4 simple steps to bulletproof laptop security

Follow these tips, tools, and techniques to protect your Windows notebook against theft, intrusion, and data loss

Security: You either have it or you don't, right? Not quite. It's a matter of degrees or, as the experts prefer to think of it, layers. The more varieties of security you have, the better the odds your goods can be protected successfully from intrusion or theft.

Layered security applies as much to laptop computers as it does to corporate networks or the Pentagon -- good news, because laptops present a major target for theft. Aside from the (illegal) resale value of the laptop itself, there's always the possibility that personal data can be harvested from it. Although hacking has surpassed the lost or stolen laptop as the leading cause of data breaches, notebooks are no less vulnerable to theft, and a stolen notebook still exposes whatever is stored on it.


With that in mind, I've collected a variety of techniques, software products, services, and functionalities that are either available on certain notebooks or can be implemented on just about all of them. Some involve hardware (fingerprint readers), some involve software (Prey, TrueCrypt), and some involve nothing more than using your head (strong passwords). Not all of them can be implemented on a given machine, but the more layers of each kind of security you can add, the better.

I don't expect most people to implement every single suggestion found here. I myself have a notebook that has a TPM (Trusted Platform Module), a fingerprint reader, full-disk encryption, a StuffBak sticker (to facilitate the return of a lost device), and a Prey account (to track a stolen unit) -- but I know full well that combining all of these protections is the exception, not the rule.

That said, there's nothing stopping you from implementing two or more of these layers of security on your notebook. Prey plus full-disk encryption, for instance, are both feasible and inexpensive; you can do both without paying a cent, and together they provide useful defenses. StuffBak costs money, but not a lot; a package of stickers can be had for under $20, and you pay (if you pay at all) only for a return when it actually takes place. The most expensive proposition is to either add a fingerprint reader to an existing system or to buy a system that has a fingerprint reader plus TPM as factory-installed features.

But no matter what your budget -- $2, $20, or $2,000 -- there are affordable layers of security you can add to your notebook that can prove priceless.

Laptop security step No. 1: Strong passwords
I know, I know, you've heard this drill too many times, and it never sounds any more compelling each time it's repeated. That's why you're using your birthday or "password123" or some other too-easy-to-guess string ... because when you get down to it, you don't really believe someone's going to crack open your notebook and ransack it for everything they can find. Right?

The point of a long password is not just to annoy you, even if it feels like that at times. It's to provide a nontrivial first line of defense for the system. Passwords are one of the first and easiest protections to attack if a system falls into the wrong hands. By the same token, they're also one of the easiest protections to make secure in the first place -- provided you choose them properly.

Fortunately, it's quite possible to create secure passwords without exceptional stress on your part. The trick is to pick a password that means something to you and that has a degree of complexity to it, but which most anyone else -- even someone with a casual amount of knowledge about you -- will have a hard time guessing. Above all else, it should not be a word that can be found in a dictionary.

One of the best ways I've found to generate a secure password is to start with a phrase -- a short sentence, something you can easily remember. A song lyric is perfect for this sort of thing, since almost anyone can remember one that they like. The trick is not to use the lyric or the short sentence itself, but to use the first letter of each word to compose the password. Example: The opening words of Bob Dylan's "Like a Rolling Stone" might be rendered "ouatydsfyttbadiyp." One caveat: the opening lines of very famous songs, quotations, and prayers are exactly the phrases that attackers have already reduced to first-letter form in their wordlists, so pick a line from deep in a song you know, or a sentence of your own, rather than the line everyone can recite.

The end result is usually fairly long, complex enough to meet most password requirements, and easy to bring back to mind. If you're using a system where password length and complexity have been set by an administrator, you can enhance any of the above schemes by swapping symbols for letters ($ for S, @ for A, and so on). Keep in mind that those substitutions are standard rules in password-cracking tools, so they add almost nothing to a plain dictionary word; their real value is letting a long passphrase-derived string satisfy a complexity policy.

What's crucial is that you find a way to keep your passwords in your memory and not rely on some external storage (such as a Post-it Note). Using a passphrase as a mnemonic is one way to avoid having to write it down. The less of your laptop's security you make available to prying eyes in any form, the better. This takes practice, but not as much as you might think, and it creates good password-generating habits that can be used elsewhere.
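To make that point concrete, here is an added PowerShell example, written for this page and not taken from the article: it builds the mnemonic from a phrase and then emulates the case and symbol substitution rules a cracking tool applies to every wordlist entry. The six-word wordlist and the substitution table are constructed for the demo; a real cracker's rule set and dictionary are far larger.

```powershell
# Added example (not from the article): passphrase mnemonics versus leet-style
# mutations of dictionary words. Constructed wordlist and substitution table.

# Substitutions a typical cracking rule set tries for each letter.
$Leet = @{ 'a' = '@4'; 'e' = '3'; 'i' = '1!'; 'o' = '0'; 's' = '$5'; 't' = '7' }

# Tiny constructed wordlist standing in for a real cracking dictionary.
$WordList = @('password', 'letmein', 'welcome', 'dragon', 'monkey', 'sunshine')

function Get-Mnemonic {
    # First letter of each word, lowercased: the passphrase trick from the text.
    param([Parameter(Mandatory)][string]$Phrase)
    $letters = [regex]::Matches($Phrase, "[A-Za-z']+") |
        ForEach-Object { $_.Value.Substring(0, 1).ToLower() }
    return -join $letters
}

function Test-LeetMutation {
    # True if $Candidate is $Word with any mix of case changes and leet swaps.
    param([string]$Candidate, [string]$Word)
    if ($Candidate.Length -ne $Word.Length) { return $false }
    for ($i = 0; $i -lt $Word.Length; $i++) {
        $w = $Word[$i].ToString().ToLower()
        $allowed = $w + $w.ToUpper()
        if ($Leet.ContainsKey($w)) { $allowed += $Leet[$w] }
        if ($allowed.IndexOf($Candidate[$i]) -lt 0) { return $false }
    }
    return $true
}

function Test-Crackable {
    # True if the password is a mutated dictionary word, optionally followed
    # by up to two digits (the 'Dragon1' pattern rules also generate).
    param([string]$Password, [string[]]$Dictionary = $WordList)
    $stem = $Password -replace '\d{1,2}$', ''
    foreach ($word in $Dictionary) {
        if (Test-LeetMutation -Candidate $stem -Word $word) { return $true }
    }
    return $false
}

$phrase   = 'Once upon a time you dressed so fine, you threw the bums a dime in your prime'
$mnemonic = Get-Mnemonic $phrase
"Mnemonic '$mnemonic' crackable by rules: $(Test-Crackable $mnemonic)"
foreach ($p in 'P@$$w0rd', 'Dragon1', 'monkey') {
    "'$p' crackable by rules: $(Test-Crackable $p)"
}
```

Run as written, the script reports the Dylan-derived mnemonic as not recoverable by those rules, while 'P@$$w0rd', 'Dragon1', and 'monkey' all are: the symbol swaps cost the attacker nothing, and it is the length and unpredictability of the passphrase initials that do the work.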

Laptop security step No. 2: Fingerprint readers
If your laptop comes equipped with a fingerprint reader, that's another layer of protection you can use. Fingerprint readers complement existing ways to secure a system; they can be used to log on instead of a password, but you can always fall back on a password if the fingerprint reader goes out of whack or you don't have a finger handy anymore (ouch). It's also often faster and more convenient to log in via a fingerprint than it is to type a password. There's nothing to memorize; you are the credential.

Note that fingerprint readers are not offered in all notebooks; they're mainly found in business-class machines. It is possible to add a fingerprint reader to a notebook after the fact, by plugging one in via USB. That said, I'm not crazy about the idea, if only because of the form factor. Having something the size of a stick of gum perennially hanging off the side of one's notebook sounds like an invitation to smashing it against something -- doubly so if you're a commuter.

When you set up a fingerprint reader, here are a few tips to keep in mind:

  1. Enroll at least one finger from each hand. That way, if you have a hand injury, you can easily fall back on the other finger.
  2. If your reader supports it, configure the system to require a fingerprint at power-on. This way, the system cannot be cold-booted by anyone who's not already registered. In many cases, the system will use the same fingerprint credential swiped at startup to automatically log you in, so you don't have to swipe your finger twice.
  3. Fingerprint credentials (the data sampled for your fingerprint) can be protected using the reader's own key for additional security. There's no noticeable overhead or cost for doing this, so use this option if it's available with your fingerprint reader.
  4. It's typically possible to set a backup password for the fingerprint reader in case it fails to work. If you do this, don't use a password that matches anything else in the system. Come up with something fresh.

Some fingerprint-reader software suites also have the ability to protect password fields, either in system prompts or in pages viewed by Web browsers. I'm not crazy about doing this, if only because I found another approach that does not store passwords locally at all: SuperGenPass. It's a browser-side add-on that uses a master password to dynamically generate strong passwords for websites based on their domain name. Nothing is ever stored locally, unless you use your browser's own password-storage feature to cache the results (which defeats the purpose).

Many business-class notebooks have fingerprint readers built-in. External USB models also exist, but integrated models are less cumbersome.

Laptop security step No. 3: Full-disk encryption
A third level of protection comes in the form of encryption, which can range from simply encrypting individual files to encrypting the entire contents of the system disk. Windows has long had on-disk encryption for individual files and folders, but now features the native ability to encrypt the system drive itself: operating system, applications, data, everything. Whether you use Windows' built-in solution or an alternative (more on that below), don't overlook the importance of full-disk encryption. It's one of the most thorough physical defenses for a notebook.

Windows' native disk encryption system, BitLocker, can be used to protect either individual drives or the entire system drive. It doesn't appreciably affect system performance, so you can use it without worrying about slowing down the system. If you elect to encrypt your notebook's entire system drive with it, you'll need one of two things:

  1. A TPM (Trusted Platform Module) in the notebook in question. Notebooks equipped with a fingerprint reader generally have a TPM included. BitLocker seals the volume key to the TPM so that it is released only when the boot components measured at startup are unchanged; the key never sits in the clear on the disk.
  2. A removable USB drive which serves as a startup key for the system. By default BitLocker requires a TPM for the operating system drive, so you must first enable the local policy "Require additional authentication at startup" with its "Allow BitLocker without a compatible TPM" option (under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) before it will accept a USB key alone.

I've used BitLocker on notebooks both with and without TPM. On the whole, TPM makes it far simpler, and the day-to-day experience on a system protected by USB key only is much the same. The one thing you give up without a TPM is the boot-integrity check: a startup key unlocks the drive whether or not the boot loader has been tampered with. If you plan on using a USB key, do yourself a favor and spend some money to buy the smallest USB drive you can find (that you're confident you won't lose). This makes it less onerous to plug and unplug, especially if you find yourself doing so on the train.
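As an added example (not from the article), the following PowerShell script, run from an elevated prompt on Windows 7, walks both paths above: it checks for a TPM through WMI and, if none is present, sets the registry values that the "Require additional authentication at startup" policy writes before enabling encryption with a USB startup key. The drive letters C: (system) and E: (the USB stick) are assumptions; adjust them for your machine.

```powershell
# Added example (not from the article): enable BitLocker on the OS drive, using
# the TPM when present and a USB startup key otherwise. Run elevated.
# Assumed drive letters: C: is the system drive, E: is the USB stick for the key.
$SystemDrive = 'C:'
$UsbKeyDrive = 'E:\'

# Ask the TPM WMI provider whether a TPM is present and enabled.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($tpm -and $tpm.IsEnabled().IsEnabled) {
    # With a TPM, add a TPM protector plus a recovery password, then encrypt.
    & manage-bde -protectors -add $SystemDrive -TPM
    & manage-bde -on $SystemDrive -RecoveryPassword
} else {
    # Without a TPM, BitLocker refuses to protect the OS drive unless local policy
    # permits a startup key instead. These values are what the Group Policy
    # setting "Require additional authentication at startup" writes
    # (2 = "Allow" in the policy's drop-downs).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $policy -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    Set-ItemProperty -Path $policy -Name 'UseTPM'             -Value 2 -Type DWord
    Set-ItemProperty -Path $policy -Name 'UseTPMPIN'          -Value 2 -Type DWord
    Set-ItemProperty -Path $policy -Name 'UseTPMKey'          -Value 2 -Type DWord
    Set-ItemProperty -Path $policy -Name 'UseTPMKeyPIN'       -Value 2 -Type DWord

    # Encrypt the OS drive. The startup key (.BEK file) is written to the USB
    # stick, and a 48-digit recovery password is printed for you to record
    # somewhere other than the laptop itself.
    & manage-bde -on $SystemDrive -StartupKey $UsbKeyDrive -RecoveryPassword
}

# Confirm which protectors are in place and watch encryption progress
# (it continues in the background across reboots).
& manage-bde -protectors -get $SystemDrive
& manage-bde -status $SystemDrive
```

Write the recovery password down before you reboot: without the USB key (or the TPM) it is the only way back into the drive, and manage-bde prints it exactly once.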

Microsoft went to some trouble to make sure that data stored on BitLocker drives is recoverable in the event of hard disk damage or failure. BitLocker-encrypted drives can also be unlocked from the Windows Preinstallation Environment (WinPE) and the Windows Recovery Environment, provided you have the recovery key file or the 48-digit recovery password generated when you turned BitLocker on. If something does indeed go wrong, you will still have some way to access the encrypted drive. Also, if you're using the notebook in an Active Directory-managed environment, you can have the recovery password backed up to AD. It remains a good idea to have any valuable data backed up elsewhere (and to keep those backups encrypted, too), of course. My point is that you have multiple lines of defense against disaster.

BitLocker has one restriction that may put it out of the reach of many users: It's available in only the Enterprise and Ultimate SKUs of Windows. Since not everyone can afford those editions, it's good to know much of the same functionality is available through free third-party software.

One of the best ways to get roughly the same level of functionality as BitLocker is via TrueCrypt, an on-disk encryption system for multiple platforms that allows for full system-disk encryption in Windows. Once a system drive is encrypted with TrueCrypt, it requires a password at boot time -- one that you should pick according to the parameters I outlined previously. No password, no boot; no boot, no data. Note that TrueCrypt's developers ended the project in May 2014 and advised users to move to other tools; the maintained fork VeraCrypt provides the same system-encryption and hidden-volume features described here.

Another major feature offered by TrueCrypt is the ability to create a hidden operating system. Depending on the password you supply at boot time, you can boot to one of two systems: a visible decoy OS on the first partition (in which you keep nothing of consequence) or your real OS, which lives in a hidden volume inside the outer volume of a second partition that follows the system partition. This is an extension of an existing TrueCrypt function, where you can hide one encrypted volume inside another. If you're ever in a position where you're forced to reveal your encryption password, you can give up the decoy's password without giving up your secrets. I recommend this only for the truly cautious, because a) setting up a hidden OS is somewhat complicated and b) it's not likely you'll need it unless you work in an environment where guns might end up being pointed at you.

TrueCrypt also insists on creating a Rescue Disk (an .iso image you burn to a CD or write to a USB drive) before it will encrypt the system drive, and it verifies the disk before proceeding. The Rescue Disk can restore a damaged boot loader or volume header, so you have something to fall back on in the event the drive doesn't boot properly for whatever reason.

If you're loath to encrypt the whole system, you can use BitLocker (BitLocker To Go, for removable media) or TrueCrypt to encrypt individual nonsystem volumes -- USB drives, for instance, where you might keep your most sensitive data. This provides less global protection, but also slightly less hassle.

The TrueCrypt encryption process can be suspended and resumed at your convenience, even across multiple reboots.

Laptop security step No. 4: Theft and loss recovery
One final layer of protection you can add to a notebook is what to do if it's lost or stolen. Since notebooks are lost and stolen a lot more regularly than their desktop counterparts (which goes hand in hand with the fact that they're portable), it makes sense to either protect them from being lost in the first place or to make sure they can be recovered if they go missing.

Theft recovery for a notebook can take roughly two forms: a service or an application. Sometimes you have one as an extension of the other, but those two basic incarnations are the most common.
