to other mobile devices also)
  3. Store laptops in a secure area equipped with motion detectors, CCTV cameras, biometric entrance systems, etc. (applies to other mobile devices also)
  4. Use inconspicuous laptop carrying cases so that an attacker does not notice them. (applies to other mobile devices also)
  5. Educate organizational users on the authorized usage of any mobile device, and enforce a security-aware culture around the "accepted use" of such equipment. Non-organizational mobile equipment should be physically segregated from corporate mobile devices, and proper technical mitigation and segregation strategies should be enforced.
  6. Allow only accepted applications and installations (both technical and non-technical) on such devices to reduce the threat landscape. (applies to other mobile devices also)
  7. Communicate to employees their responsibilities regarding laptop usage. (applies to other mobile devices also)
  8. Set technical restrictions such as BIOS and login passwords, encryption, two-factor or multi-factor encryption, biometric security, laptop tracking and tracing mechanisms, etc. (applies to other mobile devices also)
  9. Label and tag laptops and their related devices. (applies to other mobile devices also)
  10. Use password protection methods. (applies to other mobile devices also)
  11. Store minimal information on mobile devices.
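The following is an added example, not part of the original post, showing how the technical controls above can be checked against a device posture record and mapped back to the extraction techniques they counter. The record format and its field names are assumptions, not a real MDM or inventory schema; a missing field fails the check rather than passing it.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    control: str                      # countermeasure from the list above
    counters: str                     # extraction technique it addresses
    passes: Callable[[dict], bool]    # missing keys fail closed

# Constructed posture record; field names are an assumption, not a real MDM schema.
SAMPLE_DEVICE = {
    "asset_tag": "LT-0042",
    "bios_password_set": False,
    "full_disk_encryption": True,
    "login_password_set": True,
    "mfa_enrolled": False,
    "screen_lock_timeout_min": 30,
    "suspend_to_ram_allowed": True,     # sleep leaves processed data resident in RAM
    "browser_saves_passwords": True,    # credentials recoverable from the browser profile
    "tracking_agent_installed": True,
}

RULES = [
    Rule("asset tag assigned", "untraceable loss of the device",
         lambda d: bool(d.get("asset_tag"))),
    Rule("BIOS password set", "booting another OS to reach the installed system",
         lambda d: d.get("bios_password_set") is True),
    Rule("full-disk encryption enabled", "reading files and stored passwords off the disk",
         lambda d: d.get("full_disk_encryption") is True),
    Rule("login password plus MFA", "posing as the user for remote access",
         lambda d: d.get("login_password_set") is True and d.get("mfa_enrolled") is True),
    Rule("screen lock within 10 minutes", "use of an unattended, unlocked device",
         lambda d: 0 < d.get("screen_lock_timeout_min", 0) <= 10),
    Rule("suspend-to-RAM disabled", "recovering data left in RAM",
         lambda d: d.get("suspend_to_ram_allowed") is False),
    Rule("browser password saving disabled", "extracting passwords from the web browser",
         lambda d: d.get("browser_saves_passwords") is False),
    Rule("tracking agent installed", "no way to locate or wipe a stolen device",
         lambda d: d.get("tracking_agent_installed") is True),
]

def failed_controls(device: dict) -> list[tuple[str, str]]:
    """Return (control, threat left open) for every rule the device fails."""
    return [(r.control, r.counters) for r in RULES if not r.passes(device)]

def report(device: dict) -> str:
    tag = device.get("asset_tag") or "<untagged>"
    lines = [f"  MISSING {c} (leaves open: {t})" for c, t in failed_controls(device)]
    return "\n".join([f"Device {tag}: {len(lines)} control(s) missing"] + lines)
```

Calling `report(SAMPLE_DEVICE)` lists the five controls the constructed record lacks, each with the technique from the list above that remains open until it is fixed.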


Written by:

G.S.D. Wanigaratne (Network & Communication Administrator - NSB)
